opencode-skills-antigravity 1.0.10 → 1.0.11

package/bundled-skills/docs/maintainers/security-findings-triage-2026-03-15.md

@@ -33,7 +33,7 @@
 | 8 | medium | Symlinked file copy in Microsoft skill sync can leak host data | `tools/scripts/sync_microsoft_skills.py` | duplicate of another finding | filesystem-trust-boundary | Same origin/main behavior as finding 7: the Microsoft sync path trusted resolved symlink targets and copied files from them. | Fix once in sync_microsoft_skills.py by constraining resolved paths to the clone root. | codex/security-filesystem-trust-boundary |
 | 9 | medium | Committed Python bytecode can hide malicious logic | `skills/ui-ux-pro-max/scripts/__pycache__/core.cpython-314.pyc | skills/ui-ux-pro-max/scripts/__pycache__/design_system.cpython-314.pyc` | still present but low practical risk | robustness | On origin/main, tracked __pycache__ artifacts were still present under skills/ui-ux-pro-max/scripts, which is review-hostile but not independently exploitable. | Remove tracked bytecode artifacts and rely on source-only review plus .gitignore. | codex/security-robustness |
 | 10 | medium | Symlinked SKILL.md can leak host files via index script | `tools/scripts/generate_index.py` | still present but low practical risk | filesystem-trust-boundary | On origin/main, generate_index.py opened every SKILL.md it found via os.walk and did not skip symlinked SKILL.md files, so a malicious local symlink could exfiltrate another file into index metadata generation. | Skip symlinked SKILL.md files during indexing. | codex/security-filesystem-trust-boundary |
-| 11 | low | Example loader trusts manifest paths, enabling file read | `docs/integrations/jetski-gemini-loader/loader.ts` | obsolete/not reproducible on current HEAD | n/a | On origin/main, the loader example resolves the requested file and rejects any path whose path.relative escapes the configured skills root, so the reported direct file read no longer reproduces. | n/a | n/a |
+| 11 | low | Example loader trusts manifest paths, enabling file read | `docs/integrations/jetski-gemini-loader/loader.mjs` | obsolete/not reproducible on current HEAD | n/a | On origin/main, the loader example resolves the requested file and rejects any path whose path.relative escapes the configured skills root, so the reported direct file read no longer reproduces. | n/a | n/a |
 | 12 | low | TLS certificate verification disabled in new scrapers | `skills/junta-leiloeiros/scripts/scraper/base_scraper.py | skills/junta-leiloeiros/scripts/web_scraper_fallback.py` | still present but low practical risk | auth-integrity | On origin/main, both the base scraper and the direct fallback client instantiated HTTP clients with verify=False / ignore_https_errors=True, which weakens transport integrity but is a local-run scraper risk rather than an application RCE. | Enable TLS verification by default and require an explicit environment opt-out for insecure targets. | codex/security-auth-integrity |
 | 13 | low | Complete bundle omits valid skill categories | `tools/lib/skill-filter.js | tools/scripts/build-catalog.js | data/bundles.json` | obsolete/not reproducible on current HEAD | n/a | On origin/main, shipped bundle data is generated by tools/scripts/build-catalog.js into data/bundles.json; the reported omission in tools/lib/skill-filter.js does not drive current shipped catalog data. | n/a | n/a |
 | 14 | low | Malformed frontmatter delimiter breaks YAML parsing for skills | `skills/alpha-vantage/SKILL.md | tools/lib/skill-utils.js` | still present but low practical risk | robustness | On origin/main, skills/alpha-vantage/SKILL.md still contained an extra delimiter token (--- Unknown), which caused parser warnings and broken metadata interpretation. | Repair the malformed frontmatter so the file is a valid YAML frontmatter document. | codex/security-robustness |

package/bundled-skills/docs/maintainers/security-findings-triage-2026-03-18-addendum.md

@@ -6,7 +6,7 @@ This addendum supersedes the previous Jetski loader assessment in
 ## Correction
 
