@agentikos/omega-os 0.1.0 → 0.19.5

package/omega/Agentik_Engine/omega_engine/skill_discovery/__init__.py

@@ -0,0 +1,48 @@
+"""Skill discovery + safety audit for Claude Code skills.
+
+OmegaOS pulls skills from many sources: the curated SSOT, Anthropic's
+official marketplace, Vercel Labs' skills CLI, davila7 templates, ad-hoc
+GitHub repos. Each source is a different trust surface. This package is
+the safety net:
+
+  * ``marketplaces.py``  — the catalog of known marketplaces with a
+                            ``trust`` rating.
+  * ``auditor.py``        — static + heuristic safety check on a SKILL.md
+                            before it lands in ``~/.claude/skills/``.
+  * ``finder.py``         — search across marketplaces.
+  * ``installer.py``      — validated install with audit gate.
+
+The user's hard rule: every new skill must pass the auditor first.
+Malware patterns (shell-pipe-curl-bash, ``eval``, opaque base64 blobs)
+hard-fail; suspicious-but-legitimate patterns (broad ``allowed-tools``,
+external network calls) warn but don't block — the operator gets the
+report and decides.
+"""
+from omega_engine.skill_discovery.auditor import (
+    SkillAuditIssue,
+    SkillAuditVerdict,
+    audit_skill_file,
+    audit_skill_text,
+)
+from omega_engine.skill_discovery.finder import (
+    DiscoveredSkill,
+    discover_skills,
+    list_curated,
+)
+from omega_engine.skill_discovery.installer import (
+    SkillInstallResult,
+    install_skill_from_github,
+)
+from omega_engine.skill_discovery.marketplaces import (
+    Marketplace,
+    load_marketplaces,
+)
+
+
+__all__ = [
+    "Marketplace", "load_marketplaces",
+    "SkillAuditIssue", "SkillAuditVerdict",
+    "audit_skill_file", "audit_skill_text",
+    "DiscoveredSkill", "discover_skills", "list_curated",
+    "SkillInstallResult", "install_skill_from_github",
+]

