ai-omni-skills 1.2.21 → 1.2.22

package/CHANGELOG.md

@@ -1,5 +1,23 @@
 # Changelog
 
+## [1.2.22] - 2026-06-22
+
+### Added
+- **NVIDIA SkillSpector integration** — security scanning for AI skills
+  - `omni-skills security` — check SkillSpector status
+  - `omni-skills security scan` — scan skills for 64 vulnerability patterns
+  - Setup asks to install SkillSpector (default: yes)
+  - Doctor checks SkillSpector installation status
+  - README documents SkillSpector with NVIDIA reference
+- **Skill creation wizard** — create skills directly without going through an agent
+  - `omni-skills create [name]` — interactive wizard with SKILL.md template
+  - `omni-skills create from <file>` — convert existing file to skill
+- **Help hint** — quick-start banner at bottom of `omni-skills help`
+
+### Changed
+- Rename CLI command from `skills` to `omni-skills` (`skills` kept as backward-compatible alias)
+- Update all documentation examples to use `omni-skills`
+
 ## [1.2.20] - 2026-06-22
 
 ### Added

package/README.md

@@ -167,6 +167,9 @@ Tools with MCP support get the `skills` MCP server registered automatically. Too
 | `omni-skills doctor` | Health check: verify symlinks, config, indexes, and skill counts. |
 | `omni-skills report [--enhance]` | Usage statistics and heuristic improvement tips. |
 | `omni-skills init [--dry-run]` | Interactive setup: scan, classify, route, wire. |
+| `omni-skills security [scan]` | Check/install NVIDIA SkillSpector. Scan skills for vulnerabilities. |
+| `omni-skills create [name]` | Create a new skill with interactive wizard. |
+| `omni-skills create from <file>` | Convert an existing file into a skill. |
 | `omni-skills help` | Show help. |
 
 ---
@@ -264,6 +267,70 @@ Workflows live in your private repo under `workflows/` — they are personal, no
 
 ---
 
+## 🔒 Security Scanning (NVIDIA SkillSpector)
+
+Research shows **26.1% of AI skills contain vulnerabilities** and **5.2% show likely malicious intent**. Omni Skills integrates with [NVIDIA SkillSpector](https://github.com/NVIDIA/skillspector) to scan your skills before you install them.
+
+SkillSpector detects **64 vulnerability patterns** across **16 categories**:
+- Prompt injection, data exfiltration, privilege escalation
+- Supply chain attacks, malware, credential harvesting
+- Excessive agency, tool misuse, system prompt leakage
+
+### Quick Start
+
+```bash
+# Check SkillSpector status
+omni-skills security
+
+# Scan all skills in your canonical store
+omni-skills security scan
+
+# Scan without LLM (faster, static analysis only)
+omni-skills security scan --no-llm
+
+# Scan a specific skill directory
+omni-skills security scan ~/my-skills-private/clean-code
+```
+
+### Install SkillSpector
+
+```bash
+git clone https://github.com/NVIDIA/skillspector.git
+cd skillspector
+python3 -m venv .venv && source .venv/bin/activate
+pip install -e .
+```
+
+Or use Docker:
+```bash
+docker run --rm -v "$PWD:/scan" ghcr.io/nvidia/skillspector scan /scan
+```
+
+---
+
+## ✨ Creating New Skills
+
+Instead of creating skills through an agent and then moving them, create them directly:
+
+```bash
+# Interactive wizard
+omni-skills create
+
+# With name and description
+omni-skills create refine-requests "Refine ticket acceptance criteria"
+
+# Convert an existing file into a skill
+omni-skills create from ./my-instructions.md
+
+# Then index and sync
+omni-skills index
+omni-skills sync all
+```
+
+This creates a `SKILL.md` with proper frontmatter in your private skills store.
+
+---
+
 ## How to Store Your Skills
 
 This toolkit is **code only**. Your skills live in a separate repository (or two) that you control.

package/cli.js

@@ -68,6 +68,15 @@ Subcommands:
           Interactive seeker: scan tool skills dirs and known agent locations for
           new skills, classify them public/private/skip, then sync and index.
           --dry-run prints recommendations without prompting or writing.
+  security [scan [path] [--no-llm]]
+          Check security status of NVIDIA SkillSpector.
+          Scan skills for vulnerabilities (prompt injection, data exfiltration,
+          malware, etc.). Requires SkillSpector installation.
+  create [name] [description]
+          Create a new skill with interactive wizard.
+          Creates SKILL.md template in your private skills store.
+  create from <path> [name]
+          Convert an existing file into a skill.
   help    Show this help message
 
