Skip to content

scoring: add spec-security check (XML tags, reserved name prefixes) #73

Description

@spboyer

Problem

Sensei v1.2.0+ includes a spec-security check that validates:

  1. No XML angle brackets (< >) in frontmatter values (injection risk)
  2. Skill name does not use reserved prefixes (claude-, anthropic-)

Waza has no equivalent check.

Expected Behavior

Add a SpecSecurityChecker to internal/checks/ that:

  • Flags XML angle brackets in frontmatter description and other string fields
  • Flags skill names starting with claude- or anthropic- (reserved per Anthropic guide p31)
  • Returns StatusWarning for violations

References

  • spboyer/sensei references/scoring.md — spec-security check definition
  • Anthropic Complete Guide to Building Skills, p31

Acceptance Criteria

  • New SpecSecurityChecker in internal/checks/
  • Detects < > in frontmatter
  • Detects reserved name prefixes
  • Tests covering both cases

Metadata

Metadata

Assignees

No one assigned

    Labels

    go:needs-researchNeeds investigationsensei-parityParity with spboyer/sensei scoringsquadSquad triage inbox — Lead will assign to a membersquad:basherAssigned to Basher (Tester / QA)squad:linusAssigned to Linus (Backend Developer)

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions