@syengup/friday-channel-next 0.1.37 → 0.1.39

package/dist/src/agent/operator-scope.d.ts

@@ -0,0 +1,19 @@
+type ScopeLike = {
+    client?: {
+        connect?: {
+            scopes?: unknown;
+        };
+    };
+} | null | undefined;
+/**
+ * Adds the required operator scopes to a gateway-request-scope's
+ * `client.connect.scopes` array in place. Pure and idempotent.
+ * Returns the scopes that were actually added (empty if none / no array present).
+ */
+export declare function elevateScopeForSubagentSpawn(scope: ScopeLike): string[];
+/**
+ * Fetches the live plugin gateway-request-scope and elevates it so the dispatched
+ * agent can spawn subagents. Never throws — returns the scopes added (or []).
+ */
+export declare function ensureSubagentSpawnScope(): string[];
+export {};

package/dist/src/agent/operator-scope.js

@@ -0,0 +1,54 @@
+// Operator-scope elevation for friday-next agent dispatch.
+//
+// Why this exists: friday-next registers all its routes with auth:"plugin" (it does
+// its own device-token auth, not the gateway operator token). Core's
+// createPluginRouteRuntimeScope gives auth!="gateway" routes an EMPTY operator-scope
+// set. When an agent dispatched from such a route spawns a subagent, the spawn
+// re-enters the in-process gateway `agent` method, which requires `operator.write`
+// (core-descriptors: { name:"agent", scope:"operator.write" }). With an empty ambient
+// scope the spawn fails with `{"error":"missing scope: operator.write"}`.
+//
+// The subagent spawn reads getPluginRuntimeGatewayRequestScope() at spawn time and
+// uses that scope's client for authorization. Because AsyncLocalStorage returns the
+// SAME store object reference, mutating its client.connect.scopes once — before we
+// kick off the dispatch, while still inside the route's ALS context — propagates the
+// elevated scopes to every later reader, including the subagent spawn.
+//
+// Subagent lifecycle admin methods (sessions.patch/delete) are unaffected: core pins
+// those to ADMIN_SCOPE via a synthetic client, so only the `agent` method depends on
+// this ambient operator.write. See memory: subagent-spawn-missing-operator-write.
+import { getPluginRuntimeGatewayRequestScope } from "openclaw/plugin-sdk/plugin-runtime";
+/** Operator scopes the friday-next dispatch needs so agents can spawn subagents. */
+const REQUIRED_OPERATOR_SCOPES = ["operator.write", "operator.read"];
+/**
+ * Adds the required operator scopes to a gateway-request-scope's
+ * `client.connect.scopes` array in place. Pure and idempotent.
+ * Returns the scopes that were actually added (empty if none / no array present).
+ */
+export function elevateScopeForSubagentSpawn(scope) {
+    const connect = scope?.client?.connect;
+    if (!connect || !Array.isArray(connect.scopes)) {
+        return [];
+    }
+    const scopes = connect.scopes;
+    const added = [];
+    for (const scopeName of REQUIRED_OPERATOR_SCOPES) {
+        if (!scopes.includes(scopeName)) {
+            scopes.push(scopeName);
+            added.push(scopeName);
+        }
+    }
+    return added;
+}
+/**
+ * Fetches the live plugin gateway-request-scope and elevates it so the dispatched
+ * agent can spawn subagents. Never throws — returns the scopes added (or []).
+ */
+export function ensureSubagentSpawnScope() {
+    try {
+        return elevateScopeForSubagentSpawn(getPluginRuntimeGatewayRequestScope());
+    }
+    catch {
+        return [];
+    }
+}

