ai-omni-skills 1.2.21 → 1.2.23

package/CHANGELOG.md

@@ -1,5 +1,23 @@
 # Changelog
 
+## [1.2.22] - 2026-06-22
+
+### Added
+- **NVIDIA SkillSpector integration** — security scanning for AI skills
+  - `omni-skills security` — check SkillSpector status
+  - `omni-skills security scan` — scan skills for 64 vulnerability patterns
+  - Setup asks to install SkillSpector (default: yes)
+  - Doctor checks SkillSpector installation status
+  - README documents SkillSpector with NVIDIA reference
+- **Skill creation wizard** — create skills directly without going through an agent
+  - `omni-skills create [name]` — interactive wizard with SKILL.md template
+  - `omni-skills create from <file>` — convert existing file to skill
+- **Help hint** — quick-start banner at bottom of `omni-skills help`
+
+### Changed
+- Rename CLI command from `skills` to `omni-skills` (`skills` kept as backward-compatible alias)
+- Update all documentation examples to use `omni-skills`
+
 ## [1.2.20] - 2026-06-22
 
 ### Added

package/INDEX.md

@@ -1,14 +1,60 @@
-# Skills Index
+# Skills index
 
-This file is auto-generated by `omni-skills index`.
+This index lists skills in this repo, ordered by recent usage.
 
-In the toolkit repo, this index is intentionally minimal. Once you set up your private skills store and run `omni-skills index`, this file will populate with your actual skills ordered by recent usage.
-
-## Getting Started
-
-```bash
-omni-skills setup    # Configure your private skills directory
-omni-skills index    # Generate your skills index
-```
-
-Your private skills index will be created at the root of your configured skills directory.
+| Skill | Description |
+| ----- | ----------- |
+| clean-code | Pragmatic coding standards - concise, direct, no over-engineering, no unnecessary comments |
+| agents-md-compliance-checker |  |
+| agents-md-sync-checker |  |
+| agp-9-upgrade | Upgrades, or migrates, an Android project to use Android Gradle Plugin (AGP) version 9. Do not use this skill for migrating Kotlin Multiplatform (KMP) projects. |
+| code-review-checklist | Code review guidelines covering code quality, security, and best practices. |
+| codebase-memory | Use the codebase knowledge graph for structural code queries. Triggers on: explore the codebase, understand the architecture, what functions exist, show me the structure, who calls this function, what does X call, trace the call chain, find callers of, show dependencies, impact analysis, dead code, unused functions, high fan-out, refactor candidates, code quality audit, graph query syntax, Cypher query examples, edge types, how to use search_graph. |
+| commit-suggest | Suggest a commit message for the current changes following this project's commit message guide. Use when asked to suggest, draft, propose, or write a commit message for the staged/unstaged changes. |
+| content-research-writer | Assists in writing high-quality content by conducting research, adding citations, improving hooks, iterating on outlines, and providing real-time feedback on each section. Transforms your writing process from solo effort to collaborative partnership. |
+| docker-expert | Docker containerization expert with deep knowledge of multi-stage builds, image optimization, container security, Docker Compose orchestration, and production deployment patterns. Use PROACTIVELY for Dockerfile optimization, container issues, image size problems, security hardening, networking, and orchestration challenges. |
+| edge-to-edge | Use this skill to migrate your Jetpack Compose app to add adaptive edge-to-edge support and troubleshoot common issues. Use this skill to fix UI components (like buttons or lists) that are obscured by or overlapping with the navigation bar or status bar, fix IME insets, and fix system bar legibility. |
+| finishing-a-development-branch | Use when implementation is complete, all tests pass, and you need to decide how to integrate the work - guides completion of development work by presenting structured options for merge, PR, or cleanup |
+| flutter-mobile-design | Use when designing, reviewing, critiquing, or improving Flutter mobile UI/UX. Covers widget composition, RTL Arabic typography, performance optimization, accessibility, Material 3 / iOS adaptation, and reading-app specifics. Tuned for Quran/Arabic reading apps built with Clean Architecture, BLoC, and GetIt — Quran content (Uthmani script, Mushaf layout, audio recitation). |
+| lead-research-assistant | Identifies high-quality leads for your product or service by analyzing your business, searching for target companies, and providing actionable contact strategies. Perfect for sales, business development, and marketing professionals. |
+| lint-and-validate | Automatic quality control, linting, and static analysis procedures. Use after every code modification to ensure syntax correctness and project standards. Triggers onKeywords: lint, format, check, validate, types, static analysis. |
+| migrate-xml-views-to-jetpack-compose | Provides a structured workflow for migrating an Android XML View to Jetpack Compose. This skill details the step-by-step process, from planning and dependency setup, to theming and layout migration, validation and XML cleanup. Use this skill when you need to migrate an XML View to Jetpack Compose in an Android project. It solves the problem of converting the UI of a legacy XML View into modern, declarative Compose components while maintaining interoperability. |
+| mmx-cli | Use mmx to generate text, images, video, speech, and music via the MiniMax AI platform. Use when the user wants to create media content, chat with MiniMax models, perform web search, or manage MiniMax API resources from the terminal. |
+| navigation-3 | Learn how to install and migrate to Jetpack Navigation 3, and how to implement features and patterns such as deep links, multiple backstacks, scenes (dialogs, bottom sheets, list-detail, two-pane, supporting pane), conditional navigation (such as logged-in navigation vs anonymous), returning results from flows, integration with Hilt, ViewModel, Kotlin, and view interoperability. |
+| nextjs-best-practices | Next.js App Router principles. Server Components, data fetching, routing patterns. |
+| nodejs-best-practices | Node.js development principles and decision-making. Framework selection, async patterns, security, and architecture. Teaches thinking, not copying. |
+| play-billing-library-version-upgrade | Use this skill when upgrading or migrating an Android project from any legacy Google Play Billing Library (PBL) version to the latest stable version of PBL. |
+| pr-review-rule-extractor |  |
+| process-pr-comments | Full PR review workflow for Bitbucket Server (non-GitHub). Use whenever the user wants to process, address, or work through PR review comments — e.g. "process PR comments", "let's address review feedback on PR 123", "apply PR review comments", "work through PR X". Handles branch checkout, fetching updates, scoring unresolved comments, getting user approval per comment, generating an implementation plan, suggesting a commit message, and drafting human-style replies to reviewers where a response is warranted. |
+| r8-analyzer | Analyzes Android build files and R8 keep rules to identify redundancies, broad package-wide rules, and rules that subsume library consumer keep rules. Use when developers want to optimize their app's size, remove redundant or overly broad keep rules, or troubleshoot Proguard configurations. |
+| receiving-code-review | Use when receiving code review feedback, before implementing suggestions, especially if feedback seems unclear or technically questionable - requires technical rigor and verification, not performative agreement or blind implementation |
+| requesting-code-review | Use when completing tasks, implementing major features, or before merging to verify work meets requirements |
+| skill-seeker | Scan for orphaned skills, unclassified instruction files (AGENTS.md, CLAUDE.md, GEMINI.md, etc.), and newly created agent configurations. Help the user decide whether each should be public or private, and move them to the correct canonical location. Use when the user says "find new skills", "organize my skills", "what skills are not tracked", "classify my agents.md", "seeker", or "sync my skills". |
+| speckit-agent-context-update | Refresh the managed Spec Kit section in the coding agent context file |
+| speckit-analyze | Perform a non-destructive cross-artifact consistency and quality analysis across spec.md, plan.md, and tasks.md after task generation. |
+| speckit-checklist | Generate a custom checklist for the current feature based on user requirements. |
+| speckit-clarify | Identify underspecified areas in the current feature spec by asking up to 5 highly targeted clarification questions and encoding answers back into the spec. |
+| speckit-constitution | Create or update the project constitution from interactive or provided principle inputs, ensuring all dependent templates stay in sync. |
+| speckit-git-commit | Auto-commit changes after a Spec Kit command completes |
+| speckit-git-feature | Create a feature branch with sequential or timestamp numbering |
+| speckit-git-initialize | Initialize a Git repository with an initial commit |
+| speckit-git-remote | Detect Git remote URL for GitHub integration |
+| speckit-git-validate | Validate current branch follows feature branch naming conventions |
+| speckit-implement | Execute the implementation plan by processing and executing all tasks defined in tasks.md |
+| speckit-plan | Execute the implementation planning workflow using the plan template to generate design artifacts. |
+| speckit-specify | Create or update the feature specification from a natural language feature description. |
+| speckit-tasks | Generate an actionable, dependency-ordered tasks.md for the feature based on available design artifacts. |
+| speckit-taskstoissues | Convert existing tasks into actionable, dependency-ordered GitHub issues for the feature based on available design artifacts. |
+| systematic-debugging | Use when encountering any bug, test failure, or unexpected behavior, before proposing fixes |
+| testing-patterns | Jest testing patterns, factory functions, mocking strategies, and TDD workflow. Use when writing unit tests, creating test factories, or following TDD red-green-refactor cycle. |
+| ticket-refinement | Refine a ticket by comparing its acceptance criteria against an existing/legacy implementation and the current codebase, then produce a ready-to-paste Jira/Linear comment flagging only what's contradictory, ambiguous, missing, or genuinely new work. Use when preparing for a refinement/grooming session and you have a ticket's ACs (and optionally designs) to validate before sprint planning. |
+| typescript-expert | TypeScript and JavaScript expert with deep knowledge of type-level programming, performance optimization, monorepo management, migration strategies, and modern tooling. Use PROACTIVELY for any TypeScript/JavaScript issues including complex type gymnastics, build performance, debugging, and architectural decisions. If a specialized expert is a better fit, I will recommend switching and stop. |
+| using-git-worktrees | Use when starting feature work that needs isolation from current workspace or before executing implementation plans - creates isolated git worktrees with smart directory selection and safety verification |
+| vercel-react-best-practices | React and Next.js performance optimization guidelines from Vercel Engineering. This skill should be used when writing, reviewing, or refactoring React/Next.js code to ensure optimal performance patterns. Triggers on tasks involving React components, Next.js pages, data fetching, bundle optimization, or performance improvements. |
+| verification-before-completion | Use when about to claim work is complete, fixed, or passing, before committing or creating PRs - requires running verification commands and confirming output before making any success claims; evidence before assertions always |
+| ponytail | Forces the laziest solution that actually works, simplest, shortest, most minimal. Channels a senior dev who has seen everything: question whether the task needs to exist at all (YAGNI), reach for the standard library before custom code, native platform features before dependencies, one line before fifty. Supports intensity levels: lite, full (default), ultra. Use whenever the user says "ponytail", "be lazy", "lazy mode", "simplest solution", "minimal solution", "yagni", "do less", or "shortest path", and whenever they complain about over-engineering, bloat, boilerplate, or unnecessary dependencies. |
+| ponytail-audit | Whole-repo audit for over-engineering. Like ponytail-review, but scans the entire codebase instead of a diff: a ranked list of what to delete, simplify, or replace with stdlib/native equivalents. Use when the user says "audit this codebase", "audit for over-engineering", "what can I delete from this repo", "find bloat", "ponytail-audit", or "/ponytail-audit". One-shot report, does not apply fixes. |
+| ponytail-debt | Harvest every `ponytail:` comment in the codebase into a debt ledger, so the deliberate shortcuts and deferrals ponytail leaves behind get tracked instead of rotting into "later means never". Use when the user says "ponytail debt", "/ponytail-debt", "what did ponytail defer", "list the shortcuts", "ponytail ledger", or "what did we mark to do later". One-shot report, changes nothing. |
+| ponytail-gain | Show ponytail's measured impact as a compact scoreboard: less code, less cost, more speed, from the benchmark medians. One-shot display, not a persistent mode, and not a per-repo number. Trigger: /ponytail-gain, "ponytail gain", "what does ponytail save", "show ponytail impact", "ponytail scoreboard". |
+| ponytail-help | Quick-reference card for all ponytail modes, skills, and commands. One-shot display, not a persistent mode. Trigger: /ponytail-help, "ponytail help", "what ponytail commands", "how do I use ponytail". |
+| ponytail-review | Code review focused exclusively on over-engineering. Finds what to delete: reinvented standard library, unneeded dependencies, speculative abstractions, dead flexibility. One line per finding: location, what to cut, what replaces it. Use when the user says "review for over-engineering", "what can we delete", "is this over-engineered", "simplify review", or invokes /ponytail-review. Complements correctness-focused review, this one only hunts complexity. |

package/README.md

@@ -167,6 +167,9 @@ Tools with MCP support get the `skills` MCP server registered automatically. Too
 | `omni-skills doctor` | Health check: verify symlinks, config, indexes, and skill counts. |
 | `omni-skills report [--enhance]` | Usage statistics and heuristic improvement tips. |
 | `omni-skills init [--dry-run]` | Interactive setup: scan, classify, route, wire. |
+| `omni-skills security [scan]` | Check/install NVIDIA SkillSpector. Scan skills for vulnerabilities. |
+| `omni-skills create [name]` | Create a new skill with interactive wizard. |
+| `omni-skills create from <file>` | Convert an existing file into a skill. |
 | `omni-skills help` | Show help. |
 
 ---
@@ -264,6 +267,70 @@ Workflows live in your private repo under `workflows/` — they are personal, no
 
 ---
 
+## 🔒 Security Scanning (NVIDIA SkillSpector)
+
+Research shows **26.1% of AI skills contain vulnerabilities** and **5.2% show likely malicious intent**. Omni Skills integrates with [NVIDIA SkillSpector](https://github.com/NVIDIA/skillspector) to scan your skills before you install them.
+
+SkillSpector detects **64 vulnerability patterns** across **16 categories**:
+- Prompt injection, data exfiltration, privilege escalation
+- Supply chain attacks, malware, credential harvesting
+- Excessive agency, tool misuse, system prompt leakage
+
+### Quick Start
+
+```bash
+# Check SkillSpector status
+omni-skills security
+
+# Scan all skills in your canonical store
+omni-skills security scan
+
+# Scan without LLM (faster, static analysis only)
+omni-skills security scan --no-llm
+
+# Scan a specific skill directory
+omni-skills security scan ~/my-skills-private/clean-code
+```
+
+### Install SkillSpector
+
+```bash
+git clone https://github.com/NVIDIA/skillspector.git
+cd skillspector
+python3 -m venv .venv && source .venv/bin/activate
+pip install -e .
+```
+
+Or use Docker:
+```bash
+docker run --rm -v "$PWD:/scan" ghcr.io/nvidia/skillspector scan /scan
+```
+
+---
+
+## ✨ Creating New Skills
+
+Instead of creating skills through an agent and then moving them, create them directly:
+
+```bash
+# Interactive wizard
+omni-skills create
+
+# With name and description
+omni-skills create refine-requests "Refine ticket acceptance criteria"
+
+# Convert an existing file into a skill
+omni-skills create from ./my-instructions.md
+
+# Then index and sync
+omni-skills index
+omni-skills sync all
+```
+
+This creates a `SKILL.md` with proper frontmatter in your private skills store.
+
+---
+
 ## How to Store Your Skills
 
 This toolkit is **code only**. Your skills live in a separate repository (or two) that you control.

package/cli.js

@@ -68,6 +68,15 @@ Subcommands:
           Interactive seeker: scan tool skills dirs and known agent locations for
           new skills, classify them public/private/skip, then sync and index.
           --dry-run prints recommendations without prompting or writing.
+  security [scan [path] [--no-llm]]
+          Check security status of NVIDIA SkillSpector.
+          Scan skills for vulnerabilities (prompt injection, data exfiltration,
+          malware, etc.). Requires SkillSpector installation.
+  create [name] [description]
+          Create a new skill with interactive wizard.
+          Creates SKILL.md template in your private skills store.
+  create from <path> [name]
+          Convert an existing file into a skill.
   help    Show this help message
 
 Config resolves from $SKILLS_CONFIG, then ~/.config/skills/config.json, then the
@@ -181,6 +190,42 @@ async function main() {
       await initSkills(loadConfig(), { dryRun: flags.dryRun });
       break;
     }
+    case 'security': {
+      const { showSecurityStatus, runSkillSpectorScan, showSecurityBanner } = await import('./lib/security.js');
+      const config = loadConfig();
+      const subcmd = positional[0];
+      if (subcmd === 'scan') {
+        const target = positional[1] || config.privatePath || config.publicPath || process.cwd();
+        showSecurityBanner();
+        const output = runSkillSpectorScan(target, {
+          noLLM: rest.includes('--no-llm'),
+          format: rest.find(a => a.startsWith('--format='))?.split('=')[1],
+          output: rest.find(a => a.startsWith('--output='))?.split('=')[1],
+          verbose: rest.includes('-V') || rest.includes('--verbose'),
+        });
+        if (output) console.log(output);
+      } else {
+        showSecurityStatus();
+      }
+      break;
+    }
+    case 'create': {
+      const { createSkill, createSkillFromFile } = await import('./lib/create-skill.js');
+      const config = loadConfig();
+      const subcmd = positional[0];
+      if (subcmd === 'from' && positional[1]) {
+        await createSkillFromFile(config, positional[1], {
+          name: positional[2],
+        });
+      } else {
+        await createSkill(config, {
+          name: positional[0],
+          description: positional[1],
+          targetDir: flags.privatePath || config.privatePath,
+        });
+      }
+      break;
+    }
     case 'help':
     case '-h':
     case undefined:

package/lib/create-skill.js

@@ -0,0 +1,180 @@
+import { mkdirSync, writeFileSync, existsSync, readFileSync } from 'node:fs';
+import { join } from 'node:path';
+import readline from 'node:readline';
+
+const SKILL_TEMPLATE = `---
+name: {{NAME}}
+description: {{DESCRIPTION}}
+triggers: {{TRIGGERS}}
+---
+
+# {{NAME}}
+
+{{DESCRIPTION}}
+
+## When to Use
+
+- Trigger condition 1
+- Trigger condition 2
+
+## Instructions
+
+1. Step one
+2. Step two
+3. Step three
+
+## Notes
+
+- Add any important notes or edge cases here
+- Keep this section updated as you refine the skill
+`;
+
+function ask(rl, question) {
+  return new Promise((resolve) => {
+    rl.question(question, resolve);
+  });
+}
+
+export async function createSkill(config, options = {}) {
+  const { privatePath } = config;
+  if (!privatePath) {
+    console.error('❌ No privatePath configured. Run `omni-skills setup` first.');
+    process.exit(1);
+  }
+
+  const isTty = process.stdin.isTTY && process.stdout.isTTY;
+  const rl = isTty ? readline.createInterface({ input: process.stdin, output: process.stdout }) : null;
+
+  // Determine target directory
+  let targetDir = options.targetDir || privatePath;
+  if (!existsSync(targetDir)) {
+    console.error(`❌ Target directory does not exist: ${targetDir}`);
+    console.log('Run `omni-skills setup` to configure your skills directory.');
+    process.exit(1);
+  }
+
+  let skillName = options.name;
+  let description = options.description;
+  let triggers = options.triggers;
+  let openEditor = options.openEditor ?? true;
+
+  if (isTty && !skillName) {
+    skillName = (await ask(rl, 'Skill name (kebab-case, e.g. "refine-requests"): ')).trim();
+  }
+
+  if (!skillName) {
+    console.error('❌ Skill name is required.');
+    process.exit(1);
+  }
+
+  // Validate skill name
+  const validName = /^[a-z0-9-]+$/.test(skillName);
+  if (!validName) {
+    console.error('❌ Skill name must be kebab-case (lowercase letters, numbers, hyphens only).');
+    process.exit(1);
+  }
+
+  const skillDir = join(targetDir, skillName);
+  if (existsSync(skillDir)) {
+    console.error(`❌ Skill "${skillName}" already exists at ${skillDir}`);
+    process.exit(1);
+  }
+
+  if (isTty && !description) {
+    description = (await ask(rl, 'Description (one sentence, what this skill does): ')).trim();
+  }
+
+  if (!description) {
+    description = `Use this skill when working with ${skillName}.`;
+  }
+
+  if (isTty && !triggers) {
+    triggers = (await ask(rl, 'Trigger keywords (comma-separated, e.g. "refine, clarify, review"): ')).trim();
+  }
+
+  if (!triggers) {
+    triggers = skillName;
+  }
+
+  // Create skill directory and file
+  mkdirSync(skillDir, { recursive: true });
+  const skillFile = join(skillDir, 'SKILL.md');
+
+  const content = SKILL_TEMPLATE
+    .replace(/{{NAME}}/g, skillName)
+    .replace(/{{DESCRIPTION}}/g, description)
+    .replace(/{{TRIGGERS}}/g, triggers);
+
+  writeFileSync(skillFile, content, 'utf8');
+
+  console.log(`✅ Created skill: ${skillName}`);
+  console.log(`   Path: ${skillFile}`);
+  console.log('');
+  console.log('Next steps:');
+  console.log('  1. Edit SKILL.md to add your instructions');
+  console.log('  2. Run `omni-skills index` to regenerate the skill index');
+  console.log('  3. Run `omni-skills sync all` to wire into all tools');
+  console.log('');
+
+  if (isTty && openEditor) {
+    const answer = (await ask(rl, 'Open in editor? [y/n] (default: y): ')).trim().toLowerCase();
+    if (answer === '' || answer === 'y' || answer === 'yes') {
+      const { execSync } = await import('node:child_process');
+      const editor = process.env.EDITOR || 'code';
+      try {
+        execSync(`${editor} "${skillFile}"`, { stdio: 'inherit' });
+      } catch {
+        console.log(`Could not open editor. Edit manually: ${skillFile}`);
+      }
+    }
+  }
+
+  if (rl) rl.close();
+  return { skillName, skillDir, skillFile };
+}
+
+export async function createSkillFromFile(config, sourcePath, options = {}) {
+  if (!existsSync(sourcePath)) {
+    console.error(`❌ Source file does not exist: ${sourcePath}`);
+    process.exit(1);
+  }
+
+  const { privatePath } = config;
+  if (!privatePath) {
+    console.error('❌ No privatePath configured. Run `omni-skills setup` first.');
+    process.exit(1);
+  }
+
+  const sourceName = sourcePath.split('/').pop().replace(/\.md$/, '');
+  const skillName = options.name || sourceName.toLowerCase().replace(/[^a-z0-9-]/g, '-').replace(/-+/g, '-').replace(/^-|-$/g, '');
+
+  const skillDir = join(privatePath, skillName);
+  if (existsSync(skillDir)) {
+    console.error(`❌ Skill "${skillName}" already exists.`);
+    process.exit(1);
+  }
+
+  mkdirSync(skillDir, { recursive: true });
+  const skillFile = join(skillDir, 'SKILL.md');
+
+  let content = readFileSync(sourcePath, 'utf8');
+
+  // If content doesn't have frontmatter, add it
+  if (!content.trim().startsWith('---')) {
+    const description = options.description || `Converted from ${sourceName}`;
+    content = `---\nname: ${skillName}\ndescription: ${description}\n---\n\n${content}`;
+  }
+
+  writeFileSync(skillFile, content, 'utf8');
+
+  console.log(`✅ Created skill from file: ${skillName}`);
+  console.log(`   Source: ${sourcePath}`);
+  console.log(`   Path: ${skillFile}`);
+  console.log('');
+  console.log('Next steps:');
+  console.log('  1. Review and edit SKILL.md');
+  console.log('  2. Run `omni-skills index` to regenerate the skill index');
+  console.log('  3. Run `omni-skills sync all` to wire into all tools');
+
+  return { skillName, skillDir, skillFile };
+}

package/lib/doctor.js

@@ -246,6 +246,20 @@ export async function runDoctor(config) {
   }
   console.log('');
 
+  // 6. Security check (SkillSpector)
+  console.log('[security]');
+  const { isSkillSpectorInstalled, findSkillSpector } = await import('./security.js');
+  if (isSkillSpectorInstalled()) {
+    const path = findSkillSpector();
+    console.log(`  ✓ NVIDIA SkillSpector installed (${path})`);
+    console.log('    Run `omni-skills security scan` to check skills for vulnerabilities');
+  } else {
+    console.log('  ⚠ NVIDIA SkillSpector not installed (optional)');
+    console.log('    Detects 64 vulnerability patterns in AI skills');
+    console.log('    Install: https://github.com/NVIDIA/skillspector');
+  }
+  console.log('');
+
   // Summary
   if (issues.length === 0) {
     console.log('✓ All checks passed. The skills ecosystem is healthy.');
@@ -254,6 +268,6 @@ export async function runDoctor(config) {
     for (const issue of issues) {
       console.log(issue);
     }
-    console.log('\nRun `skills sync all` to fix most symlink issues.');
+    console.log('\nRun `omni-skills sync all` to fix most symlink issues.');
   }
 }

package/lib/security.js

@@ -0,0 +1,129 @@
+import { existsSync } from 'node:fs';
+import { execSync } from 'node:child_process';
+import { join } from 'node:path';
+import { homedir } from 'node:os';
+
+const SKILLSPECTOR_PATHS = [
+  'skillspector',
+  join(homedir(), '.local', 'bin', 'skillspector'),
+  '/usr/local/bin/skillspector',
+  '/usr/bin/skillspector',
+];
+
+export function findSkillSpector() {
+  for (const path of SKILLSPECTOR_PATHS) {
+    try {
+      execSync(`which ${path}`, { stdio: 'ignore' });
+      return path;
+    } catch {
+      continue;
+    }
+  }
+  return null;
+}
+
+export function isSkillSpectorInstalled() {
+  return findSkillSpector() !== null;
+}
+
+export function getSkillSpectorVersion() {
+  const path = findSkillSpector();
+  if (!path) return null;
+  try {
+    const output = execSync(`${path} --version`, { encoding: 'utf8', timeout: 5000 });
+    return output.trim();
+  } catch {
+    return null;
+  }
+}
+
+export function runSkillSpectorScan(targetPath, options = {}) {
+  const path = findSkillSpector();
+  if (!path) {
+    console.error('❌ SkillSpector not found.');
+    console.log('');
+    console.log('🔒 NVIDIA SkillSpector — Security Scanner for AI Skills');
+    console.log('   Detects 64 vulnerability patterns across 16 categories');
+    console.log('   (prompt injection, data exfiltration, privilege escalation, etc.)');
+    console.log('');
+    console.log('Install:');
+    console.log('  git clone https://github.com/NVIDIA/skillspector.git');
+    console.log('  cd skillspector');
+    console.log('  python3 -m venv .venv && source .venv/bin/activate');
+    console.log('  pip install -e .');
+    console.log('');
+    console.log('Or via Docker:');
+    console.log('  docker run --rm -v "$PWD:/scan" ghcr.io/nvidia/skillspector scan /scan');
+    console.log('');
+    console.log('📎 https://github.com/NVIDIA/skillspector');
+    return null;
+  }
+
+  const args = ['scan', targetPath];
+  if (options.noLLM) args.push('--no-llm');
+  if (options.format) args.push('--format', options.format);
+  if (options.output) args.push('--output', options.output);
+  if (options.verbose) args.push('-V');
+
+  try {
+    const output = execSync(`${path} ${args.join(' ')}`, {
+      encoding: 'utf8',
+      timeout: 120000,
+      stdio: 'pipe',
+    });
+    return output;
+  } catch (err) {
+    if (err.stdout) return err.stdout;
+    if (err.stderr) return err.stderr;
+    return err.message;
+  }
+}
+
+export function showSecurityStatus() {
+  const path = findSkillSpector();
+  if (path) {
+    const version = getSkillSpectorVersion();
+    console.log('✅ NVIDIA SkillSpector is installed');
+    if (version) console.log(`   Version: ${version}`);
+    console.log(`   Path: ${path}`);
+    console.log('');
+    console.log('Usage:');
+    console.log('  omni-skills security scan           # Scan all skills');
+    console.log('  omni-skills security scan --dir ./  # Scan specific directory');
+    console.log('  omni-skills security scan --no-llm   # Static analysis only (faster)');
+  } else {
+    console.log('⚠️  NVIDIA SkillSpector is not installed');
+    console.log('');
+    console.log('🔒 Why install it?');
+    console.log('   • Scans AI skills for 64 vulnerability patterns');
+    console.log('   • Detects prompt injection, data exfiltration, malware');
+    console.log('   • 26.1% of skills contain vulnerabilities (research-backed)');
+    console.log('');
+    console.log('Install:');
+    console.log('  git clone https://github.com/NVIDIA/skillspector.git');
+    console.log('  cd skillspector');
+    console.log('  python3 -m venv .venv && source .venv/bin/activate');
+    console.log('  pip install -e .');
+    console.log('');
+    console.log('Or use Docker:');
+    console.log('  docker run --rm -v "$PWD:/scan" ghcr.io/nvidia/skillspector scan /scan');
+    console.log('');
+    console.log('📎 https://github.com/NVIDIA/skillspector');
+  }
+}
+
+export function showSecurityBanner() {
+  console.log('');
+  console.log('━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━');
+  console.log('  🔒 NVIDIA SkillSpector — Security for AI Skills');
+  console.log('━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━');
+  console.log('');
+  console.log('Research shows 26.1% of skills contain vulnerabilities.');
+  console.log('SkillSpector detects 64 patterns across 16 categories:');
+  console.log('  • Prompt injection, data exfiltration, privilege escalation');
+  console.log('  • Supply chain attacks, malware, credential harvesting');
+  console.log('  • Excessive agency, tool misuse, system prompt leakage');
+  console.log('');
+  console.log('📎 https://github.com/NVIDIA/skillspector');
+  console.log('');
+}

package/lib/setup.js

@@ -218,7 +218,7 @@ export async function runSetup({ publicPath, privatePath, toolkitDir } = {}) {
         type: 'stale-template',
         project: proj.name,
         count: staleTemplates.length,
-        action: `skills classify ${proj.path} --dry-run`,
+        action: `omni-skills classify ${proj.path} --dry-run`,
       });
     }
   }
@@ -236,7 +236,7 @@ export async function runSetup({ publicPath, privatePath, toolkitDir } = {}) {
     suggestions.push({
       type: 'orphaned-skills',
       count: orphanedSkills,
-      action: 'skills check --move --dry-run',
+      action: 'omni-skills check --move --dry-run',
     });
   }
   
@@ -291,15 +291,72 @@ export async function runSetup({ publicPath, privatePath, toolkitDir } = {}) {
     console.log(`  ✓ Created example skill in ${resolvedPublic}/example-skill/`);
   }
 
-  // 7. Create SHARED.md
-  // 7. Create SHARED.md
+  // 7. Create SHARED.md with strong omni-skills rule
   const sharedPath = absPath(join(resolvedPublic, 'SHARED.md'));
   if (!existsSync(sharedPath)) {
-    writeFileSync(sharedPath, '# SHARED.md\n\nThis file contains shared instructions that apply to all AI tools.\nIt is automatically symlinked into each tool\'s global instruction file.\n\nAdd your cross-tool rules here.\n');
+    writeFileSync(sharedPath, '# Shared Instructions
+
+This file contains shared instructions that apply to all AI tools.
+It is automatically symlinked into each tool's global instruction file.
+
+---
+
+## 🔴 CRITICAL: Omni Skills Creation Rule
+
+**DO NOT create skills directly in any AI tool's directory.**
+**DO NOT write SKILL.md files to ~/.claude/skills/, ~/.codex/skills/, ~/.kimi/skills/, etc.**
+
+When the user wants to create, install, or modify a skill:
+
+1. **STOP** — Do not write the file directly.
+2. **SAY**: "I'll create that using `omni-skills` so it syncs to all your tools."
+3. **RUN**: `omni-skills create <skill-name>`
+4. **THEN**: `omni-skills index && omni-skills sync all`
+
+**Why this matters:**
+- Tool directories are **symlinked** from the canonical store. Writing directly creates orphans.
+- Direct creation means other tools won't see the skill. Only `omni-skills sync` wires everything.
+- If you create directly, the next `omni-skills doctor` will flag it as a broken/foreign symlink.
+
+**The ONLY way to create a skill is:**
+```bash
+omni-skills create <name>        # Interactive wizard
+omni-skills index                # Regenerate index
+omni-skills sync all             # Sync to all tools
+omni-skills doctor               # Verify
+```
+
+**If the user pastes skill content**, run `omni-skills create from <file>` instead of writing to a tool dir.
+
+---
+
+Add your cross-tool rules below.
+');
     console.log(`  ✓ Created SHARED.md in ${resolvedPublic}/`);
   }
 
-  // 8. Generate config.json
+  // 8. Ask about SkillSpector (default: yes)
+  let installSkillSpector = true;
+  if (process.stdin.isTTY && process.stdout.isTTY) {
+    const readline = await import('node:readline');
+    const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
+    const answer = await new Promise((resolve) => {
+      rl.question('\n🔒 NVIDIA SkillSpector — Security Scanner for AI Skills\n   Detects 64 vulnerability patterns (prompt injection, data exfiltration, malware)\n   Research: 26.1% of skills contain vulnerabilities\n   Install? [Y/n] (default: yes): ', resolve);
+    });
+    rl.close();
+    installSkillSpector = answer.trim().toLowerCase() !== 'n' && answer.trim().toLowerCase() !== 'no';
+  }
+
+  if (installSkillSpector) {
+    console.log('\n📎 SkillSpector: https://github.com/NVIDIA/skillspector');
+    console.log('   Install: git clone https://github.com/NVIDIA/skillspector.git');
+    console.log('            cd skillspector && python3 -m venv .venv && source .venv/bin/activate');
+    console.log('            pip install -e .');
+    console.log('   Then run: omni-skills security scan');
+  }
+  console.log('');
+
+  // 9. Generate config.json
   console.log('\nGenerating config...');
   const configDir = absPath('~/.config/skills');
   if (!existsSync(configDir)) {
@@ -329,9 +386,10 @@ export async function runSetup({ publicPath, privatePath, toolkitDir } = {}) {
     console.log('  2. Run `skills classify <path>` to sort instruction files');
     console.log('  3. Run `skills check --move` to rescue orphaned skills');
   }
-  console.log('  Run `skills index` to generate indexes');
-  console.log('  Run `skills sync all` to wire into your AI tools');
-  console.log('  Run `skills doctor` to verify everything is healthy');
+  console.log('  Run `omni-skills index` to generate indexes');
+  console.log('  Run `omni-skills sync all` to wire into your AI tools');
+  console.log('  Run `omni-skills doctor` to verify everything is healthy');
+  console.log('  Run `omni-skills security` to check security status');
   console.log('  Run `node verify.js` to run the full verification suite');
   console.log('');
   console.log('For more info: https://github.com/moatazhamada/ai-omni-skills');
@@ -513,7 +571,7 @@ function generateConfig(answers) {
     sharedFile: join(answers.publicPath, 'SHARED.md'),
     indexTargets: [answers.publicPath, answers.privatePath],
     usageLog: "~/.config/skills/usage.jsonl",
-    mcpServerName: "skills",
+    mcpServerName: "omni-skills",
     mcpCommand: "node",
     mcpArgs: [join(answers.toolkitDir, "cli.js"), "mcp"],
     hooks: [

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ai-omni-skills",
-  "version": "1.2.21",
+  "version": "1.2.23",
   "type": "module",
   "description": "Unify scattered AI skills across all your tools. One canonical store. 26 AI tools. Zero drift.",
   "bin": {

package/ponytail/SKILL.md

@@ -0,0 +1,101 @@
+---
+name: ponytail
+description: >
+  Forces the laziest solution that actually works, simplest, shortest, most
+  minimal. Channels a senior dev who has seen everything: question whether the
+  task needs to exist at all (YAGNI), reach for the standard library before
+  custom code, native platform features before dependencies, one line before
+  fifty. Supports intensity levels: lite, full (default), ultra. Use whenever
+  the user says "ponytail", "be lazy", "lazy mode", "simplest solution",
+  "minimal solution", "yagni", "do less", or "shortest path", and whenever
+  they complain about over-engineering, bloat, boilerplate, or unnecessary
+  dependencies.
+argument-hint: "[lite|full|ultra]"
+license: MIT
+---
+
+# Ponytail
+
+You are a lazy senior developer. Lazy means efficient, not careless. You have
+seen every over-engineered codebase and been paged at 3am for one. The best
+code is the code never written.
+
+## Persistence
+
+ACTIVE EVERY RESPONSE. No drift back to over-building. Still active if
+unsure. Off only: "stop ponytail" / "normal mode". Default: **full**.
+Switch: `/ponytail lite|full|ultra`.
+
+## The ladder
+
+Stop at the first rung that holds:
+
+1. **Does this need to exist at all?** Speculative need = skip it, say so in one line. (YAGNI)
+2. **Stdlib does it?** Use it.
+3. **Native platform feature covers it?** `<input type="date">` over a picker lib, CSS over JS, DB constraint over app code.
+4. **Already-installed dependency solves it?** Use it. Never add a new one for what a few lines can do.
+5. **Can it be one line?** One line.
+6. **Only then:** the minimum code that works.
+
+The ladder is a reflex, not a research project. Two rungs work → take the
+higher one and move on. The first lazy solution that works is the right one.
+
+## Rules
+
+- No unrequested abstractions: no interface with one implementation, no factory for one product, no config for a value that never changes.
+- No boilerplate, no scaffolding "for later", later can scaffold for itself.
+- Deletion over addition. Boring over clever, clever is what someone decodes at 3am.
+- Fewest files possible. Shortest working diff wins.
+- Complex request? Ship the lazy version and question it in the same response, "Did X; Y covers it. Need full X? Say so." Never stall on an answer you can default.
+- Two stdlib options, same size? Take the one that's correct on edge cases. Lazy means writing less code, not picking the flimsier algorithm.
+- Mark deliberate simplifications with a `ponytail:` comment (`// ponytail: this exists`), simple reads as intent, not ignorance. Shortcut with a known ceiling (global lock, O(n²) scan, naive heuristic)? The comment names the ceiling and the upgrade path: `# ponytail: global lock, per-account locks if throughput matters`.
+
+## Output
+
+Code first. Then at most three short lines: what was skipped, when to add it.
+No essays, no feature tours, no design notes. If the explanation is longer
+than the code, delete the explanation, every paragraph defending a
+simplification is complexity smuggled back in as prose. Explanation the user
+explicitly asked for (a report, a walkthrough, per-phase notes) is not debt,
+give it in full, the rule is only against unrequested prose.
+
+Pattern: `[code] → skipped: [X], add when [Y].`
+
+## Intensity
+
+| Level | What change |
+|-------|------------|
+| **lite** | Build what's asked, but name the lazier alternative in one line. User picks. |
+| **full** | The ladder enforced. Stdlib and native first. Shortest diff, shortest explanation. Default. |
+| **ultra** | YAGNI extremist. Deletion before addition. Ship the one-liner and challenge the rest of the requirement in the same breath. |
+
+Example: "Add a cache for these API responses."
+- lite: "Done, cache added. FYI: `functools.lru_cache` covers this in one line if you'd rather not own a cache class."
+- full: "`@lru_cache(maxsize=1000)` on the fetch function. Skipped custom cache class, add when lru_cache measurably falls short."
+- ultra: "No cache until a profiler says so. When it does: `@lru_cache`. A hand-rolled TTL cache class is a bug farm with a hit rate."
+
+## When NOT to be lazy
+
+Never simplify away: input validation at trust boundaries, error handling
+that prevents data loss, security measures, accessibility basics, anything
+explicitly requested. User insists on the full version → build it, no
+re-arguing.
+
+Hardware is never the ideal on paper: a real clock drifts, a real sensor
+reads off, a PCA9685 runs a few percent fast. Leave the calibration knob, not
+just less code, the physical world needs tuning a minimal model can't see.
+
+Lazy code without its check is unfinished. Non-trivial logic (a branch, a
+loop, a parser, a money/security path) leaves ONE runnable check behind, the
+smallest thing that fails if the logic breaks: an `assert`-based
+`demo()`/`__main__` self-check or one small `test_*.py`. No frameworks, no
+fixtures, no per-function suites unless asked. Trivial one-liners need no
+test, YAGNI applies to tests too.
+
+## Boundaries
+
+Ponytail governs what you build, not how you talk (pair with Caveman for
+terse prose). "stop ponytail" / "normal mode": revert. Level persists until
+changed or session end.
+
+The shortest path to done is the right path.

package/ponytail-audit/SKILL.md

@@ -0,0 +1,41 @@
+---
+name: ponytail-audit
+description: >
+  Whole-repo audit for over-engineering. Like ponytail-review, but scans the
+  entire codebase instead of a diff: a ranked list of what to delete, simplify,
+  or replace with stdlib/native equivalents. Use when the user says "audit this
+  codebase", "audit for over-engineering", "what can I delete from this repo",
+  "find bloat", "ponytail-audit", or "/ponytail-audit". One-shot report, does
+  not apply fixes.
+---
+
+ponytail-review, repo-wide. Scan the whole tree instead of a diff. Rank
+findings biggest cut first.
+
+## Tags
+
+Same as ponytail-review:
+
+- `delete:` dead code, unused flexibility, speculative feature. Replacement: nothing.
+- `stdlib:` hand-rolled thing the standard library ships. Name the function.
+- `native:` dependency or code doing what the platform already does. Name the feature.
+- `yagni:` abstraction with one implementation, config nobody sets, layer with one caller.
+- `shrink:` same logic, fewer lines. Show the shorter form.
+
+## Hunt
+
+Deps the stdlib or platform already ships, single-implementation interfaces,
+factories with one product, wrappers that only delegate, files exporting one
+thing, dead flags and config, hand-rolled stdlib.
+
+## Output
+
+One line per finding, ranked: `<tag> <what to cut>. <replacement>. [path]`.
+End with `net: -<N> lines, -<M> deps possible.` Nothing to cut: `Lean already. Ship.`
+
+## Boundaries
+
+Scope: over-engineering and complexity only. Correctness bugs, security holes,
+and performance are explicitly out of scope. Route them to a normal review
+pass. Lists findings, applies nothing. One-shot.
+"stop ponytail-audit" or "normal mode" to revert.

package/ponytail-debt/SKILL.md

@@ -0,0 +1,44 @@
+---
+name: ponytail-debt
+description: >
+  Harvest every `ponytail:` comment in the codebase into a debt ledger, so the
+  deliberate shortcuts and deferrals ponytail leaves behind get tracked instead
+  of rotting into "later means never". Use when the user says "ponytail debt",
+  "/ponytail-debt", "what did ponytail defer", "list the shortcuts", "ponytail
+  ledger", or "what did we mark to do later". One-shot report, changes nothing.
+---
+
+Every deliberate ponytail shortcut is marked with a `ponytail:` comment naming
+its ceiling and upgrade path. This collects them into one ledger so a deferral
+can't quietly become permanent.
+
+## Scan
+
+Grep the repo for comment markers, skipping `node_modules`, `.git`, and build
+output:
+
+`grep -rnE '(#|//) ?ponytail:' .`  (add other comment prefixes if your stack uses them)
+
+Each hit is one ledger row. The comment prefix keeps prose that merely mentions
+the convention out of the ledger.
+
+## Output
+
+One row per marker, grouped by file:
+
+`<file>:<line>, <what was simplified>. ceiling: <the limit named>. upgrade: <the trigger to revisit>.`
+
+The convention is `ponytail: <ceiling>, <upgrade path>`, so pull the ceiling
+and the trigger straight from the comment. Want an owner per row too? add
+`git blame -L<line>,<line>`.
+
+Flag the rot risk: any `ponytail:` comment that names no upgrade path or
+trigger gets a `no-trigger` tag, those are the ones that silently rot.
+
+End with `<N> markers, <M> with no trigger.` Nothing found: `No ponytail: debt. Clean ledger.`
+
+## Boundaries
+
+Reads and reports only, changes nothing. To persist it, ask and it writes the
+ledger to a file (e.g. `PONYTAIL-DEBT.md`). One-shot. "stop ponytail-debt" or
+"normal mode" to revert.

package/ponytail-gain/SKILL.md

@@ -0,0 +1,50 @@
+---
+name: ponytail-gain
+description: >
+  Show ponytail's measured impact as a compact scoreboard: less code, less
+  cost, more speed, from the benchmark medians. One-shot display, not a
+  persistent mode, and not a per-repo number. Trigger: /ponytail-gain,
+  "ponytail gain", "what does ponytail save", "show ponytail impact",
+  "ponytail scoreboard".
+---
+
+# Ponytail Gain
+
+Display this scoreboard when invoked. One-shot: do NOT change mode, write flag
+files, or persist anything.
+
+The figures are the published benchmark medians (5 everyday tasks: email
+validator, debounce, CSV sum, countdown timer, rate limiter; three models:
+Haiku, Sonnet, Opus). They are measured, not computed from the current repo.
+Source: `benchmarks/` and the README.
+
+## Scoreboard
+
+Render plain ASCII bars. The bar length shows the measured range; the label
+carries the exact figure:
+
+```
+  ponytail gain                     benchmark median · 5 tasks · 3 models
+
+  Lines of code   no-skill  ████████████████████  100%
+                  ponytail  ██▌·················    6–20%   ▼ 80–94%
+  Cost            no-skill  ████████████████████  100%
+                  ponytail  █████▌··············   23–53%  ▼ 47–77%
+  Speed           ponytail  ▸ 3–6× faster
+
+  This repo:  /ponytail-debt  (shortcuts you deferred)
+              /ponytail-audit (what's still cuttable)
+```
+
+## Honesty boundary
+
+These are benchmark medians, not this repo. NEVER print a per-repo savings
+number ("you saved X lines/tokens here"): the unbuilt version was never
+written, so there is no real baseline to subtract from in a live repo. The
+only real per-repo figures come from `/ponytail-debt` (a counted ledger), and
+this card points there instead of inventing one.
+
+## Boundaries
+
+One-shot display. Edits nothing, changes no mode.
+"stop ponytail" or "normal mode": revert.

package/ponytail-help/SKILL.md

@@ -0,0 +1,69 @@
+---
+name: ponytail-help
+description: >
+  Quick-reference card for all ponytail modes, skills, and commands.
+  One-shot display, not a persistent mode. Trigger: /ponytail-help,
+  "ponytail help", "what ponytail commands", "how do I use ponytail".
+---
+
+# Ponytail Help
+
+Display this reference card when invoked. One-shot, do NOT change mode,
+write flag files, or persist anything.
+
+## Levels
+
+| Level | Trigger | What change |
+|-------|---------|-------------|
+| **Lite** | `/ponytail lite` | Build what's asked, name the lazier alternative in one line. |
+| **Full** | `/ponytail` | The ladder enforced: YAGNI → stdlib → native → one line → minimum. Default. |
+| **Ultra** | `/ponytail ultra` | YAGNI extremist. Deletion before addition. Challenges requirements before building. |
+
+Level sticks until changed or session end.
+
+## Skills
+
+| Skill | Trigger | What it does |
+|-------|---------|--------------|
+| **ponytail** | `/ponytail` | Lazy mode itself. Simplest solution that works. |
+| **ponytail-review** | `/ponytail-review` | Over-engineering review: `L42: yagni: factory, one product. Inline.` |
+| **ponytail-gain** | `/ponytail-gain` | Measured-impact scoreboard: less code, less cost, more speed. |
+| **ponytail-help** | `/ponytail-help` | This card. |
+
+Codex uses `@ponytail`, `@ponytail-review`, and `@ponytail-help`; Claude Code
+and OpenCode use the slash-command forms above (OpenCode ships `/ponytail` and
+`/ponytail-review`).
+
+## Deactivate
+
+Say "stop ponytail" or "normal mode". Resume anytime with `/ponytail`.
+`/ponytail off` also works.
+
+## Configure Default Mode
+
+Default mode = `full`, auto-active every session. Change it:
+
+**Environment variable** (highest priority):
+```bash
+export PONYTAIL_DEFAULT_MODE=ultra
+```
+
+**Config file** (`~/.config/ponytail/config.json`, Windows: `%APPDATA%\ponytail\config.json`):
+```json
+{ "defaultMode": "lite" }
+```
+
+Set `"off"` to disable auto-activation on session start, activate manually
+with `/ponytail` when wanted.
+
+Resolution: env var > config file > `full`.
+
+## Update
+
+Enable auto-update once: open `/plugin`, go to Marketplaces, pick ponytail, Enable auto-update. Claude Code then pulls new versions at startup (run `/reload-plugins` when it prompts). Manual refresh: `/plugin marketplace update ponytail` then `/reload-plugins`.
+
+If `/plugin` is not recognized, your Claude Code is out of date. Update it (`npm install -g @anthropic-ai/claude-code@latest`, or `brew upgrade claude-code`) and restart. Other hosts use their own update flow.
+
+## More
+
+Full docs + examples: https://github.com/DietrichGebert/ponytail

package/ponytail-review/SKILL.md

@@ -0,0 +1,57 @@
+---
+name: ponytail-review
+description: >
+  Code review focused exclusively on over-engineering. Finds what to delete:
+  reinvented standard library, unneeded dependencies, speculative abstractions,
+  dead flexibility. One line per finding: location, what to cut, what replaces
+  it. Use when the user says "review for over-engineering", "what can we
+  delete", "is this over-engineered", "simplify review", or invokes
+  /ponytail-review. Complements correctness-focused review, this one only
+  hunts complexity.
+---
+
+Review diffs for unnecessary complexity. One line per finding: location, what
+to cut, what replaces it. The diff's best outcome is getting shorter.
+
+## Format
+
+`L<line>: <tag> <what>. <replacement>.`, or `<file>:L<line>: ...` for
+multi-file diffs.
+
+Tags:
+
+- `delete:` dead code, unused flexibility, speculative feature. Replacement: nothing.
+- `stdlib:` hand-rolled thing the standard library ships. Name the function.
+- `native:` dependency or code doing what the platform already does. Name the feature.
+- `yagni:` abstraction with one implementation, config nobody sets, layer with one caller.
+- `shrink:` same logic, fewer lines. Show the shorter form.
+
+## Examples
+
+❌ "This EmailValidator class might be more complex than necessary, have you
+considered whether all these validation rules are needed at this stage?"
+
+✅ `L12-38: stdlib: 27-line validator class. "@" in email, 1 line, real validation is the confirmation mail.`
+
+✅ `L4: native: moment.js imported for one format call. Intl.DateTimeFormat, 0 deps.`
+
+✅ `repo.py:L88: yagni: AbstractRepository with one implementation. Inline it until a second one exists.`
+
+✅ `L52-71: delete: retry wrapper around an idempotent local call. Nothing replaces it.`
+
+✅ `L30-44: shrink: manual loop builds dict. dict(zip(keys, values)), 1 line.`
+
+## Scoring
+
+End with the only metric that matters: `net: -<N> lines possible.`
+
+If there is nothing to cut, say `Lean already. Ship.` and stop.
+
+## Boundaries
+
+Scope: over-engineering and complexity only. Correctness bugs, security holes,
+and performance are explicitly out of scope. Route them to a normal review
+pass, not this one. A single smoke test or `assert`-based
+self-check is the ponytail minimum, not bloat, never flag it for deletion.
+Does not apply the fixes, only lists them.
+"stop ponytail-review" or "normal mode": revert to verbose review style.