
fix(run): clarify skill scan log — blocked vs uploading #1172

Open
ralphbean wants to merge 1 commit into main from improve-skill-scan-logging

Conversation

@ralphbean
Contributor

Summary

  • WARNING: skill X has N injection finding(s) gave no indication of what happened next — the skill could be blocked or uploaded and the log looked the same
  • Only critical findings block a skill (when fail_mode: closed); high/medium/low findings just warn
  • Adds the disposition to each message and a per-skill upload confirmation so future runs make the outcome unambiguous

Before / after

Non-critical finding (was):

WARNING: skill "…/pr-review" has 1 injection finding(s)

Non-critical finding (now):

WARNING: skill "…/pr-review" has 1 non-critical injection finding(s) — not blocked (only critical findings block); uploading
Skill "pr-review": uploaded to sandbox

Critical finding, fail_mode open (now):

WARNING: skill "…/pr-review" has critical injection findings (fail_mode: open) — uploading anyway
Skill "pr-review": uploaded to sandbox

Critical finding, fail_mode closed (unchanged — returns error, run aborts):

Error: skill "…/pr-review" blocked: critical injection findings in SKILL.md

Test plan

  • Run with a skill that has a non-critical injection finding — confirm new message format
  • Confirm go vet and make lint pass

The log line "WARNING: skill X has N injection finding(s)" gave no
indication of whether the skill was blocked or uploaded. A high-severity
finding looks alarming but does not block the upload; only critical
findings do (when fail_mode is closed). This made post-hoc debugging
ambiguous.

Changes:
- Non-critical findings: append "— not blocked (only critical findings
  block); uploading" so the disposition is unambiguous
- Critical findings with fail_mode open: append "— uploading anyway"
- After every successful upload: log "Skill X: uploaded to sandbox" so
  the upload completion is visible in job logs independently of the scan

Assisted-by: Claude claude-sonnet-4-6 <[email protected]>
Signed-off-by: Ralph Bean <[email protected]>
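
The disposition rules this PR describes, as an added Go example that is not the project's code: `Finding`, `Disposition` and `Decide` are hypothetical names, the sample findings are constructed, and two behaviours are assumptions (any `fail_mode` other than `open` is treated as closed, and the short skill name is the last path element).

```go
package main

import (
	"fmt"
	"path"
)

// Finding is a hypothetical scan result; only Severity matters here.
type Finding struct{ Severity string }

// Disposition is the outcome of the scan for one skill.
type Disposition struct {
	Upload bool     // true when the skill goes to the sandbox
	Logs   []string // lines written to the job log
	Err    error    // non-nil when the skill is blocked and the run aborts
}

// Decide maps findings plus fail_mode to an outcome and its log lines.
// Assumption: any fail_mode other than "open" is treated as closed.
// %q quotes the skill path, so control characters in it are escaped
// and cannot start a new line in the job log.
func Decide(skillPath string, findings []Finding, failMode string) Disposition {
	critical := 0
	for _, f := range findings {
		if f.Severity == "critical" {
			critical++
		}
	}
	uploaded := fmt.Sprintf("Skill %q: uploaded to sandbox", path.Base(skillPath))
	switch {
	case len(findings) == 0: // clean scan: upload confirmation only
		return Disposition{Upload: true, Logs: []string{uploaded}}
	case critical == 0: // high/medium/low findings warn but never block
		warn := fmt.Sprintf("WARNING: skill %q has %d non-critical injection finding(s) — not blocked (only critical findings block); uploading", skillPath, len(findings))
		return Disposition{Upload: true, Logs: []string{warn, uploaded}}
	case failMode == "open": // critical, but the operator chose fail-open
		warn := fmt.Sprintf("WARNING: skill %q has critical injection findings (fail_mode: open) — uploading anyway", skillPath)
		return Disposition{Upload: true, Logs: []string{warn, uploaded}}
	default: // critical and fail-closed: no upload, no confirmation line
		return Disposition{Err: fmt.Errorf("skill %q blocked: critical injection findings in SKILL.md", skillPath)}
	}
}

func main() {
	mixed := []Finding{{"high"}, {"critical"}} // constructed sample
	for _, mode := range []string{"open", "closed"} {
		d := Decide("skills/pr-review", mixed, mode)
		fmt.Println(mode, d.Upload, d.Logs, d.Err)
	}
}
```

Because the upload confirmation is emitted only on the upload paths, its absence after a critical finding is itself evidence in the job log that the skill never reached the sandbox.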
@github-actions

Site preview

Preview: https://49c79a5a-site.fullsend-ai.workers.dev

Commit: 11c898f333b1389858968fa4dd8c52844524adaf

@fullsend-ai-review

Review

Findings

No findings.

fullsend-ai-review (bot) added the ready-for-merge label (All reviewers approved — ready to merge) on May 19, 2026