{
  "version": "1.0",
  "type": "repository",
  "interval": "day",
  "date": "2026-04-17",
  "generatedAt": "2026-05-14T23:36:28.292Z",
  "sourceLastUpdated": "2026-05-14T23:36:28.292Z",
  "contentFormat": "markdown",
  "contentHash": "ae7619f6fa25f7d6e165ae2cb54115f3ba7da85f7af65717c3fa4372f6da33a1",
  "entity": {
    "repoId": "elizaos-plugins/registry",
    "owner": "elizaos-plugins",
    "repo": "registry"
  },
  "content": "# elizaos-plugins/registry Daily Update (Apr 17, 2026)\n\n## OVERVIEW \nThe registry focused on security hardening and infrastructure maintenance today. Critical vulnerabilities regarding command injection and sandbox escapes were resolved, and the team moved to clean up automated release failure reporting to reduce noise in the issue tracker.\n\n## KEY TECHNICAL DEVELOPMENTS\n*   **Security Hardening**\n    *   Resolved command injection risks in window management functions by implementing strict `windowId` validation via regex.\n    *   Addressed sandbox escape vulnerabilities in the browser workspace by disabling `eval` in the JSDOM environment and clarifying desktop browser workspace execution boundaries.\n\n## NEWLY OPENED PULL REQUESTS\n*   [#344](https://github.com/elizaos-plugins/registry/pull/344): Add @thecolony/elizaos-plugin to registry.\n*   [#343](https://github.com/elizaos-plugins/registry/pull/343): Add megalaunch-elizaos-plugin.\n\n## CLOSED ISSUES\n*   **Security Vulnerability Patches**\n    *   Fixed command injection vulnerability in `window-list.ts` ([#6766](https://github.com/elizaos-plugins/registry/issues/6766)).\n    *   Resolved sandbox escape vector in `browser-workspace-web.ts` ([#6767](https://github.com/elizaos-plugins/registry/issues/6767)).\n*   **Release Workflow Cleanup**\n    *   Closed multiple automated release failure reports ([#6776](https://github.com/elizaos-plugins/registry/issues/6776), [#6777](https://github.com/elizaos-plugins/registry/issues/6777), [#6794](https://github.com/elizaos-plugins/registry/issues/6794), [#6797](https://github.com/elizaos-plugins/registry/issues/6797), [#6798](https://github.com/elizaos-plugins/registry/issues/6798)) as noise, with plans to remove the automated filing system.\n\n## NEW ISSUES\n*   None.\n\n## ACTIVE ISSUES\n*   [#6766](https://github.com/elizaos-plugins/registry/issues/6766): Addressed command injection via unsanitized `windowId`. The fix implements `validateWindowId()` to enforce strict alphanumeric/hex formatting and utilizes escaping functions for window titles to prevent shell injection.\n*   [#6767](https://github.com/elizaos-plugins/registry/issues/6767): Addressed sandbox escape via `new Function()`. The fix explicitly blocks `eval` in the JSDOM path and clarified that the desktop browser workspace executes within a browser tab context rather than the Node.js process, mitigating the risk of host system escalation."
}