haitham/claw3d
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(security): close remaining path validation gaps (#77)

Browse Source 
Harden the SSH agent-state and skill-removal paths to match the local security model, and avoid rejecting valid local workspace skill removals.

Made-with: Cursor

Co-authored-by: iamlukethedev <lucas.guilherme@smartwayslfl.com>
This commit is contained in:
Luke The Dev
2026-03-27 22:21:41 -05:00
committed by GitHub
parent e0eb73111b
commit c3556d2daa
10 changed files with 69 additions and 21 deletions
Download Patch File Download Diff File Expand all files Collapse all files
tests/unit/skillsRemoveLocal.test.ts
+10 -1
View File
@@ -2,14 +2,23 @@ import fs from "node:fs";
import os from "node:os";
import path from "node:path";
import { describe, expect, it } from "vitest";
import { afterEach, describe, expect, it } from "vitest";
import { removeSkillLocally } from "@/lib/skills/remove-local";
const mkTmpDir = () => fs.mkdtempSync(path.join(os.tmpdir(), "claw3d-skill-remove-"));
describe("skills remove local", () => {
const originalStateDir = process.env.OPENCLAW_STATE_DIR;
afterEach(() => {
if (originalStateDir === undefined) delete process.env.OPENCLAW_STATE_DIR;
else process.env.OPENCLAW_STATE_DIR = originalStateDir;
});
it("removes a workspace skill directory", () => {
process.env.OPENCLAW_STATE_DIR = mkTmpDir();
const workspaceDir = mkTmpDir();
const managedSkillsDir = mkTmpDir();
const skillDir = path.join(workspaceDir, "skills", "github");