Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

kreuzberg-dev/.ai-rulez/skills/security-limits-dos-protection

Name: .ai-rulez/skills/security-limits-dos-protection
Author: kreuzberg-dev

.ai-rulez/skills/security-limits-dos-protection/SKILL.md

npx skillsauth add kreuzberg-dev/kreuzberg .ai-rulez/skills/security-limits-dos-protection

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

priority: critical

Security Limits & DoS Protection

Overview

Defense-in-depth DoS protection via SecurityLimits and validator helpers in crates/kreuzberg/src/extractors/security.rs. All archive and complex format extractors MUST use these.

SecurityLimits Struct

| Field | Default | Purpose | |-------|---------|---------| | max_archive_size | 500 MB | Uncompressed archive size limit | | max_compression_ratio | 100:1 | Zip bomb detection threshold | | max_files_in_archive | 10,000 | Archive file count limit | | max_nesting_depth | 100 | Structure nesting limit | | max_entity_length | 32 | XML entity length limit | | max_content_size | 100 MB | String growth per document | | max_iterations | 10M | Loop iteration limit | | max_xml_depth | 100 | XML nesting depth | | max_table_cells | 100K | Table cell count limit |

Access via config.security_limits.clone().unwrap_or_default().

Validators

ZipBombValidator (archives)

let limits = config.security_limits.clone().unwrap_or_default();
let validator = ZipBombValidator::new(limits);
validator.validate(&mut archive)?;  // Checks ratio, size, file count

StringGrowthValidator (content accumulation)

let mut validator = StringGrowthValidator::new(limits.max_content_size);
validator.check_append(text.len())?;  // Call before each append
content.push_str(&text);

DepthValidator (nesting)

let mut depth = DepthValidator::new(limits.max_nesting_depth);
depth.push()?;  // Entering nested structure
// ... process ...
depth.pop();     // Exiting

IterationValidator (loops)

let mut iter = IterationValidator::new(limits.max_iterations);
for item in collection {
    iter.check_iteration()?;
}

TableValidator (spreadsheets/tables)

let mut validator = TableValidator::new(limits.max_table_cells);
validator.add_cells(rows * cols)?;

When to Apply

| Format Family | Required Validators | |--------------|-------------------| | Archives (ZIP/TAR/7z/GZIP) | ZipBombValidator before extraction | | Office XML (DOCX/PPTX/ODT) | DepthValidator + StringGrowthValidator | | XML/HTML | DepthValidator + StringGrowthValidator | | Spreadsheets (XLSX/ODS) | TableValidator + StringGrowthValidator | | Any loop-heavy processing | IterationValidator |

Critical Rules

NEVER skip security validation for user-provided content
Always default if config.security_limits is None
Validate BEFORE extraction (fail fast)
Errors return KreuzbergError::validation(msg)

kreuzberg-dev/.ai-rulez/skills/security-limits-dos-protection

.ai-rulez/skills/security-limits-dos-protection/SKILL.md

security limits dos protection

7,129 stars

testing

Updated Mar 27, 2026

$ install --global

skillsauth

npx skillsauth add kreuzberg-dev/kreuzberg .ai-rulez/skills/security-limits-dos-protection

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: Mar 28, 2026, 6:17 AM36.4s1 file scanned

SKILL.md

description:: security limits dos protection
priority:: critical

priority: critical

Security Limits & DoS Protection

Overview

Defense-in-depth DoS protection via SecurityLimits and validator helpers in crates/kreuzberg/src/extractors/security.rs. All archive and complex format extractors MUST use these.

SecurityLimits Struct

Access via config.security_limits.clone().unwrap_or_default().

Validators

ZipBombValidator (archives)

let limits = config.security_limits.clone().unwrap_or_default();
let validator = ZipBombValidator::new(limits);
validator.validate(&mut archive)?;  // Checks ratio, size, file count

StringGrowthValidator (content accumulation)

let mut validator = StringGrowthValidator::new(limits.max_content_size);
validator.check_append(text.len())?;  // Call before each append
content.push_str(&text);

DepthValidator (nesting)

let mut depth = DepthValidator::new(limits.max_nesting_depth);
depth.push()?;  // Entering nested structure
// ... process ...
depth.pop();     // Exiting

IterationValidator (loops)

let mut iter = IterationValidator::new(limits.max_iterations);
for item in collection {
    iter.check_iteration()?;
}

TableValidator (spreadsheets/tables)

let mut validator = TableValidator::new(limits.max_table_cells);
validator.add_cells(rows * cols)?;

When to Apply

Critical Rules

NEVER skip security validation for user-provided content
Always default if config.security_limits is None
Validate BEFORE extraction (fail fast)
Errors return KreuzbergError::validation(msg)

Related Skills

kreuzberg-dev/kreuzberg

tools

VerifiedTrustedCommunity

Extract text, tables, metadata, and images from 91+ document formats (PDF, Office, images, HTML, email, archives, academic) using Kreuzberg. Use when writing code that calls Kreuzberg APIs in Python, Node.js/TypeScript, Rust, or CLI. Covers installation, extraction (sync/async), configuration (OCR, chunking, output format), batch processing, error handling, and plugins.

7,479SKILL.mdUpdated Mar 20, 2026

kreuzberg-dev/kreuzberg

kreuzberg-dev/test-execution-patterns

testing

VerifiedTrustedCommunity

test execution patterns

7,479SKILL.mdUpdated Mar 20, 2026

kreuzberg-dev/test-execution-patterns

kreuzberg-dev/ocr-backend-management

development

VerifiedTrustedCommunity

ocr uackend management

7,479SKILL.mdUpdated Mar 20, 2026

kreuzberg-dev/ocr-backend-management

kreuzberg-dev/.ai-rulez/skills/mime-detection-routing

data-ai

VerifiedTrustedCommunity

mime detection routing

7,479SKILL.mdUpdated Mar 20, 2026

kreuzberg-dev/.ai-rulez/skills/mime-detection-routing

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/kreuzberg-dev/kreuzberg.git

# Copy into Claude Code skills folder (global)
cp -r kreuzberg/.ai-rulez/skills/security-limits-dos-protection ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

kreuzberg-dev/kreuzberg

7,129 stars

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT