fix: YAML type coercion detection, reference depth dedup, README accuracy

Brad Kinnard · Brad Kinnard · commit 8e7fed75ef9e · 2026-03-11T19:09:34.000-06:00
Unsolved problem solved:
- Added frontmatter.name.type and frontmatter.description.type rules
  that catch YAML safe_load silently converting bare values (true → bool,
  123 → int, null → None). Provides clear fix: quote the value.

Bugs fixed:
- check_reference_depth emitted duplicate diagnostics for ../../ paths
  (both depth-exceeded AND traverses-above). Changed to elif.
- README Rules table said 'Body exceeds' for sizing rules but code counts
  full file lines/tokens. Fixed to say 'File exceeds'.

Cleanup:
- Standardized on collections.abc.Callable (was typing.Callable in 2 files)
- Added action/entrypoint.py to CI compile check
- 171 tests passing (was 160)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -61,6 +61,7 @@ jobs:
           python -m py_compile src/skillcheck/rules/frontmatter.py
           python -m py_compile src/skillcheck/rules/references.py
           python -m py_compile src/skillcheck/rules/sizing.py
+          python -m py_compile action/entrypoint.py
 
   package:
     runs-on: ubuntu-latest
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -18,6 +18,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - **Agent-scoped checks** — `--target-agent {claude,vscode,all}` scopes compatibility diagnostics to a specific agent.
 - **Skip flags** — `--skip-dirname-check` and `--skip-ref-check` for CI environments where filesystem context is unavailable.
 - **`-q`/`--quiet` flag** — suppresses all output; exit code only.
+- **YAML type coercion detection** — `frontmatter.name.type` and `frontmatter.description.type` catch when `yaml.safe_load` silently converts bare values like `true`, `123`, or `null` into non-string types. Provides clear fix advice (quote the value).
 - **YAML anchor detection** — `frontmatter.yaml-anchors` warns when YAML anchors/aliases silently copy values in frontmatter.
 - **Symlink escape detection** — `references.escape` errors when a file reference resolves outside the skill directory (CWE-59).
 - **GitHub Actions CI workflow** — test matrix across Python 3.10–3.13 on Ubuntu, macOS, and Windows; compile check; package build verification.
@@ -28,6 +29,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Changed
 - `KNOWN_FRONTMATTER_FIELDS` expanded to include `model`, `context`, `agent`, `hooks`, `user-invocable`, `disable-model-invocation`, `skills`, `mode`, `tags`, `version`, `author`.
 - Token estimation uses a word-run + punctuation-run heuristic (~15% error) with optional `tiktoken` for ~5% error.
+- Standardized on `collections.abc.Callable` across all modules (was `typing.Callable` in some).
+
+### Fixed
+- `check_reference_depth` emitted duplicate diagnostics for `../../` paths (both depth-exceeded and traverses-above). Changed to `elif` so only the most specific warning fires.
+- README Rules table described sizing rules as "Body exceeds..." but the code counts full file lines/tokens. Table now says "File exceeds...".
 
 ## [0.1.0] - 2026-03-10
 
diff --git a/README.md b/README.md
@@ -16,7 +16,7 @@ Validates against the [agentskills.io specification](https://agentskills.io/spec
 [![License: MIT](https://img.shields.io/badge/license-MIT-blue.svg)](LICENSE)
 [![Python 3.10+](https://img.shields.io/badge/python-3.10%2B-3776ab.svg)](https://python.org)
 [![PyYAML](https://img.shields.io/badge/deps-PyYAML-yellow.svg)](https://pyyaml.org)
-[![Tests](https://img.shields.io/badge/tests-160%20passed-brightgreen.svg)](#testing)
+[![Tests](https://img.shields.io/badge/tests-171%20passed-brightgreen.svg)](#testing)
 
