github runkids/skillshare v0.15.4

🛡️ skillshare v0.15.4 Release Notes

Release date: 2026-02-23

TL;DR

v0.15.4 is a supply-chain security hardening release focused on making install, update, and audit robust against malicious skill content:

  1. Post-update audit gate with rollback: update auto-scans and blocks on findings at/above the active threshold
  2. Post-install audit gate for --track: install --track now runs the same security gate
  3. Unified threshold policy + override flags — install/update both support --audit-threshold, --threshold, -T (including shorthand like -T h)
  4. Content hash pinning — SHA-256 integrity verification detects tampering between updates
  5. --diff flag — shows file-level change summary after update
  6. Structural markdown link parsing — audit rules use a full parser, reducing false positives
  7. Severity-based color ramp — color-coded audit output for faster triage

What's New

1) Post-update security audit gate

skillshare update now runs a security audit after pulling changes. Findings at or above the active threshold trigger a block and rollback:

skillshare update team-skills
# ✓ Pulled latest changes
# ⚠ Security audit found threshold-matching findings — rolling back...
# ✗ Update blocked: threshold gate triggered

skillshare update team-skills --skip-audit   # Bypass the gate
skillshare update team-skills -T h           # Override threshold to HIGH for this run

Key details:

  • Interactive mode: prompts to apply anyway; decline triggers rollback
  • Non-interactive mode (CI/piped): fails closed — automatically rolls back and exits non-zero
  • Tracked repos use git reset for rollback; regular-skill updates fail closed by preserving the existing installation until audit passes
  • Batch update --all counts blocked repos in summary and causes non-zero exit code
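
The gate behaviour listed above, as an added Go example (not skillshare's own code). The function name gate, its parameters and the error wording are assumptions; the two rollback outcomes are worded after the rollback-reporting fix described under Bug Fixes.

```go
package main

import (
	"errors"
	"fmt"
)

// Severity levels named in these release notes, ordered for comparison.
var rank = map[string]int{"INFO": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

var errBlocked = errors.New("update blocked: threshold gate triggered")

// gate runs after the pull. findings holds the severities the audit reported,
// confirm is nil for non-interactive (CI/piped) runs, and rollback restores
// the previous state. All three parameters are assumptions of this example.
func gate(findings []string, threshold string, confirm func() bool, rollback func() error) error {
	limit := rank[threshold] // unknown threshold maps to 0: every finding matches (fail closed)
	hit := false
	for _, sev := range findings {
		if r, known := rank[sev]; !known || r >= limit {
			hit = true // unrecognised severities also count as matches
		}
	}
	if !hit || (confirm != nil && confirm()) {
		return nil // clean, or the operator chose to apply anyway
	}
	if err := rollback(); err != nil {
		return fmt.Errorf("%w: rollback failed, malicious content may remain: %v", errBlocked, err)
	}
	return fmt.Errorf("%w: rolled back", errBlocked)
}

func main() {
	pulled := []string{"LOW", "HIGH"} // constructed audit result
	reset := func() error { return nil }
	fmt.Println(gate(pulled, "CRITICAL", nil, reset)) // <nil>
	fmt.Println(gate(pulled, "HIGH", nil, reset))
	fmt.Println(gate(pulled, "HIGH", nil, func() error { return errors.New("reset failed") }))
}
```

A CI wrapper would map any non-nil return to a non-zero exit code, matching the fail-closed behaviour described for piped runs.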

2) Post-install audit gate for --track

Previously, install --track bypassed all supply-chain security checks. Now it runs the same threshold gate:

skillshare install https://github.com/org/skills --track
# ✓ Cloned repository
# ⚠ Security audit found findings at/above threshold
# ✗ Install blocked — repository removed

skillshare install https://github.com/org/skills --track --skip-audit
skillshare install https://github.com/org/skills --track -T h

  • Fresh installs: blocked repos are removed entirely
  • Tracked repo updates: rolled back via git reset

3) --diff flag for update

See what changed after an update:

skillshare update team-skills --diff
# ✓ Updated team-skills
#   +  new-file.md           (added)
#   ~  SKILL.md              +12 -3
#   -  deprecated.md         (deleted)

  • Tracked repos: line-level counts via git diff
  • Regular skills: file hash comparison showing added/modified/deleted files

4) Content hash pinning and integrity verification

install and update now record SHA-256 hashes of all skill files in .skillshare-meta.json. Subsequent audit runs detect:

  • content-tampered — file hash doesn't match recorded baseline
  • content-missing — expected file no longer exists
  • content-unexpected — new file appeared without going through install/update

skillshare audit my-skill
# [1/1] ✗ my-skill    0.2s
#       └─ HIGH: File content does not match install-time hash (lib.js)
#          Pattern: content-tampered
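
An added Go example of the baseline comparison described above, not the project's implementation: it hashes a tree and classifies drift into the three patterns. hashTree, verify and the in-memory sample are assumptions; the layout of .skillshare-meta.json is not shown on this page, so the baseline here is a plain path-to-hash map.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"io/fs"
	"testing/fstest"
)

// hashTree maps each regular file in fsys (os.DirFS(dir) on disk) to its hex SHA-256.
func hashTree(fsys fs.FS) (map[string]string, error) {
	out := map[string]string{}
	err := fs.WalkDir(fsys, ".", func(p string, d fs.DirEntry, err error) error {
		if err == nil && d.Type().IsRegular() { // directories and symlinks are skipped
			var data []byte
			if data, err = fs.ReadFile(fsys, p); err == nil {
				out[p] = fmt.Sprintf("%x", sha256.Sum256(data))
			}
		}
		return err // a walk or read error aborts the scan: no partial baselines
	})
	return out, err
}

// verify compares the pinned baseline with the current tree: path -> finding pattern.
func verify(baseline, current map[string]string) map[string]string {
	drift := map[string]string{}
	for path, want := range baseline {
		if got, ok := current[path]; !ok {
			drift[path] = "content-missing"
		} else if got != want {
			drift[path] = "content-tampered"
		}
	}
	for path := range current {
		if _, ok := baseline[path]; !ok {
			drift[path] = "content-unexpected"
		}
	}
	return drift
}

var installed = fstest.MapFS{"lib.js": {Data: []byte("ok")}, "old.md": {}} // constructed: as pinned
var onDisk = fstest.MapFS{"lib.js": {Data: []byte("evil")}, "new.sh": {}}  // constructed: after an edit

func main() {
	pinned, _ := hashTree(installed)
	now, err := hashTree(onDisk)
	fmt.Println(verify(pinned, now), err)
}
```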

5) source-repository-link audit rule

New HIGH severity rule detects markdown links labeled "source repo" or "source repository" pointing to external URLs:

└─ HIGH: Markdown link labeled 'source repository' points to external URL (SKILL.md:8)
   Pattern: source-repository-link-0

These links may be used for supply-chain redirect attacks — tricking users or agents into visiting a malicious repo.

6) Structural markdown link parsing

Audit rules (external-link, source-repository-link) now use a full structural markdown parser instead of regex. The parser correctly handles:

  • Inline links with titles: [text](url "title")
  • Reference-style links: [text][ref] with [ref]: url
  • Autolinks: <https://example.com>
  • HTML anchor tags: <a href="...">

And correctly skips:

  • Fenced code blocks (```)
  • Inline code spans (`[not a link](url)`)
  • Image links (![alt](url))

This significantly reduces false positives when skills contain code examples with URLs.

Note: this extends the link-audit groundwork from PR #39 (dangling-link and external-link detection).
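
Why context matters for sections 5 and 6, as an added Go example rather than skillshare's parser: a context-free regex matches every bracket-paren pair in the constructed sample, while a scan that tracks fences, code spans and images reports only the live link. It handles inline links only, and treating http(s) targets as "external" is an assumption.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

var (
	link  = regexp.MustCompile(`(!?)\[([^\]]*)\]\(\s*([^\s)]+)(?:\s+"[^"]*")?\s*\)`)
	code  = regexp.MustCompile("`[^`]*`")
	label = regexp.MustCompile(`(?i)^\s*source\s+repo(sitory)?\s*$`)
)

// Constructed SKILL.md: only line 1 is a live link; the rest is code or an image.
const sample = "[Source Repository](https://fork.example/skills \"official\")\n" +
	"Syntax: `[source repo](https://a.example)`\n" +
	"```\n[source repo](https://b.example)\n```\n" +
	"![source repo](https://c.example/logo.png)\n"

// naiveHits counts every regex match, the way a context-free scan would.
func naiveHits(md string) int { return len(link.FindAllString(md, -1)) }

// sourceRepoLinks tracks fence state, drops inline code spans and images, and
// reports "line N: url" for source-repo labels with an http(s) target (assumed "external").
func sourceRepoLinks(md string) []string {
	var hits []string
	inFence := false
	for i, line := range strings.Split(md, "\n") {
		if fence := strings.HasPrefix(strings.TrimSpace(line), "```"); fence || inFence {
			inFence = inFence != fence // a fence line toggles the state, other lines keep it
			continue
		}
		for _, m := range link.FindAllStringSubmatch(code.ReplaceAllString(line, ""), -1) {
			u := strings.ToLower(m[3])
			ext := strings.HasPrefix(u, "http://") || strings.HasPrefix(u, "https://")
			if m[1] == "" && ext && label.MatchString(m[2]) { // m[1] == "!" marks an image
				hits = append(hits, fmt.Sprintf("line %d: %s", i+1, m[3]))
			}
		}
	}
	return hits
}

func main() {
	fmt.Println("naive regex hits:", naiveHits(sample))
	fmt.Println("structural hits: ", sourceRepoLinks(sample))
}
```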

7) Severity-based visual improvements

Risk floor: audit risk label is now the higher of the score-based label and a floor derived from the most severe finding. A single HIGH finding always gets at least a high risk label, regardless of overall score.

Color ramp: audit output uses consistent color coding for faster triage:

  • CRITICAL → red
  • HIGH → orange
  • MEDIUM → yellow
  • LOW/INFO → gray

Applies to batch summary lines, severity counts, and single-skill risk labels.

Risk score in update output: CLI and Web UI now display the risk label and score after updating regular skills (e.g., "Security: LOW (12/100)"). Web UI toast notifications include the same information.

Bug Fixes

Uninstall group directory config cleanup

Uninstalling a group directory (e.g., frontend/) now properly removes member skill entries (e.g., frontend/react, frontend/vue) from config.yaml via prefix matching.

--skip-audit passthrough

The flag is now consistently honored for both tracked repos and regular skills during update and install.

Server rollback error reporting

Web UI update endpoint now implements the post-pull threshold gate with automatic rollback on findings at/above threshold, matching CLI behavior.

Audit rollback error accuracy

Rollback failures now report whether the reset succeeded ("rolled back") or failed ("malicious content may remain") instead of silently ignoring errors.

Audit error propagation

File hash computation now propagates walk/hash errors instead of silently skipping, ensuring complete integrity baselines.

Upgrading

# Homebrew
brew upgrade skillshare

# Go install
go install github.com/runkids/skillshare/cmd/skillshare@v0.15.4

# Self-upgrade
skillshare upgrade

Changelog

  • 479b0ee docs(changelog): credit PR #39 link-audit groundwork
  • d2b085a feat(ui): redesign audit page with enhanced visual hierarchy
  • 2171dc4 feat: add --diff and audit visibility for regular skill updates
  • 438b5b5 feat: add air hot-reload config for Go backend
  • a2a86c9 feat: add source-repository-link rule and severity-based risk floor (#39)
  • 1369186 feat: add structural markdown link parsing for audit rules
  • a5f84c2 feat: auto-audit gate after update with rollback and --diff summary (#39)
  • 62bd821 feat: content hash pinning and integrity verification (#39)
  • 1637b19 feat: integrate air hot-reload into devcontainer
  • c59ae5a feat: severity-based color ramp for audit output
  • bd76ec9 feat: surface audit risk score in update API and UI
  • cd5902c feat: unify update audit threshold gate and docs
  • 9700474 feat: use air hot-reload in ui-dev targets
  • edd5bab fix(ci): harden redteam signal mutation script
  • ca60592 fix(ui): remove unused threshold param from BlockStamp
  • 3ad814d fix: add audit gate to install --track and tracked repo updates
  • a0bfe99 fix: batch update error propagation, skip-audit passthrough, and security hardening (#39)
  • 41c80f3 fix: harden error handling in security-critical audit paths
  • 6656877 fix: make air install non-fatal during devcontainer setup
  • 70dec0a fix: resolve air binary path and use entrypoint config
  • 5ce6507 fix: server rollback error reporting and isSecurityError classification
  • ea33edd fix: uninstall group directory now removes member skills from config.yaml
  • b93d8f1 fix: wait for API port and fix project-mode cwd with air
  • 52dcdc8 refactor: deduplicate auditGateAfterPull via scan function parameter
