feat(security): add content scanning for SKILL.md files (#6)

Implement security scanning layer for SKILL.md content with risk labels,
sanitization, and UI warnings. Includes database schema updates, API
integration, CLI warnings, and comprehensive documentation.

Author: mrgoonie

CLAUDE.md

@@ -90,7 +90,7 @@ pnpm db:migrate:remote    # Apply migrations to remote D1
 | `/api/skills/:slug/install` | api.skill-install.ts | Optional (API key or X-Device-Id) |
 | `/api/report` | api.usage-report.ts | Session/Key |
 | `/api/user/api-keys` | api.user-api-keys.ts | Session |
-| `/api/skills/register` | api.skill-register.ts | None |
+| `/api/skills/register` | api.skill-register.ts | Session/Key |
 | `/api/admin/seed` | api.admin.seed.ts | Admin secret |
 
 ## Database Tables (Drizzle schema)
@@ -125,6 +125,7 @@ Search algorithm: `./docs/search-algorithm.md`
 - **Env vars** in `apps/web/.dev.vars` (local) or Cloudflare Secrets (production). Never commit `.dev.vars`.
 - **Max 200 LOC per file** — split into focused modules if exceeded.
 - **Seed data** in `scripts/seed-data.json` (30 real skills from skills.sh). Seed via `ADMIN_SECRET=... pnpm seed`.
+- **Content security scanning** — all SKILL.md content scanned for prompt injection, invisible chars, ANSI escapes, shell injection. `risk_label` column stores result ("safe"/"caution"/"danger"/"unknown"). Sanitization strips zero-width Unicode + ANSI escapes before storage.
 
 ## Deployment
 

apps/web/app/components/skill-content-renderer.tsx

@@ -2,13 +2,36 @@ import Markdown from "react-markdown";
 
 interface SkillContentRendererProps {
   content: string;
+  riskLabel?: string;
 }
 
-/** Renders skill markdown content with styled prose */
-export function SkillContentRenderer({ content }: SkillContentRendererProps) {
+/** Renders skill markdown content with styled prose and optional risk badge */
+export function SkillContentRenderer({ content, riskLabel }: SkillContentRendererProps) {
   return (
-    <div className="sx-prose">
-      <Markdown>{content}</Markdown>
+    <div className="relative">
+      {riskLabel && riskLabel !== "unknown" && (
+        <div className="mb-3 flex items-center gap-2 text-xs">
+          <span
+            className={[
+              "rounded-full px-2 py-0.5 font-medium",
+              riskLabel === "safe" && "bg-green-500/20 text-green-400",
+              riskLabel === "caution" && "bg-yellow-500/20 text-yellow-400",
+              riskLabel === "danger" && "bg-red-500/20 text-red-400",
+            ]
+              .filter(Boolean)
+              .join(" ")}
+          >
+            {riskLabel === "safe"
+              ? "No Issues Detected"
+              : riskLabel === "caution"
+                ? "Review Recommended"
+                : "Suspicious"}
+          </span>
+        </div>
+      )}
+      <div className="sx-prose">
+        <Markdown>{content}</Markdown>
+      </div>
     </div>
   );
 }

apps/web/app/lib/db/schema.ts

@@ -26,6 +26,7 @@ export const skills = sqliteTable(
     bayesian_rating: real("bayesian_rating").default(0),
     trending_score: real("trending_score").default(0),
     favorite_count: integer("favorite_count").default(0),
+    risk_label: text("risk_label").default("unknown"),
     created_at: integer("created_at", { mode: "timestamp_ms" }).notNull(),
     updated_at: integer("updated_at", { mode: "timestamp_ms" }).notNull(),
   },

