npm - @ai-skills.ai/agentskills - Versions diffs - 0.2.2 - Mend

@ai-skills.ai/agentskills 0.2.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/README.md ADDED Viewed

@@ -0,0 +1,32 @@
+# @ai-skills.ai/agentskills
+Official installer CLI for AI Skills.
+## Usage
+```bash
+npx @ai-skills.ai/agentskills init --api-key <key>
+```
+Install a single skill:
+```bash
+npx @ai-skills.ai/agentskills init --api-key <key> --skill douyin-traffic-dashboard
+```
+Where `<key>` is your API key from [ai-skills.ai](https://ai-skills.ai) dashboard.
+The CLI will:
+1. Persist `AISKILLS_API_KEY` to `~/.ai-skills/env.sh` (mode `0600`) and source it from your shell config
+2. Refresh the current runtime environment from that user-level API key before installation
+3. Run `npx skills add <registry> --skill '*'` to install all skills, or `--skill <skillId>` for a single skill
+4. Let the downstream `skills` CLI prompt for target platforms/agents (e.g. Claude Code, Codex)
+**Note:** Your API key is never placed on the command line. The installer relies on the user environment that `init` has just persisted and synchronized.
+## Development
+```bash
+npm test
+```

package/bin/agentskills.js ADDED Viewed

@@ -0,0 +1,6 @@
+#!/usr/bin/env node
+import { main } from '../src/init.js';
+const exitCode = await main(process.argv.slice(2));
+process.exit(exitCode);

package/package.json ADDED Viewed

@@ -0,0 +1,24 @@
+{
+  "name": "@ai-skills.ai/agentskills",
+  "version": "0.2.2",
+  "description": "AI Skills installer CLI",
+  "type": "module",
+  "bin": {
+    "agentskills": "bin/agentskills.js"
+  },
+  "files": [
+    "bin",
+    "src",
+    "README.md"
+  ],
+  "engines": {
+    "node": ">=18"
+  },
+  "scripts": {
+    "test": "node --test",
+    "check": "node --test"
+  },
+  "publishConfig": {
+    "access": "public"
+  }
+}

