Timmy_Foundation/hermes-agent
15
0
Fork 0
Code Issues 257 Pull Requests 35 Actions 4 Packages Projects Releases Wiki Activity

fix: review fixes — path traversal guard, trust_style consistency, edge cases

Browse Source 
Address code review findings:

Security (Medium):
- Path traversal guard in OptionalSkillSource.fetch() — resolve() and
  validate that the path stays within optional-skills/ before reading

Bug fixes (Medium):
- Add 'builtin' to trust_style dicts in do_inspect() and
  _resolve_short_name() — official skills now show bright_cyan 'official'
  label consistently across all display functions (5/5 dicts fixed)

Edge cases (Low):
- Clamp page_size to [1, 100] in do_browse() to prevent ZeroDivisionError
- Update SkillMeta.source docstring to include 'official'
- Add browse command to optional-skills/DESCRIPTION.md
This commit is contained in:
teknium1
2026-03-06 01:40:01 -08:00
parent ec0fe3242a
commit f6f3d1de9b
3 changed files with 25 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
optional-skills/DESCRIPTION.md
View File

@@ -6,8 +6,10 @@ These skills ship with the hermes-agent repository but are not copied to
`~/.hermes/skills/` during setup. They are discoverable via the Skills Hub:
```bash
hermes skills search <query> # finds optional skills labeled "official"
hermes skills install <identifier> # copies to ~/.hermes/skills/ and activates
hermes skills browse # browse all skills, official shown first
hermes skills browse --source official # browse only official optional skills
hermes skills search <query> # finds optional skills labeled "official"
hermes skills install <identifier> # copies to ~/.hermes/skills/ and activates
```
## Why optional?