[SECURITY] No integrity verification for GitHub skill downloads (supply chain risk)

[FZ2000]

Severity: P2

Summary

apc install owner/repo --skill foo fetches SKILL.md from GitHub over HTTPS but performs no integrity verification (checksum, signature, or commit pinning). A supply chain attack on the source GitHub repository would silently install malicious skill content to all AI tools on the machine.

Affected Code

src/skills.py — fetch_skill_from_repo():

resp = httpx.get(url, follow_redirects=True, timeout=15)
# ... parses and saves without any hash check

Attack Scenario

1. Attacker gains write access to a popular skills repo (e.g. via compromised maintainer account, dependency confusion, or social engineering)
2. Attacker modifies skills/foo/SKILL.md to contain prompt injection payloads
3. Users running apc install owner/repo --skill foo install the malicious skill silently
4. Next time the AI tool reads its config, the injected instructions execute

Impact

• Silent installation of prompt injection payloads into AI tool configs
• No warning or verification step warns the user about content change
• Malicious skills could instruct the AI to exfiltrate data, run dangerous commands, etc.

Recommended Mitigations

1. Commit pinning: Support apc install owner/repo@<sha> --skill foo to pin to a specific commit hash
2. Checksum manifest: Skills repos can publish a checksums.json listing SHA256 hashes per skill; apc install can verify before writing
3. Content preview: Before installing, show the skill content diff and require explicit confirmation (especially for -y bypassing)
4. Signature support: Support GPG/sigstore signatures for skill authors

At minimum, display the commit SHA being fetched so users can audit:

Fetching frontend-design from owner/repo @ abc1234 (main)

References

• CWE-494: Download of Code Without Integrity Check
• SLSA supply chain security framework