package/omega/Agentik_Engine/omega_engine/skill_discovery/auditor.py

@@ -0,0 +1,232 @@
+"""Skill safety auditor — block obvious malware before install.
+
+A SKILL.md can ship arbitrary instructions and tool grants. We treat
+each candidate skill as untrusted and run a battery of static checks
+that catch the most common attack patterns:
+
+  * ``curl … | sh`` and equivalents — remote code execution on install
+  * Opaque base64/hex blobs > N bytes — likely encoded payloads
+  * ``eval`` / ``exec(`` / ``os.system`` in inline scripts
+  * Network calls to unfamiliar hosts
+  * ``allowed-tools`` that grants ``Bash`` unrestricted (no glob)
+  * Hidden HTML/script injection in markdown
+  * Missing ``description`` / ``name`` (signals careless author)
+  * Excessive size (likely scraped content, not a real skill)
+
+Issues are tagged ``severity`` ∈ {block, warn, info}. The verdict
+function aggregates into a score (0-100) and a verified-or-not boolean.
+Block-severity issues hard-fail (verified=False, score capped).
+"""
+from __future__ import annotations
+
+import re
+from dataclasses import dataclass, field
+from pathlib import Path
+from typing import Any
+
+import yaml
+
+
+# ---- patterns ----------------------------------------------------------------
+
+# `curl ... | sh` / `wget ... | bash` and similar pipe-and-execute patterns.
+_PIPE_EXEC_RE = re.compile(
+    r"(?:curl|wget|fetch)\b[^|;]*?\|\s*(?:sh|bash|zsh|fish|pwsh|python\d?)",
+    re.IGNORECASE,
+)
+
+# `eval(...)`, `exec(...)`, `os.system(...)`, `subprocess.call(... shell=True ...)`
+_EVAL_EXEC_RE = re.compile(
+    r"\b(eval|exec)\s*\(", re.IGNORECASE,
+)
+_OS_SYSTEM_RE = re.compile(
+    r"\b(os\.system|subprocess\.\w+\([^)]*shell\s*=\s*True)",
+    re.IGNORECASE,
+)
+
+# Long base64-looking blocks (40+ continuous base64 chars on one line).
+_BASE64_RE = re.compile(r"[A-Za-z0-9+/=]{120,}")
+
+# Catchy script tags inside markdown.
+_SCRIPT_TAG_RE = re.compile(r"<\s*script\b", re.IGNORECASE)
+
+# Unrestricted Bash grant: just `Bash` (no glob) is a red flag.
+_BASH_FREE_RE = re.compile(r"(?:^|\s)Bash(?!\(|[A-Za-z])")
+
+# Network calls to suspicious hosts (raw IPs, .ru/.cn/.tk).
+_SUSPICIOUS_HOST_RE = re.compile(
+    r"https?://(?:[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+|[^/\s]+\.(?:ru|cn|tk|onion))",
+    re.IGNORECASE,
+)
+
+# Hidden HTML comments that might mask code.
+_HTML_COMMENT_RE = re.compile(r"<!--.*?-->", re.DOTALL)
+
+
+# ---- data model --------------------------------------------------------------
+
+
+@dataclass(frozen=True)
+class SkillAuditIssue:
+    severity: str          # "block" | "warn" | "info"
+    rule: str              # short rule id (e.g. "pipe-exec")
+    message: str
+    excerpt: str = ""      # the offending snippet, trimmed
+
+
+@dataclass
+class SkillAuditVerdict:
+    skill_name: str
+    score: int                                    # 0-100
+    verified: bool                                # iff no block issues
+    issues: list[SkillAuditIssue] = field(default_factory=list)
+    metadata: dict[str, Any] = field(default_factory=dict)
+
+    @property
+    def block_count(self) -> int:
+        return sum(1 for i in self.issues if i.severity == "block")
+
+    @property
+    def warn_count(self) -> int:
+        return sum(1 for i in self.issues if i.severity == "warn")
+
+
+# ---- the audit ---------------------------------------------------------------
+
+
+def _split_frontmatter(text: str) -> tuple[dict[str, Any], str]:
+    """Split YAML frontmatter from the body. Returns (frontmatter, body)."""
+    m = re.match(r"^---\s*\n(.*?)\n---\s*\n", text, re.DOTALL)
+    if not m:
+        return {}, text
+    try:
+        front = yaml.safe_load(m.group(1)) or {}
+    except yaml.YAMLError:
+        front = {}
+    return (front if isinstance(front, dict) else {}), text[m.end():]
+
+
+def audit_skill_text(
+    text: str, *, skill_name: str = "<unnamed>",
+) -> SkillAuditVerdict:
+    """Audit a SKILL.md body in memory. Returns the structured verdict."""
+    issues: list[SkillAuditIssue] = []
+    front, body = _split_frontmatter(text)
+
+    # --- frontmatter sanity ---
+    if not front.get("name") and skill_name == "<unnamed>":
+        issues.append(SkillAuditIssue(
+            "warn", "missing-name",
+            "skill has no `name` in frontmatter or filename",
+        ))
+    if not front.get("description"):
+        issues.append(SkillAuditIssue(
+            "warn", "missing-description",
+            "skill has no `description` — operators can't tell what it does",
+        ))
+    allowed = front.get("allowed-tools") or ""
+    if isinstance(allowed, list):
+        allowed_str = " ".join(str(x) for x in allowed)
+    else:
+        allowed_str = str(allowed)
+    if _BASH_FREE_RE.search(" " + allowed_str + " "):
+        issues.append(SkillAuditIssue(
+            "warn", "unrestricted-bash",
+            "`allowed-tools` grants `Bash` without a glob — any shell "
+            "command runs without per-use approval",
+        ))
+    if front.get("disable-model-invocation") is False and not front.get("description"):
+        issues.append(SkillAuditIssue(
+            "warn", "auto-invoke-no-desc",
+            "auto-invocable skill with no description — Claude can't "
+            "decide when to use it",
+        ))
+
+    # --- body patterns ---
+    for match in _PIPE_EXEC_RE.finditer(body):
+        issues.append(SkillAuditIssue(
+            "block", "pipe-exec",
+            "downloads-and-executes pattern detected (curl|sh, wget|bash)",
+            excerpt=match.group(0)[:120],
+        ))
+    for match in _OS_SYSTEM_RE.finditer(body):
+        issues.append(SkillAuditIssue(
+            "block", "shell-true-exec",
+            "subprocess with shell=True or os.system — arbitrary command exec",
+            excerpt=match.group(0)[:120],
+        ))
+    # eval/exec is sometimes legitimate (e.g. in code samples) — flag as warn.
+    for match in _EVAL_EXEC_RE.finditer(body):
+        issues.append(SkillAuditIssue(
+            "warn", "eval-exec",
+            "eval/exec call present — may be safe but warrants review",
+            excerpt=match.group(0)[:120],
+        ))
+    for match in _BASE64_RE.finditer(body):
+        issues.append(SkillAuditIssue(
+            "block", "opaque-blob",
+            "long base64-looking block (likely encoded payload)",
+            excerpt=match.group(0)[:60] + "…",
+        ))
+    if _SCRIPT_TAG_RE.search(body):
+        issues.append(SkillAuditIssue(
+            "warn", "script-tag",
+            "<script> tag in markdown — unusual for a SKILL.md",
+        ))
+    # Hidden HTML comments — count them; rarely needed in a SKILL.md.
+    comments = list(_HTML_COMMENT_RE.finditer(body))
+    if len(comments) > 5:
+        issues.append(SkillAuditIssue(
+            "info", "many-html-comments",
+            f"{len(comments)} HTML comments — could be hiding intent",
+        ))
+    for match in _SUSPICIOUS_HOST_RE.finditer(body):
+        issues.append(SkillAuditIssue(
+            "warn", "suspicious-host",
+            f"URL points at a suspicious host: {match.group(0)[:80]}",
+        ))
+
+    # Excessive size flag.
+    if len(text) > 200_000:
+        issues.append(SkillAuditIssue(
+            "warn", "excessive-size",
+            f"SKILL.md is {len(text):,} bytes — much larger than typical",
+        ))
+
+    # --- score ---
+    block_n = sum(1 for i in issues if i.severity == "block")
+    warn_n = sum(1 for i in issues if i.severity == "warn")
+    info_n = sum(1 for i in issues if i.severity == "info")
+    # Hard cap: any block → score ≤ 30 + verified=False.
+    score = 100 - (block_n * 35) - (warn_n * 8) - (info_n * 2)
+    if block_n > 0:
+        score = min(score, 30)
+    score = max(0, min(100, score))
+
+    return SkillAuditVerdict(
+        skill_name=str(front.get("name") or skill_name),
+        score=score, verified=(block_n == 0),
+        issues=issues,
+        metadata={
+            "size_bytes": len(text),
+            "frontmatter_keys": sorted(front.keys()) if front else [],
+            "block": block_n, "warn": warn_n, "info": info_n,
+        },
+    )
+
+
+def audit_skill_file(path: str | Path) -> SkillAuditVerdict:
+    """Audit a SKILL.md by path."""
+    p = Path(path)
+    try:
+        text = p.read_text()
+    except OSError as exc:
+        return SkillAuditVerdict(
+            skill_name=p.stem,
+            score=0, verified=False,
+            issues=[SkillAuditIssue(
+                "block", "unreadable",
+                f"cannot read {p}: {exc}",
+            )],
+        )
+    return audit_skill_text(text, skill_name=p.parent.name)

package/omega/Agentik_Engine/omega_engine/skill_discovery/finder.py

@@ -0,0 +1,94 @@
+"""Skill discovery — search the curated marketplaces.
+
+We don't try to be a general crawler. We rely on:
+
+  * The local SSOT catalog (``claude-plugins.yaml``) — every skill the
+    installer already knows about.
+  * The ``find-skills`` skill (Vercel Labs) — once installed, it's the
+    expert agent for live discovery via ``npx skills find``.
+
+This module's job: return a normalised list of *known* skills, with
+their marketplace + trust attribution, and let the CLI pass the list to
+the auditor before any actual install.
+"""
+from __future__ import annotations
+
+from dataclasses import dataclass
+from pathlib import Path
+from typing import Any
+
+import yaml
+
+from omega_engine.skill_discovery.marketplaces import (
+    Marketplace,
+    load_marketplaces,
+)
+
+
+@dataclass
+class DiscoveredSkill:
+    name: str
+    description: str
+    marketplace_id: str
+    marketplace_trust: str
+    scope: str                   # "user" | "project" | "local"
+    recommended: bool = False
+    secrets: list[str] = None    # type: ignore[assignment]
+    category: str = ""
+
+    def __post_init__(self) -> None:
+        if self.secrets is None:
+            self.secrets = []
+
+
+def list_curated(omega_home: str | Path) -> list[DiscoveredSkill]:
+    """Read the curated skill list from the SSOT catalog."""
+    path = (Path(omega_home) / "Agentik_SSOT" / "claude-plugins"
+            / "claude-plugins.yaml")
+    if not path.exists():
+        return []
+    data = yaml.safe_load(path.read_text()) or {}
+    markets = {m.id: m for m in load_marketplaces(omega_home)}
+    out: list[DiscoveredSkill] = []
+    for entry in data.get("catalog") or []:
+        mid = entry.get("marketplace", "")
+        m = markets.get(mid)
+        out.append(DiscoveredSkill(
+            name=entry.get("name", entry.get("id", "?")),
+            description=entry.get("description", ""),
+            marketplace_id=mid,
+            marketplace_trust=(m.trust if m else "low"),
+            scope=entry.get("scope", "user"),
+            recommended=bool(entry.get("recommended", False)),
+            secrets=list(entry.get("secrets") or []),
+            category=entry.get("category", ""),
+        ))
+    return out
+
+
+def discover_skills(
+    omega_home: str | Path,
+    *,
+    query: str | None = None,
+    min_trust: str = "low",
+    recommended_only: bool = False,
+) -> list[DiscoveredSkill]:
+    """Search the local catalog. ``query`` matches name + description
+    (case-insensitive substring). ``min_trust`` filters by marketplace
+    trust level. ``recommended_only`` returns only the curated picks.
+    """
+    from omega_engine.skill_discovery.marketplaces import trust_floor
+    floor = trust_floor(min_trust)
+    out: list[DiscoveredSkill] = []
+    q = (query or "").strip().lower()
+    for s in list_curated(omega_home):
+        if recommended_only and not s.recommended:
+            continue
+        if trust_floor(s.marketplace_trust) < floor:
+            continue
+        if q:
+            hay = f"{s.name} {s.description}".lower()
+            if q not in hay:
+                continue
+        out.append(s)
+    return out