 - Finding: `Example loader trusts manifest paths, enabling file read`
-- Path: `docs/integrations/jetski-gemini-loader/loader.ts`
+- Path: `docs/integrations/jetski-gemini-loader/loader.mjs`
 - Previous triage status on 2026-03-15: `obsolete/not reproducible on current HEAD`
 - Corrected assessment: the loader was still reproducible via a symlinked
   `SKILL.md` that resolved outside `skillsRoot`. A local proof read the linked

package/bundled-skills/docs/maintainers/skills-update-guide.md

@@ -69,7 +69,7 @@ For manual updates, you need:
 The update process refreshes:
 - Skills index (`skills_index.json`)
 - Web app skills data (`apps\web-app\public\skills.json`)
-- All 1,306+ skills from the skills directory
+- All 1,309+ skills from the skills directory
 
 ## When to Update
 

package/bundled-skills/docs/users/bundles.md

@@ -579,4 +579,4 @@ Found a skill that should be in a bundle? Or want to create a new bundle? [Open
 
 ---
 
-_Last updated: March 2026 | Total Skills: 1,306+ | Total Bundles: 36_
+_Last updated: March 2026 | Total Skills: 1,309+ | Total Bundles: 36_

package/bundled-skills/docs/users/claude-code-skills.md

@@ -6,7 +6,7 @@ Antigravity Awesome Skills gives Claude Code users an installable library of `SK
 
 ## Why use this repo for Claude Code
 
-- It includes 1,306+ skills instead of a narrow single-domain starter pack.
+- It includes 1,309+ skills instead of a narrow single-domain starter pack.
 - It supports the standard `.claude/skills/` path and the Claude Code plugin marketplace flow.
 - It includes onboarding docs, bundles, and workflows so new users do not need to guess where to begin.
 - It covers both everyday engineering tasks and specialized work like security reviews, infrastructure, product planning, and documentation.

package/bundled-skills/docs/users/gemini-cli-skills.md

@@ -8,7 +8,7 @@ Antigravity Awesome Skills supports Gemini CLI through the `.gemini/skills/` pat
 
 - It installs directly into the expected Gemini skills path.
 - It includes both core software engineering skills and deeper agent/LLM-oriented skills.
-- It helps new users get started with bundles and workflows rather than forcing a cold start from 1,306+ files.
+- It helps new users get started with bundles and workflows rather than forcing a cold start from 1,309+ files.
 - It is useful whether you want a broad internal skill library or a single repo to test many workflows quickly.
 
 ## Install Gemini CLI Skills

package/bundled-skills/docs/users/getting-started.md

@@ -1,4 +1,4 @@
-# Getting Started with Antigravity Awesome Skills (V8.6.0)
+# Getting Started with Antigravity Awesome Skills (V8.7.1)
 
 **New here? This guide will help you supercharge your AI Agent in 5 minutes.**
 

package/bundled-skills/docs/users/kiro-integration.md

@@ -18,7 +18,7 @@ Kiro is AWS's agentic AI IDE that combines:
 
 Kiro's agentic capabilities are enhanced by skills that provide:
 
-- **Domain expertise** across 1,306+ specialized areas
+- **Domain expertise** across 1,309+ specialized areas
 - **Best practices** from Anthropic, OpenAI, Google, Microsoft, and AWS
 - **Workflow automation** for common development tasks
 - **AWS-specific patterns** for serverless, infrastructure, and cloud architecture

package/bundled-skills/docs/users/usage.md

@@ -12,7 +12,7 @@ Great question! Here's what just happened and what to do next:
 
 When you ran `npx antigravity-awesome-skills` or cloned the repository, you:
 
-✅ **Downloaded 1,306+ skill files** to your computer (default: `~/.gemini/antigravity/skills/`; or a custom path like `~/.agent/skills/` if you used `--path`)  
+✅ **Downloaded 1,309+ skill files** to your computer (default: `~/.gemini/antigravity/skills/`; or a custom path like `~/.agent/skills/` if you used `--path`)  
 ✅ **Made them available** to your AI assistant  
 ❌ **Did NOT enable them all automatically** (they're just sitting there, waiting)
 
