opencode-skills-antigravity 0.0.7 → 0.0.9

package/README.md

@@ -1,4 +1,4 @@
-# opencode-skills-antigravity
+# OpenCode Skills Antigravity
 
 An [OpenCode CLI](https://opencode.ai/) plugin that bundles and manages the [Antigravity Awesome Skills](https://github.com/sickn33/antigravity-awesome-skills) repository for instant use.
 
@@ -14,14 +14,16 @@ OpenCode automatically detects all skills and makes them available to the AI age
 You can then invoke any skill explicitly in your prompt:
 
 ```bash
-opencode run @brainstorming help me plan a feature
+opencode run /brainstorming help me plan a feature
 ```
 
+Skills are also available as `/` commands directly in the OpenCode chat (e.g., `/brainstorming`).
+
 Or simply describe what you want and OpenCode will pick the right skill automatically.
 
 ## 🚀 Installation
 
-### 1. Add the plugin to your global OpenCode config
+### Add the plugin to your global OpenCode config
 
 Edit (or create) `~/.config/opencode/opencode.json`:
 

package/bundled-skills/007/scripts/full_audit.py

@@ -1081,6 +1081,7 @@ def run_audit(
     inj_report: dict = {"findings": [], "score": 100, "total_findings": 0}
     quick_report: dict = {"findings": [], "score": 100, "total_findings": 0}
     all_findings: list[dict] = []
+    report_findings: list[dict] = []
 
     if need_scanners:
         logger.info("Running scanners for phases %s...", [p for p in phases_list if p >= 3])
@@ -1121,6 +1122,7 @@ def run_audit(
             + quick_report.get("findings", [])
         )
         all_findings = score_calculator._deduplicate_findings(raw)
+        report_findings = score_calculator.redact_findings_for_report(all_findings)
 
     # ------------------------------------------------------------------
     # Collect source files if needed for phase 6
@@ -1142,7 +1144,7 @@ def run_audit(
     if 2 in phases_list:
         # Phase 2 benefits from phase 1 data and findings
         surface = phases_data.get("phase1") or _phase1_surface_mapping(target, verbose=verbose)
-        phases_data["phase2"] = _phase2_threat_modeling_hints(surface, all_findings)
+        phases_data["phase2"] = _phase2_threat_modeling_hints(surface, report_findings)
 
     if 3 in phases_list:
         phases_data["phase3"] = _phase3_security_checklist(
@@ -1164,10 +1166,10 @@ def run_audit(
                 )
 
     if 4 in phases_list:
-        phases_data["phase4"] = _phase4_red_team_scenarios(all_findings, auth_score)
+        phases_data["phase4"] = _phase4_red_team_scenarios(report_findings, auth_score)
 
     if 5 in phases_list:
-        phases_data["phase5"] = _phase5_blue_team_recommendations(all_findings, auth_score)
+        phases_data["phase5"] = _phase5_blue_team_recommendations(report_findings, auth_score)
 
     if 6 in phases_list:
         phases_data["phase6"] = _phase6_verdict(
@@ -1227,7 +1229,7 @@ def run_audit(
         "phases_run": phases_list,
         "phases": phases_data,
         "total_findings": len(all_findings),
-        "findings": all_findings,
+        "findings": report_findings,
         "report_path": str(report_path),
     }
 

package/bundled-skills/007/scripts/score_calculator.py

@@ -64,6 +64,17 @@ import quick_scan  # noqa: E402
 # ---------------------------------------------------------------------------
 logger = setup_logging("007-score-calculator")
 
+_SENSITIVE_FINDING_KEYS = {
+    "snippet",
+    "secret",
+    "token",
+    "password",
+    "access_token",
+    "app_secret",
+    "authorization_code",
+    "client_secret",
+}
+
 
 # ---------------------------------------------------------------------------
 # Positive-signal patterns (auth, encryption, resilience, monitoring)
@@ -360,6 +371,51 @@ def _bar(score: float, width: int = 20) -> str:
     return "[" + "#" * filled + "." * (width - filled) + "]"
 
 
+def _redact_report_value(value):
+    """Recursively redact sensitive values from report payloads."""
+    if isinstance(value, dict):
+        return {key: _redact_report_value(value[key]) for key in value}
+    if isinstance(value, list):
+        return [_redact_report_value(item) for item in value]
+    return value
+
+
+def redact_findings_for_report(findings: list[dict]) -> list[dict]:
+    """Return findings safe to serialize in user-facing reports."""
+    redacted: list[dict] = []
+
+    for finding in findings:
+        safe_finding: dict = {}
+        finding_type = str(finding.get("type", "")).lower()
+
+        for key, value in finding.items():
+            key_lower = key.lower()
+            if key_lower in _SENSITIVE_FINDING_KEYS:
+                safe_finding[key] = "[redacted]"
+                continue
+            if finding_type == "secret" and key_lower in {"entropy", "match", "raw", "value"}:
+                safe_finding[key] = "[redacted]"
+                continue
+            safe_finding[key] = _redact_report_value(value)
+
+        redacted.append(safe_finding)
+
+    return redacted
+
+
+def build_safe_scanner_summaries(scanner_summaries: dict[str, dict]) -> dict[str, dict]:
+    """Return scanner summaries with primitive numeric values only."""
+    safe_summaries: dict[str, dict] = {}
+
+    for scanner_name, summary in scanner_summaries.items():
+        safe_summaries[scanner_name] = {
+            "findings": int(summary.get("findings", 0)),
+            "score": float(summary.get("score", 0)),
+        }
+
+    return safe_summaries
+
+
 def format_text_report(
     target: str,
     domain_scores: dict[str, float],
@@ -430,6 +486,7 @@ def build_json_report(
     elapsed: float,
 ) -> dict:
     """Build a structured JSON report."""
+    safe_findings = redact_findings_for_report(all_findings)
     return {
         "report": "score_calculator",
         "target": target,
@@ -444,7 +501,7 @@ def build_json_report(
             "emoji": verdict["emoji"],
         },
         "scanner_summaries": scanner_summaries,
-        "findings": all_findings,
+        "findings": safe_findings,
     }
 
 
@@ -564,6 +621,9 @@ def run_score(
     all_findings_raw = secrets_findings + dep_findings + inj_findings + quick_findings
     all_findings = _deduplicate_findings(all_findings_raw)
     total_findings = len(all_findings)
+    safe_findings = redact_findings_for_report(all_findings)
+    safe_total_findings = len(safe_findings)
+    safe_scanner_summaries = build_safe_scanner_summaries(scanner_summaries)
 
     logger.info(
         "Aggregated %d raw findings -> %d unique (deduplicated)",
@@ -613,8 +673,8 @@ def run_score(
         result=f"final_score={final_score}, verdict={verdict['label']}",
         details={
             "domain_scores": domain_scores,
-            "total_findings": total_findings,
-            "scanner_summaries": scanner_summaries,
+            "total_findings": safe_total_findings,
+            "scanner_summaries": safe_scanner_summaries,
             "duration_seconds": round(elapsed, 3),
         },
     )
@@ -627,9 +687,9 @@ def run_score(
         domain_scores=domain_scores,
         final_score=final_score,
         verdict=verdict,
-        scanner_summaries=scanner_summaries,
+        scanner_summaries=safe_scanner_summaries,
         all_findings=all_findings,
-        total_findings=total_findings,
+        total_findings=safe_total_findings,
         elapsed=elapsed,
     )
 
@@ -641,8 +701,8 @@ def run_score(
             domain_scores=domain_scores,
             final_score=final_score,
             verdict=verdict,
-            scanner_summaries=scanner_summaries,
-            total_findings=total_findings,
+            scanner_summaries=safe_scanner_summaries,
+            total_findings=safe_total_findings,
             elapsed=elapsed,
         ))
 

package/bundled-skills/algorithmic-art/templates/viewer.html

@@ -20,7 +20,7 @@
     <meta charset="UTF-8">
     <meta name="viewport" content="width=device-width, initial-scale=1.0">
     <title>Generative Art Viewer</title>
-    <script src="https://cdnjs.cloudflare.com/ajax/libs/p5.js/1.7.0/p5.min.js"></script>
+    <script src="https://cdnjs.cloudflare.com/ajax/libs/p5.js/1.7.0/p5.min.js" integrity="sha512-bcfltY+lNLlNxz38yBBm/HLaUB1gTV6I0e+fahbF9pS6roIdzUytozWdnFV8ZnM6cSAG5EbmO0ag0a/fLZSG4Q==" crossorigin="anonymous"></script>
     <link rel="preconnect" href="https://fonts.googleapis.com">
     <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
     <link href="https://fonts.googleapis.com/css2?family=Poppins:wght@400;500;600&family=Lora:wght@400;500&display=swap" rel="stylesheet">
@@ -596,4 +596,4 @@
         });
     </script>
 </body>
-</html>
+</html>

package/bundled-skills/apify-actorization/SKILL.md

@@ -45,10 +45,9 @@ Verify CLI is logged in:
 apify info  # Should return your username
 ```
 
-If not logged in, check if `APIFY_TOKEN` environment variable is defined. If not, ask the user to generate one at https://console.apify.com/settings/integrations, then:
+If not logged in, check if `APIFY_TOKEN` environment variable is defined. If not, ask the user to generate one at https://console.apify.com/settings/integrations, add it to their shell or secret manager without putting the literal token in command history, then run:
 
 ```bash
-export APIFY_TOKEN="your_token_here"
 apify login
 ```
 

package/bundled-skills/apify-actorization/references/cli-actorization.md

@@ -33,12 +33,12 @@ Reference the [cli-start template Dockerfile](https://github.com/apify/actor-tem
 ```dockerfile
 FROM apify/actor-node:20
 
-# Install ubi for easy GitHub release installation
-RUN curl --silent --location \
-    https://raw.githubusercontent.com/houseabsolute/ubi/master/bootstrap/bootstrap-ubi.sh | sh
+# Install ubi from a package source or a verified release artifact
+# Example: use your base image package manager or vendor a pinned binary in the build context
+# RUN apt-get update && apt-get install -y ubi
 
 # Install your CLI tool from GitHub releases (example)
-# RUN ubi --project your-org/your-tool --in /usr/local/bin
+# RUN install -m 0755 ./vendor/your-tool /usr/local/bin/your-tool
 
 # Or install apify-cli and jq manually
 RUN npm install -g apify-cli

package/bundled-skills/docs/COMMUNITY_GUIDELINES.md

@@ -1,3 +1,3 @@
 # Community Guidelines
 
-This document moved to [`contributors/community-guidelines.md`](contributors/community-guidelines.md).
+This document moved to [`../CODE_OF_CONDUCT.md`](../CODE_OF_CONDUCT.md).

package/bundled-skills/docs/contributors/community-guidelines.md

@@ -1,33 +1,4 @@
-# Code of Conduct
+# Community Guidelines
 
-## Our Pledge
-
-In the interest of fostering an open and welcoming environment, we as contributors and maintainers pledge to making participation in our project and our community a harassment-free experience for everyone.
-
-## Our Standards
-
-Examples of behavior that contributes to creating a positive environment include:
-
-- Using welcoming and inclusive language
-- Being respectful of differing viewpoints and experiences
-- Gracefully accepting constructive criticism
-- Focusing on what is best for the community
-- Showing empathy towards other community members
-
-Examples of unacceptable behavior by participants include:
-
-- The use of sexualized language or imagery and unwelcome sexual attention or advances
-- Trolling, insulting/derogatory comments, and personal or political attacks
-- Public or private harassment
-- Publishing others' private information without explicit permission
-- Other conduct which could reasonably be considered inappropriate in a professional setting
-
-## Enforcement
-
-Project maintainers are responsible for clarifying the standards of acceptable behavior and are expected to take appropriate and fair corrective action in response to any instances of unacceptable behavior.
-
-## Attribution
-
-This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 2.1.
-
-[homepage]: https://www.contributor-covenant.org
+The canonical project policy now lives in the repository root at
+[`CODE_OF_CONDUCT.md`](../../CODE_OF_CONDUCT.md).

package/bundled-skills/docs/integrations/jetski-gemini-loader/loader.ts

@@ -83,16 +83,34 @@ export async function loadSkillBodies(
 ): Promise<string[]> {
   const bodies: string[] = [];
   const rootPath = path.resolve(skillsRoot);
+  const rootRealPath = await fs.promises.realpath(rootPath);
 
   for (const meta of metas) {
-    const fullPath = path.resolve(rootPath, meta.path, "SKILL.md");
-    const relativePath = path.relative(rootPath, fullPath);
+    const skillDirPath = path.resolve(rootPath, meta.path);
+    const relativePath = path.relative(rootPath, skillDirPath);
 
     if (relativePath.startsWith("..") || path.isAbsolute(relativePath)) {
       throw new Error(`Skill path escapes skills root: ${meta.id}`);
     }
 
-    const text = await fs.promises.readFile(fullPath, "utf8");
+    const skillDirStat = await fs.promises.lstat(skillDirPath);
+    if (!skillDirStat.isDirectory() || skillDirStat.isSymbolicLink()) {
+      throw new Error(`Skill directory must be a regular directory inside the skills root: ${meta.id}`);
+    }
+
+    const fullPath = path.join(skillDirPath, "SKILL.md");
+    const skillFileStat = await fs.promises.lstat(fullPath);
+    if (!skillFileStat.isFile() || skillFileStat.isSymbolicLink()) {
+      throw new Error(`SKILL.md must be a regular file inside the skills root: ${meta.id}`);
+    }
+
+    const realPath = await fs.promises.realpath(fullPath);
+    const realRelativePath = path.relative(rootRealPath, realPath);
+    if (realRelativePath.startsWith("..") || path.isAbsolute(realRelativePath)) {
+      throw new Error(`SKILL.md resolves outside the skills root: ${meta.id}`);
+    }
+
+    const text = await fs.promises.readFile(realPath, "utf8");
     bodies.push(text);
   }
 

package/bundled-skills/docs/maintainers/security-findings-triage-2026-03-18-addendum.md

@@ -0,0 +1,22 @@
+# Security Findings Triage Addendum (2026-03-18)
+
+This addendum supersedes the previous Jetski loader assessment in
+`security-findings-triage-2026-03-15.md`.
+
+## Correction
+
+- Finding: `Example loader trusts manifest paths, enabling file read`
+- Path: `docs/integrations/jetski-gemini-loader/loader.ts`
+- Previous triage status on 2026-03-15: `obsolete/not reproducible on current HEAD`
+- Corrected assessment: the loader was still reproducible via a symlinked
+  `SKILL.md` that resolved outside `skillsRoot`. A local proof read the linked
+  file contents successfully.
+
+## Current Status
+
+- The loader now rejects symlinked skill directories and symlinked `SKILL.md`
+  files.
+- The loader now resolves the real path for `SKILL.md` and rejects any target
+  outside the configured `skillsRoot`.
+- Regression coverage lives in
+  `tools/scripts/tests/jetski_gemini_loader.test.js`.

package/bundled-skills/docs/users/getting-started.md

@@ -1,4 +1,4 @@
-# Getting Started with Antigravity Awesome Skills (V8.1.0)
+# Getting Started with Antigravity Awesome Skills (V8.2.0)
 
 **New here? This guide will help you supercharge your AI Agent in 5 minutes.**
 

package/bundled-skills/docs/users/walkthrough.md

@@ -1,42 +1,46 @@
-# Walkthrough: Release v8.1.0 Maintenance Sweep
+# Walkthrough: Release v8.2.0 Maintenance Sweep
 
 ## Overview
 
-This walkthrough captures the maintainer-side documentation and release preparation work for **v8.1.0** after the 2026-03-17 PR merge batch.
+This walkthrough captures the maintainer-side documentation and release publication work for **v8.2.0** after the 2026-03-18 maintenance sweep.
 
 ## Changes Verified
 
 ### 1. Community PR batch integrated
 
-- **PR #324**: Added `progressive-web-app`
-- **PR #325**: Added `vibers-code-review`
-- **PR #326**: Repaired invalid YAML frontmatter in existing skills
-- **PR #329**: Added `trpc-fullstack`
-- **PR #330**: Aligned FAQ risk labels and documented the active `skill-review` check
-- **PR #331**: Removed a broken reference from `skills/data-scientist/SKILL.md`
+- **PR #333**: Repaired missing required frontmatter fields in `skill-anatomy` and `adapter-patterns`
+- **PR #336**: Added `astro`, `hono`, `pydantic-ai`, and `sveltekit`
+- **PR #338**: Repaired malformed markdown in `browser-extension-builder`
+- **PR #343**: Added missing metadata labels to `devcontainer-setup`
+- **PR #340**: Added `openclaw-github-repo-commander`
+- **PR #334**: Added `goldrush-api`
+- **PR #345**: Added `Wolfe-Jam/faf-skills` to README source attributions
 
 ### 2. Release-facing docs refreshed
 
 - **README.md**:
-  - Current release updated to **v8.1.0**
+  - Current release updated to **v8.2.0**
   - Release summary text aligned with the merged PR batch
   - Contributor acknowledgements kept in sync with the latest merge set
 - **docs/users/getting-started.md**:
-  - Version header updated to **v8.1.0**
-- **docs/users/faq.md**:
-  - Active `skill-review` workflow guidance retained as the current contributor check
+  - Version header updated to **v8.2.0**
 - **CHANGELOG.md**:
-  - Added the release notes section for **8.1.0**
+  - Added the release notes section for **8.2.0**
 
-### 3. Release protocol to run
+### 3. Maintenance fixes verified
+
+- **Issue #344**: Corrected `.claude-plugin/marketplace.json` to use `source: "./"` and added a regression test for the Claude Code marketplace entry
+- **.github/MAINTENANCE.md**: Documented the maintainer flow for fork-gated workflows and stale PR metadata
+
+### 4. Release protocol executed
 
 - `npm run release:preflight`
 - `npm run security:docs`
 - `npm run validate:strict` (diagnostic, optional blocker)
-- `npm run release:prepare -- 8.1.0`
-- `npm run release:publish -- 8.1.0`
+- `npm run release:prepare -- 8.2.0`
+- `npm run release:publish -- 8.2.0`
 
 ## Expected Outcome
 
 - Documentation, changelog, and generated metadata all agree on the release state.
-- The repository is ready for the `v8.1.0` tag and GitHub release.
+- The repository published the `v8.2.0` tag and GitHub release successfully.

package/bundled-skills/dotnet-backend-patterns/resources/implementation-playbook.md

@@ -793,7 +793,7 @@ public class ProductsApiTests : IClassFixture<WebApplicationFactory<Program>>
 
 ## Resources
 
-- **assets/service-template.cs**: Complete service implementation template
-- **assets/repository-template.cs**: Repository pattern implementation
+- **assets/service-template.cs.template**: Complete service implementation template
+- **assets/repository-template.cs.template**: Repository pattern implementation
 - **references/ef-core-best-practices.md**: EF Core optimization guide
 - **references/dapper-patterns.md**: Advanced Dapper usage patterns

package/bundled-skills/instagram/scripts/auth.py

@@ -19,6 +19,7 @@ from __future__ import annotations
 
 import argparse
 import asyncio
+import html
 import json
 import os
 import sys
@@ -47,6 +48,15 @@ db = Database()
 db.init()
 
 
+def _mask_secret(value: str, keep: int = 4) -> str:
+    """Mask secret-like values before showing them in terminal output."""
+    if not value:
+        return "(hidden)"
+    if len(value) <= keep:
+        return "*" * len(value)
+    return f"{value[:keep]}...masked"
+
+
 # ── OAuth Callback Server ────────────────────────────────────────────────────
 
 class OAuthCallbackHandler(BaseHTTPRequestHandler):
@@ -71,7 +81,8 @@ class OAuthCallbackHandler(BaseHTTPRequestHandler):
             self.send_response(400)
             self.send_header("Content-Type", "text/html; charset=utf-8")
             self.end_headers()
-            self.wfile.write(f"<html><body><h2>Erro: {error}</h2></body></html>".encode())
+            safe_error = html.escape(error, quote=True)
+            self.wfile.write(f"<html><body><h2>Erro: {safe_error}</h2></body></html>".encode())
         else:
             self.send_response(404)
             self.end_headers()
@@ -84,7 +95,7 @@ def wait_for_oauth_code() -> Optional[str]:
     """Inicia servidor local e espera pelo código de autorização."""
     server = HTTPServer(("localhost", OAUTH_REDIRECT_PORT), OAuthCallbackHandler)
     server.timeout = 120  # 2 minutos
-    print(f"Aguardando autorização em http://localhost:{OAUTH_REDIRECT_PORT}/callback ...")
+    print("Aguardando autorização no callback OAuth local...")
     print("(Timeout: 2 minutos)\n")
 
     while OAuthCallbackHandler.authorization_code is None:
@@ -285,10 +296,8 @@ async def setup() -> None:
         f"response_type=code"
     )
 
-    print(f"\nAbrindo browser para autorização...")
-    # Mask client_id in auth URL to avoid logging credentials
-    masked_url = auth_url.replace(app_id, app_id[:4] + "...masked") if app_id else auth_url
-    print(f"URL: {masked_url}\n")
+    print("\nAbrindo browser para autorização...")
+    print("A URL de autorização e o App ID não serão exibidos para evitar vazamento de credenciais.\n")
     webbrowser.open(auth_url)
 
     # Esperar callback