
fix(requesthunt): address security audit failures on skills.sh #76

Merged
Jing-yilin merged 1 commit into develop from fix/skill/requesthunt/security-audit-failures
Apr 19, 2026

fix(requesthunt): address security audit failures on skills.sh#76
Jing-yilin merged 1 commit intodevelopfrom
fix/skill/requesthunt/security-audit-failures

Conversation

@Jing-yilin
Contributor

Summary

Fixes security audit failures reported on skills.sh/requesthunt:

  • Gen Agent Trust Hub: FAIL (HIGH) — REMOTE_CODE_EXECUTION, PROMPT_INJECTION, COMMAND_EXECUTION
  • Socket: WARN — Anomaly (install trust + external content handling)
  • Snyk: FAIL (HIGH) — W007 (insecure credential handling), W011 (third-party content exposure), W012 (unverifiable external dependency)

Changes

All changes are in skills/requesthunt/SKILL.md:

1. CLI Installer (REMOTE_CODE_EXECUTION / W012 / Anomaly)

  • Added note that installer downloads from GitHub Releases and verifies SHA256 checksum
  • Added build-from-source alternative (cargo install --path cli)

2. API Key Handling (W007)

  • Changed from plaintext example (rh_live_your_key) to variable reference ($YOUR_KEY)
  • Recommend environment variable (REQUESTHUNT_API_KEY) as primary method
  • Demoted config set-key to secondary option with owner-only permissions note
  • Added security callout against hardcoding keys

3. Content Safety (PROMPT_INJECTION / W011)

  • Added new "Content Safety" section with explicit untrusted-input handling guidelines
  • Instructs agents to treat scraped content as untrusted, use boundaries, avoid executing raw content

Notes

The RequestHunt CLI project itself already implements all these security measures (SHA256 verification in install.sh, env var support, file permissions). These changes document existing protections in the skill SKILL.md so security scanners can detect them.

- Document SHA256 checksum verification and GitHub Releases source for CLI installer
- Add build-from-source alternative (cargo install)
- Recommend environment variable over plaintext command-line API key
- Use variable references ($YOUR_KEY) instead of example key literals
- Add Content Safety section with untrusted-input handling guidelines
- Add security note against hardcoding API keys in agent output

Addresses: Agent Trust Hub (FAIL), Socket (WARN), Snyk (FAIL) findings
for REMOTE_CODE_EXECUTION, PROMPT_INJECTION, COMMAND_EXECUTION, and
insecure credential handling (W007, W011, W012).
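A worked illustration of the checksum-gated install step the PR documents (download from GitHub Releases, verify SHA256, only then install). This is an added example, not the RequestHunt project's own install.sh; the asset file, its digest and the paths are constructed for the demo.

```shell
#!/bin/sh
# Added example: gate installation of a downloaded release asset on its SHA256.
# The expected digest must come from the release's published checksum list,
# not from the same untrusted location as the binary itself.
set -eu

# Compute a file's SHA256 hex digest (GNU sha256sum or macOS shasum).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_sha256 FILE EXPECTED_HEX: returns 0 on match, 1 on mismatch.
verify_sha256() {
  file="$1"; expected="$2"
  actual="$(sha256_of "$file")"
  [ "$actual" = "$expected" ]
}

# install_verified FILE EXPECTED_HEX DEST: copies FILE to DEST with 0755 only
# when the digest matches; on mismatch the download is discarded, never run.
install_verified() {
  file="$1"; expected="$2"; dest="$3"
  if verify_sha256 "$file" "$expected"; then
    cp "$file" "$dest" && chmod 0755 "$dest"
    echo "verified and installed $dest"
    return 0
  fi
  echo "checksum mismatch for $file; refusing to install" >&2
  rm -f "$file"
  return 1
}

# Constructed demo: a stand-in asset whose SHA256 is known (sha256 of "hello\n").
demo() {
  tmp="$(mktemp -d)"
  printf 'hello\n' > "$tmp/rh-asset"
  good=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
  bad=0000000000000000000000000000000000000000000000000000000000000000
  install_verified "$tmp/rh-asset" "$good" "$tmp/rh"      # installs
  ! install_verified "$tmp/rh-asset" "$bad" "$tmp/rh2"    # refuses
  rm -rf "$tmp"
}
demo
```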
Jing-yilin merged commit 01a6b6b into develop Apr 19, 2026
31 checks passed