From scaffolding
Validates inter-agent SendMessage recipients and worktreePath inputs to prevent CWE-59 path traversal and spoofed agent names. Includes two-stage matching algorithm and test cases.
Slash command: /scaffolding:agent-comms
Single source of truth for the two security-critical validation routines every fan-out agent performs over inter-agent messages:

1. Recipient validation: verify the `to:` value before any SendMessage is sent (§1).
2. worktreePath validation: never cd into or act on an unverified path (§2; gitops and reviewer only).

Each agent keeps a compact 3-4 line inline rule so the logic survives even when this skill is not loaded; the full algorithm and test cases live here.
§1 Recipient validation

Before any SendMessage, verify the `to:` value:

1. Format: the name must match `/^[a-z][a-z0-9-]{2,30}$/` (kebab-case, 3-31 chars). Reject anything else before looking at the whitelist.
2. Exact match: `to:` matches one of researcher, architect, developer, reviewer, gitops, orchestrator, analyst, debugger, optimizer, devops, tech-writer. If yes → PASS.
3. Single suffix strip: otherwise strip one trailing `-<digit>+` OR `-<word>` segment from the END of the name and re-check against the whitelist. Apply ONE strip pass only (never recursive). No match after that single strip → FAIL.

Worked cases:

- tech-writer → exact match → PASS
- tech-writer-1 → no exact match → strip -1 → tech-writer → PASS
- researcher-1 → no exact match → strip -1 → researcher → PASS
- analyst-backend → no exact match → strip -backend → analyst → PASS
- architect-synth → no exact match → strip -synth → architect → PASS
- evil-developer → no exact match → strip -developer → evil → not in whitelist → FAIL
- developer-evil-extra → no exact match → strip -extra → developer-evil → not in whitelist → FAIL

Note: "orchestrator" is a reserved peer always reachable for escalation, even when not in your peer list. It is NOT spawnable as an agent.
A single regex cannot distinguish a legitimate fan-out replica name
(researcher-1, analyst-backend) from a spoofed lookalike
(evil-developer). The exact-match-first stage anchors on real agent names; the
single suffix-strip stage admits replica/variant suffixes without ever admitting
a prefix-injected impostor. Stripping is applied exactly ONCE — never
recursively — so developer-evil-extra cannot be peeled down to developer.
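The two-stage check as working code, written here as an added example rather than taken from the scaffolding plugin itself. JavaScript is used because the page already states its regex in JS literal syntax. The whitelist and regex are the page's own; `validateRecipient`, `guardedSend` and the `send(to, body)` transport callback are names assumed for this example. The validator reports which stage decided, which is what you want in the escalation message to orchestrator.

```javascript
// Added example, not the scaffolding plugin's own code.
// Whitelist and regex come from the page; function names are illustrative.
const AGENT_WHITELIST = new Set([
  'researcher', 'architect', 'developer', 'reviewer', 'gitops', 'orchestrator',
  'analyst', 'debugger', 'optimizer', 'devops', 'tech-writer',
]);
const NAME_RE = /^[a-z][a-z0-9-]{2,30}$/;   // kebab-case, 3-31 chars total

// Two-stage check. Returns { ok, base, stage } so the caller can log which
// stage decided and which canonical agent name the recipient resolved to.
function validateRecipient(to) {
  if (typeof to !== 'string' || !NAME_RE.test(to)) {
    return { ok: false, base: null, stage: 'format' };
  }
  // Stage 1: exact match anchors on real agent names.
  if (AGENT_WHITELIST.has(to)) {
    return { ok: true, base: to, stage: 'exact' };
  }
  // Stage 2: strip exactly ONE trailing "-<digits>" or "-<word>" segment.
  // The pattern is anchored at the end, so only the last segment can go,
  // and it is applied once rather than in a loop: "developer-evil-extra"
  // becomes "developer-evil" and stops there, while a prefix-injected
  // "evil-developer" peels down to "evil" and fails.
  const stripped = to.replace(/-[a-z0-9]+$/, '');
  if (stripped !== to && AGENT_WHITELIST.has(stripped)) {
    return { ok: true, base: stripped, stage: 'suffix-strip' };
  }
  return { ok: false, base: null, stage: 'whitelist' };
}

// Guard around the actual send: a recipient that fails validation is never
// messaged; the failure is escalated to orchestrator instead, as the page
// requires. `send(to, body)` stands in for whatever transport the agent uses.
function guardedSend(to, body, send) {
  const v = validateRecipient(to);
  if (v.ok) return send(to, body);
  return send('orchestrator',
    `error: invalid recipient ${JSON.stringify(to)} rejected at stage "${v.stage}"; message withheld`);
}
```

Replica names such as researcher-1 are sent to as written; `base` only tells you which whitelisted agent the name resolved to, which is useful when deciding whether the sender is allowed to talk to that role at all.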
§2 worktreePath validation

When a worktreePath is received from another agent (typically developer), verify ALL of the following BEFORE acting on it:

1. Absolute and under the repo root: the path must be absolute and live under the repo's worktree directory (`/home/komluk/repos/<repo-name>/.scaffolding/worktrees/` or `<repo-root>/.worktrees/`).
2. No `..` segments (`path.includes('..')` → reject).
3. Not a symlink (`test -L <path>` MUST return false). If it is a symlink, resolve it via `realpath -e <path>` and re-validate that the canonical result is still under the repo root; reject if the canonical path escapes the repo root (mitigates CWE-59 link following).
4. Exists on disk as a directory (`test -d <path>`).
5. Registered worktree, exact match: `git worktree list --porcelain | awk -v p="<path>" '$1=="worktree" && $2==p {found=1} END {exit !found}'`. NEVER use plain `grep <path>` (substring match allows /foo/bar to match /foo/bar-evil). Because awk splits on whitespace, a worktree path containing a space will never match this way; that fails closed, which is the safe direction.
6. On any failure: SendMessage orchestrator with error: "invalid worktree path" + the offending value. NEVER cd into or operate on unvalidated paths.

| Check | Threat mitigated |
|---|---|
| Absolute + under repo root | Prevents acting on paths outside the project sandbox |
| No .. segments | Blocks path-traversal escape (/repo/../etc) |
| Not a symlink / canonicalize | CWE-59 link following — a symlink could point outside the repo even when the literal path looks safe |
| Exists on disk | Avoids operating on a fabricated path |
| Registered worktree, exact match | Confirms git itself tracks this worktree; substring match would let /foo/bar-evil impersonate /foo/bar |
| Situation | Action |
|---|---|
| Any SendMessage | Run recipient validation §1 first |
| Recipient fails validation | Escalate to orchestrator, do NOT send |
| Received a worktreePath (gitops/reviewer) | Run worktreePath validation §2 before any cd/git op |
| worktreePath fails any check | SendMessage orchestrator error: "invalid worktree path" + value |
Install: `npx claudepluginhub komluk/scaffolding --plugin scaffolding`