package/omega/Agentik_Engine/omega_engine/skill_discovery/installer.py

@@ -0,0 +1,129 @@
+"""Validated skill installer — audit before write.
+
+Two paths a skill can come from:
+
+  1. The Claude Code plugin marketplace (``claude plugin install
+     <name>@<marketplace>``). Step 45 of the OmegaOS installer handles
+     this for the curated list. We don't duplicate that path here.
+
+  2. Direct from a GitHub repo — `omega skill install <name>
+     --from github:<org>/<repo>[/<path>]`. We clone, locate the
+     ``SKILL.md``, run the auditor, and only on a clean verdict copy
+     it into ``Agentik_SSOT/skills/<name>/``. ``omega sync`` then
+     projects it to ``~/.claude/skills/``.
+
+We refuse to install if the auditor returns ``verified=False`` unless
+the operator explicitly passes ``allow_blocked=True``.
+"""
+from __future__ import annotations
+
+import shutil
+import subprocess
+import tempfile
+from dataclasses import dataclass
+from pathlib import Path
+
+from omega_engine.skill_discovery.auditor import (
+    SkillAuditVerdict,
+    audit_skill_file,
+)
+
+
+@dataclass
+class SkillInstallResult:
+    skill_name: str
+    installed: bool
+    skill_path: Path | None
+    audit: SkillAuditVerdict | None = None
+    reason: str = ""
+
+
+def _clone(repo: str, dest: Path) -> bool:
+    """Shallow-clone a GitHub repo into ``dest``. Returns True on success."""
+    proc = subprocess.run(
+        ["git", "clone", "--depth", "1",
+         f"https://github.com/{repo}.git", str(dest)],
+        check=False, capture_output=True, text=True, timeout=120,
+    )
+    return proc.returncode == 0
+
+
+def install_skill_from_github(
+    omega_home: str | Path,
+    skill_name: str,
+    *,
+    repo: str,
+    sub_path: str = "",
+    allow_blocked: bool = False,
+) -> SkillInstallResult:
+    """Install one skill from a GitHub repo.
+
+    Args:
+        omega_home: ``$OMEGA_HOME`` — destination is
+            ``$OMEGA_HOME/Agentik_SSOT/skills/<skill_name>/``.
+        skill_name: the directory name the skill will live under.
+        repo: ``org/repo`` (no ``github:`` prefix; no URL).
+        sub_path: optional path inside the repo where the SKILL.md
+            lives (e.g. ``skills/find-skills``). If empty, we try
+            ``skills/<skill_name>/`` then the repo root.
+        allow_blocked: install even if the auditor returns
+            ``verified=False``. Hard-fail by default.
+
+    Returns: ``SkillInstallResult``.
+    """
+    home = Path(omega_home)
+    target = home / "Agentik_SSOT" / "skills" / skill_name
+
+    with tempfile.TemporaryDirectory() as tmp:
+        tmp_path = Path(tmp)
+        clone_dir = tmp_path / "src"
+        if not _clone(repo, clone_dir):
+            return SkillInstallResult(
+                skill_name=skill_name, installed=False, skill_path=None,
+                reason=f"git clone github:{repo} failed",
+            )
+
+        # Find the SKILL.md.
+        candidates = []
+        if sub_path:
+            candidates.append(clone_dir / sub_path / "SKILL.md")
+        candidates += [
+            clone_dir / "skills" / skill_name / "SKILL.md",
+            clone_dir / skill_name / "SKILL.md",
+            clone_dir / "SKILL.md",
+        ]
+        skill_md = next((p for p in candidates if p.exists()), None)
+        if skill_md is None:
+            return SkillInstallResult(
+                skill_name=skill_name, installed=False, skill_path=None,
+                reason=f"no SKILL.md found in {repo} "
+                f"(looked at {[str(c.relative_to(clone_dir)) for c in candidates]})",
+            )
+
+        # Audit.
+        verdict = audit_skill_file(skill_md)
+        if not verdict.verified and not allow_blocked:
+            return SkillInstallResult(
+                skill_name=skill_name, installed=False, skill_path=None,
+                audit=verdict,
+                reason=(
+                    f"audit blocked install: {verdict.block_count} block + "
+                    f"{verdict.warn_count} warn issue(s)"
+                ),
+            )
+
+        # Copy the skill directory (SKILL.md + any siblings — scripts/, examples/).
+        skill_dir = skill_md.parent
+        target.mkdir(parents=True, exist_ok=True)
+        for item in skill_dir.iterdir():
+            dest = target / item.name
+            if item.is_dir():
+                if dest.exists():
+                    shutil.rmtree(dest)
+                shutil.copytree(item, dest)
+            else:
+                shutil.copy(item, dest)
+        return SkillInstallResult(
+            skill_name=skill_name, installed=True, skill_path=target,
+            audit=verdict,
+        )