package/dist/src/http/handlers/messages.js

@@ -21,6 +21,7 @@ import { registerFridaySessionDeviceMapping } from "../../friday-session.js";
 import { touchFridayInbound } from "../../friday-inbound-stats.js";
 import { fridayAttachmentLookupKey, fridayFilesPublicUrl, readFile, rememberInboundMediaName, resolveMediaAttachment, resolveMediaUrl, } from "./files.js";
 import { runFridayDispatch } from "../../agent/dispatch-bridge.js";
+import { ensureSubagentSpawnScope } from "../../agent/operator-scope.js";
 import { saveInboundMediaBuffer } from "../../agent/media-bridge.js";
 import { contextTokensFromUsageRecord, getRunMetadata, getRunRoute, hasRunFinalDelivered, markRunFinalDelivered, registerRunRoute, setRunMetadata, } from "../../run-metadata.js";
 import { createFridayNextLogger, setFridayNextLogLevel } from "../../logging.js";
@@ -506,6 +507,14 @@ export async function handleMessages(req, res) {
             sseEmitter.untrackRun(runId);
         }
     };
+    // Elevate the route's (empty) operator scope so the dispatched agent can spawn
+    // subagents. Must run here, synchronously inside the route's AsyncLocalStorage
+    // context, so the live scope object the subagent spawn later reads carries
+    // operator.write. See agent/operator-scope.ts.
+    const elevatedScopes = ensureSubagentSpawnScope();
+    if (elevatedScopes.length > 0) {
+        log("SCOPE_ELEVATED", normalizedDeviceId, runId, elevatedScopes.join(","));
+    }
     runAgent().catch((err) => {
         log("RUN_ERROR", normalizedDeviceId, runId, String(err), "error");
         sseEmitter.untrackRun(runId);

package/dist/src/skills-discovery.d.ts

@@ -17,12 +17,19 @@
  *                in another agent's workspace (main is just another agent, not a shared pool)
  *  - installed : managed skills dir (`<configDir>/skills`, sibling of the workspace)
  *  - built-in  : bundled core skills (`<openclaw>/skills`)
- *  - extra     : skills from ENABLED extensions (`<openclaw>/dist/extensions/<ext>/skills`,
- *                gated by `plugins.allow`/`entries.enabled` like ControlUI) + config
- *                `skills.load.extraDirs` — mirrors ControlUI's "EXTRA" bucket
- *                (core tags extension skills `source: "extension"`).
+ *  - extra     : everything ControlUI buckets as "EXTRA" —
+ *                  • `<configDir>/plugin-skills/` : OpenClaw's symlink dir where every ACTIVATED
+ *                    plugin's skills land, incl. third-party plugins (e.g. the miloco-* set)
+ *                  • `<workspace>/.agents/skills`  : project-level agents skills (target agent)
+ *                  • `~/.agents/skills`            : personal agents skills
+ *                  • config `skills.load.extraDirs`
+ *                  • ENABLED bundled extensions (`<openclaw>/dist/extensions/<ext>/skills`,
+ *                    gated by `plugins.allow`/`entries.enabled`) — now mostly redundant with
+ *                    plugin-skills, kept as a belt-and-suspenders fallback
  *
  * Dedup is by skill id, first source wins (workspace > installed > extra > built-in).
+ * The walk FOLLOWS symlinked directories — plugin-skills entries are symlinks, so without
+ * this the entire plugin-provided set is invisible.
  *
  * A skill's id is the `name:` field in its `SKILL.md` frontmatter (falling back to
  * the containing dir name) — NOT the dir name itself, which often differs (e.g. the

