opencode-skills-antigravity 1.0.9 → 1.0.11

package/bundled-skills/cpp-pro/references/templates.md

@@ -0,0 +1,357 @@
+# Template Metaprogramming
+
+## Variadic Templates
+
+```cpp
+#include <iostream>
+#include <utility>
+
+// Fold expressions (C++17)
+template<typename... Args>
+auto sum(Args... args) {
+    return (args + ...);  // Unary right fold
+}
+
+template<typename... Args>
+void print(Args&&... args) {
+    ((std::cout << args << ' '), ...);  // Binary left fold
+    std::cout << '\n';
+}
+
+// Recursive variadic template
+template<typename T>
+void log(T&& value) {
+    std::cout << value << '\n';
+}
+
+template<typename T, typename... Args>
+void log(T&& first, Args&&... rest) {
+    std::cout << first << ", ";
+    log(std::forward<Args>(rest)...);
+}
+
+// Parameter pack expansion
+template<typename... Types>
+struct TypeList {
+    static constexpr size_t size = sizeof...(Types);
+};
+
+template<typename... Args>
+auto make_tuple_advanced(Args&&... args) {
+    return std::tuple<std::decay_t<Args>...>(std::forward<Args>(args)...);
+}
+```
+
+## SFINAE and if constexpr
+
+```cpp
+#include <type_traits>
+
+// SFINAE with std::enable_if (older style)
+template<typename T>
+std::enable_if_t<std::is_integral_v<T>, T>
+double_value(T value) {
+    return value * 2;
+}
+
+template<typename T>
+std::enable_if_t<std::is_floating_point_v<T>, T>
+double_value(T value) {
+    return value * 2.0;
+}
+
+// Modern: if constexpr (C++17)
+template<typename T>
+auto process(T value) {
+    if constexpr (std::is_integral_v<T>) {
+        return value * 2;
+    } else if constexpr (std::is_floating_point_v<T>) {
+        return value * 2.0;
+    } else {
+        return value;
+    }
+}
+
+// Detection idiom
+template<typename T, typename = void>
+struct has_serialize : std::false_type {};
+
+template<typename T>
+struct has_serialize<T, std::void_t<decltype(std::declval<T>().serialize())>>
+    : std::true_type {};
+
+template<typename T>
+constexpr bool has_serialize_v = has_serialize<T>::value;
+
+// Use with if constexpr
+template<typename T>
+void save(const T& obj) {
+    if constexpr (has_serialize_v<T>) {
+        obj.serialize();
+    } else {
+        // Default serialization
+    }
+}
+```
+
+## Type Traits
+
+```cpp
+#include <type_traits>
+
+// Custom type traits
+template<typename T>
+struct remove_all_pointers {
+    using type = T;
+};
+
+template<typename T>
+struct remove_all_pointers<T*> {
+    using type = typename remove_all_pointers<T>::type;
+};
+
+template<typename T>
+using remove_all_pointers_t = typename remove_all_pointers<T>::type;
+
+// Conditional types
+template<bool Condition, typename T, typename F>
+struct conditional_type {
+    using type = T;
+};
+
+template<typename T, typename F>
+struct conditional_type<false, T, F> {
+    using type = F;
+};
+
+// Compile-time type selection
+template<size_t N>
+struct best_integral_type {
+    using type = std::conditional_t<N <= 8, uint8_t,
+                 std::conditional_t<N <= 16, uint16_t,
+                 std::conditional_t<N <= 32, uint32_t, uint64_t>>>;
+};
+
+// Check for member functions
+template<typename T, typename = void>
+struct has_reserve : std::false_type {};
+
+template<typename T>
+struct has_reserve<T, std::void_t<decltype(std::declval<T>().reserve(size_t{}))>>
+    : std::true_type {};
+```
+
+## CRTP (Curiously Recurring Template Pattern)
+
+```cpp
+// Static polymorphism with CRTP
+template<typename Derived>
+class Shape {
+public:
+    double area() const {
+        return static_cast<const Derived*>(this)->area_impl();
+    }
+
+    void draw() const {
+        static_cast<const Derived*>(this)->draw_impl();
+    }
+};
+
+class Circle : public Shape<Circle> {
+    double radius_;
+public:
+    Circle(double r) : radius_(r) {}
+
+    double area_impl() const {
+        return 3.14159 * radius_ * radius_;
+    }
+
+    void draw_impl() const {
+        std::cout << "Drawing circle\n";
+    }
+};
+
+class Rectangle : public Shape<Rectangle> {
+    double width_, height_;
+public:
+    Rectangle(double w, double h) : width_(w), height_(h) {}
+
+    double area_impl() const {
+        return width_ * height_;
+    }
+