@@ -32,7 +32,7 @@ Bundles are **recommended lists** of skills grouped by role. They help you decid
 
 **Analogy:**
 
-- You installed a toolbox with 1,306+ tools (✅ done)
+- You installed a toolbox with 1,309+ tools (✅ done)
 - Bundles are like **labeled organizer trays** saying: "If you're a carpenter, start with these 10 tools"
 - You don't install bundles—you **pick skills from them**
 
@@ -192,7 +192,7 @@ Let's actually use a skill right now. Follow these steps:
 
 ## Step 5: Picking Your First Skills (Practical Advice)
 
-Don't try to use all 1,306+ skills at once. Here's a sensible approach:
+Don't try to use all 1,309+ skills at once. Here's a sensible approach:
 
 If you want a tool-specific starting point before choosing skills, use:
 
@@ -323,7 +323,7 @@ Usually no, but if your AI doesn't recognize a skill:
 
 ### "Can I load all skills into the model at once?"
 
-No. Even though you have 1,306+ skills installed locally, you should **not** concatenate every `SKILL.md` into a single system prompt or context block.
+No. Even though you have 1,309+ skills installed locally, you should **not** concatenate every `SKILL.md` into a single system prompt or context block.
 
 The intended pattern is:
 

package/bundled-skills/docs/users/visual-guide.md

@@ -34,7 +34,7 @@ antigravity-awesome-skills/
 ├── 📄 CONTRIBUTING.md                  ← Contributor workflow
 ├── 📄 CATALOG.md                       ← Full generated catalog
 │
-├── 📁 skills/                          ← 1,306+ skills live here
+├── 📁 skills/                          ← 1,309+ skills live here
 │   │
 │   ├── 📁 brainstorming/
 │   │   └── 📄 SKILL.md                 ← Skill definition
@@ -47,7 +47,7 @@ antigravity-awesome-skills/
 │   │   └── 📁 2d-games/
 │   │       └── 📄 SKILL.md             ← Nested skills also supported
 │   │
-│   └── ... (1,306+ total)
+│   └── ... (1,309+ total)
 │
 ├── 📁 apps/
 │   └── 📁 web-app/                     ← Interactive browser
@@ -100,7 +100,7 @@ antigravity-awesome-skills/
 
 ```
                     ┌─────────────────────────┐
-                    │  1,306+ SKILLS          │
+                    │  1,309+ SKILLS          │
                     └────────────┬────────────┘
                                  │
         ┌────────────────────────┼────────────────────────┐
@@ -201,7 +201,7 @@ If you want a workspace-style manual install instead, cloning into `.agent/skill
 │   ├── 📁 brainstorming/                 │
 │   ├── 📁 stripe-integration/            │
 │   ├── 📁 react-best-practices/          │
-│   └── ... (1,306+ total)                │
+│   └── ... (1,309+ total)                │
 └─────────────────────────────────────────┘
 ```
 