 </div>
 
@@ -212,13 +212,15 @@ Rules marked **spec** are derived from the [agentskills.io specification](https:
 | Rule ID | Severity | Source | What it checks |
 |---|---|---|---|
 | `frontmatter.name.required` | error | spec | `name` field must exist |
+| `frontmatter.name.type` | error | advisory | `name` must be a string (catches YAML coercion of `true`, `123`, `null`) |
 | `frontmatter.name.max-length` | error | spec | Name must be 64 characters or fewer |
 | `frontmatter.name.invalid-chars` | error | spec | Lowercase, numbers, hyphens only |
 | `frontmatter.name.leading-trailing-hyphen` | error | spec | No leading or trailing hyphens |
 | `frontmatter.name.consecutive-hyphens` | error | spec | No consecutive hyphens |
 | `frontmatter.name.reserved-word` | error | advisory | Not a reserved word (`claude`, `anthropic`) |
 | `frontmatter.name.directory-mismatch` | error | spec | Name must match parent directory (VS Code requirement) |
 | `frontmatter.description.required` | error | spec | `description` field must exist |
+| `frontmatter.description.type` | error | advisory | `description` must be a string (catches YAML coercion) |
 | `frontmatter.description.empty` | error | spec | Description must not be blank |
 | `frontmatter.description.max-length` | error | spec | Description must be 1024 characters or fewer |
 | `frontmatter.description.xml-tags` | error | advisory | No XML/HTML tags in description |
@@ -227,8 +229,8 @@ Rules marked **spec** are derived from the [agentskills.io specification](https:
 | `frontmatter.yaml-anchors` | warning | advisory | YAML anchors/aliases can silently copy values |
 | `description.quality-score` | info | advisory | Scores description 0-100 for agent discoverability |
 | `description.min-score` | warning | advisory | Description score below `--min-desc-score` threshold |
-| `sizing.body.line-count` | warning | spec | Body exceeds line threshold |
-| `sizing.body.token-estimate` | warning | spec | Body exceeds token threshold |
+| `sizing.body.line-count` | warning | spec | File exceeds line threshold |
+| `sizing.body.token-estimate` | warning | spec | File exceeds token threshold |
 | `disclosure.metadata-budget` | warning | spec | Frontmatter exceeds ~100 token metadata budget |
 | `disclosure.body-budget` | warning | spec | Body exceeds 5000 token instruction budget |
 | `disclosure.body-bloat` | info | advisory | Large code blocks, tables, or base64 in body |
diff --git a/src/skillcheck/rules/__init__.py b/src/skillcheck/rules/__init__.py
@@ -1,6 +1,6 @@
 from __future__ import annotations
 
-from typing import Callable
+from collections.abc import Callable
 
 from skillcheck import config
 from skillcheck.parser import ParsedSkill
@@ -33,6 +33,8 @@
     check_name_max_length,
     check_name_required,
     check_name_reserved_words,
+    check_name_type,
+    check_description_type,
     check_unknown_fields,
     check_yaml_anchors,
 )
@@ -44,12 +46,14 @@
 
 _FRONTMATTER_RULES: list[Callable[[ParsedSkill], list[Diagnostic]]] = [
     check_name_required,
+    check_name_type,
     check_name_max_length,
     check_name_charset,
     check_name_leading_trailing_hyphen,
     check_name_consecutive_hyphens,
     check_name_reserved_words,
     check_description_required,
+    check_description_type,
     check_description_non_empty,
     check_description_max_length,
     check_description_no_xml_tags,
diff --git a/src/skillcheck/rules/frontmatter.py b/src/skillcheck/rules/frontmatter.py
@@ -60,6 +60,50 @@ def check_name_required(skill: ParsedSkill) -> list[Diagnostic]:
     return []
 
