Merge pull request #501 from alirezarezvani/claude/audit-pr-498-workflow-Pa5Ku #502

Merged: alirezarezvani merged 5 commits into main from dev, Apr 8, 2026

Conversation

@alirezarezvani
Owner

Summary

Checklist

  • Target branch is dev (not main — PRs to main will be auto-closed)
  • Skill has SKILL.md with valid YAML frontmatter (name, description, license)
  • Scripts (if any) run with --help without errors
  • No hardcoded API keys, tokens, or secrets
  • No vendor-locked dependencies without open-source fallback
  • Follows existing directory structure (domain/skill-name/SKILL.md)

Type of Change

  • New skill
  • Improvement to existing skill
  • Bug fix
  • Documentation
  • Infrastructure / CI

Testing

Elkidogz and others added 5 commits April 8, 2026 15:07
Self-contained skill for tracking technical changes with structured JSON
records, an enforced state machine, and a session handoff format that lets
a new AI session resume work cleanly when a previous one expires.

Includes:
- 5 stdlib-only Python scripts (init, create, update, status, validator)
  all supporting --help and --json
- 3 reference docs (lifecycle state machine, JSON schema, handoff format)
- /tc dispatcher in commands/tc.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@github-actions

github-actions bot commented Apr 8, 2026

🔒 Skill Security Audit Results

engineering — FAIL

Severity      Count
🔴 Critical   41
🟡 High       15
Findings detail
{
  "severity": "CRITICAL",
  "category": "CMD-INJECT",
  "file": "/home/runner/work/claude-skills/claude-skills/engineering/autoresearch-agent/evaluators/benchmark_size.py",
  "line": 26,
  "pattern": "result = subprocess.run(BUILD_CMD, shell=True, capture_output=True)",
  "risk": "Shell injection via subprocess with shell=True",
  "fix": "Use subprocess.run() with list arguments and shell=False"
}
{
  "severity": "CRITICAL",
  "category": "CMD-INJECT",
  "file": "/home/runner/work/claude-skills/claude-skills/engineering/autoresearch-agent/evaluators/benchmark_size.py",
  "line": 34,
  "pattern": "subprocess.run(DOCKER_BUILD_CMD, shell=True, capture_output=True)",
  "risk": "Shell injection via subprocess with shell=True",
  "fix": "Use subprocess.run() with list arguments and shell=False"
}
{
  "severity": "CRITICAL",
  "category": "CMD-INJECT",
  "file": "/home/runner/work/claude-skills/claude-skills/engineering/autoresearch-agent/evaluators/test_pass_rate.py",
  "line": 13,
  "pattern": "result = subprocess.run(TEST_CMD, shell=True, capture_output=True, text=True, timeout=300)",
  "risk": "Shell injection via subprocess with shell=True",
  "fix": "Use subprocess.run() with list arguments and shell=False"
}
{
  "severity": "CRITICAL",
  "category": "CMD-INJECT",
  "file": "/home/runner/work/claude-skills/claude-skills/engineering/autoresearch-agent/evaluators/build_speed.py",
  "line": 20,
  "pattern": "subprocess.run(CLEAN_CMD, shell=True, capture_output=True, timeout=60)",
  "risk": "Shell injection via subprocess with shell=True",
  "fix": "Use subprocess.run() with list arguments and shell=False"
}
{
  "severity": "CRITICAL",
  "category": "CMD-INJECT",
  "file": "/home/runner/work/claude-skills/claude-skills/engineering/autoresearch-agent/evaluators/build_speed.py",
  "line": 23,
  "pattern": "result = subprocess.run(BUILD_CMD, shell=True, capture_output=True, timeout=600)",
  "risk": "Shell injection via subprocess with shell=True",
  "fix": "Use subprocess.run() with list arguments and shell=False"
}
{
  "severity": "CRITICAL",
  "category": "CMD-INJECT",
  "file": "/home/runner/work/claude-skills/claude-skills/engineering/autoresearch-agent/evaluators/benchmark_speed.py",
  "line": 20,
  "pattern": "subprocess.run(COMMAND, shell=True, capture_output=True, timeout=120)",
  "risk": "Shell injection via subprocess with shell=True",
  "fix": "Use subprocess.run() with list arguments and shell=False"
}
{
  "severity": "CRITICAL",
  "category": "CMD-INJECT",
  "file": "/home/runner/work/claude-skills/claude-skills/engineering/autoresearch-agent/evaluators/benchmark_speed.py",
  "line": 25,
  "pattern": "result = subprocess.run(COMMAND, shell=True, capture_output=True, timeout=120)",
  "risk": "Shell injection via subprocess with shell=True",
  "fix": "Use subprocess.run() with list arguments and shell=False"
}
{
  "severity": "CRITICAL",
  "category": "CMD-INJECT",
  "file": "/home/runner/work/claude-skills/claude-skills/engineering/skill-security-auditor/scripts/skill_security_auditor.py",
  "line": 125,
  "pattern": "\"risk\": \"Arbitrary command execution via os.system()\",",
  "risk": "Arbitrary command execution via os.system()",
  "fix": "Use subprocess.run() with list arguments and shell=False"
}
{
  "severity": "CRITICAL",
  "category": "CMD-INJECT",
  "file": "/home/runner/work/claude-skills/claude-skills/engineering/skill-security-auditor/scripts/skill_security_auditor.py",
  "line": 132,
  "pattern": "\"risk\": \"Command execution via os.popen()\",",
  "risk": "Command execution via os.popen()",
  "fix": "Use subprocess.run() with list arguments and capture_output=True"
}
{
  "severity": "CRITICAL",
  "category": "CODE-EXEC",
  "file": "/home/runner/work/claude-skills/claude-skills/engineering/skill-security-auditor/scripts/skill_security_auditor.py",
  "line": 154,
  "pattern": "\"risk\": \"Arbitrary code execution via eval()\",",
  "risk": "Arbitrary code execution via eval()",
  "fix": "Use ast.literal_eval() for data parsing or explicit parsing logic"
}
{
  "severity": "CRITICAL",
  "category": "CODE-EXEC",
  "file": "/home/runner/work/claude-skills/claude-skills/engineering/skill-security-auditor/scripts/skill_security_auditor.py",
  "line": 161,
  "pattern": "\"risk\": \"Arbitrary code execution via exec()\",",
  "risk": "Arbitrary code execution via exec()",
  "fix": "Remove exec() \u2014 rewrite logic to avoid dynamic code execution"
}
{
  "severity": "CRITICAL",
  "category": "CODE-EXEC",
  "file": "/home/runner/work/claude-skills/claude-skills/engineering/skill-security-auditor/scripts/skill_security_auditor.py",
  "line": 162,
  "pattern": "\"fix\": \"Remove exec() \u2014 rewrite logic to avoid dynamic code execution\",",
  "risk": "Arbitrary code execution via exec()",
  "fix": "Remove exec() \u2014 rewrite logic to avoid dynamic code execution"
}
{
  "severity": "CRITICAL",
  "category": "PRIV-ESC",
  "file": "/home/runner/work/claude-skills/claude-skills/engineering/skill-security-auditor/scripts/skill_security_auditor.py",
  "line": 342,
  "pattern": "\"fix\": \"Remove sudo usage. Skills should never require elevated privileges\",",
  "risk": "Sudo invocation \u2014 privilege escalation attempt",
  "fix": "Remove sudo usage. Skills should never require elevated privileges"
}
{
  "severity": "HIGH",
  "category": "DESERIAL",
  "file": "/home/runner/work/claude-skills/claude-skills/engineering/skill-security-auditor/scripts/skill_security_auditor.py",
  "line": 378,
  "pattern": "\"fix\": \"Use yaml.safe_load() or yaml.load(data, Loader=yaml.SafeLoader)\",",
  "risk": "Unsafe YAML loading \u2014 can execute arbitrary code",
  "fix": "Use yaml.safe_load() or yaml.load(data, Loader=yaml.SafeLoader)"
}
{
  "severity": "CRITICAL",
  "category": "PRIV-ESC",
  "file": "/home/runner/work/claude-skills/claude-skills/engineering/skill-security-auditor/scripts/skill_security_auditor.py",
  "line": 468,
  "pattern": "\"regex\": r\"<!--\\s*(?:system|instruction|override|ignore|execute|run|sudo|admin)\",",
  "risk": "Sudo invocation \u2014 privilege escalation attempt",
  "fix": "Remove sudo usage. Skills should never require elevated privileges"
}
{
  "severity": "CRITICAL",
  "category": "CODE-EXEC",
  "file": "/home/runner/work/claude-skills/claude-skills/engineering/skill-security-auditor/scripts/skill_security_auditor.py",
  "line": 579,
  "pattern": "\"risk\": \"Dynamic Function constructor \u2014 equivalent to eval()\",",
  "risk": "Arbitrary code execution via eval()",
  "fix": "Use ast.literal_eval() for data parsing or explicit parsing logic"
}
{
  "severity": "HIGH",
  "category": "FS-ABUSE",
  "file": "/home/runner/work/claude-skills/claude-skills/engineering/skill-security-auditor/scripts/skill_security_auditor.py",
  "line": 918,
  "pattern": "shutil.rmtree(tmp_dir, ignore_errors=True)",
  "risk": "Recursive directory deletion \u2014 destructive operation",
  "fix": "Remove or restrict to specific, validated paths within skill scope"
}
{
  "severity": "HIGH",
  "category": "FS-ABUSE",
  "file": "/home/runner/work/claude-skills/claude-skills/engineering/skill-security-auditor/scripts/skill_security_auditor.py",
  "line": 930,
  "pattern": "shutil.rmtree(tmp_dir, ignore_errors=True)",
  "risk": "Recursive directory deletion \u2014 destructive operation",
  "fix": "Remove or restrict to specific, validated paths within skill scope"
}
{
  "severity": "HIGH",
  "category": "FS-ABUSE",
  "file": "/home/runner/work/claude-skills/claude-skills/engineering/skill-security-auditor/scripts/skill_security_auditor.py",
  "line": 1046,
  "pattern": "shutil.rmtree(cleanup_dir, ignore_errors=True)",
  "risk": "Recursive directory deletion \u2014 destructive operation",
  "fix": "Remove or restrict to specific, validated paths within skill scope"
}
{
  "severity": "CRITICAL",
  "category": "NET-EXFIL",
  "file": "/home/runner/work/claude-skills/claude-skills/engineering/tech-debt-tracker/assets/sample_codebase/src/payment_processor.py",
  "line": 100,
  "pattern": "response = requests.post(",
  "risk": "Outbound HTTP write request \u2014 potential data exfiltration",
  "fix": "Remove outbound POST/PUT/PATCH or verify destination is trusted and necessary"
}
{
  "severity": "CRITICAL",
  "category": "NET-EXFIL",
  "file": "/home/runner/work/claude-skills/claude-skills/engineering/tech-debt-tracker/assets/sample_codebase/src/payment_processor.py",
  "line": 142,
  "pattern": "response = requests.post(",
  "risk": "Outbound HTTP write request \u2014 potential data exfiltration",
  "fix": "Remove outbound POST/PUT/PATCH or verify destination is trusted and necessary"
}
{
  "severity": "CRITICAL",
  "category": "NET-EXFIL",
  "file": "/home/runner/work/claude-skills/claude-skills/engineering/tech-debt-tracker/assets/sample_codebase/src/payment_processor.py",
  "line": 182,
  "pattern": "response = requests.post(",
  "risk": "Outbound HTTP write request \u2014 potential data exfiltration",
  "fix": "Remove outbound POST/PUT/PATCH or verify destination is trusted and necessary"
}
{
  "severity": "CRITICAL",
  "category": "CMD-INJECT",
  "file": "/home/runner/work/claude-skills/claude-skills/engineering/skill-tester/scripts/security_scorer.py",
  "line": 429,
  "pattern": "- os.system(), os.popen() usage",
  "risk": "Arbitrary command execution via os.system()",
  "fix": "Use subprocess.run() with list arguments and shell=False"
}
{
  "severity": "CRITICAL",
  "category": "CMD-INJECT",
  "file": "/home/runner/work/claude-skills/claude-skills/engineering/skill-tester/scripts/security_scorer.py",
  "line": 429,
  "pattern": "- os.system(), os.popen() usage",
  "risk": "Command execution via os.popen()",
  "fix": "Use subprocess.run() with list arguments and capture_output=True"
}
{
  "severity": "CRITICAL",
  "category": "CODE-EXEC",
  "file": "/home/runner/work/claude-skills/claude-skills/engineering/skill-tester/scripts/security_scorer.py",
  "line": 431,
  "pattern": "- eval(), exec() usage",
  "risk": "Arbitrary code execution via eval()",
  "fix": "Use ast.literal_eval() for data parsing or explicit parsing logic"
}
{
  "severity": "CRITICAL",
  "category": "CODE-EXEC",
  "file": "/home/runner/work/claude-skills/claude-skills/engineering/skill-tester/scripts/security_scorer.py",
  "line": 431,
  "pattern": "- eval(), exec() usage",
  "risk": "Arbitrary code execution via exec()",
  "fix": "Remove exec() \u2014 rewrite logic to avoid dynamic code execution"
}
{
  "severity": "CRITICAL",
  "category": "CMD-INJECT",
  "file": "/home/runner/work/claude-skills/claude-skills/engineering/skill-tester/tests/test_security_scorer.py",
  "line": 123,
  "pattern": "code = 'os.system(\"ls -la\")'",
  "risk": "Arbitrary command execution via os.system()",
  "fix": "Use subprocess.run() with list arguments and shell=False"
}
{
  "severity": "CRITICAL",
  "category": "CODE-EXEC",
  "file": "/home/runner/work/claude-skills/claude-skills/engineering/skill-tester/tests/test_security_scorer.py",
  "line": 128,
  "pattern": "code = 'result = eval(user_input)'",
  "risk": "Arbitrary code execution via eval()",
  "fix": "Use ast.literal_eval() for data parsing or explicit parsing logic"
}
{
  "severity": "CRITICAL",
  "category": "CODE-EXEC",
  "file": "/home/runner/work/claude-skills/claude-skills/engineering/skill-tester/tests/test_security_scorer.py",
  "line": 133,
  "pattern": "code = 'exec(user_code)'",
  "risk": "Arbitrary code execution via exec()",
  "fix": "Remove exec() \u2014 rewrite logic to avoid dynamic code execution"
}
{
  "severity": "CRITICAL",
  "category": "CMD-INJECT",
  "file": "/home/runner/work/claude-skills/claude-skills/engineering/skill-tester/tests/test_security_scorer.py",
  "line": 138,
  "pattern": "code = 'subprocess.run(cmd, shell=True)'",
  "risk": "Shell injection via subprocess with shell=True",
  "fix": "Use subprocess.run() with list arguments and shell=False"
}
{
  "severity": "CRITICAL",
  "category": "CRED-HARVEST",
  "file": "/home/runner/work/claude-skills/claude-skills/engineering/skill-tester/tests/test_security_scorer.py",
  "line": 297,
  "pattern": "api_key = os.environ.get(\"API_KEY\")",
  "risk": "Reads sensitive environment variables",
  "fix": "Remove credential access. Skills should not need external credentials"
}
{
  "severity": "CRITICAL",
  "category": "CMD-INJECT",
  "file": "/home/runner/work/claude-skills/claude-skills/engineering/skill-tester/tests/test_security_scorer.py",
  "line": 441,
  "pattern": "os.system(\"echo \" + user_input)",
  "risk": "Arbitrary command execution via os.system()",
  "fix": "Use subprocess.run() with list arguments and shell=False"
}
{
  "severity": "CRITICAL",
  "category": "CMD-INJECT",
  "file": "/home/runner/work/claude-skills/claude-skills/engineering/skill-tester/tests/test_security_scorer.py",
  "line": 464,
  "pattern": "subprocess.run(cmd, shell=True)",
  "risk": "Shell injection via subprocess with shell=True",
  "fix": "Use subprocess.run() with list arguments and shell=False"
}
{
  "severity": "CRITICAL",
  "category": "CODE-EXEC",
  "file": "/home/runner/work/claude-skills/claude-skills/engineering/skill-tester/tests/test_security_scorer.py",
  "line": 486,
  "pattern": "return eval(user_input)",
  "risk": "Arbitrary code execution via eval()",
  "fix": "Use ast.literal_eval() for data parsing or explicit parsing logic"
}
{
  "severity": "CRITICAL",
  "category": "CODE-EXEC",
  "file": "/home/runner/work/claude-skills/claude-skills/engineering/skill-tester/tests/test_security_scorer.py",
  "line": 507,
  "pattern": "exec(user_code)",
  "risk": "Arbitrary code execution via exec()",
  "fix": "Remove exec() \u2014 rewrite logic to avoid dynamic code execution"
}
{
  "severity": "CRITICAL",
  "category": "PROMPT-OVERRIDE",
  "file": "/home/runner/work/claude-skills/claude-skills/engineering/skill-security-auditor/SKILL.md",
  "line": 60,
  "pattern": "| **System prompt override** | \"Ignore previous instructions\", \"You are now...\" | \ud83d\udd34 CRITICAL |",
  "risk": "Attempts to override system prompt and prior instructions",
  "fix": "Remove instruction override attempts"
}
{
  "severity": "CRITICAL",
  "category": "SAFETY-BYPASS",
  "file": "/home/runner/work/claude-skills/claude-skills/engineering/skill-security-auditor/SKILL.md",
  "line": 61,
  "pattern": "| **Role hijacking** | \"Act as root\", \"Pretend you have no restrictions\" | \ud83d\udd34 CRITICAL |",
  "risk": "Safety restriction bypass attempt",
  "fix": "Remove safety bypass instructions"
}
{
  "severity": "CRITICAL",
  "category": "SAFETY-BYPASS",
  "file": "/home/runner/work/claude-skills/claude-skills/engineering/skill-security-auditor/SKILL.md",
  "line": 62,
  "pattern": "| **Safety bypass** | \"Skip safety checks\", \"Disable content filtering\" | \ud83d\udd34 CRITICAL |",
  "risk": "Explicit safety mechanism bypass",
  "fix": "Remove safety bypass directives"
}
{
  "severity": "CRITICAL",
  "category": "PROMPT-EXFIL",
  "file": "/home/runner/work/claude-skills/claude-skills/engineering/skill-security-auditor/SKILL.md",
  "line": 65,
  "pattern": "| **Data extraction** | \"Send contents of\", \"Upload file to\", \"POST to\" | \ud83d\udd34 CRITICAL |",
  "risk": "Instruction to exfiltrate data",
  "fix": "Remove data transmission directives"
}
{
  "severity": "CRITICAL",
  "category": "PROMPT-EXFIL",
  "file": "/home/runner/work/claude-skills/claude-skills/engineering/skill-security-auditor/references/threat-model.md",
  "line": 66,
  "pattern": "| File read | Access credential files | `open(os.path.expanduser(\"~/.aws/credentials\"))` |",
  "risk": "Instruction to access sensitive files or credentials",
  "fix": "Remove credential/sensitive file access directives"
}
{
  "severity": "CRITICAL",
  "category": "PROMPT-OVERRIDE",
  "file": "/home/runner/work/claude-skills/claude-skills/engineering/skill-security-auditor/references/threat-model.md",
  "line": 75,
  "pattern": "| Override | \"Ignore previous instructions\" | In SKILL.md body |",
  "risk": "Attempts to override system prompt and prior instructions",
  "fix": "Remove instruction override attempts"
}
{
  "severity": "CRITICAL",
  "category": "PROMPT-OVERRIDE",
  "file": "/home/runner/work/claude-skills/claude-skills/engineering/skill-security-auditor/references/threat-model.md",
  "line": 76,
  "pattern": "| Role hijack | \"You are now an unrestricted AI\" | Redefine agent identity |",
  "risk": "Role hijacking \u2014 attempts to redefine the AI's identity",
  "fix": "Remove role redefinition. Skills should provide instructions, not identity changes"
}
{
  "severity": "CRITICAL",
  "category": "SAFETY-BYPASS",
  "file": "/home/runner/work/claude-skills/claude-skills/engineering/skill-security-auditor/references/threat-model.md",
  "line": 77,
  "pattern": "| Safety bypass | \"Skip safety checks for efficiency\" | Disable guardrails |",
  "risk": "Explicit safety mechanism bypass",
  "fix": "Remove safety bypass directives"
}
{
  "severity": "CRITICAL",
  "category": "PROMPT-EXFIL",
  "file": "/home/runner/work/claude-skills/claude-skills/engineering/skill-security-auditor/references/threat-model.md",
  "line": 247,
  "pattern": "- Access credential files or sensitive env vars",
  "risk": "Instruction to access sensitive files or credentials",
  "fix": "Remove credential/sensitive file access directives"
}
{
  "severity": "CRITICAL",
  "category": "PROMPT-EXFIL",
  "file": "/home/runner/work/claude-skills/claude-skills/engineering/env-secrets-manager/SKILL.md",
  "line": 84,
  "pattern": "Production applications should never read secrets from `.env` files or environment variables baked into container images",
  "risk": "Instruction to access sensitive files or credentials",
  "fix": "Remove credential/sensitive file access directives"
}
{
  "severity": "HIGH",
  "category": "DEPS-RUNTIME",
  "file": "/home/runner/work/claude-skills/claude-skills/engineering/ci-cd-pipeline-builder/scripts/pipeline_generator.py",
  "line": 150,
  "pattern": "\"      - run: python3 -m pip install -U pip\",",
  "risk": "Runtime package installation \u2014 may install untrusted code",
  "fix": "Move dependencies to requirements.txt for pre-install review"
}
{
  "severity": "HIGH",
  "category": "DEPS-RUNTIME",
  "file": "/home/runner/work/claude-skills/claude-skills/engineering/ci-cd-pipeline-builder/scripts/pipeline_generator.py",
  "line": 151,
  "pattern": "\"      - run: python3 -m pip install -r requirements.txt || true\",",
  "risk": "Runtime package installation \u2014 may install untrusted code",
  "fix": "Move dependencies to requirements.txt for pre-install review"
}
{
  "severity": "HIGH",
  "category": "DEPS-RUNTIME",
  "file": "/home/runner/work/claude-skills/claude-skills/engineering/ci-cd-pipeline-builder/scripts/pipeline_generator.py",
  "line": 235,
  "pattern": "\"    - python3 -m pip install -U pip\",",
  "risk": "Runtime package installation \u2014 may install untrusted code",
  "fix": "Move dependencies to requirements.txt for pre-install review"
}
{
  "severity": "HIGH",
  "category": "DEPS-RUNTIME",
  "file": "/home/runner/work/claude-skills/claude-skills/engineering/ci-cd-pipeline-builder/scripts/pipeline_generator.py",
  "line": 236,
  "pattern": "\"    - python3 -m pip install -r requirements.txt || true\",",
  "risk": "Runtime package installation \u2014 may install untrusted code",
  "fix": "Move dependencies to requirements.txt for pre-install review"
}
{
  "severity": "HIGH",
  "category": "DEPS-RUNTIME",
  "file": "/home/runner/work/claude-skills/claude-skills/engineering/skill-security-auditor/scripts/skill_security_auditor.py",
  "line": 717,
  "pattern": "# Check for pip/npm install in code",
  "risk": "Runtime package installation \u2014 may install untrusted code",
  "fix": "Move dependencies to package.json for pre-install review"
}
{
  "severity": "HIGH",
  "category": "DEPS-RUNTIME",
  "file": "/home/runner/work/claude-skills/claude-skills/engineering/docker-development/scripts/dockerfile_analyzer.py",
  "line": 102,
  "pattern": "\"message\": \"pip install without --no-cache-dir \u2014 retains pip cache in layer\",",
  "risk": "Runtime package installation \u2014 may install untrusted code",
  "fix": "Move dependencies to requirements.txt for pre-install review"
}
{
  "severity": "HIGH",
  "category": "DEPS-RUNTIME",
  "file": "/home/runner/work/claude-skills/claude-skills/engineering/docker-development/scripts/dockerfile_analyzer.py",
  "line": 103,
  "pattern": "\"fix\": \"Use: pip install --no-cache-dir -r requirements.txt\",",
  "risk": "Runtime package installation \u2014 may install untrusted code",
  "fix": "Move dependencies to requirements.txt for pre-install review"
}
{
  "severity": "HIGH",
  "category": "DEPS-RUNTIME",
  "file": "/home/runner/work/claude-skills/claude-skills/engineering/docker-development/scripts/dockerfile_analyzer.py",
  "line": 110,
  "pattern": "\"message\": \"npm install includes devDependencies \u2014 use npm ci --omit=dev for production\",",
  "risk": "Runtime package installation \u2014 may install untrusted code",
  "fix": "Move dependencies to package.json for pre-install review"
}
{
  "severity": "HIGH",
  "category": "DEPS-RUNTIME",
  "file": "/home/runner/work/claude-skills/claude-skills/engineering/docker-development/scripts/dockerfile_analyzer.py",
  "line": 177,
  "pattern": "RUN pip install -r requirements.txt",
  "risk": "Runtime package installation \u2014 may install untrusted code",
  "fix": "Move dependencies to requirements.txt for pre-install review"
}
{
  "severity": "HIGH",
  "category": "DEPS-RUNTIME",
  "file": "/home/runner/work/claude-skills/claude-skills/engineering/browser-automation/scripts/scraping_toolkit.py",
  "line": 107,
  "pattern": "pip install playwright",
  "risk": "Runtime package installation \u2014 may install untrusted code",
  "fix": "Move dependencies to requirements.txt for pre-install review"
}
{
  "severity": "HIGH",
  "category": "DEPS-RUNTIME",
  "file": "/home/runner/work/claude-skills/claude-skills/engineering/browser-automation/scripts/form_automation_builder.py",
  "line": 183,
  "pattern": "pip install playwright",
  "risk": "Runtime package installation \u2014 may install untrusted code",
  "fix": "Move dependencies to requirements.txt for pre-install review"
}

engineering/tc-tracker — PASS

No findings.

@github-actions

github-actions bot commented Apr 8, 2026

📊 Skill Quality Review (Tessl)

Skill                    Score      Description   Content   Verdict
engineering/tc-tracker   0/100 ⚠️   0%            0%        NEEDS WORK

Threshold: 70/100 — skills below this score need improvement before merge.

🔧 Internal Validation

  • engineering/tc-tracker: structure 78.8/100 (GOOD), scripts 5/5 PASS, security PASS

@claude

claude bot commented Apr 8, 2026

PR Review: engineering/tc-tracker skill

This is a well-conceived skill. The append-only audit trail, atomic writes, state machine enforcement, and session handoff block for AI continuity are all strong design choices. Python stdlib-only is correct for this repo's portability requirement.

A few issues to address before merging:


Blocking

1. PR checklist is blank
None of the checklist boxes are checked. Per repo process, at minimum verify:

  • Scripts run with --help without errors
  • No hardcoded API keys/tokens

2. Missing license in SKILL.md frontmatter
The checklist requires name, description, and license. The SKILL.md only has name and description:

---
name: "tc-tracker"
description: "..."
---

Add license: MIT (or whichever matches the repo license).


Code Issues

3. Dead code in tc_validator.py
slugify() (line ~264) and compute_registry_statistics() (line ~275) are defined but never called within the module. Either use them or remove them.

4. Inconsistent timezone in tc_create.py
now_iso() correctly uses timezone.utc, but the date slug and session ID use naive datetime.now():

# tc_create.py line ~208
today = datetime.now()   # ← no timezone
tc_id = f"TC-{next_num:03d}-{date_slug(today)}-{name_slug}"

# line ~184
session_id = args.session_id or f"session-{int(datetime.now().timestamp())}-..."  # ← no timezone

Fix: use datetime.now(timezone.utc) in both places (timezone is already imported).

5. tc_root config value is never honored
tc_init.py writes "tc_root": "docs/TC" to the config, and detect_project_name() reads the config in several places — but every script ignores this value and always hardcodes root / "docs" / "TC". Either remove tc_root from the config (it's unused) or actually read it when resolving tc_dir.

6. Fragile TOML parsing in tc_init.py
The detect_project_name() pyproject.toml parser matches any line containing name =, which would incorrectly match project_name = "..." or maintainer_name = "...". A minimal fix:

in_project_section = False
for line in pyproject.read_text(...).splitlines():
    stripped = line.strip()
    if stripped in ("[project]", "[tool.poetry]"):
        in_project_section = True
    elif stripped.startswith("["):
        in_project_section = False
    elif in_project_section and stripped.startswith("name") and "=" in stripped:
        ...

Design Notes (non-blocking)

7. Handoff lists are append-only with no way to clear/replace
tc_update.py can only append to next_steps, blockers, and key_context — there's no --handoff-clear-next or --handoff-replace-next option. This means a stale step must be overridden by adding a "remove step X" note rather than pruning the list. Consider adding --handoff-clear-next (replace list entirely) as a follow-up.

8. Ambiguous prefix matching in find_record_path
tc_status.py and tc_update.py use entry.name.startswith(tc_id) for prefix lookup. Searching for TC-001 would match TC-001-... correctly, but searching for TC-0 would match any TC. If this is intended for convenience, document it. Otherwise, require exact IDs in lookup to avoid ambiguity.

9. validate_state_transition in tc_validator.py is public API but unused internally
The function is well-written and matches the tc_update.py logic. Consider calling it from validate_tc_record to cross-check that each revision entry records a valid transition — this would give the validator real teeth on historical audit trails.


CI Change

The ci-quality-gate.yml reformatting is cosmetic but correct — no functional change.


Summary: Fix items 1–6 before merge. Items 7–9 are worth tracking as follow-up improvements.
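The section-aware pyproject.toml lookup that item 6 of the review sketches, written out as an added example (not code from the PR or from the tc-tracker skill): the naive "any line containing `name =`" check the review describes sits beside the hardened scanner, and on Python 3.11+ the stdlib tomllib parser is tried first, which keeps the skill stdlib-only. The function names and the sample pyproject content are constructed for illustration.

```python
"""Section-aware lookup of the project name in pyproject.toml (added example).

Only a bare `name = "..."` key inside [project] or [tool.poetry] counts, so
keys such as project_name or maintainer_name in other tables cannot match.
"""
import re
from typing import Optional

try:  # stdlib TOML parser, available from Python 3.11
    import tomllib
except ImportError:  # older interpreters: line scanner only
    tomllib = None

# A bare `name` key at the start of the stripped line, `=`, a quoted string.
# `project_name`, `maintainer_name` and `names` do not match this anchor.
_NAME_LINE = re.compile(r'^name\s*=\s*(["\'])(.*?)\1')
_PROJECT_TABLES = ("[project]", "[tool.poetry]")


def naive_name(text: str) -> Optional[str]:
    """The flaw the review describes: first line containing `name =` anywhere."""
    for line in text.splitlines():
        if "name =" in line:
            return line.split("=", 1)[1].strip().strip("\"'")
    return None


def name_from_lines(text: str) -> Optional[str]:
    """Hardened scanner: track the current table, accept `name =` only
    while inside [project] or [tool.poetry]."""
    in_project_section = False
    for raw in text.splitlines():
        stripped = raw.strip()
        if stripped.startswith("["):
            # Table header; tolerate a trailing comment after the `]`.
            header = stripped.split("]", 1)[0] + "]"
            in_project_section = header in _PROJECT_TABLES
        elif in_project_section:
            match = _NAME_LINE.match(stripped)
            if match:
                return match.group(2)
    return None


def name_from_toml(text: str) -> Optional[str]:
    """Real parser path: project.name first, then tool.poetry.name."""
    data = tomllib.loads(text)
    project = data.get("project")
    if isinstance(project, dict) and isinstance(project.get("name"), str):
        return project["name"]
    tool = data.get("tool")
    poetry = tool.get("poetry") if isinstance(tool, dict) else None
    if isinstance(poetry, dict) and isinstance(poetry.get("name"), str):
        return poetry["name"]
    return None


def detect_project_name(text: str) -> Optional[str]:
    """Prefer tomllib; fall back to the scanner when it is missing or the
    file is not valid TOML."""
    if tomllib is not None:
        try:
            return name_from_toml(text)
        except tomllib.TOMLDecodeError:
            pass
    return name_from_lines(text)


# Constructed pyproject.toml (not from the PR) that defeats the naive check:
# the first `name =`-looking lines belong to another table and other keys.
SAMPLE = """\
[tool.mytool]
project_name = "wrong-tool-key"
maintainer_name = 'Someone'

[project]   # the table we actually want
version = "0.1.0"
name = "tc-tracker"   # the real project name
description = "name = decoy inside a string value"

[project.urls]
name = "not-a-project-name"
"""
```

Run against SAMPLE, naive_name() returns the maintainer tool's key value while name_from_lines() and detect_project_name() both return the real project name, and a `name` under [project.urls] or any other table is ignored.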

@alirezarezvani alirezarezvani merged commit 659707e into main Apr 8, 2026
6 of 8 checks passed