 Config resolves from $SKILLS_CONFIG, then ~/.config/skills/config.json, then the
@@ -181,6 +190,42 @@ async function main() {
       await initSkills(loadConfig(), { dryRun: flags.dryRun });
       break;
     }
+    case 'security': {
+      const { showSecurityStatus, runSkillSpectorScan, showSecurityBanner } = await import('./lib/security.js');
+      const config = loadConfig();
+      const subcmd = positional[0];
+      if (subcmd === 'scan') {
+        const target = positional[1] || config.privatePath || config.publicPath || process.cwd();
+        showSecurityBanner();
+        const output = runSkillSpectorScan(target, {
+          noLLM: rest.includes('--no-llm'),
+          format: rest.find(a => a.startsWith('--format='))?.split('=')[1],
+          output: rest.find(a => a.startsWith('--output='))?.split('=')[1],
+          verbose: rest.includes('-V') || rest.includes('--verbose'),
+        });
+        if (output) console.log(output);
+      } else {
+        showSecurityStatus();
+      }
+      break;
+    }
+    case 'create': {
+      const { createSkill, createSkillFromFile } = await import('./lib/create-skill.js');
+      const config = loadConfig();
+      const subcmd = positional[0];
+      if (subcmd === 'from' && positional[1]) {
+        await createSkillFromFile(config, positional[1], {
+          name: positional[2],
+        });
+      } else {
+        await createSkill(config, {
+          name: positional[0],
+          description: positional[1],
+          targetDir: flags.privatePath || config.privatePath,
+        });
+      }
+      break;
+    }
     case 'help':
     case '-h':
     case undefined:

