security: Remove vercel-deploy (data exfiltration), annotate LD_PRELOAD shims

Security audit findings:
- CRITICAL: vercel-deploy uploaded entire project to external endpoint — REMOVED
- ANNOTATED: docx/pptx/xlsx soffice.py LD_PRELOAD shims — security warnings added
- README updated to 93 skills with full security audit section and Vue/Vite ecosystem

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Jason Woltje
2026-02-16 16:39:04 -06:00
parent f5792c40be
commit 798fce9487
7 changed files with 52 additions and 367 deletions


@@ -1,8 +1,22 @@
# Agent Skills
Complete agent skill fleet for Mosaic Stack. 78 skills across 10 domains — coding, business development, design, marketing, writing, orchestration, document generation, and more. Platform-aware — works with both GitHub (`gh`) and Gitea (`tea`) via our abstraction scripts.
Complete agent skill fleet for Mosaic Stack. 93 skills across 11 domains — coding, business development, design, marketing, writing, orchestration, document generation, Vue/Vite ecosystem, and more. Platform-aware — works with both GitHub (`gh`) and Gitea (`tea`) via our abstraction scripts.
## Skills (78)
## Security Audit
All skills were reviewed on 2026-02-16. Findings:
| ID | Severity | Skill | Issue | Action |
|----|----------|-------|-------|--------|
| C-001 | **CRITICAL** | `vercel-deploy` | Uploads entire project to external endpoint via `curl` | **REMOVED** |
| C-002 | **ANNOTATED** | `docx`, `pptx`, `xlsx` | LD_PRELOAD shim compiles C at runtime to hook `socket()` | Security warnings added — legitimate sandbox workaround, should never activate on Docker Swarm |
| W-001 | WARNING | `using-superpowers` | Forces aggressive auto-loading via `<EXTREMELY-IMPORTANT>` tags | Awareness only — review before enabling |
| W-002 | WARNING | `mcp-builder` | Can connect to arbitrary MCP servers | Awareness only — review server URLs |
| W-003 | WARNING | `create-agent` | Uses `Function()` constructor (eval equivalent) | Awareness only — review generated code |
88 of 93 skills passed all checks as clean instruction-only SKILL.md files.
## Skills (93)
### Code Quality & Review (5)
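Review bot: the summary line "88 of 93 skills passed all checks" does not match the table above it. If the 93 excludes the removed `vercel-deploy`, the remaining rows still flag six skills (`docx`, `pptx`, `xlsx`, `using-superpowers`, `mcp-builder`, `create-agent`), which leaves 87 clean, not 88; the figure appears to count table rows rather than skills. Separately, row C-002 puts ANNOTATED in the Severity column, which is an action rather than a severity, so a reader cannot tell how the LD_PRELOAD shim was rated; give it a severity and keep the annotation in the Action column. The statement that the shim "should never activate on Docker Swarm" would be easier to verify with a pointer to the condition in soffice.py that gates it.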
@@ -122,7 +136,28 @@ Complete agent skill fleet for Mosaic Stack. 78 skills across 10 domains — cod
| `paywall-upgrade-cro` | Paywall/upgrade conversion optimization | coreyhaines31 |
| `free-tool-strategy` | Free tool as marketing strategy | coreyhaines31 |
### Meta / Skill Authoring & Deployment (5)
### Vue/Vite Ecosystem (16)
| Skill | Purpose | Origin |
|-------|---------|--------|
| `vue` | Vue.js development patterns | antfu |
| `vue-best-practices` | Vue.js best practices and conventions | antfu |
| `vue-router-best-practices` | Vue Router patterns and guards | antfu |
| `vue-testing-best-practices` | Vue component testing patterns | antfu |
| `vueuse-functions` | VueUse composable function patterns | antfu |
| `nuxt` | Nuxt.js framework patterns | antfu |
| `vite` | Vite build tool configuration and plugins | antfu |
| `vitest` | Vitest testing framework patterns | antfu |
| `vitepress` | VitePress documentation site patterns | antfu |
| `slidev` | Slidev presentation framework | antfu |
| `pnpm` | pnpm package manager patterns | antfu |
| `turborepo` | Turborepo monorepo patterns | antfu |
| `unocss` | UnoCSS atomic CSS engine | antfu |
| `tsdown` | tsdown TypeScript bundler | antfu |
| `pinia` | Pinia state management | antfu |
| `antfu` | Anthony Fu's coding conventions | antfu |
### Meta / Skill Authoring (4)
| Skill | Purpose | Origin |
|-------|---------|--------|
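Review bot: the new "Vue/Vite Ecosystem (16)" table is unrelated to the security fix and belongs in its own commit. As written, the change from "Meta / Skill Authoring & Deployment (5)" to "Meta / Skill Authoring (4)", which is the part that reflects the `vercel-deploy` removal, sits in the same hunk as a 16-row catalogue addition, so the removal cannot be reviewed or reverted on its own. If the two must stay together, say in the commit message that the Vue/Vite entries are documentation only.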
@@ -130,7 +165,6 @@ Complete agent skill fleet for Mosaic Stack. 78 skills across 10 domains — cod
| `skill-creator` | Anthropic's skill creation guide | anthropics |
| `mcp-builder` | Building MCP (Model Context Protocol) servers | anthropics |
| `webapp-testing` | Web application testing patterns | anthropics |
| `vercel-deploy` | Vercel deployment patterns | vercel-labs |
## Source Repositories
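Review bot: deleting the `vercel-deploy` row here removes the only listing of the skill, and the audit table elsewhere in the README records only "REMOVED" as the action. Anyone who synced the skill before this commit gets no instruction from the README to delete their local copy; consider adding one line next to the C-001 finding saying that existing installs should remove the `vercel-deploy` directory.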
@@ -139,8 +173,9 @@ Complete agent skill fleet for Mosaic Stack. 78 skills across 10 domains — cod
| [anthropics/skills](https://github.com/anthropics/skills) | 16 | Documents, design, MCP, testing |
| [obra/superpowers](https://github.com/obra/superpowers) | 14 | Agent workflows, TDD, code review, planning |
| [coreyhaines31/marketingskills](https://github.com/coreyhaines31/marketingskills) | 25 | Marketing, CRO, SEO, growth |
| [antfu/skills](https://github.com/antfu/skills) | 16 | Vue, Vite, Vitest, pnpm, Nuxt |
| [better-auth/skills](https://github.com/better-auth/skills) | 5 | Authentication patterns |
| [vercel-labs/agent-skills](https://github.com/vercel-labs/agent-skills) | 5 | React, design, Vercel |
| [vercel-labs/agent-skills](https://github.com/vercel-labs/agent-skills) | 4 | React, design |
| [vercel-labs/next-skills](https://github.com/vercel-labs/next-skills) | 1 | Next.js 15+ |
| [vercel/ai](https://github.com/vercel/ai) | 1 | AI SDK |
| [halthelobster/proactive-agent](https://github.com/halthelobster/proactive-agent) | 1 | Agent architecture |
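Review bot: the source table lists each upstream by repository URL and skill count only, with no commit or tag, so the README's "reviewed on 2026-02-16" audit cannot be tied to the revision that was actually inspected. This matters most for the new `antfu/skills` row (16 skills) and for `vercel-labs/agent-skills`, where one skill was just removed for uploading the project to an external endpoint. Add a column with the reviewed upstream revision for each row so a later sync that pulls changed content is visible as a difference from the audited state.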