diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 6a53b6d..43c50d8 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -150,6 +150,23 @@ markdownlint '**/*.md' --ignore node_modules --fix - No line length limits - Allowed HTML: `

`, ``, ``, `` +### Shell Pattern Escaping + +When documenting bash execution patterns in skill files, use `[BANG]` instead of `!` to prevent unintended execution during skill loading ([Claude Code #12781](https://github.com/anthropics/claude-code/issues/12781)). + +```markdown + +Current branch: [BANG]`git branch --show-current` + + +``` + +**Important**: + +- This applies to skill files that get loaded into context +- Command files (`.claude/commands/*.md`) use actual `!` syntax +- See [SECURITY.md](SECURITY.md#shell-pattern-escaping-with-bang-placeholder) for full details + ## Component-Specific Guidelines ### Commands (`/plugin-dev:*`) diff --git a/SECURITY.md b/SECURITY.md index 8e62b0b..e97a632 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -72,6 +72,34 @@ When a security vulnerability is confirmed: 4. **Markdown Linting**: Run `markdownlint` before committing to catch potential issues 5. **Test Locally**: Always test with `cc --plugin-dir plugins/plugin-dev` before pushing +## Known Security Mitigations + +### Shell Pattern Escaping with [BANG] Placeholder + +**Issue**: [Claude Code #12781](https://github.com/anthropics/claude-code/issues/12781) + +Due to a Claude Code issue, inline bash execution patterns (exclamation mark followed by backtick) inside fenced code blocks can be executed when skills are loaded—even when they appear as documentation examples. + +**Mitigation**: This plugin uses a `[BANG]` placeholder instead of `!` in skill documentation that shows bash execution patterns. + +```markdown + +Current branch: !`git branch --show-current` + + +Current branch: [BANG]`git branch --show-current` +``` + +**For maintainers**: + +- Do NOT "fix" `[BANG]` back to `!` - this is intentional +- When adding new documentation with bash patterns, use `[BANG]` +- Audit command: `grep -rn '!`' plugins/plugin-dev/skills/ --include='*.md' | grep -v '\[BANG\]'` +- See [CONTRIBUTING.md](CONTRIBUTING.md) for documentation guidelines +- Reference: [command-development skill](plugins/plugin-dev/skills/command-development/SKILL.md) lines 340-378 + +**History**: Fixed in PR #142 (v0.2.0) + ## Scope This security policy applies to: @@ -125,4 +153,4 @@ _No security issues have been reported yet._ --- -**Note:** _This security policy was last updated: December 7, 2025_ +**Note:** _This security policy was last updated: December 13, 2025_ diff --git a/plugins/plugin-dev/skills/command-development/references/testing-strategies.md b/plugins/plugin-dev/skills/command-development/references/testing-strategies.md index 422fb62..912de8c 100644 --- a/plugins/plugin-dev/skills/command-development/references/testing-strategies.md +++ b/plugins/plugin-dev/skills/command-development/references/testing-strategies.md 
@@ -676,8 +676,9 @@ echo "Test: \$1 and \$2" > .claude/commands/test-args.md # Check allowed-tools grep "allowed-tools" .claude/commands/my-command.md -# Verify command syntax -grep '!`' .claude/commands/my-command.md +# Verify command has bash execution syntax (! followed by backtick) +# Note: Command files use actual ! syntax, not [BANG] placeholder +grep -E '!\x60' .claude/commands/my-command.md # Test command manually date
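Review bot: in the CONTRIBUTING.md hunk, "This applies to skill files that get loaded into context" leaves it ambiguous whether the `references/*.md` files under a skill count; the `testing-strategies.md` change in this same patch shows they do, so state it explicitly (for example "any `*.md` under `plugins/plugin-dev/skills/`, including `references/`") and repeat the audit grep from SECURITY.md here so contributors can check a branch before opening a PR.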
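Review bot: in the SECURITY.md hunk, the "before" line of the markdown example (`Current branch: !`git branch --show-current``) puts the literal `!`-backtick pattern inside a fenced code block, which is exactly the construct the section says can be executed on load, and the audit command right below it (`grep -rn '!`' plugins/plugin-dev/skills/ --include='*.md' | grep -v '\[BANG\]'`) only scans `plugins/plugin-dev/skills/`, so this file would never be flagged. SECURITY.md is not a skill file, but it can still be pulled into context; consider writing the unsafe form with `[BANG]` as well (with a comment that the real syntax is `!`) or describing it in words, as the prose already does ("exclamation mark followed by backtick"). Separately, the pointer to `command-development/SKILL.md` "lines 340-378" will go stale on the next edit to that file; link to the section heading instead.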
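Review bot: in the testing-strategies.md hunk, `grep -E '!\x60' .claude/commands/my-command.md` does not match the `!`-backtick pattern the comment says it verifies: GNU grep's ERE engine does not interpret `\x` hex escapes (recent versions warn "stray \ before x" and treat it as a literal `x`, so the pattern matches the text `!x60`). The `\x60` form is presumably there so this reference file, which itself lives under the skill's `references/` directory, does not contain the literal pattern the SECURITY.md mitigation warns about. If so, use PCRE, where hex escapes are supported (`grep -P '!\x60' .claude/commands/my-command.md`), or a bracket expression that keeps the backtick out of the `!`-backtick sequence (`grep '![`]' .claude/commands/my-command.md`), and say in the comment why the pattern is written that way.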