 
+def check_name_type(skill: ParsedSkill) -> list[Diagnostic]:
+    """Ensure ``name`` is a string, not a YAML-coerced boolean/number/null.
+
+    ``yaml.safe_load`` silently converts bare values like ``true``, ``123``,
+    and ``null`` into Python ``bool``, ``int``, and ``None``.  When this
+    happens, every downstream rule sees corrupted data (e.g., ``str(True)``
+    becomes ``'True'`` and then fails charset checks for uppercase ``T``).
+    """
+    name = skill.frontmatter.get("name")
+    if name is None:
+        return []  # handled by check_name_required
+    if isinstance(name, str):
+        return []
+    yaml_type = type(name).__name__
+    return [Diagnostic(
+        rule="frontmatter.name.type",
+        severity=Severity.ERROR,
+        message=(
+            f"Field 'name' must be a string but YAML parsed it as {yaml_type} "
+            f"({name!r}). Quote the value: name: \"{name}\""
+        ),
+        line=_field_line(skill.raw_text, "name"),
+    )]
+
+
+def check_description_type(skill: ParsedSkill) -> list[Diagnostic]:
+    """Ensure ``description`` is a string, not a YAML-coerced type."""
+    desc = skill.frontmatter.get("description")
+    if desc is None:
+        return []  # handled by check_description_required
+    if isinstance(desc, str):
+        return []
+    yaml_type = type(desc).__name__
+    return [Diagnostic(
+        rule="frontmatter.description.type",
+        severity=Severity.ERROR,
+        message=(
+            f"Field 'description' must be a string but YAML parsed it as {yaml_type} "
+            f"({desc!r}). Quote the value: description: \"{desc}\""
+        ),
+        line=_field_line(skill.raw_text, "description"),
+    )]
+
+
 def check_name_max_length(skill: ParsedSkill) -> list[Diagnostic]:
     name = skill.frontmatter.get("name")
     if name is None:
diff --git a/src/skillcheck/rules/references.py b/src/skillcheck/rules/references.py
@@ -117,8 +117,7 @@ def check_reference_depth(skill: ParsedSkill) -> list[Diagnostic]:
                     f"Keep file references one level deep from SKILL.md."
                 ),
             ))
-        # Also flag parent traversal
-        if ref.startswith(".."):
+        elif ref.startswith(".."):
             diagnostics.append(Diagnostic(
                 rule="references.depth-exceeded",
                 severity=Severity.WARNING,
diff --git a/src/skillcheck/rules/sizing.py b/src/skillcheck/rules/sizing.py
@@ -1,6 +1,6 @@
 from __future__ import annotations
 
-from typing import Callable
+from collections.abc import Callable
 
 from skillcheck.parser import ParsedSkill
 from skillcheck.result import Diagnostic, Severity
diff --git a/tests/test_references.py b/tests/test_references.py
@@ -152,8 +152,26 @@ def test_parent_traversal_flagged(tmp_path):
     )
     skill = parse(f)
     diagnostics = check_reference_depth(skill)
-    assert len(diagnostics) >= 1
-    assert any("traverses above" in d.message for d in diagnostics)
+    # ../../other/file.py is depth 3 — the depth check catches it.
+    # Only one diagnostic should fire (no duplicate from startswith check).
+    assert len(diagnostics) == 1
+    assert diagnostics[0].rule == "references.depth-exceeded"
+    assert "3 levels deep" in diagnostics[0].message
+
+
+def test_single_dotdot_traversal_flagged(tmp_path):
+    """../file.txt has depth 1 — only the startswith('..') traversal warning fires."""
+    skill_dir = tmp_path / "my-skill"
+    skill_dir.mkdir()
+    f = skill_dir / "SKILL.md"
+    f.write_text(
+        "---\nname: my-skill\ndescription: Single dotdot.\n---\n"
+        "See [up](../notes.txt) for context.\n"
+    )
+    skill = parse(f)
+    diagnostics = check_reference_depth(skill)
+    assert len(diagnostics) == 1
+    assert "traverses above" in diagnostics[0].message
 
