🛡️ skillshare v0.16.9 Release Notes
Release date: 2026-03-03
TL;DR
v0.16.9 is the audit engine overhaul release, covering rules management, security policy profiles, analyzer pipeline, finding enrichment, and 12+ new detection rules:
- `audit rules` subcommand: browse, disable, enable, override severity, reset rules from CLI or interactive TUI
- Security profiles: `--profile strict|default|permissive` sets threshold + dedupe in one flag
- Global deduplication: SHA-256 fingerprint-based finding dedup across all skills (now default)
- Analyzer pipeline: `--analyzer` flag to run specific analyzers; findings enriched with ruleId, analyzer, category, confidence, fingerprint
- Category threat breakdown: summary shows per-category counts (injection, exfiltration, credential, etc.)
- 12+ new detection rules: interpreter tier (T6), invisible payloads, bidi attacks, DNS exfil, self-propagation, config poisoning, and more
- Regex prefilters: conservative literal-substring prefilters reduce scan time
No breaking changes. Drop-in upgrade from v0.16.8.
Audit Rules Management
audit rules subcommand
Full lifecycle management for audit rules without editing YAML:
```bash
skillshare audit rules                                  # interactive TUI browser
skillshare audit rules --format json                    # machine-readable listing
skillshare audit rules --severity HIGH                  # filter by severity
skillshare audit rules --pattern prompt-injection       # filter by pattern
skillshare audit rules --disabled                       # show only disabled rules
skillshare audit rules disable <rule-id>                # disable a single rule
skillshare audit rules disable --pattern <pattern>      # disable all rules in a pattern
skillshare audit rules enable <rule-id>                 # re-enable a rule
skillshare audit rules severity <rule-id> HIGH          # override severity
skillshare audit rules severity --pattern <p> MEDIUM    # override pattern severity
skillshare audit rules reset                            # restore built-in defaults
skillshare audit rules init                             # create starter audit-rules.yaml
```
Audit Rules TUI
Interactive bubbletea browser with:
- Accordion pattern groups (expand/collapse with Enter)
- Severity tabs: ALL / CRIT / HIGH / MED / LOW / INFO / OFF
- Text filter (`/` to search)
- Inline actions: `d` disable, `e` enable, `s` severity override, `R` reset
- Split layout: left list + right detail panel
Pattern-Level Overrides
audit-rules.yaml now supports pattern-level entries that apply to all rules under a pattern:
```yaml
rules:
  prompt-injection:
    disabled: true        # disables all prompt-injection-* rules
  credential-access:
    severity: MEDIUM      # downgrades all credential-access-* rules
```
Security Policy & Deduplication
--profile flag
Preset security profiles that configure threshold + deduplication in one flag:
| Profile | Block Threshold | Dedupe Mode | Use Case |
|---|---|---|---|
| `default` | CRITICAL | global | Standard scanning |
| `strict` | HIGH | global | CI gates, high-security environments |
| `permissive` | CRITICAL | legacy | Tutorial/demo skills, minimal blocking |
```bash
skillshare audit --profile strict       # blocks on HIGH+, global dedupe
skillshare audit --profile permissive   # blocks on CRITICAL only, per-skill dedupe
```
--dedupe flag
Control finding deduplication independently:
- `global` (default): deduplicates across all skills using SHA-256 fingerprints; keeps highest severity when duplicates exist
- `legacy`: per-skill deduplication only (v0.16.8 behavior)
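The difference between the two dedupe modes, as an added example that is not skillshare's own code. The fingerprint inputs (rule ID plus matched text), the `Finding` shape, and keeping the highest severity in legacy mode are assumptions; the notes only state that the fingerprint is SHA-256 and that global mode keeps the highest severity.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

type Finding struct {
	Skill, RuleID, Snippet, Severity string
}

var rank = map[string]int{"INFO": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

// fingerprint hashes rule ID plus matched text. ASSUMPTION: the notes do not
// say which fields skillshare feeds into its SHA-256 fingerprint.
func fingerprint(f Finding) string {
	sum := sha256.Sum256([]byte(f.RuleID + "\x00" + f.Snippet))
	return hex.EncodeToString(sum[:])
}

// dedupe keys on the fingerprint alone ("global") or on skill+fingerprint ("legacy").
func dedupe(in []Finding, mode string) []Finding {
	index := map[string]int{} // key -> position in out
	var out []Finding
	for _, f := range in {
		key := fingerprint(f)
		if mode == "legacy" {
			key = f.Skill + "\x00" + key
		}
		if i, seen := index[key]; seen {
			if rank[f.Severity] > rank[out[i].Severity] {
				out[i] = f // keep the highest severity among duplicates
			}
			continue
		}
		index[key] = len(out)
		out = append(out, f)
	}
	return out
}

func main() {
	in := []Finding{ // constructed findings
		{"skill-a", "untrusted-install-0", "npx -y some-pkg", "MEDIUM"},
		{"skill-b", "untrusted-install-0", "npx -y some-pkg", "HIGH"},
		{"skill-b", "untrusted-install-1", "pip install https://example.invalid/p.tgz", "MEDIUM"},
	}
	fmt.Println(len(dedupe(in, "global")), len(dedupe(in, "legacy")))
}
```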
```bash
skillshare audit --dedupe legacy   # opt out of global dedup
```
Policy Display
Active policy is now shown in:
- Audit header: profile name, threshold, dedupe mode
- Summary box: "Policy: strict" (colorized by profile)
- TUI footer: inline policy indicator
Analyzer Pipeline
--analyzer flag
Run only specific analyzers (repeatable):
```bash
skillshare audit --analyzer static                    # regex rules only
skillshare audit --analyzer dataflow                  # taint tracking only
skillshare audit --analyzer static --analyzer tier    # combine multiple
```
Available analyzers: static, dataflow, tier, integrity, structure, cross-skill.
Finding Enrichment
Every finding now carries Phase 2 traceability fields:
| Field | Type | Description |
|---|---|---|
| `ruleId` | string | Stable rule identifier (e.g., `prompt-injection-1`) |
| `analyzer` | string | Which analyzer produced it (static, dataflow, tier, etc.) |
| `category` | string | Threat category (injection, exfiltration, credential, obfuscation, privilege, integrity, structure, risk) |
| `confidence` | float | 0–1 confidence score |
| `fingerprint` | string | SHA-256 hash for deduplication |
These fields appear in JSON, SARIF, and Markdown output formats.
Category Threat Breakdown
Summary now includes a per-category count line across all output channels:
- CLI: `Threats: injection:3 credential:1 exfiltration:1` (ANSI colored)
- TUI: `Threats: inj:3 cred:1 exfil:1` (lipgloss styled, short names)
- JSON: `"byCategory": {"injection": 3, "credential": 1, ...}`
- Markdown: Threats column in summary table
Sorted by count (descending), then alphabetically.
New Detection Rules
Interpreter Tier (T6)
New command tier for Turing-complete runtimes:
| Tier | Label | Commands | Standalone Severity |
|---|---|---|---|
| T6 | `interpreter` | python, python3, node, ruby, perl, lua, php, bun, deno, npx, tsx, pwsh, powershell | INFO |
Findings:
- `tier-interpreter` (INFO): interpreter present
- `tier-interpreter-network` (MEDIUM): interpreter + network commands
- `cross-skill-cred-interpreter` (MEDIUM): credential access in one skill + interpreter in another
Version-suffix stripping: `python3.11` → T6:interpreter. `env python3 script.py` → T6:interpreter (no longer hidden behind `env`).
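One way to classify a command line into the T6 tier with the version-suffix and `env` handling described above. This is an added example, not skillshare's implementation; the function name `commandTier` and the simplified treatment of `env` options are assumptions.

```go
package main

import (
	"fmt"
	"path"
	"regexp"
	"strings"
)

// T6 command names exactly as listed in the tier table above.
var interpreters = map[string]bool{
	"python": true, "python3": true, "node": true, "ruby": true, "perl": true,
	"lua": true, "php": true, "bun": true, "deno": true, "npx": true,
	"tsx": true, "pwsh": true, "powershell": true,
}

// versionSuffix matches trailing version digits, e.g. "3.11" in "python3.11".
var versionSuffix = regexp.MustCompile(`[0-9]+(\.[0-9]+)*$`)

// commandTier returns "T6:interpreter" when the command line starts an
// interpreter, looking through an env wrapper; otherwise "". ASSUMPTION:
// env options that take a separate argument (such as -u NAME) are not handled.
func commandTier(cmdline string) string {
	fields := strings.Fields(cmdline)
	if len(fields) > 0 && path.Base(fields[0]) == "env" {
		fields = fields[1:]
		// Skip env options and NAME=value assignments before the real command.
		for len(fields) > 0 && (strings.HasPrefix(fields[0], "-") || strings.Contains(fields[0], "=")) {
			fields = fields[1:]
		}
	}
	if len(fields) == 0 {
		return ""
	}
	name := path.Base(fields[0]) // "/usr/bin/python3" -> "python3"
	if interpreters[name] || interpreters[versionSuffix.ReplaceAllString(name, "")] {
		return "T6:interpreter"
	}
	return ""
}

func main() {
	// Constructed command lines.
	for _, c := range []string{"python3.11 run.py", "env python3 script.py",
		"/usr/bin/env -i PATH=/bin node app.js", "ls -la"} {
		fmt.Printf("%-42q %q\n", c, commandTier(c))
	}
}
```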
Prompt Injection (expanded)
| Rule | Severity | Detects |
|---|---|---|
| prompt-injection-1 (updated) | CRITICAL | `SYSTEM:`, `OVERRIDE:`, `IGNORE:`, `ADMIN:`, `ROOT:` prefixes |
| prompt-injection-2 (new) | HIGH | Agent directive tags: `<system>`, `</instructions>`, `</override>` |
| prompt-injection-3 (new) | CRITICAL | DEVELOPER MODE, DEV MODE, JAILBREAK, DAN MODE |
| prompt-injection-4 (new) | CRITICAL | Output suppression: "don't tell the user", "hide this from the user" |
Invisible Payload (new pattern)
| Rule | Severity | Detects |
|---|---|---|
| hidden-unicode-1 | CRITICAL | Unicode tag characters U+E0001–U+E007F (0px width, processed by LLMs) |
Uses dedicated invisible-payload pattern to ensure CRITICAL findings are never suppressed in tutorial contexts.
Hidden Unicode (expanded)
| Rule | Severity | Detects |
|---|---|---|
| hidden-unicode-2 (new) | HIGH | Bidirectional text control U+202A–U+202E, U+2066–U+2069 (Trojan Source CVE-2021-42574) |
| hidden-unicode-3 (new) | MEDIUM | Soft hyphens U+00AD, directional marks U+200E–U+200F, invisible math operators U+2061–U+2064 |
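A scanner covering the code point ranges from the invisible-payload and hidden-unicode tables above, reporting line and rune column for each hit. This is an added example, not skillshare's code; the rule IDs, severities and ranges come from the tables, while the `Hit` type and `scanHiddenUnicode` function are assumptions.

```go
package main

import "fmt"

// Ranges and rule IDs are from the tables above; the matching logic is an assumption.
var unicodeRules = []struct {
	lo, hi       rune
	id, severity string
}{
	{0xE0001, 0xE007F, "hidden-unicode-1", "CRITICAL"}, // Unicode tag characters
	{0x202A, 0x202E, "hidden-unicode-2", "HIGH"},       // bidi embeddings/overrides
	{0x2066, 0x2069, "hidden-unicode-2", "HIGH"},       // bidi isolates
	{0x00AD, 0x00AD, "hidden-unicode-3", "MEDIUM"},     // soft hyphen
	{0x200E, 0x200F, "hidden-unicode-3", "MEDIUM"},     // directional marks
	{0x2061, 0x2064, "hidden-unicode-3", "MEDIUM"},     // invisible math operators
}

type Hit struct {
	Line, Col        int // 1-based line and rune column
	Rune             rune
	RuleID, Severity string
}

// scanHiddenUnicode walks the text rune by rune, so columns count code points, not bytes.
func scanHiddenUnicode(text string) []Hit {
	var hits []Hit
	line, col := 1, 0
	for _, r := range text {
		if r == '\n' {
			line, col = line+1, 0
			continue
		}
		col++
		for _, rule := range unicodeRules {
			if r >= rule.lo && r <= rule.hi {
				hits = append(hits, Hit{line, col, r, rule.id, rule.severity})
				break
			}
		}
	}
	return hits
}

func main() {
	// Constructed sample: two tag characters on line 1, an RLO override on line 2.
	sample := "Summarize\U000E0069\U000E0067 this file\naccess = \"user\u202E\"\n"
	for _, h := range scanHiddenUnicode(sample) {
		fmt.Printf("%d:%d U+%04X %s %s\n", h.Line, h.Col, h.Rune, h.RuleID, h.Severity)
	}
}
```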
Other New Rules
| Rule | Severity | Detects |
|---|---|---|
| config-manipulation-0 | HIGH | Instructions to modify MEMORY.md, CLAUDE.md, .cursorrules, etc. |
| data-exfiltration-2 | MEDIUM | Markdown images with query parameters |
| data-exfiltration-3 | HIGH | DNS exfiltration via dig/nslookup/host with command substitution |
| hidden-comment-injection-1 | HIGH | Prompt injection in markdown reference-link comments `[//]: #` |
| self-propagation-0 | HIGH | "Add/inject this instruction to all/every/other files" |
| untrusted-install-0 | MEDIUM | `npx -y` / `npx --yes` (auto-execute) |
| untrusted-install-1 | MEDIUM | `pip install https://` (install from URL) |
Table-Driven Credential Access
Credential rules are now generated from a data table covering 30+ sensitive paths × 5 access methods. Descriptive rule IDs: credential-access-ssh-private-key, credential-access-etc-shadow-copy, etc. Supports `~`, `$HOME`, `${HOME}` variants. Heuristic catch-all for unknown home dotdirs.
Performance
- Regex prefilters: static analyzer applies conservative literal-substring checks before running regex. Rules with a `prefilter` field skip the full regex if the literal substring isn't present in the line. Reduces scan time on large skills with many rules.
Bug Fixes
- Regex bypass vulnerabilities: fixed prompt injection rules bypassed by leading whitespace or mixed case; fixed data-exfiltration image exclude allowing `.png?stolen_data`; fixed `dd if=/etc/shadow` mislabeled as `destructive-commands`
- SSH public key false positive: `.pub` files no longer trigger CRITICAL credential-access findings
- Catch-all regex bypass: heuristic catch-all no longer silenced by known credential paths on the same line
- Structured output ANSI leak: `--format json/sarif/markdown` no longer leaks cursor codes
- Severity-only merge: editing only severity in `audit-rules.yaml` no longer drops regex patterns
- Profile threshold fallback: profile presets correctly set threshold when config has no explicit `block_threshold`
- TreeSpinner ghost cursor: fixed missing `WithWriter` causing cursor codes on structured output
- TUI summary overflow: category threat breakdown renders on a separate line for narrow terminals
Upgrade
```bash
skillshare upgrade
# or
go install github.com/runkids/skillshare/cmd/skillshare@v0.16.9
```
No migration needed. All changes are additive. The default dedupe mode changed from legacy to global; use `--dedupe legacy` or set `dedupe_mode: legacy` in config to opt out.
Changelog
- ef26da2 chore: update docs
- adae3ee feat(audit): add Analyzer interface, registry, and pipeline refactoring
- dbe759e feat(audit): add CLI rules subcommand, severity override, reset, and redesign Web UI
- 9eabb29 feat(audit): add CompiledRule type with ListRules and PatternSummary
- e7d1018 feat(audit): add Finding schema fields - RuleID, Analyzer, Category, Confidence, Fingerprint
- 47ee1ed feat(audit): add Policy type and ResolvePolicy with profile presets
- 9997114 feat(audit): add ToggleRule/TogglePattern for programmatic rule management
- 459c322 feat(audit): add category breakdown to summary across all output channels
- b5372b1 feat(audit): add global deduplication with composite key
- 53fdf0b feat(audit): add semantic coloring to CLI summary box Threats line
- 1b284e9 feat(audit): add semantic coloring to TUI summary footer
- 885f072 feat(audit): add table-driven credential detection and 12 new security rules
- 0b3fc11 feat(audit): add two-level TUI for audit rules browsing and toggling
- ef5a36c feat(audit): change default dedupe mode from legacy to global
- c86886e feat(audit): colorize policy values, show audit config in status
- 7a6ba45 feat(audit): expand prompt injection detection, add interpreter tier and credential rules
- 33578fb feat(audit): show policy in header/summary/TUI, suppress clean lines in batch
- beb4a1e feat(audit): support pattern-level rules in audit-rules.yaml merge
- 0d04399 feat(audit): surface Phase 2 fields (ruleId, analyzer, category) across all output channels
- d1e7f65 feat(audit): wire --analyzer CLI flag, config field, and update docs
- d185f21 feat(audit): wire --profile/--dedupe flags, dedupe pipeline, and policy output
- 3465100 feat(config): add profile and dedupe_mode to AuditConfig and schemas
- 474bf3e feat(devcontainer): standalone lifecycle without VS Code dependency
- 3f8d425 feat(server): add compiled rules listing and toggle API endpoints
- 5d95650 fix(audit): close regex bypass vulnerabilities and improve code reuse
- 5f0b294 fix(audit): improve policy line readability on dark terminals
- 07f70ab fix(audit): let profile presets set threshold when config has no explicit block_threshold
- 6d9545c fix(audit): populate policy fields before TUI launch and update docs
- 1caba25 fix(audit): prevent severity-only merge from wiping rules and enable --pattern from ignoring ID-level disables
- 1676d7d fix(audit): suppress pterm cursor codes leaking into structured stdout
- 7d49f4a fix(devcontainer): expose ports for standalone docker compose usage
- ae60c52 fix(ui): add missing WithWriter to TreeSpinner to eliminate ghost cursor
- 714d5f9 perf(audit): reduce regex scans with conservative prefilters
- a723177 refactor(audit): extract render and policy helpers, name anonymous struct
- bcbbaaf refactor(audit): remove noisy rules, recalibrate credential severities
- 6aac917 refactor(audit): simplify registry, dedupe, colorize, and API signatures
- a97cf9e refactor(audit): simplify rules code, fix N+1 I/O, and extract shared helpers