+    void draw_impl() const {
+        std::cout << "Drawing rectangle\n";
+    }
+};
+
+// CRTP for mixin capabilities
+template<typename Derived>
+class Printable {
+public:
+    void print() const {
+        std::cout << static_cast<const Derived*>(this)->to_string() << '\n';
+    }
+};
+
+class User : public Printable<User> {
+    std::string name_;
+public:
+    User(std::string name) : name_(std::move(name)) {}
+
+    std::string to_string() const {
+        return "User: " + name_;
+    }
+};
+```
+
+## Template Template Parameters
+
+```cpp
+#include <vector>
+#include <list>
+#include <deque>
+
+// Template template parameter
+template<typename T, template<typename, typename> class Container>
+class Stack {
+    Container<T, std::allocator<T>> data_;
+
+public:
+    void push(const T& value) {
+        data_.push_back(value);
+    }
+
+    T pop() {
+        T value = data_.back();
+        data_.pop_back();
+        return value;
+    }
+
+    size_t size() const {
+        return data_.size();
+    }
+};
+
+// Usage with different containers
+Stack<int, std::vector> vector_stack;
+Stack<int, std::deque> deque_stack;
+Stack<int, std::list> list_stack;
+```
+
+## Compile-Time Computation
+
+```cpp
+#include <array>
+
+// Compile-time factorial
+constexpr int factorial(int n) {
+    return n <= 1 ? 1 : n * factorial(n - 1);
+}
+
+constexpr int fact_5 = factorial(5);  // Computed at compile time
+
+// Compile-time prime checking
+constexpr bool is_prime(int n) {
+    if (n < 2) return false;
+    for (int i = 2; i * i <= n; ++i) {
+        if (n % i == 0) return false;
+    }
+    return true;
+}
+
+// Generate compile-time array of primes
+template<size_t N>
+constexpr auto generate_primes() {
+    std::array<int, N> primes{};
+    int count = 0;
+    int candidate = 2;
+
+    while (count < N) {
+        if (is_prime(candidate)) {
+            primes[count++] = candidate;
+        }
+        ++candidate;
+    }
+
+    return primes;
+}
+
+constexpr auto first_10_primes = generate_primes<10>();
+```
+
+## Expression Templates
+
+```cpp
+// Lazy evaluation with expression templates
+template<typename E>
+class VecExpression {
+public:
+    double operator[](size_t i) const {
+        return static_cast<const E&>(*this)[i];
+    }
+
+    size_t size() const {
+        return static_cast<const E&>(*this).size();
+    }
+};
+
+class Vec : public VecExpression<Vec> {
+    std::vector<double> data_;
+
+public:
+    Vec(size_t n) : data_(n) {}
+
+    double operator[](size_t i) const { return data_[i]; }
+    double& operator[](size_t i) { return data_[i]; }
+    size_t size() const { return data_.size(); }
+
+    // Evaluate expression template
+    template<typename E>
+    Vec& operator=(const VecExpression<E>& expr) {
+        for (size_t i = 0; i < size(); ++i) {
+            data_[i] = expr[i];
+        }
+        return *this;
+    }
+};
+
+// Binary operation expression
+template<typename E1, typename E2>
+class VecSum : public VecExpression<VecSum<E1, E2>> {
+    const E1& lhs_;
+    const E2& rhs_;
+
+public:
+    VecSum(const E1& lhs, const E2& rhs) : lhs_(lhs), rhs_(rhs) {}
+
+    double operator[](size_t i) const {
+        return lhs_[i] + rhs_[i];
+    }
+
+    size_t size() const { return lhs_.size(); }
+};
+
+// Operator overload
+template<typename E1, typename E2>
+VecSum<E1, E2> operator+(const VecExpression<E1>& lhs,
+                         const VecExpression<E2>& rhs) {
+    return VecSum<E1, E2>(static_cast<const E1&>(lhs),
+                          static_cast<const E2&>(rhs));
+}
+
+// Usage: a = b + c + d  (no temporaries created!)
+```
+
+## Quick Reference
+
+| Technique | Use Case | Performance |
+|-----------|----------|-------------|
+| Variadic Templates | Variable arguments | Zero overhead |
+| SFINAE | Conditional compilation | Compile-time |
+| if constexpr | Type-based branching | Zero overhead |
+| CRTP | Static polymorphism | No vtable cost |
+| Expression Templates | Lazy evaluation | Eliminates temps |
+| Type Traits | Type introspection | Compile-time |
+| Fold Expressions | Parameter pack ops | Optimal |
+| Template Specialization | Type-specific impl | Zero overhead |

package/bundled-skills/cpp-pro/resources/implementation-playbook.md

@@ -0,0 +1,43 @@
+# C++ Implementation Playbook
+
+**Date:** March 23, 2026  
+**Author:** champbreed  
+---
+
+## 1. RAII & Resource Management
+Always wrap raw resources in manager objects to ensure cleanup on scope exit.
+```cpp
+// Good: Scope-bound cleanup
+void process() {
+    auto data = std::make_unique<uint8_t[]>(1024);
+    // memory is freed automatically
+}
+```
+## 2. Smart Pointer Ownership
+- **unique_ptr**: Use for exclusive ownership.
+- **shared_ptr**: Use for shared ownership across components.
+- **weak_ptr**: Use to break circular reference cycles.
+
+## 3. Concurrency Safety
+Always use RAII-style locks like `std::lock_guard` or `std::unique_lock`.
+```cpp
+void update() {
+    std::lock_guard<std::mutex> lock(mutex_); // Released automatically
+    // thread-safe logic
+}
+```
+## 4. Move Semantics & Efficiency
+Avoid expensive copies by utilizing move constructors and `std::move`.
+```cpp
+void processData(std::vector<std::string>&& data) {
+    auto internalData = std::move(data); // Transfers ownership, no copy
+}
+```
+## 5. Modern STL Algorithms
+Prefer algorithms over manual loops for readability and optimization.
+
+```cpp
+void sortData(std::vector<int>& myVector) {
+    // Use std::ranges (C++20) for cleaner, safer iteration
+    std::ranges::sort(myVector);
+}

package/bundled-skills/docs/integrations/jetski-cortex.md

@@ -1,9 +1,9 @@
 ---
 title: Jetski/Cortex + Gemini Integration Guide
-description: "Come usare antigravity-awesome-skills con Jetski/Cortex evitando l’overflow di contesto con 1.306+ skill."
+description: "Come usare antigravity-awesome-skills con Jetski/Cortex evitando l’overflow di contesto con 1.309+ skill."
 ---
 
-# Jetski/Cortex + Gemini: integrazione sicura con 1.306+ skill
+# Jetski/Cortex + Gemini: integrazione sicura con 1.309+ skill
 
 Questa guida mostra come integrare il repository `antigravity-awesome-skills` con un agente basato su **Jetski/Cortex + Gemini** (o framework simili) **senza superare il context window** del modello.
 
@@ -23,7 +23,7 @@ Non bisogna mai:
 - concatenare il contenuto di tutte le `SKILL.md` in un singolo system prompt;
 - reiniettare l’intera libreria per **ogni** richiesta.
 
