feat: add --path flag for subfolder filtering #11
Merged
trieloff merged 2 commits into trieloff:main from Feb 11, 2026
Adds -p/--path <subfolder> option to restrict skill discovery to a specific subdirectory within the cloned repository. This enables parity with the Vercel Skills CLI's tree-URL syntax for repos that organize skills in nested directories. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
1 issue found across 3 files
Prompt for AI agents (all issues)
Check if these issues are valid — if so, understand the root cause of each and fix them.
<file name="upskill">
<violation number="1" location="upskill:375">
P2: User-provided `--path` is concatenated without validation, allowing `../` to escape the cloned repo and scan/copy SKILL.md files outside the repository.</violation>
</file>
Canonicalize both the clone directory and the resolved search path using pwd -P, then verify the search path is within the clone root. This prevents ../ sequences from escaping the cloned repo. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
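A sketch of the containment check that commit message describes, added here as an example and not taken from the upskill script. The function names, the `cd ... && pwd -P` idiom and the temp-dir fixture are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example. resolve_search_path, make_fixture and every path below are
# hypothetical; none of them come from the upskill script.

# Print the canonical search directory and return 0 when SUBPATH stays inside
# CLONE_DIR; print nothing and return 1 when it escapes or does not exist.
resolve_search_path() {
  rsp_clone=$1 rsp_sub=$2
  # pwd -P prints the physical directory: symlinks and ".." are resolved.
  # CDPATH is cleared so cd cannot search elsewhere or echo a path to stdout.
  rsp_root=$(CDPATH= cd -- "$rsp_clone" 2>/dev/null && pwd -P) || return 1
  rsp_target=$(CDPATH= cd -- "$rsp_clone/$rsp_sub" 2>/dev/null && pwd -P) || return 1
  # Compare on a path-component boundary so "<root>-evil" is not treated as a
  # child of "<root>". The trailing slash lets target == root pass.
  case "$rsp_target/" in
    "$rsp_root"/*) printf '%s\n' "$rsp_target" ;;
    *) return 1 ;;
  esac
}

# Constructed fixture: a fake clone, a sibling with a look-alike name, and a
# symlink inside the clone that points outside it.
make_fixture() {
  fx=$(mktemp -d) || return 1
  mkdir -p "$fx/repo/skills/aem" "$fx/repo-evil" "$fx/outside"
  ln -s ../../outside "$fx/repo/skills/link"
  printf '%s\n' "$fx"
}

# Demo over constructed inputs: two contained paths, then four that must fail.
fixture=$(make_fixture)
for p in skills/aem . ../outside ../repo-evil skills/link nonexistent; do
  if dir=$(resolve_search_path "$fixture/repo" "$p"); then
    echo "allow  $p -> $dir"
  else
    echo "reject $p"
  fi
done
rm -rf "$fixture"
```

A plain string-prefix comparison without the trailing slash would accept `../repo-evil`, and checking the raw argument for `..` would miss the `skills/link` symlink; both are rejected here because the comparison runs on canonical paths.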
Summary
- `-p, --path <subfolder>` option to restrict skill discovery to a specific subdirectory within the cloned repo
- npx skills add https://github.com/owner/repo/tree/main/path)

This allows the adobe/skills README to document equivalent commands for both tools:
Test plan
- `upskill adobe/skills --path skills/aem/edge-delivery-services --list` shows only EDS skills
- `upskill adobe/skills --path skills/aem/edge-delivery-services --all` installs only EDS skills
- `upskill adobe/skills --path nonexistent/path --all` fails with clear error
- `--path` is unchanged
- `make test` includes new --path tests)

🤖 Generated with Claude Code
Summary by cubic
Adds a -p/--path flag to filter skill discovery to a subfolder in the cloned repo. Validates the path after clone, prevents path traversal, and matches the Vercel Skills CLI tree-URL behavior.
Written for commit fbf5452. Summary will update on new commits.