From dcdbbb7e5c6fc648c4d3a222524718b00a57d13a Mon Sep 17 00:00:00 2001
From: Abhimanyu Saharan
Date: Fri, 13 Feb 2026 23:21:47 +0000
Subject: [PATCH] fix(skills): re-validate pack URL before git clone
---
 backend/app/api/skills_marketplace.py | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/backend/app/api/skills_marketplace.py b/backend/app/api/skills_marketplace.py
index 75edab7..ac42ce7 100644
--- a/backend/app/api/skills_marketplace.py
+++ b/backend/app/api/skills_marketplace.py
@@ -378,6 +378,9 @@ def _collect_pack_skills_from_repo(
 def _collect_pack_skills(source_url: str) -> list[PackSkillCandidate]:
 """Clone a pack repository and collect skills from index or `skills/**/SKILL.md`."""
+ # Defense-in-depth: validate again at point of use before invoking git.
+ _validate_pack_source_url(source_url)
+
 with TemporaryDirectory(prefix="skill-pack-sync-") as tmp_dir:
 repo_dir = Path(tmp_dir)
 try:
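Review bot: The added `_validate_pack_source_url(source_url)` call checks the URL string only, and the same unmodified `source_url` is then used inside the `with` block, so the guard does not bound what git itself does with it (a redirect followed during the fetch, or a transport other than the one the validator expects). The clone invocation is outside this hunk, so this is inferred: if it is not already done there, pass the URL after `--` and pin the policy at the git layer, for an https-only policy e.g. `-c protocol.allow=never -c protocol.https.allow=always -c http.followRedirects=false`. The call also sits before the `try:`, so whatever the validator raises leaves `_collect_pack_skills` without passing through that handler; the docstring should say so, e.g. `Raises whatever _validate_pack_source_url raises when source_url is not an allowed pack source.` The commit touches one file and adds no test; a test asserting that a rejected URL never reaches the git call would keep this guard from being dropped silently in a later refactor.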