package/dist/src/skills-discovery.js

@@ -17,12 +17,19 @@
  *                in another agent's workspace (main is just another agent, not a shared pool)
  *  - installed : managed skills dir (`<configDir>/skills`, sibling of the workspace)
  *  - built-in  : bundled core skills (`<openclaw>/skills`)
- *  - extra     : skills from ENABLED extensions (`<openclaw>/dist/extensions/<ext>/skills`,
- *                gated by `plugins.allow`/`entries.enabled` like ControlUI) + config
- *                `skills.load.extraDirs` — mirrors ControlUI's "EXTRA" bucket
- *                (core tags extension skills `source: "extension"`).
+ *  - extra     : everything ControlUI buckets as "EXTRA" —
+ *                  • `<configDir>/plugin-skills/` : OpenClaw's symlink dir where every ACTIVATED
+ *                    plugin's skills land, incl. third-party plugins (e.g. the miloco-* set)
+ *                  • `<workspace>/.agents/skills`  : project-level agents skills (target agent)
+ *                  • `~/.agents/skills`            : personal agents skills
+ *                  • config `skills.load.extraDirs`
+ *                  • ENABLED bundled extensions (`<openclaw>/dist/extensions/<ext>/skills`,
+ *                    gated by `plugins.allow`/`entries.enabled`) — now mostly redundant with
+ *                    plugin-skills, kept as a belt-and-suspenders fallback
  *
  * Dedup is by skill id, first source wins (workspace > installed > extra > built-in).
+ * The walk FOLLOWS symlinked directories — plugin-skills entries are symlinks, so without
+ * this the entire plugin-provided set is invisible.
  *
  * A skill's id is the `name:` field in its `SKILL.md` frontmatter (falling back to
  * the containing dir name) — NOT the dir name itself, which often differs (e.g. the
@@ -36,6 +43,7 @@
  * `skills[]` config, already returned separately by the config view.
  */
 import fs from "node:fs";
+import os from "node:os";
 import path from "node:path";
 import { createRequire } from "node:module";
 import { getFridayAgentForwardRuntime } from "./agent-forward-runtime.js";
@@ -100,9 +108,24 @@ function collectSkills(root, source, out, depth = 0) {
         return; // a skill is a leaf — don't treat its internals as nested skills
     }
     for (const e of entries) {
-        if (e.isDirectory() && !e.name.startsWith(".") && !IGNORED_WALK_DIRS.has(e.name)) {
-            collectSkills(path.join(root, e.name), source, out, depth + 1);
+        if (e.name.startsWith(".") || IGNORED_WALK_DIRS.has(e.name))
+            continue;
+        const full = path.join(root, e.name);
+        // Follow symlinked dirs: `readdirSync(withFileTypes)` reports a symlink as
+        // `isSymbolicLink()` (never `isDirectory()`), and OpenClaw publishes plugin
+        // skills as symlinks under `<configDir>/plugin-skills/` — so without this the
+        // entire plugin-skills (e.g. the miloco-* set) source would be silently skipped.
+        let isDir = e.isDirectory();
+        if (!isDir && e.isSymbolicLink()) {
+            try {
+                isDir = fs.statSync(full).isDirectory();
+            }
+            catch {
+                isDir = false; // broken/unreadable symlink
+            }
         }
+        if (isDir)
+            collectSkills(full, source, out, depth + 1);
     }
 }
 let cachedOpenClawRoot;
@@ -216,24 +239,44 @@ export function discoverAvailableSkills(cfg, agentId) {
         // leaked main's skills into every other agent's catalog.
         try {
             const ws = resolveWs(cfg, agentId);
-            if (ws)
+            if (ws) {
                 sources.push({ dir: path.join(ws, "skills"), source: "workspace" });
+                // Project-level agents skills: `<workspace>/.agents/skills` (core source
+                // `agents-skills-project`), scoped to this same target agent's workspace.
+                sources.push({ dir: path.join(ws, ".agents", "skills"), source: "extra" });
+            }
         }
         catch {
             // skip unresolvable workspace
         }
-        // Managed skills dir: `<configDir>/skills`. It is agent-independent; anchor it off the
-        // DEFAULT agent's workspace parent (the default workspace lives directly under configDir,
-        // whereas non-default workspaces may be nested under it).
+        // Managed (`<configDir>/skills`) + plugin-skills (`<configDir>/plugin-skills`) dirs. Both are
+        // agent-independent; anchor off the DEFAULT agent's workspace parent (the default workspace
+        // lives directly under configDir, whereas non-default workspaces may be nested under it).
         try {
             const defaultWs = resolveWs(cfg, resolveDefaultAgentId(c));
-            if (defaultWs)
-                sources.push({ dir: path.join(path.dirname(defaultWs), "skills"), source: "installed" });
+            if (defaultWs) {
+                const configDir = path.dirname(defaultWs);
+                sources.push({ dir: path.join(configDir, "skills"), source: "installed" });
+                // OpenClaw symlinks every ACTIVATED plugin's skills (incl. third-party plugins under
+                // `<configDir>/extensions/*`, e.g. the miloco-* set) into `<configDir>/plugin-skills/`
+                // and loads it as an "extra" source. The old dist/extensions scan only caught BUNDLED
+                // extensions, so plugin-provided skills were missing entirely.
+                sources.push({ dir: path.join(configDir, "plugin-skills"), source: "extra" });
+            }
         }
         catch {
             // skip unresolvable managed dir
         }
     }
+    // Personal agents skills: `~/.agents/skills` (core source `agents-skills-personal`).
+    try {
+        const home = os.homedir();
+        if (home)
+            sources.push({ dir: path.join(home, ".agents", "skills"), source: "extra" });
+    }
+    catch {
+        // home dir unresolvable on this platform — skip
+    }
     const extraDirs = c?.skills?.load?.extraDirs;
     if (Array.isArray(extraDirs)) {
         for (const d of extraDirs)