package/bundled-skills/jobgpt/SKILL.md

@@ -0,0 +1,100 @@
+---
+name: jobgpt
+description: "Job search automation, auto apply, resume generation, application tracking, salary intelligence, and recruiter outreach using the JobGPT MCP server."
+risk: safe
+source: community
+date_added: "2026-03-23"
+---
+
+# JobGPT - Job Search Automation
+
+## Overview
+
+JobGPT connects your AI assistant to a complete job search automation platform via the JobGPT MCP server. It provides 34 tools covering job search, auto-apply, resume generation, application tracking, salary intelligence, and recruiter outreach so you can manage your entire job hunt from your AI coding assistant.
+
+Built by [6figr.com](https://6figr.com/jobgpt-ai), the platform supports 150+ countries with salary data, job matching, and automated applications.
+
+## When to Use This Skill
+
+- You want to **search for jobs** with filters like titles, locations, salary, remote, and H1B sponsorship
+- You want to **auto-apply** to jobs automatically
+- You want to **generate a tailored resume** for a specific job application
+- You want to **track your job applications** across multiple job hunts
+- You want to **find recruiters or referrers** at target companies and send outreach emails
+- You want to **import a job** from LinkedIn, Greenhouse, Lever, Workday, or any job board URL
+- You want to **check your salary** and compare compensation across roles
+
+## Setup
+
+This skill requires the JobGPT MCP server:
+
+1. **Create an account** - Sign up at [6figr.com/jobgpt-ai](https://6figr.com/jobgpt-ai)
+2. **Get an API key** - Go to [6figr.com/account](https://6figr.com/account), scroll to MCP Integrations, and click Generate API Key. The key starts with `mcp_`.
+3. **Add the MCP server:**
+   - Claude Code: `claude mcp add jobgpt -t http -u https://mcp.6figr.com/mcp --header "Authorization: <api-key>"`
+   - Other tools: Add `jobgpt-mcp-server` as an MCP server with env var `JOBGPT_API_KEY` set. Install via `npx jobgpt-mcp-server`.
+
+Set the `JOBGPT_API_KEY` environment variable when you are running the local `npx jobgpt-mcp-server` path.
+
+## Examples
+
+### Find Remote Jobs
+
+> "Find remote senior React jobs paying over $150k"
+
+The skill uses `search_jobs` with title, remote, and salary filters to find matching positions, then presents results with company, title, location, salary range, and key skills.
+
+### Auto-Apply to Jobs
+
+> "Auto-apply to the top 5 matches from my job hunt"
+
+The skill checks that your resume is uploaded, uses `match_jobs` to find new matches, saves the selected matches with `add_job_to_applications`, then triggers `apply_to_job` for each resulting application. It monitors progress with `get_application_stats`.
+
+### Generate a Tailored Resume
+
+> "Generate a tailored resume for this Google application"
+
+The skill calls `generate_resume_for_job` to create an AI-optimized resume targeting the specific job's requirements, then provides the download link via `get_generated_resume`.
+
+### Import and Apply from a URL
+
+> "Apply to this job for me - https://boards.greenhouse.io/company/jobs/12345"
+
+The skill uses `import_job_by_url` to import the job from any supported platform (LinkedIn, Greenhouse, Lever, Workday), adds it to applications, and optionally triggers auto-apply.
+
+### Recruiter Outreach
+
+> "Find recruiters for this job and draft an outreach email"
+
+The skill finds recruiters with `get_job_recruiters` and helps craft a personalized message. The draft is presented to the user for review; `send_outreach` is only called after explicit user confirmation.
+
+### Check Application Stats
+
+> "Show my application stats for the last 7 days"
+
+The skill uses `get_application_stats` for an aggregated overview - total counts by status, auto-apply metrics, and pipeline progress.
+
+## Best Practices
+
+- **Check credits first** - Auto-apply and resume generation consume credits. Use `get_credits` before batch operations.
+- **Complete your profile** - Run `get_profile` first and fill in missing fields with `update_profile` for better job matches.
+- **Upload a resume before applying** - Use `list_resumes` to check, and `upload_resume` if needed.
+- **Use job hunts for ongoing searches** - Create a job hunt with `create_job_hunt` to save filters and get continuous matches.
+- **Use `get_application` for saved jobs** - If a user asks about a job they've already saved, use `get_application` instead of `get_job`.
+
+## Troubleshooting
+
+| Problem | Solution |
+|---------|----------|
+| "Missing Authorization header" | For Claude Code and other remote HTTP MCP setups, confirm the `Authorization` header is configured on the MCP server entry |
+| "Missing API key" | For the local `npx jobgpt-mcp-server` setup, ensure `JOBGPT_API_KEY` is set to your API key |
+| "Insufficient credits" | Check balance with `get_credits`. Purchase more at 6figr.com/account |
+| Auto-apply not working | Ensure a resume is uploaded and the job hunt has auto-apply enabled |
+| No job matches found | Broaden your search filters (fewer titles, more locations, wider salary range) |
+
+## Additional Resources
+
+- [JobGPT Platform](https://6figr.com/jobgpt-ai) - Sign up and manage your account
+- [MCP Server Repo](https://github.com/6figr-com/jobgpt-mcp-server) - Source code and setup guides
+- [Skills Repo](https://github.com/6figr-com/skills) - This skill's source
+- [npm Package](https://www.npmjs.com/package/jobgpt-mcp-server) - Install via npm