-Con oltre 1.306 skill, questo approccio riempie il context window prima ancora di aggiungere i messaggi dell’utente, causando l’errore di truncation.
+Con oltre 1.309 skill, questo approccio riempie il context window prima ancora di aggiungere i messaggi dell’utente, causando l’errore di truncation.
 
 ---
 

package/bundled-skills/docs/integrations/jetski-gemini-loader/README.md

@@ -20,13 +20,13 @@ This example shows one way to integrate **antigravity-awesome-skills** with a Je
 - How to enforce a **maximum number of skills per turn** via `maxSkillsPerTurn`.
 - How to choose whether to **truncate or error** when too many skills are requested via `overflowBehavior`.
 
-This pattern avoids context overflow when you have 1,306+ skills installed.
+This pattern avoids context overflow when you have 1,309+ skills installed.
 
 ---
 
 ## Files
 
-- `loader.ts`
+- `loader.mjs`
   - Implements:
     - `loadSkillIndex(indexPath)`;
     - `resolveSkillsFromMessages(messages, index, maxSkills)`;
@@ -45,7 +45,7 @@ import {
   loadSkillIndex,
   buildModelMessages,
   Message,
-} from "./loader";
+} from "./loader.mjs";
 
 const REPO_ROOT = "/path/to/antigravity-awesome-skills";
 const SKILLS_ROOT = REPO_ROOT;
@@ -86,7 +86,7 @@ Adapt the paths and model call to your environment.
 - **Do not** iterate through `skills/*/SKILL.md` and load everything at once.
 - This example:
   - assumes skills live under the same repo root as `data/skills_index.json`;
-  - uses Node.js `fs`/`path` APIs and TypeScript types for clarity.
+  - uses a plain Node.js ESM module so it can be imported directly without a TypeScript runtime.
 - In a real host:
   - wire `buildModelMessages` into the point where you currently assemble the prompt before `TrajectoryChatConverter`;
   - consider `overflowBehavior: "error"` if you want a clear user-facing failure instead of silently dropping extra skills;

package/bundled-skills/docs/integrations/jetski-gemini-loader/{loader.ts → loader.mjs}

@@ -1,27 +1,28 @@
 import fs from "fs";
 import path from "path";
 
-export type SkillMeta = {
-  id: string;
-  path: string;
-  name: string;
-  description?: string;
-  category?: string;
-  risk?: string;
-};
-
-export type Message = {
-  role: "system" | "user" | "assistant";
-  content: string;
-};
+/**
+ * @typedef {{
+ *   id: string,
+ *   path: string,
+ *   name: string,
+ *   description?: string,
+ *   category?: string,
+ *   risk?: string,
+ * }} SkillMeta
+ */
+
+/**
+ * @typedef {{
+ *   role: "system" | "user" | "assistant",
+ *   content: string,
+ * }} Message
+ */
 
 const SKILL_ID_REGEX = /@([a-zA-Z0-9-_./]+)/g;
 
-function collectReferencedSkillIds(
-  messages: Message[],
-  index: Map<string, SkillMeta>
-): string[] {
-  const referencedSkillIds = new Set<string>();
+function collectReferencedSkillIds(messages, index) {
+  const referencedSkillIds = new Set();
 
   for (const msg of messages) {
     for (const match of msg.content.matchAll(SKILL_ID_REGEX)) {
@@ -35,7 +36,7 @@ function collectReferencedSkillIds(
   return [...referencedSkillIds];
 }
 
-function assertValidMaxSkills(maxSkills: number): number {
+function assertValidMaxSkills(maxSkills) {
   if (!Number.isInteger(maxSkills) || maxSkills < 1) {
     throw new Error("maxSkills must be a positive integer.");
   }
@@ -43,10 +44,10 @@ function assertValidMaxSkills(maxSkills: number): number {
   return maxSkills;
 }
 