package/lib/create-skill.js

@@ -0,0 +1,180 @@
+import { mkdirSync, writeFileSync, existsSync, readFileSync } from 'node:fs';
+import { join } from 'node:path';
+import readline from 'node:readline';
+
+const SKILL_TEMPLATE = `---
+name: {{NAME}}
+description: {{DESCRIPTION}}
+triggers: {{TRIGGERS}}
+---
+
+# {{NAME}}
+
+{{DESCRIPTION}}
+
+## When to Use
+
+- Trigger condition 1
+- Trigger condition 2
+
+## Instructions
+
+1. Step one
+2. Step two
+3. Step three
+
+## Notes
+
+- Add any important notes or edge cases here
+- Keep this section updated as you refine the skill
+`;
+
+function ask(rl, question) {
+  return new Promise((resolve) => {
+    rl.question(question, resolve);
+  });
+}
+
+export async function createSkill(config, options = {}) {
+  const { privatePath } = config;
+  if (!privatePath) {
+    console.error('❌ No privatePath configured. Run `omni-skills setup` first.');
+    process.exit(1);
+  }
+
+  const isTty = process.stdin.isTTY && process.stdout.isTTY;
+  const rl = isTty ? readline.createInterface({ input: process.stdin, output: process.stdout }) : null;
+
+  // Determine target directory
+  let targetDir = options.targetDir || privatePath;
+  if (!existsSync(targetDir)) {
+    console.error(`❌ Target directory does not exist: ${targetDir}`);
+    console.log('Run `omni-skills setup` to configure your skills directory.');
+    process.exit(1);
+  }
+
+  let skillName = options.name;
+  let description = options.description;
+  let triggers = options.triggers;
+  let openEditor = options.openEditor ?? true;
+
+  if (isTty && !skillName) {
+    skillName = (await ask(rl, 'Skill name (kebab-case, e.g. "refine-requests"): ')).trim();
+  }
+
+  if (!skillName) {
+    console.error('❌ Skill name is required.');
+    process.exit(1);
+  }
+
+  // Validate skill name
+  const validName = /^[a-z0-9-]+$/.test(skillName);
+  if (!validName) {
+    console.error('❌ Skill name must be kebab-case (lowercase letters, numbers, hyphens only).');
+    process.exit(1);
+  }
+
+  const skillDir = join(targetDir, skillName);
+  if (existsSync(skillDir)) {
+    console.error(`❌ Skill "${skillName}" already exists at ${skillDir}`);
+    process.exit(1);
+  }
+
+  if (isTty && !description) {
+    description = (await ask(rl, 'Description (one sentence, what this skill does): ')).trim();
+  }
+
+  if (!description) {
+    description = `Use this skill when working with ${skillName}.`;
+  }
+
+  if (isTty && !triggers) {
+    triggers = (await ask(rl, 'Trigger keywords (comma-separated, e.g. "refine, clarify, review"): ')).trim();
+  }
+
+  if (!triggers) {
+    triggers = skillName;
+  }
+
+  // Create skill directory and file
+  mkdirSync(skillDir, { recursive: true });
+  const skillFile = join(skillDir, 'SKILL.md');
+
+  const content = SKILL_TEMPLATE
+    .replace(/{{NAME}}/g, skillName)
+    .replace(/{{DESCRIPTION}}/g, description)
+    .replace(/{{TRIGGERS}}/g, triggers);
+
+  writeFileSync(skillFile, content, 'utf8');
+
+  console.log(`✅ Created skill: ${skillName}`);
+  console.log(`   Path: ${skillFile}`);
+  console.log('');
+  console.log('Next steps:');
+  console.log('  1. Edit SKILL.md to add your instructions');
+  console.log('  2. Run `omni-skills index` to regenerate the skill index');
+  console.log('  3. Run `omni-skills sync all` to wire into all tools');
+  console.log('');
+
+  if (isTty && openEditor) {
+    const answer = (await ask(rl, 'Open in editor? [y/n] (default: y): ')).trim().toLowerCase();
+    if (answer === '' || answer === 'y' || answer === 'yes') {
+      const { execSync } = await import('node:child_process');
+      const editor = process.env.EDITOR || 'code';
+      try {
+        execSync(`${editor} "${skillFile}"`, { stdio: 'inherit' });
+      } catch {
+        console.log(`Could not open editor. Edit manually: ${skillFile}`);
+      }
+    }
+  }
+
+  if (rl) rl.close();
+  return { skillName, skillDir, skillFile };
+}
+
+export async function createSkillFromFile(config, sourcePath, options = {}) {
+  if (!existsSync(sourcePath)) {
+    console.error(`❌ Source file does not exist: ${sourcePath}`);
+    process.exit(1);
+  }
+
+  const { privatePath } = config;
+  if (!privatePath) {
+    console.error('❌ No privatePath configured. Run `omni-skills setup` first.');
+    process.exit(1);
+  }
+
+  const sourceName = sourcePath.split('/').pop().replace(/\.md$/, '');
+  const skillName = options.name || sourceName.toLowerCase().replace(/[^a-z0-9-]/g, '-').replace(/-+/g, '-').replace(/^-|-$/g, '');
+
+  const skillDir = join(privatePath, skillName);
+  if (existsSync(skillDir)) {
+    console.error(`❌ Skill "${skillName}" already exists.`);
+    process.exit(1);
+  }
+
+  mkdirSync(skillDir, { recursive: true });
+  const skillFile = join(skillDir, 'SKILL.md');
+
+  let content = readFileSync(sourcePath, 'utf8');
+
+  // If content doesn't have frontmatter, add it
+  if (!content.trim().startsWith('---')) {
+    const description = options.description || `Converted from ${sourceName}`;
+    content = `---\nname: ${skillName}\ndescription: ${description}\n---\n\n${content}`;
+  }
+
+  writeFileSync(skillFile, content, 'utf8');
+
+  console.log(`✅ Created skill from file: ${skillName}`);
+  console.log(`   Source: ${sourcePath}`);
+  console.log(`   Path: ${skillFile}`);
+  console.log('');
+  console.log('Next steps:');
+  console.log('  1. Review and edit SKILL.md');
+  console.log('  2. Run `omni-skills index` to regenerate the skill index');
+  console.log('  3. Run `omni-skills sync all` to wire into all tools');
+
+  return { skillName, skillDir, skillFile };
+}

package/lib/doctor.js

@@ -246,6 +246,20 @@ export async function runDoctor(config) {
   }
   console.log('');
 
+  // 6. Security check (SkillSpector)
+  console.log('[security]');
+  const { isSkillSpectorInstalled, findSkillSpector } = await import('./security.js');
+  if (isSkillSpectorInstalled()) {
+    const path = findSkillSpector();
+    console.log(`  ✓ NVIDIA SkillSpector installed (${path})`);
+    console.log('    Run `omni-skills security scan` to check skills for vulnerabilities');
+  } else {
+    console.log('  ⚠ NVIDIA SkillSpector not installed (optional)');
+    console.log('    Detects 64 vulnerability patterns in AI skills');
+    console.log('    Install: https://github.com/NVIDIA/skillspector');
+  }
+  console.log('');
+
   // Summary
   if (issues.length === 0) {
     console.log('✓ All checks passed. The skills ecosystem is healthy.');
@@ -254,6 +268,6 @@ export async function runDoctor(config) {
     for (const issue of issues) {
       console.log(issue);
     }
-    console.log('\nRun `skills sync all` to fix most symlink issues.');
+    console.log('\nRun `omni-skills sync all` to fix most symlink issues.');
   }
 }

