Skip to content

Add SafeSkill security badge (20/100 — Blocked)#2

Open
OyaAIProd wants to merge 1 commit into
sleep2agi:mainfrom
OyaAIProd:safeskill-scan-1778465218959
Open

Add SafeSkill security badge (20/100 — Blocked)#2
OyaAIProd wants to merge 1 commit into
sleep2agi:mainfrom
OyaAIProd:safeskill-scan-1778465218959

Conversation

@OyaAIProd
Copy link
Copy Markdown

@OyaAIProd OyaAIProd commented May 11, 2026

🔴 SafeSkill Security Scan Results

Metric Value
Overall Score 20/100 (Blocked)
Code Score 55/100
Content Score 54/100
Findings 2092 findings detected (137 critical)
Taint Flows 1969
Files Scanned 17
Scan Duration 7.9s

Top Findings

  • 🔴 critical: Imports child_process module (channel/commhub-channel.ts:18)
  • 🔴 critical: Spawns child process (channel/commhub-channel.ts:47)
  • 🔴 critical: Imports child_process module (agent-network/bin/cli.ts:15)
  • 🔴 critical: Spawns child process (agent-network/bin/cli.ts:233)
  • 🔴 critical: Spawns child process (agent-network/bin/cli.ts:290)

View full report on SafeSkill

About SafeSkill

SafeSkill is a free, open-source security scanner for AI tools, MCP servers, and Claude Code skills. We scan for code exploits, prompt injection, and data exfiltration risks.

False positive? We take accuracy seriously. If any finding above is incorrect, please open an issue and we will fix it immediately.

@OyaAIProd
Add SafeSkill security badge (20/100)
141794b 
Signed-off-by: SafeSkill Scanner <mk@oya.ai>
This was referenced May 12, 2026
Closed
Open
Open
Merged
s2agi pushed a commit that referenced this pull request May 12, 2026
@vansin
test(qa): R9 — HUB-07 SSE 重连契约(fire-and-forget + get_inbox backlog)
42cf59c 
issue #31 R9:commhub SSE 断重连 L1 contract test。

11 步硬断言:
- subscriber-A 注册 + report_status
- SSE #1 connect + 收 task-1 live push
- kill SSE #1(模拟网络断)
- admin 发 task-2(subscriber-A 离线)
- SSE #2 reconnect — 看到 connected,不重放 task-2
- get_inbox via MCP 拿到 task-2 backlog
- task-3 live push 正常流

抠出 3 个非显然契约(写进 report):
1. SSE push 是 fire-and-forget — 没订阅者时丢
2. backlog 在 inbox 表(DB)— 重连后必须 get_inbox 主动拉
3. connected 事件不带 inbox_count — SDK 必须 unconditional poll

SDK 设计含义:朴素重连 = 静默丢任务,真 agent-node 必须 reconnect → get_inbox。

踩坑修复:cleanup() 中 'kill "${VAR:-0}"' 当 VAR=0 时变成 kill 0,
广播信号到整个 process group,导致 script PASS 后 exit 非 0。改为先判空再 kill。

scripts/qa.sh L1_TESTS 加 qa-hub-07-sse-reconnect。本地双跑 ALL PASS ~20s。
不动业务代码。
@s2agi s2agi mentioned this pull request May 12, 2026
Open
s2agi added a commit that referenced this pull request May 13, 2026
@s2agi @vansin
docs(demos): 产品速会 standup demo 提案(refs #27) (#28)
b539b8f 
* docs(demos): 产品速会 standup demo 提案(refs #27)

通信demo马 demo backlog #2 起草。通信龙 review #25 时选本案为
优先级 #2,PASS 「AI 新闻编辑室」(模式与 translation-pipeline 重合)。

5 agent (host + 3 reporter + recorder) 序列化轮询 + 累积 barrier 模式,
跟 PR 审查室 #26 (同步并行扇出 + barrier 合并) 形成「并行 vs 序列」
核心编排范式对比。CLI `anet demo standup --topic ... --reporters 3`
对齐 anet demo debate。

提案文档含 3 个留给通信龙的 review 问题(reporter 数量参数化 /
host 二轮 probe / recorder 输出风格)。

Refs #27

* docs(demos): standup 提案 v2 — 通信龙 review 3 问题答复落地

Q1 reporter 数量:参数化 --reporters <n> 默认 3 范围 2-6 (min 2 防退化对话,
max 6 控总 agent ≤ 8)。

