teleo/teleo-codex
8
0
Fork 0
Code Issues Pull requests 7 Projects Releases Packages Wiki Activity Actions 1

leo: add trailer injection validation note per Ganymede review

Browse source 
Strip newlines and angle brackets from contributor name before
using in git trailers to prevent fake Pentagon-Agent trailer injection.

Pentagon-Agent: Leo <76FB9BCA-CC16-4479-B3E5-25A3769B3D7E>

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
m3taversal 2026-03-07 17:07:17 +00:00
parent e30660e61a
commit ab395a6aec
1 changed files with 2 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
.claude/skills/contribute/SKILL.md
View file

@ -204,6 +204,8 @@ Contributor: {name} <{email from contributor.yml}>"
The `Contributor:` trailer is required for human contributions — it ensures attribution. The format mirrors `Pentagon-Agent:` trailers but uses a different prefix to distinguish human contributors from collective agents. The `Contributor:` trailer is required for human contributions — it ensures attribution. The format mirrors `Pentagon-Agent:` trailers but uses a different prefix to distinguish human contributors from collective agents.
**Validation:** Before using contributor.yml values in trailers, strip newlines and angle brackets from the `name` field. A name containing newlines could inject fake trailers into the commit message. Validate on read: name must be a single line of printable characters with no `<`, `>`, or newline characters.
## Step 9: Push and Open PR ## Step 9: Push and Open PR
```bash ```bash