Context
Two security audits flagged the codebase-to-course skill metadata and docs.
Snyk findings
- W007 (HIGH): risky credential handling from verbatim code-snippet guidance.
- W011 (MEDIUM): third-party content exposure from arbitrary repo intake.
- W012 (MEDIUM): unverifiable external dependency risk from runtime external clone flow.
Socket finding
- README.md flagged as Obfuscated File (HIGH), likely a false positive but still fails audit.
Proposed fixes
- Remove auto-clone guidance for external URLs; treat external repos as untrusted input.
- Require trusted local checkout paths and never execute analyzed repo code.
- Replace verbatim snippet policy with logic fidelity plus mandatory secret redaction.
- Add explicit secret leakage prevention rules (.env, keys, tokens, passwords, dumps).
- Normalize markdown punctuation and symbols to ASCII to reduce obfuscation false positives.
- Add explicit Security note in README describing safe output behavior.
Acceptance criteria
- Snyk W007/W011/W012 addressed in SKILL.md and reflected in README.md.
- README.md includes explicit security posture language.
- Skill functionality remains the same except stronger security guardrails.
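
Added example, not part of the original issue or the skill's own code: one way the "logic fidelity plus mandatory secret redaction" fix could be enforced in Python before a snippet is quoted into course output. The blocked file names and suffixes, the regex patterns, and the names `is_blocked` and `redact_snippet` are assumptions for illustration; the sample input is constructed.

```python
import re
from pathlib import PurePosixPath

# Assumed policy values: the issue names the categories (.env, keys, dumps), not these lists.
BLOCKED_NAMES = {".env", "id_rsa", "id_ed25519"}
BLOCKED_SUFFIXES = {".pem", ".key", ".p12", ".pfx", ".dump"}

# A quoted literal assigned to a sensitive-looking name (code, YAML or JSON style).
SECRET_ASSIGN = re.compile(
    r"""(?ix)
    (?P<lhs>\b[\w.-]*(?:password|passwd|secret|token|api[_-]?key|private[_-]?key)[\w.-]*
        ["']?\s*[:=]\s*)
    (?P<q>["'])(?P<val>[^"'\n]+)(?P=q)
    """)
PEM_BLOCK = re.compile(
    r"-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----", re.S)


def is_blocked(path):
    """True for files that must never be quoted at all (.env variants, key files, dumps)."""
    p = PurePosixPath(path)
    name = p.name.lower()
    return (name in BLOCKED_NAMES or name.startswith(".env.")
            or p.suffix.lower() in BLOCKED_SUFFIXES)


def redact_snippet(path, text):
    """Return (safe_text, redaction_count); blocked files yield (None, 0)."""
    if is_blocked(path):
        return None, 0
    text, n_pem = PEM_BLOCK.subn("[REDACTED PRIVATE KEY]", text)
    # Keep the assignment and its quoting so the logic still reads correctly.
    text, n_val = SECRET_ASSIGN.subn(
        lambda m: f'{m["lhs"]}{m["q"]}[REDACTED]{m["q"]}', text)
    return text, n_pem + n_val


# Constructed sample: one hard-coded secret, one safe environment lookup.
SAMPLE = '''import os
DB_PASSWORD = "hunter2-constructed"
API_TOKEN = os.environ["API_TOKEN"]
def connect(host):
    return open_db(host, password=DB_PASSWORD)
'''

if __name__ == "__main__":
    safe, count = redact_snippet("app/db.py", SAMPLE)
    print(f"{count} value(s) redacted")
    print(safe)
```

Only quoted literals are replaced, so references such as `os.environ["API_TOKEN"]` and `password=DB_PASSWORD` pass through unchanged and the snippet keeps its logic.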