mosaic/agent-skills
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

security: Remove vercel-deploy (data exfiltration), annotate LD_PRELOAD shims

Browse Source 
Security audit findings:
- CRITICAL: vercel-deploy uploaded entire project to external endpoint — REMOVED
- ANNOTATED: docx/pptx/xlsx soffice.py LD_PRELOAD shims — security warnings added
- README updated to 93 skills with full security audit section and Vue/Vite ecosystem

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Jason Woltje
2026-02-16 16:39:04 -06:00
parent f5792c40be
commit 798fce9487
7 changed files with 52 additions and 367 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
skills/xlsx/scripts/office/soffice.py
View File

@@ -1,3 +1,7 @@
# MOSAIC STACK SECURITY NOTE: This script contains an LD_PRELOAD shim that
# compiles C code at runtime to hook socket() system calls. Legitimate sandbox
# workaround for Claude.ai — should NEVER activate on our Docker Swarm infra.
# If it does, investigate why AF_UNIX is blocked. Audited: 2026-02-16.
"""
Helper for running LibreOffice (soffice) in environments where AF_UNIX
sockets may be blocked (e.g., sandboxed VMs). Detects the restriction