mirror of
https://github.com/NanmiCoder/cc-haha
synced 2026-07-15 12:53:31 +08:00
fix: tighten skill risk key detection
This commit is contained in:
parent
000738442d
commit
d24f0f4bda
@ -715,6 +715,20 @@ describe('skill market risk analysis', () => {
|
||||
expect(risk).toEqual(['requires-api-key'])
|
||||
})
|
||||
|
||||
it('does not treat similarly named fields as allowed tools or hooks', () => {
|
||||
const risk = analyzeSkillRisk({
|
||||
entryContent: [
|
||||
'---',
|
||||
'disallowed-tools: Bash',
|
||||
'webhooks: https://example.com/callback',
|
||||
'---',
|
||||
].join('\n'),
|
||||
files: [],
|
||||
})
|
||||
|
||||
expect(risk).toEqual(['external-network'])
|
||||
})
|
||||
|
||||
it('returns an empty array when no conservative risks are detected', () => {
|
||||
const risk = analyzeSkillRisk({
|
||||
entryContent: 'A local-only skill with no special permissions.',
|
||||
|
||||
@ -11,6 +11,8 @@ const RISK_LABEL_ORDER: SkillMarketRiskLabel[] = [
|
||||
|
||||
const EXECUTABLE_EXTENSION = /\.(sh|bash|zsh|fish|ps1|cmd|bat|py|js|ts)$/i
|
||||
const API_KEYWORD = /api[\s_-]?key|token|secret/i
|
||||
const ALLOWED_TOOLS_KEY = /^\s*allowed-tools\s*:/m
|
||||
const HOOKS_KEY = /^\s*hooks\s*:/m
|
||||
|
||||
export function analyzeSkillRisk(input: {
|
||||
entryContent?: string
|
||||
@ -19,13 +21,12 @@ export function analyzeSkillRisk(input: {
|
||||
}): SkillMarketRiskLabel[] {
|
||||
const labels = new Set<SkillMarketRiskLabel>()
|
||||
const entryContent = input.entryContent ?? ''
|
||||
const entryLines = entryContent.split(/\r?\n/)
|
||||
|
||||
if (entryLines.some((line) => line.includes('allowed-tools:'))) {
|
||||
if (ALLOWED_TOOLS_KEY.test(entryContent)) {
|
||||
labels.add('allowed-tools')
|
||||
}
|
||||
|
||||
if (entryLines.some((line) => line.includes('hooks:'))) {
|
||||
if (HOOKS_KEY.test(entryContent)) {
|
||||
labels.add('hooks')
|
||||
}
|
||||
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user