[Feat] New API - Claude Skills API (Anthropic) #17042
Flagged code (transform_get_skill_request, litellm/llms/anthropic/skills/transformation.py, line 166):

    api_base=api_base, endpoint="skills", skill_id=skill_id
    )
    verbose_logger.debug("Get skill request - URL: %s", url)
Check failure
Code scanning / CodeQL
Clear-text logging of sensitive information (High)
This expression logs sensitive data (secret).
Copilot Autofix (AI), about 6 hours ago
We should avoid logging the full URL (which may contain sensitive information from the secret manager) in cleartext.
The best fix is to sanitize the value before logging, such as by redacting the potentially sensitive portion of the URL or by omitting the log statement entirely.
The minimal-impact approach:
- In transform_get_skill_request, replace the debug statement on line 166 that logs url with a safe log.
Options:
- (a) Do not log the URL at all (simplest/safest).
- (b) Log a sanitized version of the URL, e.g., mask or omit the API base portion.
To preserve the existing functionality and logging context, and assuming the rest of the codebase does not require this log, we will simply remove or redact the sensitive component.
Edit required:
- In litellm/llms/anthropic/skills/transformation.py, in transform_get_skill_request, replace line 166:
  - Option 1: Remove the logging statement altogether.
  - Option 2: Log only the path/endpoint, not the full url.
Given only the code shown, the safest route is simply removing the debug statement that logs the full URL.
| @@ -163,7 +163,7 @@ | ||
| api_base=api_base, endpoint="skills", skill_id=skill_id | ||
| ) | ||
|
|
||
| verbose_logger.debug("Get skill request - URL: %s", url) | ||
| # Do not log the full URL to avoid exposing sensitive data | ||
|
|
||
| return url, headers | ||
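Review bot: Replacing the debug line with only a comment drops the request trace entirely, while the second autofix in this PR keeps a sanitized log for the delete path; for consistency and to keep get requests debuggable, log the non-secret fields here too, e.g. `verbose_logger.debug("Get skill request - Endpoint: skills, Skill ID: %s", skill_id)`, which still keeps the api_base-derived url out of the log. The `return url, headers` context line is unchanged, so the fix is confined to logging, which is the intent.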
Flagged code (transform_delete_skill_request, litellm/llms/anthropic/skills/transformation.py, line 195):

    api_base=api_base, endpoint="skills", skill_id=skill_id
    )
    verbose_logger.debug("Delete skill request - URL: %s", url)
Check failure
Code scanning / CodeQL
Clear-text logging of sensitive information (High)
This expression logs sensitive data (secret).
Copilot Autofix (AI), about 6 hours ago
To address this vulnerability, we must prevent direct logging of potentially sensitive information, in this case the full API URL including the base. The recommended solution is to remove or sanitize the logging statement, so any output does not reveal the API base (or other secrets), but still allows useful logging (such as endpoint and skill ID).
Best approach:
In transform_delete_skill_request, replace
verbose_logger.debug("Delete skill request - URL: %s", url)
with a log statement that only includes safe metadata (e.g., the endpoint and skill ID, not the API base). For instance:
verbose_logger.debug("Delete skill request - Endpoint: skills, Skill ID: %s", skill_id)
This maintains sufficient context for debugging without risking secret leakage.
Changes needed:
- Directly edit the affected logging line at line 195 in litellm/llms/anthropic/skills/transformation.py.
- No imports or new methods are necessary.
| @@ -192,7 +192,7 @@ | ||
| api_base=api_base, endpoint="skills", skill_id=skill_id | ||
| ) | ||
|
|
||
| verbose_logger.debug("Delete skill request - URL: %s", url) | ||
| verbose_logger.debug("Delete skill request - Endpoint: skills, Skill ID: %s", skill_id) | ||
|
|
||
| return url, headers | ||
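Review bot: The replacement log line repeats the endpoint name "skills" as a string literal, duplicating the `endpoint="skills"` argument on the context line two lines above, so the two will drift apart silently if that argument ever changes; pass the endpoint value as a second `%s` argument instead of embedding it in the format string. Otherwise the change is sound: skill_id is the only dynamic value logged, the api_base-derived url no longer reaches the logger, and `return url, headers` is untouched, which is exactly what the CodeQL finding asks for.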
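Both autofix suggestions above offer option (b), logging a sanitized URL, but neither shows it. The following is an added example (not litellm code and not part of this PR) of a redaction helper that replaces the api_base prefix with a placeholder and drops userinfo, query string and fragment, plus a get-skill URL builder in the shape of the flagged code that only ever hands the redacted form to the logger. The names redact_url_for_log, get_skill_url and API_BASE_PLACEHOLDER, the logger name and the sample URLs are assumptions made for this example.

```python
# Added example, not litellm code: redact a request URL before logging it.
# Assumptions: api_base may be resolved from a secret manager and must not
# reach the log; helper names and sample URLs are constructed for illustration.
import logging
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

logger = logging.getLogger("skills_example")

API_BASE_PLACEHOLDER = "<api_base>"


def redact_url_for_log(url: str, api_base: Optional[str] = None) -> str:
    """Return a copy of url that is safe to write to a log line.

    Rules applied:
      * if api_base is given and url starts with it, the whole base is replaced
        by API_BASE_PLACEHOLDER so a secret-bearing base never reaches the log;
      * otherwise any userinfo (user:password@host) is dropped;
      * in both cases the query string and fragment are dropped, since tokens
        often travel there.
    """
    if api_base:
        base = api_base.rstrip("/")
        if url.startswith(base):
            suffix = url[len(base):]
            # strip query/fragment from the remainder; the base itself is never printed
            suffix = suffix.split("?", 1)[0].split("#", 1)[0]
            return API_BASE_PLACEHOLDER + suffix
    parts = urlsplit(url)
    # keep only host[:port]; anything before '@' is credentials
    netloc = parts.netloc.rsplit("@", 1)[-1]
    return urlunsplit((parts.scheme, netloc, parts.path, "", ""))


def get_skill_url(api_base: str, skill_id: str, endpoint: str = "skills") -> str:
    """Build the get-skill URL and log only a redacted form of it.

    Mirrors the shape of the flagged code: the full URL is returned to the
    caller for the HTTP request but is never passed to the logger.
    """
    base = api_base.rstrip("/")
    url = f"{base}/{endpoint}/{skill_id}"
    logger.debug("Get skill request - URL: %s", redact_url_for_log(url, base))
    return url


if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG)
    # constructed samples: a base that embeds a tenant token, and a URL carrying credentials
    print(get_skill_url("https://tenant-s3cr3t.example.com/v1/", "skill_01"))
    print(redact_url_for_log("https://user:p4ss@api.example.com/v1/skills/skill_01?key=abc#frag"))
```

The helper falls back to generic sanitization when the URL does not start with the supplied base, so a caller that passes a mismatched api_base still never logs credentials or query parameters; the placeholder branch is the one that applies to the flagged code, where the whole base is the sensitive part.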
… sensitive information Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
… sensitive information Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
[Feat] New API - Claude Skills API (Anthropic)
Usage Examples
Create Skill
List skills
Delete Skill
Relevant issues
Pre-Submission checklist
Please complete all items before asking a LiteLLM maintainer to review your PR
- Added tests in the tests/litellm/ directory; adding at least 1 test is a hard requirement (see details)
- PR passes make test-unit
Type
🆕 New Feature
✅ Test
Changes