[SECURITY] No integrity verification for GitHub skill downloads (supply chain risk) #29
Description
Severity: P2
Summary
apc install owner/repo --skill foo fetches SKILL.md from GitHub over HTTPS but performs no integrity verification (checksum, signature, or commit pinning). A supply chain attack on the source GitHub repository would silently install malicious skill content to all AI tools on the machine.
Affected Code
src/skills.py — fetch_skill_from_repo():
resp = httpx.get(url, follow_redirects=True, timeout=15)
# ... parses and saves without any hash checkAttack Scenario
- Attacker gains write access to a popular skills repo (e.g. via compromised maintainer account, dependency confusion, or social engineering)
- Attacker modifies
skills/foo/SKILL.mdto contain prompt injection payloads - Users running
apc install owner/repo --skill fooinstall the malicious skill silently - Next time the AI tool reads its config, the injected instructions execute
Impact
- Silent installation of prompt injection payloads into AI tool configs
- No warning or verification step warns the user about content change
- Malicious skills could instruct the AI to exfiltrate data, run dangerous commands, etc.
Recommended Mitigations
- Commit pinning: Support
apc install owner/repo@<sha> --skill footo pin to a specific commit hash - Checksum manifest: Skills repos can publish a
checksums.jsonlisting SHA256 hashes per skill;apc installcan verify before writing - Content preview: Before installing, show the skill content diff and require explicit confirmation (especially for
-ybypassing) - Signature support: Support GPG/sigstore signatures for skill authors
At minimum, display the commit SHA being fetched so users can audit:
Fetching frontend-design from owner/repo @ abc1234 (main)
References
- CWE-494: Download of Code Without Integrity Check
- SLSA supply chain security framework