 
 def test_shallow_ref_passes(tmp_path):
diff --git a/tests/test_yaml_types.py b/tests/test_yaml_types.py
@@ -0,0 +1,122 @@
+"""Tests for YAML type coercion detection in frontmatter.
+
+yaml.safe_load silently converts bare values:
+  name: true    →  bool
+  name: 123     →  int
+  name: 1.5     →  float
+  name: null    →  None
+
+These produce confusing downstream errors.  The type check rules catch
+them early with a clear fix (quote the value).
+"""
+
+import pytest
+
+from skillcheck.parser import parse
+from skillcheck.result import Severity
+from skillcheck.rules.frontmatter import check_description_type, check_name_type
+
+
+# ---------------------------------------------------------------------------
+# frontmatter.name.type
+# ---------------------------------------------------------------------------
+
+
+def test_name_boolean_detected(tmp_path):
+    """name: true → parsed as bool, should fire type error."""
+    f = tmp_path / "SKILL.md"
+    f.write_text("---\nname: true\ndescription: Boolean name.\n---\nBody.\n")
+    skill = parse(f)
+    diagnostics = check_name_type(skill)
+    assert len(diagnostics) == 1
+    assert diagnostics[0].rule == "frontmatter.name.type"
+    assert diagnostics[0].severity == Severity.ERROR
+    assert "bool" in diagnostics[0].message
+    assert 'name: "True"' in diagnostics[0].message
+
+
+def test_name_integer_detected(tmp_path):
+    """name: 123 → parsed as int, should fire type error."""
+    f = tmp_path / "SKILL.md"
+    f.write_text("---\nname: 123\ndescription: Numeric name.\n---\nBody.\n")
+    skill = parse(f)
+    diagnostics = check_name_type(skill)
+    assert len(diagnostics) == 1
+    assert "int" in diagnostics[0].message
+
+
+def test_name_float_detected(tmp_path):
+    """name: 1.5 → parsed as float, should fire type error."""
+    f = tmp_path / "SKILL.md"
+    f.write_text("---\nname: 1.5\ndescription: Float name.\n---\nBody.\n")
+    skill = parse(f)
+    diagnostics = check_name_type(skill)
+    assert len(diagnostics) == 1
+    assert "float" in diagnostics[0].message
+
+
+def test_name_string_passes(tmp_path):
+    """name: my-skill → string, no type error."""
+    f = tmp_path / "SKILL.md"
+    f.write_text("---\nname: my-skill\ndescription: Valid.\n---\nBody.\n")
+    skill = parse(f)
+    assert check_name_type(skill) == []
+
+
+def test_name_none_skipped(tmp_path):
+    """name absent → handled by check_name_required, not type check."""
+    f = tmp_path / "SKILL.md"
+    f.write_text("---\ndescription: No name.\n---\nBody.\n")
+    skill = parse(f)
+    assert check_name_type(skill) == []
+
+
+def test_name_quoted_true_passes(tmp_path):
+    """name: "true" → stays as string, no type error."""
+    f = tmp_path / "SKILL.md"
+    f.write_text('---\nname: "true"\ndescription: Quoted boolean.\n---\nBody.\n')
+    skill = parse(f)
+    assert check_name_type(skill) == []
+
+
+# ---------------------------------------------------------------------------
+# frontmatter.description.type
+# ---------------------------------------------------------------------------
+
+
+def test_description_boolean_detected(tmp_path):
+    """description: true → parsed as bool, should fire type error."""
+    f = tmp_path / "SKILL.md"
+    f.write_text("---\nname: my-skill\ndescription: true\n---\nBody.\n")
+    skill = parse(f)
+    diagnostics = check_description_type(skill)
+    assert len(diagnostics) == 1
+    assert diagnostics[0].rule == "frontmatter.description.type"
+    assert diagnostics[0].severity == Severity.ERROR
+    assert "bool" in diagnostics[0].message
+
+
+def test_description_integer_detected(tmp_path):
+    """description: 42 → parsed as int, should fire type error."""
+    f = tmp_path / "SKILL.md"
+    f.write_text("---\nname: my-skill\ndescription: 42\n---\nBody.\n")
+    skill = parse(f)
+    diagnostics = check_description_type(skill)
+    assert len(diagnostics) == 1
+    assert "int" in diagnostics[0].message
+
+
+def test_description_string_passes(tmp_path):
+    """description: Some text → string, no type error."""
+    f = tmp_path / "SKILL.md"
+    f.write_text("---\nname: my-skill\ndescription: Validates things.\n---\nBody.\n")
+    skill = parse(f)
+    assert check_description_type(skill) == []
+
+
+def test_description_none_skipped(tmp_path):
+    """description absent → handled by check_description_required."""
+    f = tmp_path / "SKILL.md"
+    f.write_text("---\nname: my-skill\n---\nBody.\n")
+    skill = parse(f)
+    assert check_description_type(skill) == []