package/lib/security.js

@@ -0,0 +1,129 @@
+import { existsSync } from 'node:fs';
+import { execSync } from 'node:child_process';
+import { join } from 'node:path';
+import { homedir } from 'node:os';
+
+const SKILLSPECTOR_PATHS = [
+  'skillspector',
+  join(homedir(), '.local', 'bin', 'skillspector'),
+  '/usr/local/bin/skillspector',
+  '/usr/bin/skillspector',
+];
+
+export function findSkillSpector() {
+  for (const path of SKILLSPECTOR_PATHS) {
+    try {
+      execSync(`which ${path}`, { stdio: 'ignore' });
+      return path;
+    } catch {
+      continue;
+    }
+  }
+  return null;
+}
+
+export function isSkillSpectorInstalled() {
+  return findSkillSpector() !== null;
+}
+
+export function getSkillSpectorVersion() {
+  const path = findSkillSpector();
+  if (!path) return null;
+  try {
+    const output = execSync(`${path} --version`, { encoding: 'utf8', timeout: 5000 });
+    return output.trim();
+  } catch {
+    return null;
+  }
+}
+
+export function runSkillSpectorScan(targetPath, options = {}) {
+  const path = findSkillSpector();
+  if (!path) {
+    console.error('❌ SkillSpector not found.');
+    console.log('');
+    console.log('🔒 NVIDIA SkillSpector — Security Scanner for AI Skills');
+    console.log('   Detects 64 vulnerability patterns across 16 categories');
+    console.log('   (prompt injection, data exfiltration, privilege escalation, etc.)');
+    console.log('');
+    console.log('Install:');
+    console.log('  git clone https://github.com/NVIDIA/skillspector.git');
+    console.log('  cd skillspector');
+    console.log('  python3 -m venv .venv && source .venv/bin/activate');
+    console.log('  pip install -e .');
+    console.log('');
+    console.log('Or via Docker:');
+    console.log('  docker run --rm -v "$PWD:/scan" ghcr.io/nvidia/skillspector scan /scan');
+    console.log('');
+    console.log('📎 https://github.com/NVIDIA/skillspector');
+    return null;
+  }
+
+  const args = ['scan', targetPath];
+  if (options.noLLM) args.push('--no-llm');
+  if (options.format) args.push('--format', options.format);
+  if (options.output) args.push('--output', options.output);
+  if (options.verbose) args.push('-V');
+
+  try {
+    const output = execSync(`${path} ${args.join(' ')}`, {
+      encoding: 'utf8',
+      timeout: 120000,
+      stdio: 'pipe',
+    });
+    return output;
+  } catch (err) {
+    if (err.stdout) return err.stdout;
+    if (err.stderr) return err.stderr;
+    return err.message;
+  }
+}
+
+export function showSecurityStatus() {
+  const path = findSkillSpector();
+  if (path) {
+    const version = getSkillSpectorVersion();
+    console.log('✅ NVIDIA SkillSpector is installed');
+    if (version) console.log(`   Version: ${version}`);
+    console.log(`   Path: ${path}`);
+    console.log('');
+    console.log('Usage:');
+    console.log('  omni-skills security scan           # Scan all skills');
+    console.log('  omni-skills security scan --dir ./  # Scan specific directory');
+    console.log('  omni-skills security scan --no-llm   # Static analysis only (faster)');
+  } else {
+    console.log('⚠️  NVIDIA SkillSpector is not installed');
+    console.log('');
+    console.log('🔒 Why install it?');
+    console.log('   • Scans AI skills for 64 vulnerability patterns');
+    console.log('   • Detects prompt injection, data exfiltration, malware');
+    console.log('   • 26.1% of skills contain vulnerabilities (research-backed)');
+    console.log('');
+    console.log('Install:');
+    console.log('  git clone https://github.com/NVIDIA/skillspector.git');
+    console.log('  cd skillspector');
+    console.log('  python3 -m venv .venv && source .venv/bin/activate');
+    console.log('  pip install -e .');
+    console.log('');
+    console.log('Or use Docker:');
+    console.log('  docker run --rm -v "$PWD:/scan" ghcr.io/nvidia/skillspector scan /scan');
+    console.log('');
+    console.log('📎 https://github.com/NVIDIA/skillspector');
+  }
+}
+
+export function showSecurityBanner() {
+  console.log('');
+  console.log('━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━');
+  console.log('  🔒 NVIDIA SkillSpector — Security for AI Skills');
+  console.log('━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━');
+  console.log('');
+  console.log('Research shows 26.1% of skills contain vulnerabilities.');
+  console.log('SkillSpector detects 64 patterns across 16 categories:');
+  console.log('  • Prompt injection, data exfiltration, privilege escalation');
+  console.log('  • Supply chain attacks, malware, credential harvesting');
+  console.log('  • Excessive agency, tool misuse, system prompt leakage');
+  console.log('');
+  console.log('📎 https://github.com/NVIDIA/skillspector');
+  console.log('');
+}

