fix(skills): keep curl credentials out of argv#2175
Conversation
|
ECC bundle files are already tracked in this repository. Skipping generation of another bundle PR. |
|
Lost in the diff? Review this PR in Change Stack to follow the change map from intent to exact ranges. 📝 WalkthroughWalkthroughThis PR hardens API credential security in skill documentation by refactoring curl commands to pass credentials via stdin ( ChangesCredential security hardening
Estimated code review effort🎯 2 (Simple) | ⏱️ ~10 minutes Possibly related PRs
Suggested reviewers
🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Warning There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure. 🔧 ESLint
ESLint install failed. For unrecoverable errors, disable the tool in CodeRabbit configuration. Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@skills/jira-integration/SKILL.md`:
- Around line 68-75: Add fail-fast validation in the jira_curl() helper: before
piping credentials to curl, check that the environment variables JIRA_EMAIL and
JIRA_API_TOKEN are set and non-empty, and if either is missing print a clear
error to stderr and exit non-zero; update the jira_curl() function (the shell
function defined as jira_curl) to perform these checks and only invoke curl when
both values are present, ensuring no further execution or network calls occur on
misconfiguration.
In `@skills/social-publisher/SKILL.md`:
- Around line 26-27: The build step currently constructs a curl config using
SC_API_KEY even when it's unset; add a pre-check that verifies the environment
variable SC_API_KEY is set and non-empty and fail fast with a clear error
message (e.g., print to stderr and exit non-zero) before running the printf/curl
sequence that builds the "Authorization: Bearer ..." header; update the logic
around the printf and curl invocation so they only run after SC_API_KEY
validation.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: d5ca8b51-0b10-42e5-9c28-39efee4cd586
📒 Files selected for processing (5)
docs/ja-JP/skills/jira-integration/SKILL.mddocs/zh-CN/skills/jira-integration/SKILL.mdskills/jira-integration/SKILL.mdskills/social-publisher/SKILL.mdtests/ci/secret-curl-flags.test.js
| For direct `curl` examples, keep credentials out of command-line arguments by passing the Jira user config on stdin: | ||
|
|
||
| ```bash | ||
| jira_curl() { | ||
| printf 'user = "%s:%s"\n' "$JIRA_EMAIL" "$JIRA_API_TOKEN" | | ||
| curl -s -K - "$@" | ||
| } | ||
| ``` |
There was a problem hiding this comment.
Add fail-fast checks for required Jira credentials in jira_curl().
jira_curl() should validate JIRA_EMAIL and JIRA_API_TOKEN before invoking curl, so misconfiguration fails immediately with a clear error instead of making ambiguous unauthenticated calls.
Suggested patch
jira_curl() {
+ : "${JIRA_EMAIL:?JIRA_EMAIL is required}"
+ : "${JIRA_API_TOKEN:?JIRA_API_TOKEN is required}"
printf 'user = "%s:%s"\n' "$JIRA_EMAIL" "$JIRA_API_TOKEN" |
curl -s -K - "$@"
}As per coding guidelines, “Validate all user input at system boundaries using schema-based validation; fail fast with clear error messages” and “Never hardcode secrets...”.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@skills/jira-integration/SKILL.md` around lines 68 - 75, Add fail-fast
validation in the jira_curl() helper: before piping credentials to curl, check
that the environment variables JIRA_EMAIL and JIRA_API_TOKEN are set and
non-empty, and if either is missing print a clear error to stderr and exit
non-zero; update the jira_curl() function (the shell function defined as
jira_curl) to perform these checks and only invoke curl when both values are
present, ensuring no further execution or network calls occur on
misconfiguration.
Source: Coding guidelines
| printf 'header = "Authorization: Bearer %s"\n' "$SC_API_KEY" | | ||
| curl -sS -K - https://getsocialclaw.com/v1/keys/validate |
There was a problem hiding this comment.
Fail fast when SC_API_KEY is unset before building the curl config.
Add an explicit required-variable check so the validation step errors clearly instead of sending an empty bearer token.
Suggested patch
+# Verify access
+: "${SC_API_KEY:?SC_API_KEY is required}"
printf 'header = "Authorization: Bearer %s"\n' "$SC_API_KEY" |
curl -sS -K - https://getsocialclaw.com/v1/keys/validateAs per coding guidelines, “Validate all user input at system boundaries... fail fast with clear error messages” and “Never hardcode secrets... use environment variables or a secret manager”.
📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| printf 'header = "Authorization: Bearer %s"\n' "$SC_API_KEY" | | |
| curl -sS -K - https://getsocialclaw.com/v1/keys/validate | |
| # Verify access | |
| : "${SC_API_KEY:?SC_API_KEY is required}" | |
| printf 'header = "Authorization: Bearer %s"\n' "$SC_API_KEY" | | |
| curl -sS -K - https://getsocialclaw.com/v1/keys/validate |
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@skills/social-publisher/SKILL.md` around lines 26 - 27, The build step
currently constructs a curl config using SC_API_KEY even when it's unset; add a
pre-check that verifies the environment variable SC_API_KEY is set and non-empty
and fail fast with a clear error message (e.g., print to stderr and exit
non-zero) before running the printf/curl sequence that builds the
"Authorization: Bearer ..." header; update the logic around the printf and curl
invocation so they only run after SC_API_KEY validation.
Source: Coding guidelines
There was a problem hiding this comment.
3 issues found across 5 files
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="docs/ja-JP/skills/jira-integration/SKILL.md">
<violation number="1" location="docs/ja-JP/skills/jira-integration/SKILL.md:71">
P2: `jira_curl` interpolates credential values into curl config syntax without escaping quotes or backslashes, which can break parsing or enable option injection if credentials contain unexpected characters.</violation>
<violation number="2" location="docs/ja-JP/skills/jira-integration/SKILL.md:72">
P2: Add fail-fast checks for `JIRA_EMAIL` and `JIRA_API_TOKEN` before invoking curl. If either variable is unset, the function will silently send an empty or malformed credential string, resulting in an ambiguous 401 instead of a clear configuration error.
```bash
jira_curl() {
: "${JIRA_EMAIL:?JIRA_EMAIL is required}"
: "${JIRA_API_TOKEN:?JIRA_API_TOKEN is required}"
printf 'user = "%s:%s"\n' "$JIRA_EMAIL" "$JIRA_API_TOKEN" |
curl -s -K - "$@"
}
```</violation>
</file>
<file name="tests/ci/secret-curl-flags.test.js">
<violation number="1" location="tests/ci/secret-curl-flags.test.js:84">
P2: The SocialClaw negative regex misses the `-H"..."` form, so this CI test can fail to catch a credential-leaking regression.</violation>
</file>
Reply with feedback, questions, or to request a fix.
Re-trigger cubic
| 直接 `curl` 例では、Jira ユーザー設定を標準入力で渡し、認証情報がコマンドライン引数に出ないようにします。 | ||
|
|
||
| ```bash | ||
| jira_curl() { |
There was a problem hiding this comment.
P2: jira_curl interpolates credential values into curl config syntax without escaping quotes or backslashes, which can break parsing or enable option injection if credentials contain unexpected characters.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At docs/ja-JP/skills/jira-integration/SKILL.md, line 71:
<comment>`jira_curl` interpolates credential values into curl config syntax without escaping quotes or backslashes, which can break parsing or enable option injection if credentials contain unexpected characters.</comment>
<file context>
@@ -65,6 +65,15 @@ MCP が利用できない場合は、`curl` またはヘルパースクリプト
+直接 `curl` 例では、Jira ユーザー設定を標準入力で渡し、認証情報がコマンドライン引数に出ないようにします。
+
+```bash
+jira_curl() {
+ printf 'user = "%s:%s"\n' "$JIRA_EMAIL" "$JIRA_API_TOKEN" |
+ curl -s -K - "$@"
</file context>
| assert.match(shell, /\bcurl -sS -K - https:\/\/getsocialclaw\.com\/v1\/keys\/validate/, 'Expected curl -K - validation call'); | ||
| assert.doesNotMatch( | ||
| shell, | ||
| /\bcurl\b[^\n]*-H\s+(?:"|')Authorization:\s*Bearer\s+\$SC_API_KEY(?:"|')/, |
There was a problem hiding this comment.