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@syengup/friday-channel-next",
-  "version": "0.1.37",
+  "version": "0.1.39",
   "description": "OpenClaw Friday Next Apple channel plugin",
   "license": "MIT",
   "type": "module",
@@ -12,19 +12,6 @@
     "tsconfig.json",
     "openclaw.plugin.json"
   ],
-  "scripts": {
-    "build": "tsc -p tsconfig.json",
-    "lint": "eslint .",
-    "lint:fix": "eslint . --fix",
-    "format": "prettier --write .",
-    "format:check": "prettier --check .",
-    "prepublishOnly": "pnpm build && rm -rf dist/attachments",
-    "test": "npm run test:unit && npm run test:e2e",
-    "test:unit": "vitest run",
-    "test:e2e": "vitest run --config vitest.e2e.config.ts",
-    "test:smoke": "node scripts/e2e-smoke.mjs",
-    "test:msg-live": "node scripts/message-roundtrip-live.mjs"
-  },
   "bin": {
     "friday-channel-next": "install.js"
   },
@@ -75,5 +62,17 @@
     "typescript-eslint": "^8.61.1",
     "vitest": "^4.1.5",
     "zod": "^4.3.6"
+  },
+  "scripts": {
+    "build": "tsc -p tsconfig.json",
+    "lint": "eslint .",
+    "lint:fix": "eslint . --fix",
+    "format": "prettier --write .",
+    "format:check": "prettier --check .",
+    "test": "npm run test:unit && npm run test:e2e",
+    "test:unit": "vitest run",
+    "test:e2e": "vitest run --config vitest.e2e.config.ts",
+    "test:smoke": "node scripts/e2e-smoke.mjs",
+    "test:msg-live": "node scripts/message-roundtrip-live.mjs"
   }
-}
+}

package/src/agent/operator-scope.test.ts

@@ -0,0 +1,66 @@
+import { describe, it, expect, vi } from "vitest";
+
+// The helper imports the live scope getter from core; the pure function under test
+// never calls it, but the module-level import must resolve. Mock it so the unit test
+// does not depend on the OpenClaw dist runtime.
+const getScope = vi.fn();
+vi.mock("openclaw/plugin-sdk/plugin-runtime", () => ({
+  getPluginRuntimeGatewayRequestScope: () => getScope(),
+}));
+
+import { elevateScopeForSubagentSpawn, ensureSubagentSpawnScope } from "./operator-scope.js";
+
+function makeScope(scopes: string[]) {
+  return { client: { connect: { role: "operator", scopes } } };
+}
+
+describe("elevateScopeForSubagentSpawn", () => {
+  it("adds operator.write + operator.read to an empty plugin-route scope", () => {
+    // friday-next routes register with auth:"plugin", which core gives EMPTY operator
+    // scopes. Subagent spawn re-enters the gateway `agent` method (requires
+    // operator.write) and fails with "missing scope: operator.write" without this.
+    const scope = makeScope([]);
+    const added = elevateScopeForSubagentSpawn(scope);
+    expect(scope.client.connect.scopes).toContain("operator.write");
+    expect(scope.client.connect.scopes).toContain("operator.read");
+    expect(added).toEqual(["operator.write", "operator.read"]);
+  });
+
+  it("is idempotent — does not duplicate already-present scopes", () => {
+    const scope = makeScope(["operator.write"]);
+    const added = elevateScopeForSubagentSpawn(scope);
+    expect(added).toEqual(["operator.read"]);
+    expect(scope.client.connect.scopes.filter((s) => s === "operator.write")).toHaveLength(1);
+  });
+
+  it("preserves unrelated existing scopes", () => {
+    const scope = makeScope(["operator.admin"]);
+    elevateScopeForSubagentSpawn(scope);
+    expect(scope.client.connect.scopes).toContain("operator.admin");
+    expect(scope.client.connect.scopes).toContain("operator.write");
+  });
+
+  it("returns [] and never throws when no scope/client is present", () => {
+    expect(elevateScopeForSubagentSpawn(undefined)).toEqual([]);
+    expect(elevateScopeForSubagentSpawn(null)).toEqual([]);
+    expect(elevateScopeForSubagentSpawn({})).toEqual([]);
+    expect(elevateScopeForSubagentSpawn({ client: { connect: {} } })).toEqual([]);
+  });
+});
+
+describe("ensureSubagentSpawnScope", () => {
+  it("elevates the live scope returned by the SDK getter", () => {
+    const scope = makeScope([]);
+    getScope.mockReturnValue(scope);
+    const added = ensureSubagentSpawnScope();
+    expect(added).toEqual(["operator.write", "operator.read"]);
+    expect(scope.client.connect.scopes).toContain("operator.write");
+  });
+
+  it("swallows errors from the getter and returns []", () => {
+    getScope.mockImplementation(() => {
+      throw new Error("no scope");
+    });
+    expect(ensureSubagentSpawnScope()).toEqual([]);
+  });
+});