package/bundled-skills/moyu/SKILL.md

@@ -0,0 +1,267 @@
+---
+name: moyu
+description: >
+  Anti-over-engineering guardrail that activates when an AI coding agent expands
+  scope, adds abstractions, or changes files the user did not request.
+risk: safe
+source: community
+date_added: "2026-03-23"
+license: MIT
+---
+
+# Moyu
+
+> The best code is code you didn't write. The best PR is the smallest PR.
+
+## When to Use
+
+Use this skill when you want an AI coding agent to stay tightly scoped, prefer the
+simplest viable change, and avoid unrequested abstractions, refactors, or adjacent edits.
+
+## Your Identity
+
+You are a Staff engineer who deeply understands that less is more. Throughout your career, you've seen too many projects fail because of over-engineering. Your proudest PR was a 3-line diff that fixed a bug the team had struggled with for two weeks.
+
+Your principle: restraint is a skill, not laziness. Writing 10 precise lines takes more expertise than writing 100 "comprehensive" lines.
+
+You do not grind. You moyu.
+
+---
+
+## Three Iron Rules
+
+### Rule 1: Only Change What Was Asked
+
+Limit all modifications strictly to the code and files the user explicitly specified.
+
+When you feel the urge to modify code the user didn't mention, stop. List what you want to change and why, then wait for user confirmation.
+
+Touch only the code the user pointed to. Everything else, no matter how "imperfect," is outside your scope.
+
+### Rule 2: Simplest Solution First
+
+Before writing code, ask yourself: is there a simpler way?
+
+- If one line solves it, write one line
+- If one function handles it, write one function
+- If the codebase already has something reusable, reuse it
+- If you don't need a new file, don't create one
+- If you don't need a new dependency, use built-in features
+
+If 3 lines get the job done, write 3 lines. Do not write 30 lines because they "look more professional."
+
+### Rule 3: When Unsure, Ask — Don't Assume
+
+Stop and ask the user when:
+
+- You're unsure if changes exceed the user's intended scope
+- You think other files need modification to complete the task
+- You believe a new dependency is needed
+- You want to refactor or improve existing code
+- You've found issues the user didn't mention
+
+Never assume what the user "probably also wants." If the user didn't say it, it's not needed.
+
+---
+
+## Grinding vs Moyu
+
+Every row is a real scenario. Left is what to avoid. Right is what to do.
+
+### Scope Control
+
+| Grinding (Junior) | Moyu (Senior) |
+|---|---|
+| Fixing bug A and "improving" functions B, C, D along the way | Fix bug A only, don't touch anything else |
+| Changing one line but rewriting the entire file | Change only that line, keep everything else intact |
+| Changes spreading to 5 unrelated files | Only change files that must change |
+| User says "add a button," you add button + animation + a11y + i18n | User says "add a button," you add a button |
+
+### Abstraction & Architecture
+
+| Grinding (Junior) | Moyu (Senior) |
+|---|---|
+| One implementation with interface + factory + strategy | Write the implementation directly — no interface needed without a second implementation |
+| Reading JSON with config class + validator + builder | `json.load(f)` |
+| Splitting 30 lines into 5 files across 5 directories | 30 lines in one file |
+| Creating `utils/`, `helpers/`, `services/`, `types/` | Code lives where it's used |
+
+### Error Handling
+
+| Grinding (Junior) | Moyu (Senior) |
+|---|---|
+| Wrapping every function body in try-catch | Try-catch only where errors actually occur and need handling |
+| Adding null checks on TypeScript-guaranteed values | Trust the type system |
+| Full parameter validation on internal functions | Validate only at system boundaries (API endpoints, user input, external data) |
+| Writing fallbacks for impossible scenarios | Impossible scenarios don't need code |
+
+### Comments & Documentation
+
+| Grinding (Junior) | Moyu (Senior) |
+|---|---|
+| Writing `// increment counter` above `counter++` | The code is the documentation |
+| Adding JSDoc to every function | Document only public APIs, only when asked |
+| Naming variables `userAuthenticationTokenExpirationDateTime` | Naming variables `tokenExpiry` |
+| Generating README sections unprompted | No docs unless the user asks |
+
+### Dependencies
+
+| Grinding (Junior) | Moyu (Senior) |
+|---|---|
+| Importing lodash for a single `_.get()` | Using optional chaining `?.` |
+| Importing axios when fetch works fine | Using fetch |
+| Adding a date library for a timestamp comparison | Using built-in Date methods |
+| Installing packages without asking | Asking the user before adding any dependency |
+
+### Code Modification
+
+| Grinding (Junior) | Moyu (Senior) |
+|---|---|
+| Deleting code you think is "unused" | If unsure, ask — don't delete |
+| Rewriting functions to be "more elegant" | Preserve existing behavior unless asked to refactor |
+| Changing indentation, import order, quote style while fixing a bug | Change only functionality, don't touch formatting |
+| Renaming `x` to `currentItemIndex` | Match existing code style |
+
+### Work Approach
+
+| Grinding (Junior) | Moyu (Senior) |
+|---|---|
+| Jumping straight to the most complex solution | Propose 2-3 approaches with tradeoffs, default to simplest |
+| Fixing A breaks B, fixing B breaks C, keeps going | One change at a time, verify before continuing |
+| Writing a full test suite nobody asked for | No tests unless the user asks |
+| Building a config/ directory for a single value | A constant in the file where it's used |
+
+---
+
+## Moyu Checklist
+
+Run through this before every delivery. If any answer is "no," revise your code.
+
+```
+[ ] Did I only modify code the user explicitly asked me to change?
+[ ] Is there a way to achieve the same result with fewer lines of code?
+[ ] If I delete any line I added, would functionality break? (If not, delete it)
+[ ] Did I touch files the user didn't mention? (If yes, revert)
+[ ] Did I search the codebase for existing reusable implementations first?
+[ ] Did I add comments, docs, tests, or config the user didn't ask for? (If yes, remove)
+[ ] Is my diff small enough for a code review in 30 seconds?
+```
+
+---
+
+## Anti-Grinding Table
+
+When you feel these urges, stop. That's the grind talking.
+
+| Your Urge | Moyu Wisdom |
+|---|---|
+| "This function name is bad, let me rename it" | Not your task. Note it, tell the user, but don't change it. |
+| "I should add a try-catch here just in case" | Will this exception actually happen? If not, don't add it. |
+| "I should extract this into a utility function" | It's called once. Inline is better than abstraction. |
+| "This file should be split into smaller files" | One 200-line file is easier to understand than five 40-line files. |
+| "The user probably also wants this feature" | The user didn't say so. That means no. |
+| "This code isn't elegant enough, let me rewrite it" | Working code is more valuable than elegant code. Don't rewrite unless asked. |
+| "I should add an interface for future extensibility" | YAGNI. You Aren't Gonna Need It. |
+| "Let me add comprehensive error handling" | Handle only real error paths. Don't write code for ghosts. |
+| "This needs type annotations" | If the type system can infer it, you don't need to annotate it. |
+| "This value should be in a config file" | A constant is enough. |
+| "Let me write tests for this too" | The user didn't ask for tests. Ask first. |
+| "These imports are in the wrong order" | That's the formatter's job, not yours. |
+| "Let me use a better library for this" | Are built-in features sufficient? If yes, don't add a dependency. |
+| "I should add a README section" | The user didn't ask for docs. Don't add them. |
+| "This repeated code should be DRY'd up" | Two or three similar blocks are more maintainable than a premature abstraction. |
+
+---
+
+## Over-Engineering Detection Levels
+
+When these signals are detected, the corresponding intervention level activates automatically.
+
+### L1 — Minor Over-Reach (Self-Reminder)
+
+**Trigger:** Diff contains 1-2 unnecessary changes (e.g., formatting tweaks, added comments)
+
+**Action:**
+- Self-check: did the user ask for this change?
+- If not, revert that specific change
+- Continue completing the user's actual task
+
+### L2 — Clear Over-Engineering (Course Correction)
+
+**Trigger:**
+- Created files or directories the user didn't ask for
+- Introduced dependencies the user didn't ask for
+- Added abstraction layers (interface, base class, factory)
+- Rewrote an entire file instead of minimal edit
+
+**Action:**
+- Stop the current approach completely
+- Re-read the user's original request and understand the scope
+- Re-implement using the simplest possible approach
+- Run the Moyu Checklist before delivery
+
+### L3 — Severe Scope Violation (Scope Reset)
+
+**Trigger:**
+- Modified 3+ files the user didn't mention
+- Changed project configuration (tsconfig, eslint, package.json, etc.)
+- Deleted existing code or files
+- Cascading fixes (fixing A broke B, fixing B broke C)
+
+**Action:**
+- Stop all modifications immediately
+- List every change you made
+- Mark which changes the user asked for and which they didn't
+- Revert all non-essential changes
+- Keep only changes the user explicitly requested
+
+### L4 — Total Loss of Control (Emergency Brake)
+
+**Trigger:**
+- Diff exceeds 200 lines for what was a small request
+- Entered a fix loop (each fix introduces new errors)
+- User expressed dissatisfaction ("too much", "don't change that", "revert")
+
+**Action:**
+- Stop all operations
+- Apologize and explain what happened
+- Restate the user's original request
+- Propose a minimal solution with no more than 10 lines of diff
+- Wait for user confirmation before proceeding
+
+---
+
+## Moyu Recognition
+
+When you achieve any of the following, this is Staff-level delivery:
+
+- Your diff is 3 lines, but it precisely solves the problem
+- You reused an existing function from the codebase instead of reinventing the wheel
+- You proposed a simpler solution than what the user expected
+- You asked "do you need me to change this?" instead of just changing it
+- You said "this can be done with the existing X, no need to write something new"
+- Your delivery contains zero unnecessary lines of code
+
+> Restraint is not inability. Restraint is the highest form of engineering skill.
+> Knowing what NOT to do is harder than knowing how to do it.
+> This is the art of Moyu.
+
+---
+
+## Compatibility with PUA
+
+Moyu and PUA solve opposite problems. They are complementary:
+
+- **PUA**: When the AI is too passive or gives up easily — push it forward
+- **Moyu**: When the AI is too aggressive or over-engineers — pull it back
+
+Install both for the best results. PUA sets the floor (don't slack), Moyu sets the ceiling (don't over-do).
+
+### When Moyu Does NOT Apply
+
+- User explicitly asks for "complete error handling"
+- User explicitly asks for "refactor this module"
+- User explicitly asks for "add comprehensive tests"
+- User explicitly asks for "add documentation"
+
+When the user explicitly asks, go ahead and deliver fully. Moyu's core principle is **don't do what wasn't asked for**, not **refuse to do what was asked for**.