-export function loadSkillIndex(indexPath: string): Map<string, SkillMeta> {
+export function loadSkillIndex(indexPath) {
   const raw = fs.readFileSync(indexPath, "utf8");
-  const arr = JSON.parse(raw) as SkillMeta[];
-  const map = new Map<string, SkillMeta>();
+  const arr = JSON.parse(raw);
+  const map = new Map();
 
   for (const meta of arr) {
     map.set(meta.id, meta);
@@ -55,15 +56,11 @@ export function loadSkillIndex(indexPath: string): Map<string, SkillMeta> {
   return map;
 }
 
-export function resolveSkillsFromMessages(
-  messages: Message[],
-  index: Map<string, SkillMeta>,
-  maxSkills: number
-): SkillMeta[] {
+export function resolveSkillsFromMessages(messages, index, maxSkills) {
   const skillLimit = assertValidMaxSkills(maxSkills);
   const referencedSkillIds = collectReferencedSkillIds(messages, index);
 
-  const metas: SkillMeta[] = [];
+  const metas = [];
   for (const id of referencedSkillIds) {
     const meta = index.get(id);
     if (meta) {
@@ -77,11 +74,8 @@ export function resolveSkillsFromMessages(
   return metas;
 }
 
-export async function loadSkillBodies(
-  skillsRoot: string,
-  metas: SkillMeta[]
-): Promise<string[]> {
-  const bodies: string[] = [];
+export async function loadSkillBodies(skillsRoot, metas) {
+  const bodies = [];
   const rootPath = path.resolve(skillsRoot);
   const rootRealPath = await fs.promises.realpath(rootPath);
 
@@ -95,13 +89,17 @@ export async function loadSkillBodies(
 
     const skillDirStat = await fs.promises.lstat(skillDirPath);
     if (!skillDirStat.isDirectory() || skillDirStat.isSymbolicLink()) {
-      throw new Error(`Skill directory must be a regular directory inside the skills root: ${meta.id}`);
+      throw new Error(
+        `Skill directory must be a regular directory inside the skills root: ${meta.id}`,
+      );
     }
 
     const fullPath = path.join(skillDirPath, "SKILL.md");
     const skillFileStat = await fs.promises.lstat(fullPath);
     if (!skillFileStat.isFile() || skillFileStat.isSymbolicLink()) {
-      throw new Error(`SKILL.md must be a regular file inside the skills root: ${meta.id}`);
+      throw new Error(
+        `SKILL.md must be a regular file inside the skills root: ${meta.id}`,
+      );
     }
 
     const realPath = await fs.promises.realpath(fullPath);
@@ -117,14 +115,7 @@ export async function loadSkillBodies(
   return bodies;
 }
 
-export async function buildModelMessages(options: {
-  baseSystemMessages: Message[];
-  trajectory: Message[];
-  skillIndex: Map<string, SkillMeta>;
-  skillsRoot: string;
-  maxSkillsPerTurn?: number;
-  overflowBehavior?: "truncate" | "error";
-}): Promise<Message[]> {
+export async function buildModelMessages(options) {
   const {
     baseSystemMessages,
     trajectory,
@@ -136,19 +127,16 @@ export async function buildModelMessages(options: {
   const skillLimit = assertValidMaxSkills(maxSkillsPerTurn);
   const referencedSkillIds = collectReferencedSkillIds(trajectory, skillIndex);
 
-  if (
-    overflowBehavior === "error" &&
-    referencedSkillIds.length > skillLimit
-  ) {
+  if (overflowBehavior === "error" && referencedSkillIds.length > skillLimit) {
     throw new Error(
-      `Too many skills requested in a single turn. Reduce @skill-id usage to ${skillLimit} or fewer.`
+      `Too many skills requested in a single turn. Reduce @skill-id usage to ${skillLimit} or fewer.`,
     );
   }
 
   const selectedMetas = resolveSkillsFromMessages(
     trajectory,
     skillIndex,
-    skillLimit
+    skillLimit,
   );
 
   if (selectedMetas.length === 0) {
@@ -157,7 +145,7 @@ export async function buildModelMessages(options: {
 
   const skillBodies = await loadSkillBodies(skillsRoot, selectedMetas);
 
-  const skillMessages: Message[] = skillBodies.map((body) => ({
+  const skillMessages = skillBodies.map((body) => ({
     role: "system",
     content: body,
   }));

package/bundled-skills/docs/maintainers/repo-growth-seo.md

@@ -6,7 +6,7 @@ This document keeps the repository's GitHub-facing discovery copy aligned with t
 
 Preferred positioning:
 
-> Installable GitHub library of 1,306+ agentic skills for Claude Code, Cursor, Codex CLI, Gemini CLI, Antigravity, and other AI coding assistants.
+> Installable GitHub library of 1,309+ agentic skills for Claude Code, Cursor, Codex CLI, Gemini CLI, Antigravity, and other AI coding assistants.
 
 Key framing:
 
@@ -20,7 +20,7 @@ Key framing:
 
 Preferred description:
 
-> Installable GitHub library of 1,306+ agentic skills for Claude Code, Cursor, Codex CLI, Gemini CLI, Antigravity, and more. Includes installer CLI, bundles, workflows, and official/community skill collections.
+> Installable GitHub library of 1,309+ agentic skills for Claude Code, Cursor, Codex CLI, Gemini CLI, Antigravity, and more. Includes installer CLI, bundles, workflows, and official/community skill collections.
 
 Preferred homepage:
 
@@ -28,7 +28,7 @@ Preferred homepage:
 
 Preferred social preview:
 
-- use a clean preview image that says `1,306+ Agentic Skills`;
+- use a clean preview image that says `1,309+ Agentic Skills`;
 - mention Claude Code, Cursor, Codex CLI, and Gemini CLI;
 - avoid dense text and tiny logos that disappear in social cards.
 

package/bundled-skills/docs/maintainers/security-findings-triage-2026-03-15.csv

@@ -9,7 +9,7 @@ https://chatgpt.com/codex/security/findings/24940dbf717081919c799c7f3e1481e6,sic
 https://chatgpt.com/codex/security/findings/ad700289b03c8191a2b256e0b9a72e24,sickn33/antigravity-awesome-skills,https://github.com/sickn33/antigravity-awesome-skills,Symlinked file copy in Microsoft skill sync can leak host data,"The newly added `scripts/sync_microsoft_skills.py` copies all non-SKILL files from the cloned Microsoft repository into `skills/official/microsoft`. It uses `Path.is_file()` and `shutil.copy2()` without disabling symlink following. If an attacker can introduce a symlinked file in the upstream repo (or a compromised mirror), the script will dereference it and copy the target file contents (e.g., `/proc/self/environ`, `~/.ssh/*`) into the skills directory. When run in CI or a maintainer environment, this enables unintended disclosure of host files and secrets through the generated artifacts.",medium,new,2026-03-13T21:49:30.432277Z,2026-02-11 20:36:09 +0500,ar27111994@gmail.com,,,false,user-fuMnwbfSqxaibK03vsOVrTVI:github-1134426800,17bce709dedfbbdbcc836c0ca24eaa85713fca66,scripts/sync_microsoft_skills.py,,226f10c2a62fc182b4e93458bddea2e60f9b0cb9,tools/scripts/sync_microsoft_skills.py,duplicate of another finding,Microsoft sync resolved symlinked skill directories and copied files without proving the resolved source stayed inside the cloned repo.,filesystem-trust-boundary,Symlink file copying in .github/skills sync leaks host files,Same origin/main behavior as finding 7: the Microsoft sync path trusted resolved symlink targets and copied files from them.,Fix once in sync_microsoft_skills.py by constraining resolved paths to the clone root.,python3 tools/scripts/tests/test_sync_microsoft_skills_security.py,codex/security-filesystem-trust-boundary
 https://chatgpt.com/codex/security/findings/7dd6119817408191b7e18678576a958a,sickn33/antigravity-awesome-skills,https://github.com/sickn33/antigravity-awesome-skills,Committed Python bytecode can hide malicious logic,"This update introduces compiled Python bytecode files (core.cpython-314.pyc and design_system.cpython-314.pyc) into the repository. When search.py imports core or design_system, Python will prefer a valid __pycache__ bytecode file over the source module if the timestamp/hash matches the runtime interpreter. This enables a supply‑chain backdoor: malicious code could be embedded in the .pyc while the .py source remains benign, leading to arbitrary code execution when users run the skill scripts.",medium,new,2026-03-13T22:32:57.904438Z,2026-01-16 17:34:54 +0100,samujackson1337@gmail.com,,,false,user-fuMnwbfSqxaibK03vsOVrTVI:github-1134426800,faf478f38907e0929f921bcff73557d57ea97247,skills/ui-ux-pro-max/scripts/search.py | skills/ui-ux-pro-max/scripts/__pycache__/core.cpython-314.pyc | skills/ui-ux-pro-max/scripts/__pycache__/design_system.cpython-314.pyc,,226f10c2a62fc182b4e93458bddea2e60f9b0cb9,skills/ui-ux-pro-max/scripts/__pycache__/core.cpython-314.pyc | skills/ui-ux-pro-max/scripts/__pycache__/design_system.cpython-314.pyc,still present but low practical risk,Compiled Python bytecode was committed alongside source.,robustness,Committed Python bytecode can hide malicious logic,"On origin/main, tracked __pycache__ artifacts were still present under skills/ui-ux-pro-max/scripts, which is review-hostile but not independently exploitable.",Remove tracked bytecode artifacts and rely on source-only review plus .gitignore.,node tools/scripts/tests/repo_hygiene_security.test.js,codex/security-robustness
 https://chatgpt.com/codex/security/findings/eee41bc6b7bc819186c798ae59fa94a2,sickn33/antigravity-awesome-skills,https://github.com/sickn33/antigravity-awesome-skills,Symlinked SKILL.md can leak host files via index script,"scripts/generate_index.py walks the skills tree and opens any SKILL.md it finds. Because it does not verify that SKILL.md is a regular file within the skills directory, a contributor can add a SKILL.md symlink pointing to a sensitive file on the build host (e.g., ~/.ssh/id_rsa or /proc/self/environ). When maintainers run the script, it will read that file and embed the extracted content into skills_index.json, which may later be committed or published as an artifact. This is a supply-chain info disclosure risk introduced by the new script.",medium,new,2026-03-13T22:33:24.826296Z,2026-01-14 20:49:05 +0100,samujackson1337@gmail.com,,,false,user-fuMnwbfSqxaibK03vsOVrTVI:github-1134426800,d32f89a21169fbc77bed59b325e3df17f85d2fad,scripts/generate_index.py,,226f10c2a62fc182b4e93458bddea2e60f9b0cb9,tools/scripts/generate_index.py,still present but low practical risk,Index generation read symlinked SKILL.md files without checking that the target stayed inside the repo.,filesystem-trust-boundary,Symlinked SKILL.md can leak host files via index script,"On origin/main, generate_index.py opened every SKILL.md it found via os.walk and did not skip symlinked SKILL.md files, so a malicious local symlink could exfiltrate another file into index metadata generation.",Skip symlinked SKILL.md files during indexing.,python3 tools/scripts/tests/test_frontmatter_parsing_security.py,codex/security-filesystem-trust-boundary
