fix(skill-creator): exclude .git and VCS internals from .skill archives (#23180)

The packager included .git directory contents in .skill archives,
causing unnecessary bloat, metadata leakage, and poor artifact hygiene.

Hard-exclude .git, .svn, .hg, __pycache__, and node_modules from
packaged archives. These paths are never useful in distributable skills.

Fixes #23149

Co-authored-by: Cursor <cursoragent@cursor.com>
Sid
2026-02-23 04:24:11 +08:00
committed by GitHub
parent 3f64d4ad7b
commit 3bfe990c33


@@ -64,6 +64,8 @@ def package_skill(skill_path, output_dir=None):
skill_filename = output_path / f"{skill_name}.skill"
EXCLUDED_DIRS = {".git", ".svn", ".hg", "__pycache__", "node_modules"}
# Create the .skill file (zip format)
try:
with zipfile.ZipFile(skill_filename, "w", zipfile.ZIP_DEFLATED) as zipf:
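Review bot: `EXCLUDED_DIRS` is rebuilt inside `package_skill` on every call and has no comment explaining why these names are dropped, so the next maintainer cannot tell that it is a leakage control rather than a size optimisation. I would hoist it to module level as `EXCLUDED_DIRS = frozenset({".git", ".svn", ".hg", "__pycache__", "node_modules"})` with the comment `# Never packaged: VCS metadata and dependency/cache dirs can leak repository internals into a distributed archive`. The comment should also state that matching is by exact, case-sensitive name. On a case-insensitive filesystem a differently cased spelling would presumably not match, which is worth confirming against the platforms the packager supports. The rest of `package_skill` lies outside this hunk.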
@@ -75,6 +77,10 @@ def package_skill(skill_path, output_dir=None):
print(" This is a security restriction to prevent including arbitrary files.")
return None
rel_parts = file_path.relative_to(skill_path).parts
if any(part in EXCLUDED_DIRS for part in rel_parts):
continue
if file_path.is_file():
# Calculate the relative path within the zip
arcname = file_path.relative_to(skill_path.parent)
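Review bot: The exclusion test runs after the restriction check that prints "This is a security restriction…" and does `return None`, so an entry inside an excluded directory can still abort the whole packaging run before it is skipped. The condition guarding that `return None` is outside the hunk, but if it rejects links or paths resolving outside the skill, `node_modules` trees, which often hold symlinks, would presumably trigger it. Moving `rel_parts = file_path.relative_to(skill_path).parts` and the `if any(part in EXCLUDED_DIRS for part in rel_parts): continue` pair above that check makes excluded paths drop out first, while everything that can reach the archive is still validated. Note also that `rel_parts` includes the final component, so a regular file named `.git` (a gitlink) is skipped too. That looks desirable and deserves a comment such as `# matches any path component, including a file literally named .git`.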