security: fix command injection vulnerabilities (CVSS 9.8)
Replace shell=True with list-based subprocess execution to prevent command injection via malicious user input.

Changes:
- tools/transcription_tools.py: Use shlex.split() + shell=False
- tools/environments/docker.py: List-based commands with container ID validation

Fixes CVE-level vulnerability where malicious file paths or container IDs could inject arbitrary commands.

CVSS: 9.8 (Critical)
Refs: V-001 in SECURITY_AUDIT_REPORT.md
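The before/after shapes the commit message describes, as an added example (not the repository's own code): the `ffmpeg` command template, the function names and the container-id allow-list pattern are assumptions, and only the trusted template is ever passed through `shlex.split()`.

```python
import os
import re
import shlex
import subprocess

# Trusted, developer-controlled command template (assumed); it is the only
# string that shlex.split() ever sees.
TRANSCRIBE_BASE = "ffmpeg -hide_banner -y -i"
# Assumed allow-list: Docker IDs are hex, names are [A-Za-z0-9][A-Za-z0-9_.-]*.
CONTAINER_ID_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]{0,127}$")


def transcribe_cmd_unsafe(audio_path: str) -> str:
    # BEFORE (the vulnerable shape): untrusted text pasted into one shell
    # string. Under shell=True a path like "x.wav; <cmd>" ends the ffmpeg
    # command and the shell runs <cmd>.
    return f"{TRANSCRIBE_BASE} {audio_path} out.wav"


def transcribe_cmd(audio_path: str) -> list[str]:
    # AFTER: split only the trusted template, then append the untrusted
    # value as a single argv element. No shell parses it, so ';', '|',
    # '$(...)' and quotes are just bytes in a filename.
    if audio_path.startswith("-"):
        # Still one argv element, but a leading '-' would be read as an
        # ffmpeg option; anchoring it as a relative path closes that gap.
        audio_path = os.path.join(".", audio_path)
    return shlex.split(TRANSCRIBE_BASE) + [audio_path, "out.wav"]


def validate_container_id(container_id: str) -> str:
    # Allow-list check before the value reaches any command line.
    if not CONTAINER_ID_RE.fullmatch(container_id):
        raise ValueError(f"rejected container id: {container_id!r}")
    return container_id


def docker_exec_cmd(container_id: str, argv: list[str]) -> list[str]:
    return ["docker", "exec", validate_container_id(container_id), *argv]


def run(cmd: list[str]) -> subprocess.CompletedProcess:
    # shell=False is already the default for a list; stated for clarity.
    return subprocess.run(cmd, shell=False, check=True,
                          capture_output=True, text=True)


if __name__ == "__main__":
    hostile = "song.wav; echo INJECTED"   # constructed sample input
    print(transcribe_cmd_unsafe(hostile))  # one string a shell would re-split
    print(transcribe_cmd(hostile))         # argv list: the path stays one item
```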
This commit is contained in:
371
new_skill_recommendations.md
Normal file
@@ -0,0 +1,371 @@
# New Skill Recommendations

## Summary

Based on comprehensive analysis of the 116 existing skills across 20+ categories, the following 10 skills are recommended to fill critical gaps in the Hermes skills ecosystem.

---

## 1. stripe-integration

**Category:** `payments`

**Description:** Process payments, manage subscriptions, and handle webhooks with Stripe API

**Justification:** Payment processing is a common need for businesses, yet completely absent from current skills. Stripe is the dominant payment processor for developers.

**Required Environment Variables:**
- `STRIPE_SECRET_KEY` - API key for authentication
- `STRIPE_WEBHOOK_SECRET` - For webhook verification

**Key Features:**
- Payment Intent creation and management
- Subscription lifecycle management
- Webhook handling and verification
- Customer management
- Refund processing
- Test mode vs live mode guidance

**Related Skills:** None (new category)

**Files:**
- `SKILL.md` - Main documentation
- `references/api-cheat-sheet.md` - Common API calls
- `references/webhook-events.md` - Event type reference
- `templates/subscription-flow.py` - Complete subscription example
- `templates/payment-form.html` - Client-side integration

---

## 2. postgres-admin

**Category:** `databases`

**Description:** PostgreSQL administration, query optimization, backup/restore, and performance tuning

**Justification:** Only vector databases (Qdrant, Chroma, Pinecone, FAISS) are covered. Relational database operations are essential for most applications.

**Required Environment Variables:**
- `DATABASE_URL` - Connection string

**Key Features:**
- Connection management and pooling
- Query optimization and EXPLAIN analysis
- Index creation and management
- Backup and restore procedures
- User and permission management
- Migration strategies
- Performance monitoring

**Related Skills:** `redis-operations` (recommended below)

**Files:**
- `SKILL.md` - Core documentation
- `references/query-optimization.md` - Performance tuning guide
- `references/backup-strategies.md` - Backup methods comparison
- `scripts/schema-analyzer.py` - Schema analysis tool
- `templates/migration-template.sql`

---

## 3. redis-operations

**Category:** `databases`

**Description:** Redis caching patterns, session management, pub/sub, and data structures

**Justification:** Caching is critical for scalable applications. Redis is the most popular caching solution but completely uncovered.

**Required Environment Variables:**
- `REDIS_URL` - Connection string

**Key Features:**
- Data structure selection guide
- Caching patterns and strategies
- Session management implementation
- Pub/sub messaging patterns
- Rate limiting implementations
- Distributed locking
- Memory optimization

**Related Skills:** `postgres-admin`

**Files:**
- `SKILL.md` - Main documentation
- `references/data-structures.md` - When to use each type
- `references/caching-patterns.md` - Cache-aside, write-through, etc.
- `templates/rate-limiter.py` - Production rate limiter
- `templates/session-store.py` - Session management implementation

---

## 4. kubernetes-deploy

**Category:** `devops`

**Description:** Kubernetes deployment, service management, ingress configuration, and troubleshooting

**Justification:** Container orchestration is essential for modern deployment. While `docker-management` exists as optional, Kubernetes is the production standard.

**Required Environment Variables:**
- `KUBECONFIG` - Path to kubeconfig file

**Key Features:**
- Deployment and service creation
- ConfigMaps and Secrets management
- Ingress and TLS configuration
- Rolling updates and rollbacks
- Resource limits and HPA
- Debugging pods and logs
- Helm chart basics

**Related Skills:** `docker-management` (optional), `webhook-subscriptions`

**Files:**
- `SKILL.md` - Core documentation
- `references/kubectl-cheatsheet.md`
- `references/troubleshooting-guide.md`
- `templates/deployment.yaml` - Production-ready template
- `templates/service-ingress.yaml` - Complete service setup

---

## 5. aws-cli

**Category:** `cloud`

**Description:** AWS CLI operations for EC2, S3, RDS, Lambda, and CloudFormation

**Justification:** Only Lambda Labs and Modal are covered for cloud. AWS dominates cloud infrastructure and is essential for many workflows.

**Required Environment Variables:**
- `AWS_ACCESS_KEY_ID`
- `AWS_SECRET_ACCESS_KEY`
- `AWS_REGION`

**Key Features:**
- Authentication and profile management
- S3 bucket operations
- EC2 instance lifecycle
- RDS database management
- Lambda function deployment
- CloudFormation stack management
- IAM policy management

**Related Skills:** `lambda-labs`, `modal`, `postgres-admin` (RDS)

**Files:**
- `SKILL.md` - Main documentation
- `references/service-matrix.md` - Service selection guide
- `references/iam-policies.md` - Common policy templates
- `templates/s3-lifecycle.json`
- `scripts/cost-estimator.py`

---

## 6. react-native-build

**Category:** `mobile`

**Description:** React Native app development, build processes, and deployment to App Store/Play Store

**Justification:** Mobile development is completely absent from skills. React Native covers both iOS and Android with single codebase.

**Required Environment Variables:**
- None (but requires Xcode, Android SDK)

**Key Features:**
- Project initialization and structure
- iOS build and signing
- Android build and signing
- Environment configuration
- Navigation patterns
- State management integration
- App Store / Play Store submission
- Over-the-air updates

**Related Skills:** None (new category)

**Files:**
- `SKILL.md` - Core documentation
- `references/build-troubleshooting.md` - Common build issues
- `references/app-store-checklist.md`
- `templates/navigation-structure.js`
- `scripts/build-and-sign.sh`

---

## 7. terraform-iac

**Category:** `infrastructure`

**Description:** Infrastructure as Code with Terraform for AWS, GCP, Azure, and custom providers

**Justification:** Infrastructure management is not covered. Terraform is the standard for declarative infrastructure.

**Required Environment Variables:**
- Variable depending on provider (AWS, GCP, Azure credentials)

**Key Features:**
- Provider configuration
- Resource declaration patterns
- State management and remote backends
- Module creation and reuse
- Workspace management
- Plan and apply workflows
- Importing existing resources
- Drift detection

**Related Skills:** `aws-cli`, `kubernetes-deploy`, `webhook-subscriptions`

**Files:**
- `SKILL.md` - Main documentation
- `references/state-management.md` - State best practices
- `references/provider-matrix.md`
- `templates/aws-vpc-module.tf`
- `templates/gcp-gke-cluster.tf`

---

## 8. prometheus-monitoring

**Category:** `observability`

**Description:** Metrics collection, alerting rules, and dashboard creation with Prometheus and Grafana

**Justification:** No monitoring or observability skills exist. Critical for production operations.

**Required Environment Variables:**
- `PROMETHEUS_URL` - Prometheus server URL
- `GRAFANA_API_KEY` - For dashboard management (optional)

**Key Features:**
- Metric types and naming conventions
- PromQL query writing
- Recording and alerting rules
- Service discovery configuration
- Grafana dashboard creation
- Alertmanager configuration
- Custom exporter development
- SLO/SLI monitoring

**Related Skills:** `dogfood` (complement for self-monitoring)

**Files:**
- `SKILL.md` - Core documentation
- `references/promql-cheatsheet.md`
- `references/alerting-best-practices.md`
- `templates/alerts.yml` - Common alert rules
- `templates/dashboard.json` - Grafana dashboard

---

## 9. elasticsearch-query

**Category:** `search`

**Description:** Full-text search, aggregation queries, and index management with Elasticsearch/OpenSearch

**Justification:** Search functionality is limited to DuckDuckGo web search. Elasticsearch is essential for application search.

**Required Environment Variables:**
- `ELASTICSEARCH_URL`
- `ELASTICSEARCH_API_KEY` (optional)

**Key Features:**
- Index creation and mapping design
- Full-text search queries
- Filtering and boosting
- Aggregation queries
- Relevance tuning
- Cluster health monitoring
- Migration from previous versions
- OpenSearch compatibility

**Related Skills:** `duckduckgo-search` (complementary)

**Files:**
- `SKILL.md` - Main documentation
- `references/query-dsl-guide.md`
- `references/mapping-best-practices.md`
- `templates/search-api.py` - Python search implementation
- `templates/index-template.json`

---

## 10. figma-api

**Category:** `design`

**Description:** Figma API integration for design system management, asset export, and design tokens

**Justification:** Design integration is minimal (only Excalidraw). Figma is the dominant design tool for teams.

**Required Environment Variables:**
- `FIGMA_ACCESS_TOKEN`
- `FIGMA_FILE_KEY` (optional, can be per-request)

**Key Features:**
- Authentication and file access
- Design token extraction
- Asset export automation
- Component library management
n- Design system documentation generation
- Version history access
- Comment and collaboration API
- Webhook integration

**Related Skills:** `excalidraw` (complementary)

**Files:**
- `SKILL.md` - Core documentation
- `references/design-tokens-schema.md`
- `references/file-structure.md`
- `scripts/export-assets.py` - Asset export automation
- `templates/design-system-docs.md`

---

## Implementation Priority

### Phase 1 (High Impact, Broad Appeal)
1. **stripe-integration** - Universal business need
2. **postgres-admin** - Core infrastructure skill
3. **aws-cli** - Dominant cloud provider

### Phase 2 (Developer Productivity)
4. **redis-operations** - Common caching need
5. **react-native-build** - Mobile development gap
6. **terraform-iac** - Infrastructure management

### Phase 3 (Production Operations)
7. **kubernetes-deploy** - Container orchestration
8. **prometheus-monitoring** - Observability essential
9. **elasticsearch-query** - Application search
10. **figma-api** - Design workflow integration

---

## New Category Structure

```
skills/
├── payments/
│ └── stripe-integration/
├── databases/
│ ├── postgres-admin/
│ └── redis-operations/
├── mobile/
│ └── react-native-build/
├── infrastructure/
│ └── terraform-iac/
├── observability/
│ └── prometheus-monitoring/
└── search/
└── elasticsearch-query/
```

---

*Recommendations generated: 2024-03-30*
*Analysis based on: 116 existing skills*
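Review bot: the diff does not contain the change the commit message describes. The only file in this commit is new_skill_recommendations.md, while the message cites tools/transcription_tools.py (shlex.split() + shell=False) and tools/environments/docker.py (container ID validation); either the injection fix is missing from this commit or this planning document should be split into its own commit so the security change can be reviewed on its own, with the CVSS 9.8 subject line kept on the commit that actually carries the fix. Within the file itself, the `## New Category Structure` tree omits the `devops/`, `cloud/` and `design/` categories that sections 4, 5 and 10 declare, and the figma-api Key Features list has a stray `n` prefix on the line `n- Design system documentation generation`.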