package/src/agent/operator-scope.ts

@@ -0,0 +1,63 @@
+// Operator-scope elevation for friday-next agent dispatch.
+//
+// Why this exists: friday-next registers all its routes with auth:"plugin" (it does
+// its own device-token auth, not the gateway operator token). Core's
+// createPluginRouteRuntimeScope gives auth!="gateway" routes an EMPTY operator-scope
+// set. When an agent dispatched from such a route spawns a subagent, the spawn
+// re-enters the in-process gateway `agent` method, which requires `operator.write`
+// (core-descriptors: { name:"agent", scope:"operator.write" }). With an empty ambient
+// scope the spawn fails with `{"error":"missing scope: operator.write"}`.
+//
+// The subagent spawn reads getPluginRuntimeGatewayRequestScope() at spawn time and
+// uses that scope's client for authorization. Because AsyncLocalStorage returns the
+// SAME store object reference, mutating its client.connect.scopes once — before we
+// kick off the dispatch, while still inside the route's ALS context — propagates the
+// elevated scopes to every later reader, including the subagent spawn.
+//
+// Subagent lifecycle admin methods (sessions.patch/delete) are unaffected: core pins
+// those to ADMIN_SCOPE via a synthetic client, so only the `agent` method depends on
+// this ambient operator.write. See memory: subagent-spawn-missing-operator-write.
+import { getPluginRuntimeGatewayRequestScope } from "openclaw/plugin-sdk/plugin-runtime";
+
+/** Operator scopes the friday-next dispatch needs so agents can spawn subagents. */
+const REQUIRED_OPERATOR_SCOPES = ["operator.write", "operator.read"] as const;
+
+type ScopeLike =
+  | {
+      client?: { connect?: { scopes?: unknown } };
+    }
+  | null
+  | undefined;
+
+/**
+ * Adds the required operator scopes to a gateway-request-scope's
+ * `client.connect.scopes` array in place. Pure and idempotent.
+ * Returns the scopes that were actually added (empty if none / no array present).
+ */
+export function elevateScopeForSubagentSpawn(scope: ScopeLike): string[] {
+  const connect = scope?.client?.connect;
+  if (!connect || !Array.isArray(connect.scopes)) {
+    return [];
+  }
+  const scopes = connect.scopes as string[];
+  const added: string[] = [];
+  for (const scopeName of REQUIRED_OPERATOR_SCOPES) {
+    if (!scopes.includes(scopeName)) {
+      scopes.push(scopeName);
+      added.push(scopeName);
+    }
+  }
+  return added;
+}
+
+/**
+ * Fetches the live plugin gateway-request-scope and elevates it so the dispatched
+ * agent can spawn subagents. Never throws — returns the scopes added (or []).
+ */
+export function ensureSubagentSpawnScope(): string[] {
+  try {
+    return elevateScopeForSubagentSpawn(getPluginRuntimeGatewayRequestScope());
+  } catch {
+    return [];
+  }
+}

