fix: remove auth header from skill example to pass security audit

runkids · runkids · commit 3c1a3b9d7fa4 · 2026-03-12T12:27:07.000+08:00
The curl example with Authorization Bearer token was flagged by
skillshare's security audit as potential data exfiltration.
Replaced with a simpler example that still demonstrates persistent
session variables across steps.
diff --git a/.skillignore b/.skillignore
@@ -0,0 +1 @@
+.skillshare/skills/*
diff --git a/README.md b/README.md
@@ -242,7 +242,7 @@ mdproof ships with `skills/SKILL.md` — install it once, and your AI agent know
 
 ```bash
 # Claude Code (via https://github.com/runkids/skillshare)
-skillshare install runkids/mdproof
+skillshare install runkids/mdproof/skills
 
 # Manual: copy skills/SKILL.md to your agent's skill directory
 ```
diff --git a/skills/SKILL.md b/skills/SKILL.md
@@ -158,13 +158,13 @@ All steps share a single bash process. Exports persist across steps:
 
 ```bash
 export API_URL=http://localhost:8080
-export TOKEN=$(curl -s $API_URL/auth | jq -r .token)
+export ITEM_COUNT=3
 ```
 
 ### Step 2: Use variables from step 1
 
 ```bash
-curl -s -H "Authorization: Bearer $TOKEN" $API_URL/users
+curl -s $API_URL/items?limit=$ITEM_COUNT
 ```
 
 Expected:
