opencode-skills-antigravity 0.0.8 → 1.0.0

package/README.md

@@ -1,31 +1,59 @@
-# opencode-skills-antigravity
+<div align="center">
 
-An [OpenCode CLI](https://opencode.ai/) plugin that bundles and manages the [Antigravity Awesome Skills](https://github.com/sickn33/antigravity-awesome-skills) repository for instant use.
+<img src="./docs/logo.svg" alt="OpenCode Skills Antigravity"/>
 
-## ✨ How it works
+<br/>
+<br/>
+<br/>
 
-This plugin ensures you always have the latest skills without any network latency at startup.
+[![npm version](https://img.shields.io/npm/v/opencode-skills-antigravity?style=for-the-badge&color=cb3837&label=npm)](https://www.npmjs.com/package/opencode-skills-antigravity)
+[![npm downloads](https://img.shields.io/npm/dm/opencode-skills-antigravity?style=for-the-badge&color=orange)](https://www.npmjs.com/package/opencode-skills-antigravity)
+[![license](https://img.shields.io/github/license/FrancoStino/opencode-skills-antigravity?style=for-the-badge&color=blue)](./LICENSE)
 
-- **Automated Updates:** A GitHub Action checks for updates in the [Antigravity Awesome Skills](https://github.com/sickn33/antigravity-awesome-skills) repository every hour. If new skills are found, it automatically bundles them and publishes a new version of the NPM package.
-- **Instant Deployment:** When you start OpenCode, the plugin instantly copies the pre-bundled skills to your local machine. This process works perfectly offline and ensures zero network latency during startup.
+</div>
 
-OpenCode automatically detects all skills and makes them available to the AI agent.
+# OpenCode Skills Antigravity
 
-You can then invoke any skill explicitly in your prompt:
+> An [OpenCode CLI](https://opencode.ai/) plugin that bundles and auto-syncs the [Antigravity Awesome Skills](https://github.com/sickn33/antigravity-awesome-skills) collection — delivered instantly, with zero network latency at startup.
 
-```bash
-opencode run /brainstorming help me plan a feature
-```
+---
+
+## Overview
+
+**OpenCode Skills Antigravity** bridges the OpenCode CLI with the Antigravity Awesome Skills repository. Instead of fetching skills on every startup, this plugin ships with a pre-bundled snapshot that gets copied directly to your local machine the moment OpenCode launches.
+
+The result: skills are always fresh (synced hourly via GitHub Actions), always available (even offline), and always instant.
+
+---
+
+## How It Works
+
+The plugin operates in two phases:
+
+**1. Automated upstream sync (CI)**
+
+A GitHub Actions workflow runs every hour, checking the [Antigravity Awesome Skills](https://github.com/sickn33/antigravity-awesome-skills) repository for changes. When new or updated skills are detected, the workflow:
+
+- Re-bundles the skill files into `bundled-skills/`
+- Bumps the package version (`patch`)
+- Creates a tagged GitHub Release
+- Publishes the new version to npm
+
+**2. Local deployment (startup)**
 
-Skills are also available as `/` commands directly in the OpenCode chat (e.g., `/brainstorming`).
+When OpenCode starts, the plugin runs and copies the pre-bundled skills from the npm package to:
 
-Or simply describe what you want and OpenCode will pick the right skill automatically.
+```
+~/.config/opencode/skills/
+```
 
-## 🚀 Installation
+No network calls, no latency, no failures. If the copy somehow fails, a silent fallback attempts to fetch via `npx antigravity-awesome-skills` in the background.
 
-### 1. Add the plugin to your global OpenCode config
+---
 
-Edit (or create) `~/.config/opencode/opencode.json`:
+## Installation
+
+Add the plugin to your global OpenCode configuration file at `~/.config/opencode/opencode.json`:
 
 ```json
 {
@@ -35,19 +63,110 @@ Edit (or create) `~/.config/opencode/opencode.json`:
 }
 ```
 
-OpenCode will automatically download the npm package on next startup via Bun. No manual `npm install` required.
+That's it. OpenCode will automatically download the npm package on next startup via Bun — no manual `npm install` needed.
+
+---
+
+## Usage
 
-## 📁 Skills location
+Once installed, all bundled skills are available in three ways:
 
-Skills are stored at:
+**Explicit invocation via CLI:**
+```bash
+opencode run /brainstorming help me plan a new feature
+opencode run /refactor clean up this function
+```
 
+**Slash commands in the OpenCode chat:**
 ```
-~/.config/opencode/skills/
+/brainstorming
+/refactor
+/document
+```
+
+**Natural language — OpenCode picks the right skill automatically:**
+```
+"Help me brainstorm ideas for a REST API design"
+"Refactor this function to be more readable"
 ```
 
-OpenCode scans this directory automatically at startup.
+---
+
+## CI/CD Pipeline
+
+The release pipeline is fully automated and self-contained:
+
+```
+[Hourly Cron]
+      │
+      ▼
+Auto-Sync Skills ──── no changes ───▶ (skip)
+      │
+   changes detected
+      │
+      ▼
+Bump patch version + commit + tag
+      │
+      ▼
+Create GitHub Release
+      │
+      ▼
+Publish to npm
+      │
+      ▼
+Sync main → develop
+```
+
+Manual releases (minor/major/patch) can also be triggered via the **Create Release** workflow dispatch in the Actions tab.
+
+---
+
+## Project Structure
+
+```
+opencode-skills-antigravity/
+├── src/
+│   └── index.ts          # Plugin entry point — copies bundled skills on startup
+├── bundled-skills/        # Pre-bundled skills snapshot (auto-updated by CI)
+├── dist/                  # Compiled TypeScript output
+├── .github/
+│   └── workflows/
+│       ├── sync-skills.yml   # Hourly skill sync + auto-publish
+│       ├── release.yml       # Manual version bump + GitHub Release
+│       ├── publish.yml       # npm publish on new release
+│       └── merge-branch.yml  # Keeps develop in sync with main
+├── package.json
+└── tsconfig.json
+```
+
+---
+
+## Development
+
+**Requirements:** Node.js ≥ 20, TypeScript ≥ 5
+
+```bash
+# Install dependencies
+npm install
+
+# Build
+npm run build
+
+# Output is in dist/
+```
+
+The plugin is written in TypeScript and compiled to ESNext with full type declarations. It targets ES2022 and uses ESM module resolution.
+
+---
+
+## Contributing
+
+Issues and pull requests are welcome at [github.com/FrancoStino/opencode-skills-antigravity](https://github.com/FrancoStino/opencode-skills-antigravity/issues).
+
+If you'd like to contribute new skills to the upstream collection, head over to [antigravity-awesome-skills](https://github.com/sickn33/antigravity-awesome-skills) — they'll be automatically picked up and bundled here within the hour.
 
+---
 
-## 📄 License
+## License
 
 MIT © [Davide Ladisa](https://www.davideladisa.it/)

package/bundled-skills/007/scripts/full_audit.py

@@ -1081,6 +1081,7 @@ def run_audit(
     inj_report: dict = {"findings": [], "score": 100, "total_findings": 0}
     quick_report: dict = {"findings": [], "score": 100, "total_findings": 0}
     all_findings: list[dict] = []
+    report_findings: list[dict] = []
 
     if need_scanners:
         logger.info("Running scanners for phases %s...", [p for p in phases_list if p >= 3])
@@ -1121,6 +1122,7 @@ def run_audit(
             + quick_report.get("findings", [])
         )
         all_findings = score_calculator._deduplicate_findings(raw)
+        report_findings = score_calculator.redact_findings_for_report(all_findings)
 
     # ------------------------------------------------------------------
     # Collect source files if needed for phase 6
@@ -1142,7 +1144,7 @@ def run_audit(
     if 2 in phases_list:
         # Phase 2 benefits from phase 1 data and findings
         surface = phases_data.get("phase1") or _phase1_surface_mapping(target, verbose=verbose)
-        phases_data["phase2"] = _phase2_threat_modeling_hints(surface, all_findings)
+        phases_data["phase2"] = _phase2_threat_modeling_hints(surface, report_findings)
 
     if 3 in phases_list:
         phases_data["phase3"] = _phase3_security_checklist(
@@ -1164,10 +1166,10 @@ def run_audit(
                 )
 
     if 4 in phases_list:
-        phases_data["phase4"] = _phase4_red_team_scenarios(all_findings, auth_score)
+        phases_data["phase4"] = _phase4_red_team_scenarios(report_findings, auth_score)
 
     if 5 in phases_list:
-        phases_data["phase5"] = _phase5_blue_team_recommendations(all_findings, auth_score)
+        phases_data["phase5"] = _phase5_blue_team_recommendations(report_findings, auth_score)
 
     if 6 in phases_list:
         phases_data["phase6"] = _phase6_verdict(
@@ -1227,7 +1229,7 @@ def run_audit(
         "phases_run": phases_list,
         "phases": phases_data,
         "total_findings": len(all_findings),
-        "findings": all_findings,
+        "findings": report_findings,
         "report_path": str(report_path),
     }
 

package/bundled-skills/007/scripts/score_calculator.py

@@ -64,6 +64,17 @@ import quick_scan  # noqa: E402
 # ---------------------------------------------------------------------------
 logger = setup_logging("007-score-calculator")
 
+_SENSITIVE_FINDING_KEYS = {
+    "snippet",
+    "secret",
+    "token",
+    "password",
+    "access_token",
+    "app_secret",
+    "authorization_code",
+    "client_secret",
+}
+
 
 # ---------------------------------------------------------------------------
 # Positive-signal patterns (auth, encryption, resilience, monitoring)
@@ -360,6 +371,51 @@ def _bar(score: float, width: int = 20) -> str:
     return "[" + "#" * filled + "." * (width - filled) + "]"
 
 
+def _redact_report_value(value):
+    """Recursively redact sensitive values from report payloads."""
+    if isinstance(value, dict):
+        return {key: _redact_report_value(value[key]) for key in value}
+    if isinstance(value, list):
+        return [_redact_report_value(item) for item in value]
+    return value
+
+
+def redact_findings_for_report(findings: list[dict]) -> list[dict]:
+    """Return findings safe to serialize in user-facing reports."""
+    redacted: list[dict] = []
+
+    for finding in findings:
+        safe_finding: dict = {}
+        finding_type = str(finding.get("type", "")).lower()
+
+        for key, value in finding.items():
+            key_lower = key.lower()
+            if key_lower in _SENSITIVE_FINDING_KEYS:
+                safe_finding[key] = "[redacted]"
+                continue
+            if finding_type == "secret" and key_lower in {"entropy", "match", "raw", "value"}:
+                safe_finding[key] = "[redacted]"
+                continue
+            safe_finding[key] = _redact_report_value(value)
+
+        redacted.append(safe_finding)
+
+    return redacted
+
+
+def build_safe_scanner_summaries(scanner_summaries: dict[str, dict]) -> dict[str, dict]:
+    """Return scanner summaries with primitive numeric values only."""
+    safe_summaries: dict[str, dict] = {}
+
+    for scanner_name, summary in scanner_summaries.items():
+        safe_summaries[scanner_name] = {
+            "findings": int(summary.get("findings", 0)),
+            "score": float(summary.get("score", 0)),
+        }
+
+    return safe_summaries
+
+
 def format_text_report(
     target: str,
     domain_scores: dict[str, float],
@@ -430,6 +486,7 @@ def build_json_report(
     elapsed: float,
 ) -> dict:
     """Build a structured JSON report."""
+    safe_findings = redact_findings_for_report(all_findings)
     return {
         "report": "score_calculator",
         "target": target,
@@ -444,7 +501,7 @@ def build_json_report(
             "emoji": verdict["emoji"],
         },
         "scanner_summaries": scanner_summaries,
-        "findings": all_findings,
+        "findings": safe_findings,
     }
 
 
@@ -564,6 +621,9 @@ def run_score(
     all_findings_raw = secrets_findings + dep_findings + inj_findings + quick_findings
     all_findings = _deduplicate_findings(all_findings_raw)
     total_findings = len(all_findings)
+    safe_findings = redact_findings_for_report(all_findings)
+    safe_total_findings = len(safe_findings)
+    safe_scanner_summaries = build_safe_scanner_summaries(scanner_summaries)
 
     logger.info(
         "Aggregated %d raw findings -> %d unique (deduplicated)",
@@ -613,8 +673,8 @@ def run_score(
         result=f"final_score={final_score}, verdict={verdict['label']}",
         details={
             "domain_scores": domain_scores,
-            "total_findings": total_findings,
-            "scanner_summaries": scanner_summaries,
+            "total_findings": safe_total_findings,
+            "scanner_summaries": safe_scanner_summaries,
             "duration_seconds": round(elapsed, 3),
         },
     )
@@ -627,9 +687,9 @@ def run_score(
         domain_scores=domain_scores,
         final_score=final_score,
         verdict=verdict,
-        scanner_summaries=scanner_summaries,
+        scanner_summaries=safe_scanner_summaries,
         all_findings=all_findings,
-        total_findings=total_findings,
+        total_findings=safe_total_findings,
         elapsed=elapsed,
     )
 
@@ -641,8 +701,8 @@ def run_score(
             domain_scores=domain_scores,
             final_score=final_score,
             verdict=verdict,
-            scanner_summaries=scanner_summaries,
-            total_findings=total_findings,
+            scanner_summaries=safe_scanner_summaries,
+            total_findings=safe_total_findings,
             elapsed=elapsed,
         ))
 

package/bundled-skills/algorithmic-art/templates/viewer.html

@@ -20,7 +20,7 @@
     <meta charset="UTF-8">
     <meta name="viewport" content="width=device-width, initial-scale=1.0">
     <title>Generative Art Viewer</title>
-    <script src="https://cdnjs.cloudflare.com/ajax/libs/p5.js/1.7.0/p5.min.js"></script>
+    <script src="https://cdnjs.cloudflare.com/ajax/libs/p5.js/1.7.0/p5.min.js" integrity="sha512-bcfltY+lNLlNxz38yBBm/HLaUB1gTV6I0e+fahbF9pS6roIdzUytozWdnFV8ZnM6cSAG5EbmO0ag0a/fLZSG4Q==" crossorigin="anonymous"></script>
     <link rel="preconnect" href="https://fonts.googleapis.com">
     <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
     <link href="https://fonts.googleapis.com/css2?family=Poppins:wght@400;500;600&family=Lora:wght@400;500&display=swap" rel="stylesheet">
@@ -596,4 +596,4 @@
         });
     </script>
 </body>
-</html>
+</html>

package/bundled-skills/apify-actorization/SKILL.md

@@ -45,10 +45,9 @@ Verify CLI is logged in:
 apify info  # Should return your username
 ```
 
-If not logged in, check if `APIFY_TOKEN` environment variable is defined. If not, ask the user to generate one at https://console.apify.com/settings/integrations, then:
+If not logged in, check if `APIFY_TOKEN` environment variable is defined. If not, ask the user to generate one at https://console.apify.com/settings/integrations, add it to their shell or secret manager without putting the literal token in command history, then run:
 
 ```bash
-export APIFY_TOKEN="your_token_here"
 apify login
 ```
 

package/bundled-skills/apify-actorization/references/cli-actorization.md

@@ -33,12 +33,12 @@ Reference the [cli-start template Dockerfile](https://github.com/apify/actor-tem
 ```dockerfile
 FROM apify/actor-node:20
 
-# Install ubi for easy GitHub release installation
-RUN curl --silent --location \
-    https://raw.githubusercontent.com/houseabsolute/ubi/master/bootstrap/bootstrap-ubi.sh | sh
+# Install ubi from a package source or a verified release artifact
+# Example: use your base image package manager or vendor a pinned binary in the build context
+# RUN apt-get update && apt-get install -y ubi
 
 # Install your CLI tool from GitHub releases (example)
-# RUN ubi --project your-org/your-tool --in /usr/local/bin
+# RUN install -m 0755 ./vendor/your-tool /usr/local/bin/your-tool
 
 # Or install apify-cli and jq manually
 RUN npm install -g apify-cli

package/bundled-skills/docs/COMMUNITY_GUIDELINES.md

@@ -1,3 +1,3 @@
 # Community Guidelines
 
-This document moved to [`contributors/community-guidelines.md`](contributors/community-guidelines.md).
+This document moved to [`../CODE_OF_CONDUCT.md`](../CODE_OF_CONDUCT.md).

package/bundled-skills/docs/contributors/community-guidelines.md

@@ -1,33 +1,4 @@
-# Code of Conduct
+# Community Guidelines
 
-## Our Pledge
-
-In the interest of fostering an open and welcoming environment, we as contributors and maintainers pledge to making participation in our project and our community a harassment-free experience for everyone.
-
-## Our Standards
-
-Examples of behavior that contributes to creating a positive environment include:
-
-- Using welcoming and inclusive language
-- Being respectful of differing viewpoints and experiences
-- Gracefully accepting constructive criticism
-- Focusing on what is best for the community
-- Showing empathy towards other community members
-
-Examples of unacceptable behavior by participants include:
-
-- The use of sexualized language or imagery and unwelcome sexual attention or advances
-- Trolling, insulting/derogatory comments, and personal or political attacks
-- Public or private harassment
-- Publishing others' private information without explicit permission
-- Other conduct which could reasonably be considered inappropriate in a professional setting
-
-## Enforcement
-
-Project maintainers are responsible for clarifying the standards of acceptable behavior and are expected to take appropriate and fair corrective action in response to any instances of unacceptable behavior.
-
-## Attribution
-
-This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 2.1.
-
-[homepage]: https://www.contributor-covenant.org
+The canonical project policy now lives in the repository root at
+[`CODE_OF_CONDUCT.md`](../../CODE_OF_CONDUCT.md).

package/bundled-skills/docs/integrations/jetski-gemini-loader/loader.ts

@@ -83,16 +83,34 @@ export async function loadSkillBodies(
 ): Promise<string[]> {
   const bodies: string[] = [];
   const rootPath = path.resolve(skillsRoot);
+  const rootRealPath = await fs.promises.realpath(rootPath);
 
   for (const meta of metas) {
-    const fullPath = path.resolve(rootPath, meta.path, "SKILL.md");
-    const relativePath = path.relative(rootPath, fullPath);
+    const skillDirPath = path.resolve(rootPath, meta.path);
+    const relativePath = path.relative(rootPath, skillDirPath);
 
     if (relativePath.startsWith("..") || path.isAbsolute(relativePath)) {
       throw new Error(`Skill path escapes skills root: ${meta.id}`);
     }
 
-    const text = await fs.promises.readFile(fullPath, "utf8");
+    const skillDirStat = await fs.promises.lstat(skillDirPath);
+    if (!skillDirStat.isDirectory() || skillDirStat.isSymbolicLink()) {
+      throw new Error(`Skill directory must be a regular directory inside the skills root: ${meta.id}`);
+    }
+
+    const fullPath = path.join(skillDirPath, "SKILL.md");
+    const skillFileStat = await fs.promises.lstat(fullPath);
+    if (!skillFileStat.isFile() || skillFileStat.isSymbolicLink()) {
+      throw new Error(`SKILL.md must be a regular file inside the skills root: ${meta.id}`);
+    }
+
+    const realPath = await fs.promises.realpath(fullPath);
+    const realRelativePath = path.relative(rootRealPath, realPath);
+    if (realRelativePath.startsWith("..") || path.isAbsolute(realRelativePath)) {
+      throw new Error(`SKILL.md resolves outside the skills root: ${meta.id}`);
+    }
+
+    const text = await fs.promises.readFile(realPath, "utf8");
     bodies.push(text);
   }
 

package/bundled-skills/docs/maintainers/security-findings-triage-2026-03-18-addendum.md

@@ -0,0 +1,22 @@
+# Security Findings Triage Addendum (2026-03-18)
+
+This addendum supersedes the previous Jetski loader assessment in
+`security-findings-triage-2026-03-15.md`.
+
+## Correction
+
+- Finding: `Example loader trusts manifest paths, enabling file read`
+- Path: `docs/integrations/jetski-gemini-loader/loader.ts`
+- Previous triage status on 2026-03-15: `obsolete/not reproducible on current HEAD`
+- Corrected assessment: the loader was still reproducible via a symlinked
+  `SKILL.md` that resolved outside `skillsRoot`. A local proof read the linked
+  file contents successfully.
+
+## Current Status
+
+- The loader now rejects symlinked skill directories and symlinked `SKILL.md`
+  files.
+- The loader now resolves the real path for `SKILL.md` and rejects any target
+  outside the configured `skillsRoot`.
+- Regression coverage lives in
+  `tools/scripts/tests/jetski_gemini_loader.test.js`.

package/bundled-skills/dotnet-backend-patterns/resources/implementation-playbook.md

@@ -793,7 +793,7 @@ public class ProductsApiTests : IClassFixture<WebApplicationFactory<Program>>
 
 ## Resources
 
-- **assets/service-template.cs**: Complete service implementation template
-- **assets/repository-template.cs**: Repository pattern implementation
+- **assets/service-template.cs.template**: Complete service implementation template
+- **assets/repository-template.cs.template**: Repository pattern implementation
 - **references/ef-core-best-practices.md**: EF Core optimization guide
 - **references/dapper-patterns.md**: Advanced Dapper usage patterns

package/bundled-skills/instagram/scripts/auth.py

@@ -19,6 +19,7 @@ from __future__ import annotations
 
 import argparse
 import asyncio
+import html
 import json
 import os
 import sys
@@ -47,6 +48,15 @@ db = Database()
 db.init()
 
 
+def _mask_secret(value: str, keep: int = 4) -> str:
+    """Mask secret-like values before showing them in terminal output."""
+    if not value:
+        return "(hidden)"
+    if len(value) <= keep:
+        return "*" * len(value)
+    return f"{value[:keep]}...masked"
+
+
 # ── OAuth Callback Server ────────────────────────────────────────────────────
 
 class OAuthCallbackHandler(BaseHTTPRequestHandler):
@@ -71,7 +81,8 @@ class OAuthCallbackHandler(BaseHTTPRequestHandler):
             self.send_response(400)
             self.send_header("Content-Type", "text/html; charset=utf-8")
             self.end_headers()
-            self.wfile.write(f"<html><body><h2>Erro: {error}</h2></body></html>".encode())
+            safe_error = html.escape(error, quote=True)
+            self.wfile.write(f"<html><body><h2>Erro: {safe_error}</h2></body></html>".encode())
         else:
             self.send_response(404)
             self.end_headers()
@@ -84,7 +95,7 @@ def wait_for_oauth_code() -> Optional[str]:
     """Inicia servidor local e espera pelo código de autorização."""
     server = HTTPServer(("localhost", OAUTH_REDIRECT_PORT), OAuthCallbackHandler)
     server.timeout = 120  # 2 minutos
-    print(f"Aguardando autorização em http://localhost:{OAUTH_REDIRECT_PORT}/callback ...")
+    print("Aguardando autorização no callback OAuth local...")
     print("(Timeout: 2 minutos)\n")
 
     while OAuthCallbackHandler.authorization_code is None:
@@ -285,10 +296,8 @@ async def setup() -> None:
         f"response_type=code"
     )
 
-    print(f"\nAbrindo browser para autorização...")
-    # Mask client_id in auth URL to avoid logging credentials
-    masked_url = auth_url.replace(app_id, app_id[:4] + "...masked") if app_id else auth_url
-    print(f"URL: {masked_url}\n")
+    print("\nAbrindo browser para autorização...")
+    print("A URL de autorização e o App ID não serão exibidos para evitar vazamento de credenciais.\n")
     webbrowser.open(auth_url)
 
     # Esperar callback