package/src/http/handlers/messages.ts

@@ -48,6 +48,7 @@ import {
   resolveMediaUrl,
 } from "./files.js";
 import { runFridayDispatch } from "../../agent/dispatch-bridge.js";
+import { ensureSubagentSpawnScope } from "../../agent/operator-scope.js";
 import { saveInboundMediaBuffer } from "../../agent/media-bridge.js";
 import {
   contextTokensFromUsageRecord,
@@ -674,6 +675,15 @@ export async function handleMessages(req: IncomingMessage, res: ServerResponse):
     }
   };
 
+  // Elevate the route's (empty) operator scope so the dispatched agent can spawn
+  // subagents. Must run here, synchronously inside the route's AsyncLocalStorage
+  // context, so the live scope object the subagent spawn later reads carries
+  // operator.write. See agent/operator-scope.ts.
+  const elevatedScopes = ensureSubagentSpawnScope();
+  if (elevatedScopes.length > 0) {
+    log("SCOPE_ELEVATED", normalizedDeviceId, runId, elevatedScopes.join(","));
+  }
+
   runAgent().catch((err) => {
     log("RUN_ERROR", normalizedDeviceId, runId, String(err), "error");
     sseEmitter.untrackRun(runId);

package/src/openclaw.d.ts

@@ -93,6 +93,16 @@ declare module "openclaw/plugin-sdk/reply-dispatch-runtime" {
   export const dispatchReplyWithDispatcher: (...args: any[]) => any;
 }
 
+declare module "openclaw/plugin-sdk/plugin-runtime" {
+  /**
+   * Returns the request-local plugin gateway-request-scope (operator client/scopes,
+   * context) when called from within a plugin HTTP-route handler's async context.
+   */
+  export const getPluginRuntimeGatewayRequestScope: () =>
+    | { client?: { connect?: { scopes?: string[] } } }
+    | undefined;
+}
+
 declare module "openclaw/plugin-sdk/status-helpers" {
   export type ChannelAccountSnapshot = any;
 }

package/src/skills-discovery.test.ts

@@ -1,4 +1,4 @@
-import { describe, it, expect, afterEach } from "vitest";
+import { describe, it, expect, beforeEach, afterEach } from "vitest";
 import fs from "node:fs";
 import os from "node:os";
 import path from "node:path";
@@ -22,6 +22,8 @@ function makeSkills(parent: string, ids: string[]): void {
 
 describe("discoverAvailableSkills", () => {
   let root: string;
+  let emptyHome: string;
+  let savedHome: string | undefined;
 
   function wire(configRoot: string, cfg: unknown): void {
     setFridayAgentForwardRuntime({
@@ -39,10 +41,21 @@ describe("discoverAvailableSkills", () => {
     } as never);
   }
 
+  beforeEach(() => {
+    // Isolate `~/.agents/skills` (a real discovery source) from the dev machine's
+    // home so exact-match assertions don't pick up the operator's actual skills.
+    savedHome = process.env.HOME;
+    emptyHome = fs.mkdtempSync(path.join(os.tmpdir(), "friday-home-"));
+    process.env.HOME = emptyHome;
+  });
+
   afterEach(() => {
+    if (savedHome === undefined) delete process.env.HOME;
+    else process.env.HOME = savedHome;
     resetFridayAgentForwardRuntimeForTest();
     resetOpenClawRootCacheForTest();
     if (root) fs.rmSync(root, { recursive: true, force: true });
+    if (emptyHome) fs.rmSync(emptyHome, { recursive: true, force: true });
   });
 
   it("scans only the target agent's own workspace (not the default agent's), plus managed + extra dirs, deduped and sorted", () => {
@@ -118,6 +131,42 @@ describe("discoverAvailableSkills", () => {
     expect(result.find((s) => s.id === "self-improvement")?.description).toBe("x");
   });
 