package/lib/setup.js

@@ -218,7 +218,7 @@ export async function runSetup({ publicPath, privatePath, toolkitDir } = {}) {
         type: 'stale-template',
         project: proj.name,
         count: staleTemplates.length,
-        action: `skills classify ${proj.path} --dry-run`,
+        action: `omni-skills classify ${proj.path} --dry-run`,
       });
     }
   }
@@ -236,7 +236,7 @@ export async function runSetup({ publicPath, privatePath, toolkitDir } = {}) {
     suggestions.push({
       type: 'orphaned-skills',
       count: orphanedSkills,
-      action: 'skills check --move --dry-run',
+      action: 'omni-skills check --move --dry-run',
     });
   }
   
@@ -299,7 +299,28 @@ export async function runSetup({ publicPath, privatePath, toolkitDir } = {}) {
     console.log(`  ✓ Created SHARED.md in ${resolvedPublic}/`);
   }
 
-  // 8. Generate config.json
+  // 8. Ask about SkillSpector (default: yes)
+  let installSkillSpector = true;
+  if (process.stdin.isTTY && process.stdout.isTTY) {
+    const readline = await import('node:readline');
+    const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
+    const answer = await new Promise((resolve) => {
+      rl.question('\n🔒 NVIDIA SkillSpector — Security Scanner for AI Skills\n   Detects 64 vulnerability patterns (prompt injection, data exfiltration, malware)\n   Research: 26.1% of skills contain vulnerabilities\n   Install? [Y/n] (default: yes): ', resolve);
+    });
+    rl.close();
+    installSkillSpector = answer.trim().toLowerCase() !== 'n' && answer.trim().toLowerCase() !== 'no';
+  }
+
+  if (installSkillSpector) {
+    console.log('\n📎 SkillSpector: https://github.com/NVIDIA/skillspector');
+    console.log('   Install: git clone https://github.com/NVIDIA/skillspector.git');
+    console.log('            cd skillspector && python3 -m venv .venv && source .venv/bin/activate');
+    console.log('            pip install -e .');
+    console.log('   Then run: omni-skills security scan');
+  }
+  console.log('');
+
+  // 9. Generate config.json
   console.log('\nGenerating config...');
   const configDir = absPath('~/.config/skills');
   if (!existsSync(configDir)) {
@@ -329,9 +350,10 @@ export async function runSetup({ publicPath, privatePath, toolkitDir } = {}) {
     console.log('  2. Run `skills classify <path>` to sort instruction files');
     console.log('  3. Run `skills check --move` to rescue orphaned skills');
   }
-  console.log('  Run `skills index` to generate indexes');
-  console.log('  Run `skills sync all` to wire into your AI tools');
-  console.log('  Run `skills doctor` to verify everything is healthy');
+  console.log('  Run `omni-skills index` to generate indexes');
+  console.log('  Run `omni-skills sync all` to wire into your AI tools');
+  console.log('  Run `omni-skills doctor` to verify everything is healthy');
+  console.log('  Run `omni-skills security` to check security status');
   console.log('  Run `node verify.js` to run the full verification suite');
   console.log('');
   console.log('For more info: https://github.com/moatazhamada/ai-omni-skills');
@@ -513,7 +535,7 @@ function generateConfig(answers) {
     sharedFile: join(answers.publicPath, 'SHARED.md'),
     indexTargets: [answers.publicPath, answers.privatePath],
     usageLog: "~/.config/skills/usage.jsonl",
-    mcpServerName: "skills",
+    mcpServerName: "omni-skills",
     mcpCommand: "node",
     mcpArgs: [join(answers.toolkitDir, "cli.js"), "mcp"],
     hooks: [

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ai-omni-skills",
-  "version": "1.2.21",
+  "version": "1.2.22",
   "type": "module",
   "description": "Unify scattered AI skills across all your tools. One canonical store. 26 AI tools. Zero drift.",
   "bin": {