package/src/init.js ADDED Viewed

@@ -0,0 +1,262 @@
+import fs from 'node:fs';
+import os from 'node:os';
+import path from 'node:path';
+import { spawnSync } from 'node:child_process';
+export const API_KEY_ENV_NAME = 'AISKILLS_API_KEY';
+export const MANAGED_ENV_DIR = '.ai-skills';
+export const MANAGED_ENV_FILE = 'env.sh';
+// Hardcoded registry — same for all users
+export const DEFAULT_REGISTRY_URL = 'https://github.com/allinherog-star/ai-skills';
+// Security constants
+const SPAWN_TIMEOUT_MS = 120_000; // 2 minutes max for npx install
+/**
+ * Parses CLI arguments for the init command.
+ * Accepts --api-key (required) and ignores unknown flags silently.
+ */
+export function parseCliArgs(argv) {
+  const args = Array.from(argv);
+  const command = args[0] || '';
+  let apiKey = '';
+  let skill = '';
+  for (let i = 1; i < args.length; i += 1) {
+    const current = args[i];
+    if (current === '--api-key') {
+      apiKey = args[i + 1] || '';
+      i += 1;
+      continue;
+    }
+    if (current.startsWith('--api-key=')) {
+      apiKey = current.slice('--api-key='.length);
+      continue;
+    }
+    if (current === '--skill') {
+      skill = args[i + 1] || '';
+      i += 1;
+      continue;
+    }
+    if (current.startsWith('--skill=')) {
+      skill = current.slice('--skill='.length);
+    }
+  }
+  return { command, apiKey, skill };
+}
+/**
+ * Validates that a URL uses HTTPS.
+ * Security: Prevents man-in-the-middle attacks by enforcing TLS.
+ */
+export function requireHttpsUrl(urlString, context = 'URL') {
+  try {
+    const url = new URL(urlString);
+    if (url.protocol !== 'https:') {
+      throw new Error(`${context} must use HTTPS`);
+    }
+    return url;
+  } catch (err) {
+    if (err instanceof TypeError) {
+      throw new Error(`${context} must be a valid URL`);
+    }
+    throw err;
+  }
+}
+/**
+ * Validates install flags to prevent command injection.
+ * Only allows specific safe flags for `npx skills add`.
+ */
+export function validateInstallFlags(flags) {
+  if (!Array.isArray(flags)) {
+    return [];
+  }
+  const ALLOWED_FLAGS = new Set([
+    '--force',
+    '-f',
+    '--dry-run',
+    '--verbose',
+    '-v',
+  ]);
+  return flags.filter(flag => {
+    if (typeof flag !== 'string') return false;
+    // Block any flag that looks like shell injection
+    if (flag.includes(';') || flag.includes('&&') || flag.includes('||')) return false;
+    if (flag.includes('$(...)') || flag.includes('`')) return false;
+    return ALLOWED_FLAGS.has(flag);
+  });
+}
+export function normalizeInstallSkill(skill) {
+  if (typeof skill !== 'string') {
+    return '*';
+  }
+  const normalized = skill.trim();
+  if (!normalized) {
+    return '*';
+  }
+  if (normalized === '*') {
+    return normalized;
+  }
+  if (!/^[a-z0-9-]{1,128}$/.test(normalized)) {
+    throw new Error('Invalid skill id');
+  }
+  return normalized;
+}
+/**
+ * Sanitizes a string for safe shell embedding in single-quoted strings.
+ */
+export function shellEscape(value) {
+  if (typeof value !== 'string') {
+    throw new Error('shellEscape requires a string');
+  }
+  let escaped = value.replace(/\x00/g, '');
+  escaped = escaped.replace(/\\/g, '\\\\');
+  escaped = escaped.replace(/'/g, "'\\''");
+  return escaped;
+}
+function ensureLine(filePath, line, fsImpl) {
+  const existing = fsImpl.existsSync(filePath) ? fsImpl.readFileSync(filePath, 'utf8') : '';
+  if (existing.includes(line)) return;
+  const next = existing && !existing.endsWith('\n') ? `${existing}\n` : existing;
+  fsImpl.writeFileSync(filePath, `${next}${line}\n`, 'utf8');
+}
+export function persistApiKey(apiKey, options = {}) {
+  const platform = options.platform || process.platform;
+  const homedir = options.homedir || os.homedir;
+  const fsImpl = options.fsImpl || fs;
+  const spawnSyncImpl = options.spawnSyncImpl || spawnSync;
+  if (!apiKey) {
+    throw new Error('Missing API key');
+  }
+  // Security: Validate API key format (basic sanity check)
+  if (!/^[\x20-\x7E]+$/.test(apiKey)) {
+    throw new Error('Invalid API key format');
+  }
+  if (platform === 'win32') {
+    const result = spawnSyncImpl('setx', [API_KEY_ENV_NAME, apiKey], {
+      stdio: 'ignore',
+      windowsHide: true,
+      timeout: 5000,
+    });
+    if (result?.error) throw result.error;
+    if ((result?.status || 0) !== 0) {
+      throw new Error(`Failed to persist ${API_KEY_ENV_NAME} with setx`);
+    }
+    return;
+  }
+  const home = homedir();
+  const managedDir = path.join(home, MANAGED_ENV_DIR);
+  const envFile = path.join(managedDir, MANAGED_ENV_FILE);
+  const sourceLine = `[ -f "$HOME/${MANAGED_ENV_DIR}/${MANAGED_ENV_FILE}" ] && . "$HOME/${MANAGED_ENV_DIR}/${MANAGED_ENV_FILE}"`;
+  fsImpl.mkdirSync(managedDir, { recursive: true });
+  fsImpl.writeFileSync(envFile, `export ${API_KEY_ENV_NAME}='${shellEscape(apiKey)}'\n`, {
+    encoding: 'utf8',
+    mode: 0o600,
+  });
+  fsImpl.chmodSync(envFile, 0o600);
+  ['.zshrc', '.bashrc', '.bash_profile', '.profile'].forEach((fileName) => {
+    ensureLine(path.join(home, fileName), sourceLine, fsImpl);
+  });
+}
+export function runSkillsInstall(options = {}) {
+  const {
+    registryUrl = DEFAULT_REGISTRY_URL,
+    installFlags = [],
+    skill = '*',
+    spawnSyncImpl = options.spawnSyncImpl || spawnSync,
+    platform = options.platform || process.platform,
+    envObject = options.envObject || process.env,
+  } = options;
+  const validatedFlags = validateInstallFlags(installFlags);
+  const normalizedSkill = normalizeInstallSkill(skill);
+  // Always pre-select the requested skill set; validatedFlags adds user-supplied safe ones
+  const flags = ['--skill', normalizedSkill, ...validatedFlags];
+  requireHttpsUrl(registryUrl, 'registry-url');
+  const binary = platform === 'win32' ? 'npx.cmd' : 'npx';
+  const args = ['skills', 'add', registryUrl, ...flags];
+  // Install inherits the already-prepared runtime env instead of treating
+  // the API key as an install-only override.
+  const result = spawnSyncImpl(binary, args, {
+    stdio: 'inherit',
+    env: { ...envObject },
+    timeout: SPAWN_TIMEOUT_MS,
+    windowsHide: true,
+  });
+  if (result?.error) {
+    throw result.error;
+  }
+  return result?.status || 0;
+}
+export async function runInitCommand(apiKey, options = {}) {
+  const logger = options.logger || console;
+  persistApiKey(apiKey, options);
+  process.env[API_KEY_ENV_NAME] = apiKey;
+  const installEnv = {
+    ...(options.envObject || process.env),
+    [API_KEY_ENV_NAME]: apiKey,
+  };
+  logger.log(`Persisted ${API_KEY_ENV_NAME}`);
+  return runSkillsInstall({
+    spawnSyncImpl: options.spawnSyncImpl,
+    platform: options.platform,
+    envObject: installEnv,
+    skill: options.skill,
+  });
+}
+export function renderUsage() {
+  return [
+    'Usage:',
+    '  npx @ai-skills.ai/agentskills init --api-key <key>',
+    '',
+    'Options:',
+    '  --api-key <key>    API key from ai-skills.ai dashboard',
+    '  --skill <skillId>  Install one specific skill instead of the full bundle',
+  ].join('\n');
+}
+export async function main(argv = process.argv.slice(2), options = {}) {
+  const logger = options.logger || console;
+  const { command, apiKey, skill } = parseCliArgs(argv);
+  if (command !== 'init' || !apiKey) {
+    logger.error(renderUsage());
+    return 1;
+  }
+  try {
+    return await runInitCommand(apiKey, {
+      ...options,
+      skill: options.skill ?? skill,
+    });
+  } catch (error) {
+    logger.error(error instanceof Error ? error.message : String(error));
+    return 1;
+  }
+}