The system enforces strict path safety rules on all ZIP entries and manifest-declared paths. These rules apply at build time viaDocumentation Index
Fetch the complete documentation index at: https://mintlify.com/XxYouDeaDPunKxX/ChatGPT-SKILL-SYSTEM/llms.txt
Use this file to discover all available pages before exploring further.
build_packages.py and again at runtime during unpack and load. Any unsafe path causes an immediate hard fail — there is no silent normalization, no automatic correction, and no fallback to a guessed safe form.
Safe relative path rules
A path is considered a safe relative path when it satisfies all of the following conditions:- Not absolute — does not start with
/ - No
..traversal — no..segment anywhere in the path - No backslash separators — uses
/only, never\ - No empty path segments — no
//or trailing/ - No drive letters — no
C:,D:, or similar Windows-style prefixes - No wrapper-directory-as-root — the ZIP must not have a single top-level directory surrounding all content
is_safe_relative_path function in build_packages.py enforces this rule on every ZIP entry and every manifest-declared path. It checks: non-empty string, no \ character, does not start with /, is not otherwise absolute, does not begin with a drive-letter pattern ([A-Za-z]:), no .. in path parts, and no empty segments when split by /.
ZIP entry separator rule
All ZIP entries in every package — core and skill — must use POSIX/ path separators. The \ character is never permitted as a path separator in a ZIP entry name.
\. The build script writes all entries using Path.as_posix() and validates the written ZIP immediately after creation to confirm no backslash entries were introduced.
Core path policy
Core path policy is stricter than skill path policy. The following rules apply exclusively to paths declared insideSYSTEM_CORE/MANIFEST.json.
- Direct filenames only — mounted paths must be bare filenames with no subdirectory component.
SEMANTICS.mdis valid;subdir/SEMANTICS.mdis not. - Allowed extensions — only
.mdand.json. - Must resolve under
SYSTEM_CORE/— every path inload_sequenceandoptional_load_sequenceis resolved asSYSTEM_CORE/<path>. A path that references anything outsideSYSTEM_CORE/is invalid. - No absolute paths or
..— the same safe-relative rules apply.
SYSTEM_CORE/ENTRY.md, SYSTEM_CORE/README.md, and so on.
SKILLS/README.md is not mountable and must not appear in the core manifest. It is a physical placeholder for the skills directory and must not be used as a list of active skills.Skill path policy
Skill packages have a more permissive path policy than the core, but all safe-relative rules still apply.- Nested folders are allowed — a skill ZIP may include internal folders (
docs/,tools/,templates/, etc.) and those paths may appear in manifest fields. load_sequenceentries may be nested — for exampledocs/reference.mdis a validload_sequenceentry as long as it is a safe relative path and the file is a UTF-8 textual file.- All declared paths must be safe relative — every entry in
load_sequence,support_files,tool_files, andasset_filesmust pass the safe-relative-path check. load_sequencefiles must be AI-only textual — no scripts, no binary assets, no unavailable external resources.
docs/columns.md is a nested path valid for support_files. Scripts like tools/profile_csv.py are valid in tool_files — they are never mounted or run automatically.
Wrapper directory rule
The single wrapper directory error is the most common packaging mistake. A skill ZIP must not have a single top-level directory surrounding all of its contents.MANIFEST.json must appear at the ZIP root.
Valid — MANIFEST.json at ZIP root
MANIFEST.json is one level deep inside csv-profiler/ instead of at the ZIP root. The runtime detects this as a single wrapper directory and hard-fails.
The build script checks this by examining the set of top-level entries. If there is exactly one top-level entry and it is not MANIFEST.json, the build fails with:
SYSTEM_CORE/ and SKILLS/ must be the two top-level entries.
Build-time enforcement
Thebuild_packages.py script enforces all path rules before a ZIP is considered valid. The enforcement sequence is:
- Write the ZIP — all entries are written using
Path.as_posix()to guarantee POSIX separators. - Re-read entry names — the written ZIP is immediately re-opened and all entry names are validated.
- Check for backslashes — any
\in any entry name causes an immediate hard fail. - Check safe-relative on every entry —
is_safe_relative_pathis called for every entry name. - Check manifest-declared paths — every path in
load_sequence,support_files,tool_files, andasset_filesis individually validated before the ZIP is written. - Check wrapper directory — the set of top-level ZIP entries is inspected to detect a single wrapper directory.
SystemExit at the first failure and prints a descriptive error message. No partially-built ZIP is left in place after a failure.
Commands
Full reference for SKILL CORE UNPACK, SKILL UNPACK, and SKILL LOAD.
Runtime Limits
What the system explicitly does not provide.
Manifest Reference
Every manifest field for core and skill packages.
Mental Model
How the session-first model and skill activation work.