Scope skill mutations to caller owner

SkillsManager.update_skill walks every SKILL.md on disk and matches by slug only; the 'owner' key in its scalar_keys whitelist meant a caller could pass updates={'owner': 'attacker', 'description': 'pwned'} and the first matching file on disk got silently re-owned. Two users with the same slug under different category directories (which is supported by the on-disk layout <category>/<name>/SKILL.md) could each stomp the other's skill via the manage_skills tool or the in-process callers in tool_implementations.py (edit, patch, publish, delete). update_skill and delete_skill now require the caller's owner and only match a file whose parsed owner field matches. The default of None means 'no scope' and only matches ownerless skills, so an unsafe call without an explicit owner is now a no-op. 'owner' is also removed from scalar_keys so the updates dict cannot be used to reassign ownership even when the manager is called from an in-process path that didn't supply the owner argument. The in-process callers in tool_implementations.py are updated to pass owner=owner (which was already in scope at every call site) so the HTTP and agent paths both go through the scoped check. The HTTP route at routes/skills_routes.py:1499 was already owner-scoped via sm.load(owner=user); the fix brings the in-process path up to the same standard.
2026-06-01 21:59:43 +01:00
parent 5dd5847d4b
commit d42e6a7acc
3 changed files with 220 additions and 9 deletions
--- a/services/memory/skills.py
+++ b/services/memory/skills.py
@@ -363,19 +363,33 @@ class SkillsManager:

        return sk.to_dict()

-    def update_skill(self, skill_id: str, updates: Dict) -> bool:
+    def update_skill(self, skill_id: str, updates: Dict, owner: Optional[str] = None) -> bool:
        """`skill_id` is the slug name. Allows updating any field plus
-        renames if `name` changes (file is moved on disk)."""
+        renames if `name` changes (file is moved on disk).
+
+        The call is owner-scoped: it matches a skill on disk only if
+        `skill.owner == owner` (string compare; both empty-string and
+        None mean "ownerless"). When `owner is None` (the default), the
+        call only matches skills whose own `owner` field is empty —
+        callers that want to edit an owned skill must pass the matching
+        owner explicitly. This prevents a caller with one owner from
+        mutating a file owned by another user that happens to share
+        the same slug across category directories. The `owner` key in
+        `updates` is also ignored — ownership is not an editable field
+        via this path; rename or admin tooling is required for that.
+        """
        for path in self._iter_skill_files():
            sk = self._read_skill(path)
            if not sk or sk.name != skill_id:
                continue
+            if (sk.owner or "") != (owner or ""):
+                continue
+
            old_dir = os.path.dirname(path)

-            # Apply updates in a Skill-shape friendly way
            scalar_keys = (
                "description", "version", "category", "status", "confidence",
-                "source", "teacher_model", "owner", "when_to_use",
+                "source", "teacher_model", "when_to_use",
                "body_extra",
            )
            for k in scalar_keys:
@@ -421,11 +435,13 @@ class SkillsManager:
            return True
        return False

-    def delete_skill(self, skill_id: str) -> bool:
+    def delete_skill(self, skill_id: str, owner: Optional[str] = None) -> bool:
        for path in self._iter_skill_files():
            sk = self._read_skill(path)
            if not sk or sk.name != skill_id:
                continue
+            if (sk.owner or "") != (owner or ""):
+                continue
            skill_dir = os.path.dirname(path)
            try:
                # Remove the whole skill dir