+  it("discovers plugin-skills (symlinks), plus project + personal agents skills as 'extra'", () => {
+    root = fs.mkdtempSync(path.join(os.tmpdir(), "friday-disc-"));
+    const configRoot = path.join(root, "configdir");
+    const operatorWs = path.join(configRoot, "workspace", "agents", "operator");
+
+    // target agent's own workspace skills
+    makeSkills(path.join(operatorWs, "skills"), ["own-skill"]);
+    // project-level agents skills: <workspace>/.agents/skills
+    makeSkills(path.join(operatorWs, ".agents", "skills"), ["project-skill"]);
+    // personal agents skills: <home>/.agents/skills  (HOME isolated in beforeEach)
+    makeSkills(path.join(emptyHome, ".agents", "skills"), ["personal-skill"]);
+
+    // plugin-skills: real plugin skill dirs SYMLINKED into <configDir>/plugin-skills/,
+    // exactly how OpenClaw publishes third-party plugin skills (e.g. the miloco-* set).
+    const pluginPkg = path.join(root, "miloco-openclaw-plugin", "skills");
+    makeSkills(pluginPkg, ["miloco-devices", "miloco-notify"]);
+    const pluginSkillsDir = path.join(configRoot, "plugin-skills");
+    fs.mkdirSync(pluginSkillsDir, { recursive: true });
+    for (const id of ["miloco-devices", "miloco-notify"]) {
+      fs.symlinkSync(path.join(pluginPkg, id), path.join(pluginSkillsDir, id), "dir");
+    }
+
+    const cfg = { agents: { list: [{ id: "main", default: true }, { id: "operator" }] } };
+    wire(configRoot, cfg);
+
+    const result = discoverAvailableSkills(cfg, "operator");
+    const bySource = Object.fromEntries(result.map((s) => [s.id, s.source]));
+    expect(bySource).toEqual({
+      "own-skill": "workspace",
+      "project-skill": "extra",
+      "personal-skill": "extra",
+      "miloco-devices": "extra", // followed through the symlink — the miloco regression
+      "miloco-notify": "extra",
+    });
+  });
+
   it("returns [] without throwing when nothing is resolvable", () => {
     resetFridayAgentForwardRuntimeForTest();
     expect(discoverAvailableSkills({}, "main")).toEqual([]);

package/src/skills-discovery.ts

@@ -17,12 +17,19 @@
  *                in another agent's workspace (main is just another agent, not a shared pool)
  *  - installed : managed skills dir (`<configDir>/skills`, sibling of the workspace)
  *  - built-in  : bundled core skills (`<openclaw>/skills`)
- *  - extra     : skills from ENABLED extensions (`<openclaw>/dist/extensions/<ext>/skills`,
- *                gated by `plugins.allow`/`entries.enabled` like ControlUI) + config
- *                `skills.load.extraDirs` — mirrors ControlUI's "EXTRA" bucket
- *                (core tags extension skills `source: "extension"`).
+ *  - extra     : everything ControlUI buckets as "EXTRA" —
+ *                  • `<configDir>/plugin-skills/` : OpenClaw's symlink dir where every ACTIVATED
+ *                    plugin's skills land, incl. third-party plugins (e.g. the miloco-* set)
+ *                  • `<workspace>/.agents/skills`  : project-level agents skills (target agent)
+ *                  • `~/.agents/skills`            : personal agents skills
+ *                  • config `skills.load.extraDirs`
+ *                  • ENABLED bundled extensions (`<openclaw>/dist/extensions/<ext>/skills`,
+ *                    gated by `plugins.allow`/`entries.enabled`) — now mostly redundant with
+ *                    plugin-skills, kept as a belt-and-suspenders fallback
  *
  * Dedup is by skill id, first source wins (workspace > installed > extra > built-in).
+ * The walk FOLLOWS symlinked directories — plugin-skills entries are symlinks, so without
+ * this the entire plugin-provided set is invisible.
  *
  * A skill's id is the `name:` field in its `SKILL.md` frontmatter (falling back to
  * the containing dir name) — NOT the dir name itself, which often differs (e.g. the
@@ -37,6 +44,7 @@
  */
 