package/omega/Agentik_Engine/omega_engine/skill_discovery/marketplaces.py

@@ -0,0 +1,80 @@
+"""Marketplace catalog — every trusted source of Claude Code skills.
+
+The catalog itself lives in YAML at
+``Agentik_SSOT/claude-plugins/claude-plugins.yaml`` (extended in this
+PR with ``trust`` and a few non-builtin marketplaces). This module
+loads + filters it.
+
+Trust levels:
+
+  * ``high``   — Anthropic, Vercel Labs, other vetted vendors. Auditor
+                 still runs but warnings rarely block.
+  * ``medium`` — community marketplaces (davila7, thedotmack, etc.).
+                 Auditor warnings get surfaced to the operator.
+  * ``low``    — random GitHub repos. Auditor hard-fails on anything
+                 suspicious.
+"""
+from __future__ import annotations
+
+from dataclasses import dataclass
+from pathlib import Path
+from typing import Any
+
+import yaml
+
+
+@dataclass
+class Marketplace:
+    id: str
+    source: str
+    description: str
+    trust: str = "medium"        # "high" | "medium" | "low"
+    builtin: bool = False
+
+    @property
+    def is_github(self) -> bool:
+        return self.source.startswith("github:")
+
+    @property
+    def github_repo(self) -> str | None:
+        if not self.is_github:
+            return None
+        return self.source.split(":", 1)[1]
+
+    @property
+    def github_url(self) -> str | None:
+        repo = self.github_repo
+        return f"https://github.com/{repo}" if repo else None
+
+
+def load_marketplaces(omega_home: str | Path) -> list[Marketplace]:
+    """Read the marketplace list from the SSOT catalog."""
+    path = (Path(omega_home) / "Agentik_SSOT" / "claude-plugins"
+            / "claude-plugins.yaml")
+    if not path.exists():
+        return []
+    data = yaml.safe_load(path.read_text()) or {}
+    out: list[Marketplace] = []
+    for m in data.get("marketplaces") or []:
+        out.append(Marketplace(
+            id=m["id"],
+            source=m.get("source", ""),
+            description=m.get("description", ""),
+            trust=m.get("trust", "medium"),
+            builtin=bool(m.get("builtin", False)),
+        ))
+    return out
+
+
+def get_marketplace(
+    omega_home: str | Path, marketplace_id: str,
+) -> Marketplace | None:
+    for m in load_marketplaces(omega_home):
+        if m.id == marketplace_id:
+            return m
+    return None
+
+
+def trust_floor(trust: str) -> int:
+    """Numeric trust floor — higher = more trust."""
+    return {"high": 3, "medium": 2, "low": 1}.get(trust.lower(), 0)