From ab395a6aecc8d7073e34b089d04730cae785a836 Mon Sep 17 00:00:00 2001 From: m3taversal Date: Sat, 7 Mar 2026 17:07:17 +0000 Subject: [PATCH] leo: add trailer injection validation note per Ganymede review Strip newlines and angle brackets from contributor name before using in git trailers to prevent fake Pentagon-Agent trailer injection. Pentagon-Agent: Leo <76FB9BCA-CC16-4479-B3E5-25A3769B3D7E> Co-Authored-By: Claude Opus 4.6 --- .claude/skills/contribute/SKILL.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.claude/skills/contribute/SKILL.md b/.claude/skills/contribute/SKILL.md index ae81e25..18d5589 100644 --- a/.claude/skills/contribute/SKILL.md +++ b/.claude/skills/contribute/SKILL.md @@ -204,6 +204,8 @@ Contributor: {name} <{email from contributor.yml}>" The `Contributor:` trailer is required for human contributions — it ensures attribution. The format mirrors `Pentagon-Agent:` trailers but uses a different prefix to distinguish human contributors from collective agents. +**Validation:** Before using contributor.yml values in trailers, strip newlines and angle brackets from the `name` field. A name containing newlines could inject fake trailers into the commit message. Validate on read: name must be a single line of printable characters with no `<`, `>`, or newline characters. + ## Step 9: Push and Open PR ```bash
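Review bot: The validation note added in the `@@ -204,6 +204,8 @@` hunk covers only the `name` field, but the trailer format shown in the context line, `Contributor: {name} <{email from contributor.yml}>`, also interpolates the email inside angle brackets, so a newline or `>` in the `email` value could break out of the trailer in exactly the same way. Suggest extending the sentence to both fields, e.g. "strip newlines and angle brackets from the `name` and `email` fields" and "Validate on read: both values must be a single line of printable characters with no `<`, `>`, or newline characters." The note also mixes two remedies, "strip newlines and angle brackets" and "Validate on read: name must be ...", which read as silently sanitising versus rejecting; pick one (rejecting the contributor.yml entry with an error is the safer choice, since a stripped name silently changes attribution) and state it consistently so the contribute skill does not have to guess which behaviour is intended.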