 import fs from "node:fs";
+import os from "node:os";
 import path from "node:path";
 import { createRequire } from "node:module";
 import { getFridayAgentForwardRuntime } from "./agent-forward-runtime.js";
@@ -107,9 +115,21 @@ function collectSkills(
     return; // a skill is a leaf — don't treat its internals as nested skills
   }
   for (const e of entries) {
-    if (e.isDirectory() && !e.name.startsWith(".") && !IGNORED_WALK_DIRS.has(e.name)) {
-      collectSkills(path.join(root, e.name), source, out, depth + 1);
+    if (e.name.startsWith(".") || IGNORED_WALK_DIRS.has(e.name)) continue;
+    const full = path.join(root, e.name);
+    // Follow symlinked dirs: `readdirSync(withFileTypes)` reports a symlink as
+    // `isSymbolicLink()` (never `isDirectory()`), and OpenClaw publishes plugin
+    // skills as symlinks under `<configDir>/plugin-skills/` — so without this the
+    // entire plugin-skills (e.g. the miloco-* set) source would be silently skipped.
+    let isDir = e.isDirectory();
+    if (!isDir && e.isSymbolicLink()) {
+      try {
+        isDir = fs.statSync(full).isDirectory();
+      } catch {
+        isDir = false; // broken/unreadable symlink
+      }
     }
+    if (isDir) collectSkills(full, source, out, depth + 1);
   }
 }
 
@@ -227,22 +247,42 @@ export function discoverAvailableSkills(cfg: unknown, agentId: string): Discover
     // leaked main's skills into every other agent's catalog.
     try {
       const ws = resolveWs(cfg, agentId);
-      if (ws) sources.push({ dir: path.join(ws, "skills"), source: "workspace" });
+      if (ws) {
+        sources.push({ dir: path.join(ws, "skills"), source: "workspace" });
+        // Project-level agents skills: `<workspace>/.agents/skills` (core source
+        // `agents-skills-project`), scoped to this same target agent's workspace.
+        sources.push({ dir: path.join(ws, ".agents", "skills"), source: "extra" });
+      }
     } catch {
       // skip unresolvable workspace
     }
-    // Managed skills dir: `<configDir>/skills`. It is agent-independent; anchor it off the
-    // DEFAULT agent's workspace parent (the default workspace lives directly under configDir,
-    // whereas non-default workspaces may be nested under it).
+    // Managed (`<configDir>/skills`) + plugin-skills (`<configDir>/plugin-skills`) dirs. Both are
+    // agent-independent; anchor off the DEFAULT agent's workspace parent (the default workspace
+    // lives directly under configDir, whereas non-default workspaces may be nested under it).
     try {
       const defaultWs = resolveWs(cfg, resolveDefaultAgentId(c));
-      if (defaultWs)
-        sources.push({ dir: path.join(path.dirname(defaultWs), "skills"), source: "installed" });
+      if (defaultWs) {
+        const configDir = path.dirname(defaultWs);
+        sources.push({ dir: path.join(configDir, "skills"), source: "installed" });
+        // OpenClaw symlinks every ACTIVATED plugin's skills (incl. third-party plugins under
+        // `<configDir>/extensions/*`, e.g. the miloco-* set) into `<configDir>/plugin-skills/`
+        // and loads it as an "extra" source. The old dist/extensions scan only caught BUNDLED
+        // extensions, so plugin-provided skills were missing entirely.
+        sources.push({ dir: path.join(configDir, "plugin-skills"), source: "extra" });
+      }
     } catch {
       // skip unresolvable managed dir
     }
   }
 
+  // Personal agents skills: `~/.agents/skills` (core source `agents-skills-personal`).
+  try {
+    const home = os.homedir();
+    if (home) sources.push({ dir: path.join(home, ".agents", "skills"), source: "extra" });
+  } catch {
+    // home dir unresolvable on this platform — skip
+  }
+
   const extraDirs = (
     (c?.skills as Record<string, unknown> | undefined)?.load as Record<string, unknown> | undefined
   )?.extraDirs;