From 3e6203acffdda2a4f6a332c339d3a53540e281ed Mon Sep 17 00:00:00 2001
From: "claude[bot]"
Date: Tue, 21 Apr 2026 00:35:49 +0000
Subject: [PATCH] fix(security): validate FEATURE arg in check-status.sh to prevent path traversal

Co-Authored-By: Claude Code
---
 skills/dev-lifecycle/scripts/check-status.sh | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/skills/dev-lifecycle/scripts/check-status.sh b/skills/dev-lifecycle/scripts/check-status.sh
index bbf78cba..e506a47a 100755
--- a/skills/dev-lifecycle/scripts/check-status.sh
+++ b/skills/dev-lifecycle/scripts/check-status.sh
@@ -10,6 +10,12 @@ if [[ $# -lt 1 ]]; then
 fi
 
 FEATURE="$1"
+
+if [[ ! "$FEATURE" =~ ^[a-zA-Z0-9_-]+$ ]]; then
+ echo "Error: feature name must contain only letters, digits, hyphens, and underscores"
+ exit 1
+fi
+
 DOCS="docs/ai"
 
 exists() { [[ -f "$1" ]]; }
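Review bot: The allowlist in the added `if [[ ! "$FEATURE" =~ ^[a-zA-Z0-9_-]+$ ]]` check rejects `/` and `.`, but it still accepts a value whose first character is `-`. That is harmless as long as FEATURE is only embedded inside a path under `docs/ai`, but it would be read as an option if any later command receives it as a standalone argument; the rest of the script lies outside this hunk, so that use should be confirmed. Anchoring the first character removes the question: `^[a-zA-Z0-9][a-zA-Z0-9_-]*$`. The rejection message is also printed to stdout, so `echo "Error: ..." >&2` would keep it out of any output a caller captures or parses.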