P2: The SocialClaw negative regex misses the -H"..." form, so this CI test can fail to catch a credential-leaking regression.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At tests/ci/secret-curl-flags.test.js, line 84:
<comment>The SocialClaw negative regex misses the `-H"..."` form, so this CI test can fail to catch a credential-leaking regression.</comment>
<file context>
@@ -0,0 +1,96 @@
+ assert.match(shell, /\bcurl -sS -K - https:\/\/getsocialclaw\.com\/v1\/keys\/validate/, 'Expected curl -K - validation call');
+ assert.doesNotMatch(
+ shell,
+ /\bcurl\b[^\n]*-H\s+(?:"|')Authorization:\s*Bearer\s+\$SC_API_KEY(?:"|')/,
+ 'SocialClaw bearer token must not be passed with curl -H',
+ );
</file context>
| /\bcurl\b[^\n]*-H\s+(?:"|')Authorization:\s*Bearer\s+\$SC_API_KEY(?:"|')/, | |
| /\bcurl\b[^\n]*-H\s*(?:"|')Authorization:\s*Bearer\s+\$SC_API_KEY(?:"|')/, |
|
|
||
| ```bash | ||
| jira_curl() { | ||
| printf 'user = "%s:%s"\n' "$JIRA_EMAIL" "$JIRA_API_TOKEN" | |
There was a problem hiding this comment.
P2: Add fail-fast checks for JIRA_EMAIL and JIRA_API_TOKEN before invoking curl. If either variable is unset, the function will silently send an empty or malformed credential string, resulting in an ambiguous 401 instead of a clear configuration error.
jira_curl() {
: "${JIRA_EMAIL:?JIRA_EMAIL is required}"
: "${JIRA_API_TOKEN:?JIRA_API_TOKEN is required}"
printf 'user = "%s:%s"\n' "$JIRA_EMAIL" "$JIRA_API_TOKEN" |
curl -s -K - "$@"
}Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At docs/ja-JP/skills/jira-integration/SKILL.md, line 72:
<comment>Add fail-fast checks for `JIRA_EMAIL` and `JIRA_API_TOKEN` before invoking curl. If either variable is unset, the function will silently send an empty or malformed credential string, resulting in an ambiguous 401 instead of a clear configuration error.
```bash
jira_curl() {
: "${JIRA_EMAIL:?JIRA_EMAIL is required}"
: "${JIRA_API_TOKEN:?JIRA_API_TOKEN is required}"
printf 'user = "%s:%s"\n' "$JIRA_EMAIL" "$JIRA_API_TOKEN" |
curl -s -K - "$@"
}
```</comment>
<file context>
@@ -65,6 +65,15 @@ MCP が利用できない場合は、`curl` またはヘルパースクリプト
+
+```bash
+jira_curl() {
+ printf 'user = "%s:%s"\n' "$JIRA_EMAIL" "$JIRA_API_TOKEN" |
+ curl -s -K - "$@"
+}
</file context>
| printf 'user = "%s:%s"\n' "$JIRA_EMAIL" "$JIRA_API_TOKEN" | | |
| : "${JIRA_EMAIL:?JIRA_EMAIL is required}" | |
| : "${JIRA_API_TOKEN:?JIRA_API_TOKEN is required}" | |
| printf 'user = "%s:%s"\n' "$JIRA_EMAIL" "$JIRA_API_TOKEN" | |
* fix(skills): avoid curl credential argv leaks * test(ci): guard secret curl examples
Summary
Fixes #2165.
jira_curlwrapper that passesuser = ...through curl config stdin instead of-u "$JIRA_EMAIL:$JIRA_API_TOKEN"-H "Authorization: Bearer $SC_API_KEY"Verification
node tests/ci/secret-curl-flags.test.jsnode tests/ci/agent-instruction-safety.test.jsnode tests/run-all.js— 2623 passed, 0 failedSummary by cubic
Prevents credentials from appearing in
curlargv in Jira and SocialClaw skill docs by moving auth to stdin and adding CI to block regressions. Fixes #2165.jira_curlwrapper that pipesuser = "$JIRA_EMAIL:$JIRA_API_TOKEN"tocurl -K -; replace allcurl -uexamples in fetch, comments, transitions, and JQL sections.curl -K -in the key validation example; remove-H "Authorization: Bearer $SC_API_KEY".tests/ci/secret-curl-flags.test.jsto ensure examples use stdin config and never pass secrets via-u/--useror-H Authorization.Written for commit 73049c2. Summary will update on new commits.
Summary by CodeRabbit
Documentation
Tests