apps/web/app/lib/security/content-scanner.ts

@@ -0,0 +1,106 @@
+/**
+ * Content scanner for SKILL.md files.
+ * Detects prompt injection, invisible chars, and suspicious patterns.
+ * Pure function, no async, no dependencies — fast and testable.
+ */
+
+export type RiskLabel = "safe" | "caution" | "danger" | "unknown";
+
+export interface ScanResult {
+  label: RiskLabel;
+  findings: string[];
+}
+
+// DANGER patterns — any single match = "danger"
+const INVISIBLE_UNICODE = /[\u200B-\u200D\uFEFF\u2060-\u2064\u2066-\u206F]/g;
+const ANSI_ESCAPE = /\x1B\[[0-9;]*[A-Za-z]/g;
+const PROMPT_INJECTION_PATTERNS = [
+  /ignore\s+(all\s+)?(previous|prior|above)\s+(instructions|prompts|rules)/i,
+  /you\s+are\s+now\s+(?:a|an|the|my)\s+/i,
+  /(?:reveal|show|print|output|leak)\s+(?:the\s+)?system\s+prompt/i,
+  /(?:override|replace|rewrite)\s+(?:the\s+)?system\s+prompt/i,
+];
+const JS_PROTOCOL = /javascript\s*:/i;
+const DATA_HTML = /data\s*:\s*text\/html/i;
+const SHELL_INJECTION = /(?:\$\([^)]+\)|eval\s*\(|exec\s*\()/;
+
+// CAUTION patterns — 2+ matches = "caution"
+const CAUTION_PATTERNS: Array<{ regex: RegExp; label: string }> = [
+  { regex: /<script/i, label: "html-script-tag" },
+  { regex: /<iframe/i, label: "html-iframe-tag" },
+  { regex: /<object/i, label: "html-object-tag" },
+  { regex: /<embed/i, label: "html-embed-tag" },
+  { regex: /<form/i, label: "html-form-tag" },
+  { regex: /(?:bit\.ly|tinyurl\.com|t\.co|goo\.gl)\//i, label: "url-shortener" },
+  { regex: /[A-Za-z0-9+/]{200,}={0,2}/, label: "base64-block" },
+  { regex: /<!--[\s\S]{500,}?-->/, label: "hidden-html-comment" },
+  { regex: /process\.env/i, label: "env-access" },
+  { regex: /fs\.readFile/i, label: "fs-read" },
+  { regex: /child_process/i, label: "child-process" },
+  // XML-style tags commonly used in prompt injection (moved from DANGER)
+  { regex: /^\s*<system/im, label: "xml-system-tag" },
+  { regex: /^\s*<assistant/im, label: "xml-assistant-tag" },
+  { regex: /^\s*<human/im, label: "xml-human-tag" },
+];
+
+export function scanContent(content: string): ScanResult {
+  const findings: string[] = [];
+
+  // DANGER checks
+  const zwChars = content.match(INVISIBLE_UNICODE);
+  if (zwChars) {
+    findings.push(`danger:invisible-chars:${zwChars.length} zero-width characters`);
+  }
+
+  const ansi = content.match(ANSI_ESCAPE);
+  if (ansi) {
+    findings.push(`danger:ansi-escape:${ansi.length} terminal escape codes`);
+  }
+
+  for (const pattern of PROMPT_INJECTION_PATTERNS) {
+    if (pattern.test(content)) {
+      findings.push(`danger:prompt-injection:${pattern.source}`);
+    }
+  }
+
+  if (JS_PROTOCOL.test(content)) {
+    findings.push("danger:js-protocol:javascript: URL detected");
+  }
+
+  if (DATA_HTML.test(content)) {
+    findings.push("danger:data-html:data:text/html URL detected");
+  }
+
+  if (SHELL_INJECTION.test(content)) {
+    findings.push("danger:shell-injection:shell command pattern detected");
+  }
+
+  // CAUTION checks
+  let cautionCount = 0;
+  for (const { regex, label } of CAUTION_PATTERNS) {
+    if (regex.test(content)) {
+      findings.push(`caution:${label}`);
+      cautionCount++;
+    }
+  }
+
+  // Derive label
+  const hasDanger = findings.some((f) => f.startsWith("danger:"));
+  let label: RiskLabel;
+  if (hasDanger) {
+    label = "danger";
+  } else if (cautionCount >= 2) {
+    label = "caution";
+  } else {
+    label = "safe";
+  }
+
+  return { label, findings };
+}
+
+/** Strip zero-width Unicode chars and ANSI escape codes from content */
+export function sanitizeContent(content: string): string {
+  return content
+    .replace(INVISIBLE_UNICODE, "")
+    .replace(ANSI_ESCAPE, "");
+}

apps/web/app/routes/api.skill-detail.ts

@@ -3,6 +3,7 @@ import { getDb } from "~/lib/db";
 import { skills, ratings, reviews, favorites } from "~/lib/db/schema";
 import { eq, desc, count, avg } from "drizzle-orm";
 import { getSession } from "~/lib/auth/session-helpers";
+import { scanContent, sanitizeContent } from "~/lib/security/content-scanner";
 
