SkillTotal AI Component Security Scan
Version updated for https://github.com/pezhik/skilltotal to version v0.24.0.
- This action is used across all versions by ? repositories.
Action Type
This is a Composite action.
Go to the GitHub Marketplace to find the latest changes.
What’s Changed
Changed
- Prompt-injection/secret precision (ruleset 25): two more FPs on defensive/security content
closed, recall-preserving. (1) A
-----BEGIN PRIVATE KEY-----format marker held as a string constant (auth code building a PEM, e.g.@ai-sdk/google-vertex) no longer flagsST-SECRET-EMBEDDED— the pattern now requires actual base64 key material after the marker; a real multi-line key still fires. (2) A credential path cited inside a markdown inline-code span in a security guide (`write to ~/.ssh`, e.g.claude-blog) is routed toneeds_reviewinstead ofST-SENS-PATH— scoped to markdown, so a JS template literal in code and a bare path in prose still fire. Both removed spuriousST-COMBO-EXFILescalations. New unit tests + negative corpus samples; FP floor and benign corpus stay at zero.