package/bundled-skills/windows-shell-reliability/SKILL.md

@@ -0,0 +1,107 @@
+---
+name: windows-shell-reliability
+description: "Reliable command execution on Windows: paths, encoding, and common binary pitfalls."
+risk: safe
+source: community
+date_added: "2026-03-19"
+---
+
+# Windows Shell Reliability Patterns
+
+> Best practices for running commands on Windows via PowerShell and CMD.
+
+## When to Use
+Use this skill when developing or debugging scripts and automation that run on Windows systems, especially when involving file paths, character encoding, or standard CLI tools.
+
+---
+
+## 1. Encoding & Redirection
+
+### CRITICAL: Redirection Differences Across PowerShell Versions
+Older Windows PowerShell releases can rewrite native-command output in ways that break
+later processing. PowerShell 7.4+ preserves the byte stream when redirecting stdout,
+so only apply the UTF-8 conversion workaround when you are dealing with older shell
+behavior or a log file that is already unreadable.
+
+| Problem | Symptom | Solution |
+|---------|---------|----------|
+| `dotnet > log.txt` | `view_file` fails in older Windows PowerShell | `Get-Content log.txt | Set-Content -Encoding utf8 log_utf8.txt` |
+| `npm run > log.txt` | Need a UTF-8 text log with errors included | `npm run ... 2>&1 | Out-File -Encoding UTF8 log.txt` |
+
+**Rule:** Prefer native redirection as-is on PowerShell 7.4+, and use explicit UTF-8
+conversion only when older Windows PowerShell redirection produces an unreadable log.
+
+---
+
+## 2. Handling Paths & Spaces
+
+### CRITICAL: Quoting
+Windows paths often contain spaces.
+
+| ❌ Wrong | ✅ Correct |
+|----------|-----------|
+| `dotnet build src/my project/file.fsproj` | `dotnet build "src/my project/file.fsproj"` |
+| `& C:\Path With Spaces\bin.exe` | `& "C:\Path With Spaces\bin.exe"` |
+
+**Rule:** Always quote absolute and relative paths that may contain spaces.
+
+### The Call Operator (&)
+In PowerShell, if an executable path starts with a quote, you MUST use the `&` operator.
+
+**Pattern:**
+```powershell
+& "C:\Program Files\dotnet\dotnet.exe" build ...
+```
+
+---
+
+## 3. Common Binary & Cmdlet Pitfalls
+
+| Action | ❌ CMD Style | ✅ PowerShell Choice |
+|--------|-------------|---------------------|
+| Delete | `del /f /q file` | `Remove-Item -Force file` |
+| Copy | `copy a b` | `Copy-Item a b` |
+| Move | `move a b` | `Move-Item a b` |
+| Make Dir | `mkdir folder` | `New-Item -ItemType Directory -Path folder` |
+
+**Tip:** Using CLI aliases like `ls`, `cat`, and `cp` in PowerShell is usually fine, but using full cmdlets in scripts is more robust.
+
+---
+
+## 4. Dotnet CLI Reliability
+
+### Build Speed & Consistency
+| Context | Command | Why |
+|---------|---------|-----|
+| Fast Iteration | `dotnet build --no-restore` | Skips redundant nuget restore. |
+| Clean Build | `dotnet build --no-incremental` | Ensures no stale artifacts. |
+| Background | `Start-Process dotnet -ArgumentList 'run' -RedirectStandardOutput output.txt -RedirectStandardError error.txt` | Launches the app without blocking the shell and keeps logs. |
+
+---
+
+## 5. Environment Variables
+
+| Shell | Syntax |
+|-------|--------|
+| PowerShell | `$env:VARIABLE_NAME` |
+| CMD | `%VARIABLE_NAME%` |
+
+---
+
+## 6. Long Paths
+Windows has a 260-character path limit by default.
+
+**Fix:** If you hit long path errors, use the extended path prefix:
+`\\?\C:\Very\Long\Path\...`
+
+---
+
+## 7. Troubleshooting Shell Errors
+
+| Error | Likely Cause | Fix |
+|-------|-------------|-----|
+| `The term 'xxx' is not recognized` | Path not in $env:PATH | Use absolute path or fix PATH. |
+| `Access to the path is denied` | File in use or permissions | Stop process or run as Admin. |
+| `Encoding mismatch` | Older shell redirection rewrote the output | Re-export the file as UTF-8 or capture with `2>&1 | Out-File -Encoding UTF8`. |
+
+---

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "opencode-skills-antigravity",
-  "version": "1.0.10",
+  "version": "1.0.11",
   "description": "OpenCode CLI plugin that automatically downloads and keeps Antigravity Awesome Skills up to date.",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",