 /** Detect stub content: short + ends with "## Author\n{author}" */
 function isStubContent(content: string, author: string): boolean {
@@ -59,11 +60,15 @@ export async function loader({ params, request, context }: LoaderFunctionArgs) {
     if (skill.source_url && isStubContent(skill.content, skill.author)) {
       const realContent = await fetchRealContent(skill.source_url);
       if (realContent) {
-        skill.content = realContent;
+        const cleanContent = sanitizeContent(realContent);
+        const scanResult = scanContent(cleanContent);
+        skill.content = cleanContent;
+        skill.risk_label = scanResult.label;
         // Persist to DB so future requests are fast (fire-and-forget)
         db.update(skills)
-          .set({ content: realContent, updated_at: new Date() })
+          .set({ content: cleanContent, risk_label: scanResult.label, updated_at: new Date() })
           .where(eq(skills.id, skill.id))
+          .execute()
           .catch(() => {});
       }
     }

apps/web/app/routes/api.skill-register.ts

@@ -16,6 +16,7 @@ import { scanGitHubRepo } from "~/lib/github/scan-github-repo";
 import { indexSkill } from "~/lib/vectorize/index-skill";
 import { authenticateRequest } from "~/lib/auth/authenticate-request";
 import { validateRepoOwnership } from "~/lib/github/validate-repo-ownership";
+import { scanContent, sanitizeContent } from "~/lib/security/content-scanner";
 
 const GITHUB_REPO_PATTERN = /^[a-zA-Z0-9._-]+\/[a-zA-Z0-9._-]+$/;
 const SAFE_PATH_PATTERN = /^[a-zA-Z0-9._\-/]+$/;
@@ -201,12 +202,16 @@ async function insertAndIndexSkill(
   const skillId = crypto.randomUUID();
   const now = new Date();
 
+  // Sanitize first, then scan the clean version so label reflects stored content
+  const cleanContent = sanitizeContent(ghSkill.content);
+  const scanResult = scanContent(cleanContent);
+
   await db.insert(skills).values({
     id: skillId,
     name: ghSkill.name,
     slug: ghSkill.slug,
     description: ghSkill.description,
-    content: ghSkill.content,
+    content: cleanContent,
     author: ghSkill.author,
     source_url: ghSkill.source_url,
     category: ghSkill.category,
@@ -218,6 +223,7 @@ async function insertAndIndexSkill(
     rating_count: 0,
     github_stars: ghSkill.github_stars,
     install_count: 0,
+    risk_label: scanResult.label,
     created_at: now,
     updated_at: now,
   });
@@ -228,7 +234,7 @@ async function insertAndIndexSkill(
       id: skillId,
       name: ghSkill.name,
       description: ghSkill.description,
-      content: ghSkill.content,
+      content: cleanContent,
       category: ghSkill.category,
       is_paid: false,
       avg_rating: 0,

apps/web/app/routes/skill-detail.tsx

@@ -21,7 +21,7 @@ import {
 } from "~/lib/db/skill-detail-queries";
 import { useState } from "react";
 import { useFetcher } from "react-router";
-import { FileText } from "lucide-react";
+import { FileText, ShieldAlert } from "lucide-react";
 
 export async function loader({ params, request, context }: LoaderFunctionArgs) {
   const slug = params.slug;
@@ -118,6 +118,20 @@ export default function SkillDetail() {
             )}
           </div>
 
+          {/* Risk warning banner */}
+          {data.skill.risk_label === "danger" && (
+            <div className="mb-6 rounded-lg border border-red-500/30 bg-red-500/10 px-4 py-3 text-sm text-red-400">
+              <ShieldAlert className="mr-2 inline h-4 w-4" />
+              Suspicious content patterns detected. Review carefully before use.
+            </div>
+          )}
+          {data.skill.risk_label === "caution" && (
+            <div className="mb-6 rounded-lg border border-yellow-500/30 bg-yellow-500/10 px-4 py-3 text-sm text-yellow-400">
+              <ShieldAlert className="mr-2 inline h-4 w-4" />
+              Some content patterns flagged for review.
+            </div>
+          )}
+
           {/* Use this skill */}
           <div className="mb-8 space-y-3">
             <p className="text-xs font-medium uppercase tracking-wider text-sx-fg-subtle">Use this skill</p>
@@ -149,7 +163,7 @@ export default function SkillDetail() {
           {/* Description / Content (rendered as markdown) */}
           <div className="mb-10">
             {data.skill.content && data.skill.content !== data.skill.description ? (
-              <SkillContentRenderer content={data.skill.content} />
+              <SkillContentRenderer content={data.skill.content} riskLabel={data.skill.risk_label ?? undefined} />
             ) : (
               <p className="text-sx-fg-muted leading-relaxed">{data.skill.description}</p>
             )}

apps/web/drizzle/migrations/0006_same_mikhail_rasputin.sql

@@ -0,0 +1 @@
+ALTER TABLE `skills` ADD `risk_label` text DEFAULT 'unknown';