v4-readiness
Generates a v4 upgrade readiness checklist for forks, ensuring operators are prepared for changes before the v4 release.
Security score
The v4-readiness skill was audited on Jun 14, 2026 and we found 30 security issues across 1 threat category, including 2 critical. Review the findings below before installing.
Security Issues
Template literal with variable interpolation in command context
| 8 | > **${var}** — Optional. Pass `dry-run` to skip the notification (article still writes, log still appends). Pass a fork repo slug (e.g. `someuser/aeon`) to read remote `aeon.yml` + `skills.json` from |
Template literal with variable interpolation in command context
| 29 | No new secrets. No new env vars. No new state files. Pure local file I/O over the fork's own working tree, plus optional `gh api` for the `${var}=owner/repo` remote-survey mode. |
Template literal with variable interpolation in command context
| 38 | - `apps/mcp-server/src/index.ts` — MCP server tool-naming Review row scans for the `aeon-${skill_slug}` convention. Optional input (forks without MCP omit this directory). |
Template literal with variable interpolation in command context
| 45 | - `articles/v4-readiness-${today}.md` — the full per-fork readiness report. |
Template literal with variable interpolation in command context
| 46 | - `memory/logs/${today}.md` — log block. |
Template literal with variable interpolation in command context
| 48 | If `${var}` is a fork slug instead of `dry-run` or empty, replace every local file read with `gh api repos/${var}/contents/<path>` and decode the base64 content. Custom-skill scan via `gh api repos/${ |
Template literal with variable interpolation in command context
| 61 | | `articles/${skill}-${today}.md` output convention | per-skill | Consumed by chains, dashboard, syndicate-article — too many readers to break | |
Template literal with variable interpolation in command context
| 64 | | `${today}` template variable | SKILL.md prose | Substituted by the runner; no plan to change | |
Template literal with variable interpolation in command context
| 79 | | MCP server tool naming (`aeon-${skill_slug}`) | `apps/mcp-server/src/index.ts` | Naming convention for forks consuming the MCP | |
Template literal with variable interpolation in command context
| 116 | - If `${var}` matches `^dry-run$` → `MODE=dry-run`. No notification, article still writes. |
Template literal with variable interpolation in command context
| 117 | - Else if `${var}` matches `^[a-zA-Z0-9._-]+/[a-zA-Z0-9._-]+$` → `MODE=remote`, `TARGET=${var}`. All file reads go through `gh api repos/${TARGET}/contents/...`. |
Template literal with variable interpolation in command context
| 118 | - Else if `${var}` is empty → `MODE=local`, `TARGET=$(gh repo view --json nameWithOwner --jq .nameWithOwner)`. |
Template literal with variable interpolation in command context
| 119 | - Anything else → log `V4_READINESS_BAD_VAR: ${var}` and exit (no notify, no article). |
Template literal with variable interpolation in command context
| 131 | | `aeon.yml` | direct read | `gh api repos/${TARGET}/contents/aeon.yml --jq .content \| base64 -d` | required | |
Template literal with variable interpolation in command context
| 134 | | Custom skills | `ls skills/` minus skills present in `skills.json` install rows | `gh api repos/${TARGET}/contents/skills` JSON | required | |
Template literal with variable interpolation in command context
| 135 | | `.github/workflows/chain-runner.yml` | direct read | `gh api repos/${TARGET}/contents/.github/workflows/chain-runner.yml ...` | optional | |
Template literal with variable interpolation in command context
| 136 | | `.outputs/` (listing only — file names suffice) | `ls .outputs/ 2>/dev/null` | `gh api repos/${TARGET}/contents/.outputs` | optional | |
Template literal with variable interpolation in command context
| 137 | | `apps/mcp-server/src/index.ts` | direct read | `gh api repos/${TARGET}/contents/apps/mcp-server/src/index.ts ...` | optional | |
Template literal with variable interpolation in command context
| 138 | | `apps/dashboard/lib/catalog.ts` | direct read | `gh api repos/${TARGET}/contents/apps/dashboard/lib/catalog.ts ...` | optional | |
Template literal with variable interpolation in command context
| 144 | <!-- Issue #184 H1 audit, 2026-05-24: every file named in a Review row's `Where it lives` cell must also appear in this Inputs table. If you add a new Review row, add its file here too (or mark the Re |
Template literal with variable interpolation in command context
| 163 | For each custom-skill candidate: confirm it exists on disk (`skills/${name}/SKILL.md`) and is **not** present in the upstream-fingerprint heuristic (skills with `install: ./add-skill aaronjmars/aeon $ |
Template literal with variable interpolation in command context
| 182 | Path: `articles/v4-readiness-${today}.md`. Overwrite if exists. |
Template literal with variable interpolation in command context
| 184 | ```markdown |
Template literal with variable interpolation in command context
| 255 | ``` |
Template literal with variable interpolation in command context
| 277 | ### 8. Log to `memory/logs/${today}.md` |
Template literal with variable interpolation in command context
| 279 | ``` |
Template literal with variable interpolation in command context
| 301 | | `V4_READINESS_BAD_VAR` | `${var}` was non-empty, non-`dry-run`, not a `owner/repo` slug | No | |
Template literal with variable interpolation in command context
| 307 | **Remote mode (`var=owner/repo`).** Each input read is a single `gh api repos/${TARGET}/contents/${path}` call. `gh` handles auth via the workflow's `GITHUB_TOKEN`, so there is no env-var-in-curl patt |
Piping content to bash shell
| 59 | | `./notify "message"` interface | bash | Operator-facing CLI; documented in CLAUDE.md | |
Piping content to bash shell
| 63 | | `gh api` and `gh pr create` usage in skills | bash | GitHub CLI is stable; sandbox workaround for env-var-in-headers | |