Q2 host probe 二轮:v1 砍,纯序列化是核心卖点。如未来要 probe 单独做
第四个 demo "AI 风险评估会"。

Q3 recorder 输出:(b+a) 组合 — 顶部 manager 摘要 + 底部 dev transcript
单文件双 reader 满足。同 debate 输出格式思路(转录 + 评委判决并列)。

关键设计 ack 项(host/recorder 单独 agent + 编排范式对比矩阵)全部
通过。Backlog: 第三个 demo 提案暂不主动出,等实施完跑通真用户反馈。

Refs #27

* docs(demos): standup 提案 v3 — 加 §UX 反馈 + §测试规格

通信龙 pivot ack 落地,Vincent 2026-05-12 定调"用户能掌控多 agent +
充分测试"(refs feedback_demo_quality_over_count)。

§UX 反馈(在控感)— P0:
- 指挥棒序列可视:host→A→host→B→host→C→recorder 在 CLI 滚动条上看得到
- 启动序 + 实时进度 feed 总步数公式 2N+5
- Dashboard URL terminal hyperlink Cmd+Click 支持
- 失败路径友好提示:reporters 边界 / host 卡死 / reporter 超时 / recorder 跑题
- 末尾输出:preview + 路径 + 下一步 paste 到 Slack/飞书/Notion ready-to-act

§测试规格(test29-standup-room)— P1:
- 3 样本 covering happy/boring/edge: 3-person / 6-person / blocker-heavy
- Golden 结构断言(section / sub-section / line 计数 / owner 标记)非 verbatim
- Mock LLM provider 协议(与 PR 审查室共用 tests/MOCK-LLM-PROTOCOL.md)
- 三层覆盖 unit 80% / integration 60% / e2e 40%
- 10 条回归 case 标 P0/P1/P2 优先级(CI/nightly/release)

总长度 379 行(< 通信龙 600 行上限)。

Refs #27

---------

Co-authored-by: vansin <msnode@163.com>
s2agi pushed a commit that referenced this pull request May 13, 2026
@vansin
docs(round-218 / message-lifecycle.md 状态收尾 + R206 chain 续): docs/mess…
177ef29 
…age-lifecycle.md (内部 design doc, 2026-04-10 草稿) 描述 P0/P1 改动状态跟当前 v0.8.2 source 不同步 — 设计意图大部分已落地但 doc 里仍用 '需改' / '需要' futurist 语言 + commhub-channel.ts XML 注入格式 design 跟实际未采纳, verify (1) cli.ts:1125 SSE handler 已 ['new_task', 'broadcast'].includes(ev.type), P0 #2 '需改' 状态 stale; (2) server/src/tools.ts:589 send_reply + tools.ts:667 send_ack 已 shipped, P1 #1 实际已落地; (3) db.ts:71 + db.ts:97 inbox.in_reply_to 字段 shipped (注意字段名是 'in_reply_to' 不是设计草稿的 'reply_to'), P1 #2 已落地; (4) channel/commhub-channel.ts:125 实际描述 channel XML 格式是 'source=commhub task_id=... priority=... from=...' (属性名 from= 不是 sender=, 没有 type= 属性), 旧 doc 'channel 注入时带类型标记' 示例 'sender=指挥室 type=task' 实际未采纳, 类型区分靠 SSE event type + inbox row.type 字段不在 XML 里露出; (5) cli.ts:887 vs 旧 doc cli.ts:886 off-by-one. R218 fix: (1) cli.ts 行号 886 → 887 + ref link (2) channel XML 示例 attr 名 'sender=' → 'from=' + 去掉 fictional 'type=' 属性 + 加 ::: warning '设计意图 type= 未采纳' 解释类型区分实际机制 (3) P1 完整实现段改成 4-row 状态 table 标 ✅ shipped (1/2/3 行落地位置 link) + ❌ 未采纳 (4) (4) P0 改动清单 #2 '需改' → '✅ cli.ts:1125 link' + #4 CLAUDE.md '需改' → '✅ R195 chain 模板已加' (5) 删 '只需要改 #2' 误导语 (因为 #2 已 done). 内部 doc 单语
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@OyaAIProd