-https://chatgpt.com/codex/security/findings/c0c1181e19dc81919d5b20f2288dc348,sickn33/antigravity-awesome-skills,https://github.com/sickn33/antigravity-awesome-skills,"Example loader trusts manifest paths, enabling file read","The added example loader builds file paths from skills_index.json metadata and reads SKILL.md without validating that the resolved path stays within the skills root or that it is not a symlink. If a malicious contributor supplies a crafted skills_index.json entry or a symlinked SKILL.md in the skills tree, a user who runs this loader and references that skill can end up reading and sending local file contents to the model. This is an information disclosure risk in supply-chain scenarios and should be mitigated by normalizing paths, enforcing a skillsRoot prefix check, and rejecting symlinks via lstat/realpath.",low,new,2026-03-13T20:55:25.060750Z,2026-03-11 15:42:35 +0100,samujackson1337@gmail.com,,,false,user-fuMnwbfSqxaibK03vsOVrTVI:github-1134426800,a41f1a4d613c8c0acb424abaa11b6a6f84f3f0ba,examples/jetski-gemini-loader/loader.ts,,226f10c2a62fc182b4e93458bddea2e60f9b0cb9,docs/integrations/jetski-gemini-loader/loader.ts,obsolete/not reproducible on current HEAD,Historical manifest-path trust in the Jetski loader example.,,,"On origin/main, the loader example resolves the requested file and rejects any path whose path.relative escapes the configured skills root, so the reported direct file read no longer reproduces.",n/a,n/a,
+https://chatgpt.com/codex/security/findings/c0c1181e19dc81919d5b20f2288dc348,sickn33/antigravity-awesome-skills,https://github.com/sickn33/antigravity-awesome-skills,"Example loader trusts manifest paths, enabling file read","The added example loader builds file paths from skills_index.json metadata and reads SKILL.md without validating that the resolved path stays within the skills root or that it is not a symlink. If a malicious contributor supplies a crafted skills_index.json entry or a symlinked SKILL.md in the skills tree, a user who runs this loader and references that skill can end up reading and sending local file contents to the model. This is an information disclosure risk in supply-chain scenarios and should be mitigated by normalizing paths, enforcing a skillsRoot prefix check, and rejecting symlinks via lstat/realpath.",low,new,2026-03-13T20:55:25.060750Z,2026-03-11 15:42:35 +0100,samujackson1337@gmail.com,,,false,user-fuMnwbfSqxaibK03vsOVrTVI:github-1134426800,a41f1a4d613c8c0acb424abaa11b6a6f84f3f0ba,examples/jetski-gemini-loader/loader.mjs,,226f10c2a62fc182b4e93458bddea2e60f9b0cb9,docs/integrations/jetski-gemini-loader/loader.mjs,obsolete/not reproducible on current HEAD,Historical manifest-path trust in the Jetski loader example.,,,"On origin/main, the loader example resolves the requested file and rejects any path whose path.relative escapes the configured skills root, so the reported direct file read no longer reproduces.",n/a,n/a,
 https://chatgpt.com/codex/security/findings/bafe0096db1081919bad2ba2ec243f5e,sickn33/antigravity-awesome-skills,https://github.com/sickn33/antigravity-awesome-skills,TLS certificate verification disabled in new scrapers,"The newly added leiloeiros scraping utilities disable TLS certificate verification for all HTTP requests and Playwright page loads. The base scraper uses httpx.AsyncClient with verify=False and Playwright contexts with ignore_https_errors=True, and the fallback scraper repeats verify=False. This allows active network attackers to intercept or tamper with scraped content, potentially poisoning downstream data or leaking any credentials used by the scraper.",low,new,2026-03-13T21:25:34.569244Z,2026-03-07 10:04:07 +0100,renatogracie@gmail.com,,,false,user-fuMnwbfSqxaibK03vsOVrTVI:github-1134426800,61ec71c5c7b9b9eaa12504452deda8da8677ba48,skills/junta-leiloeiros/scripts/scraper/base_scraper.py | skills/junta-leiloeiros/scripts/web_scraper_fallback.py,,226f10c2a62fc182b4e93458bddea2e60f9b0cb9,skills/junta-leiloeiros/scripts/scraper/base_scraper.py | skills/junta-leiloeiros/scripts/web_scraper_fallback.py,still present but low practical risk,HTTP scrapers disabled TLS verification by default.,auth-integrity,TLS certificate verification disabled in new scrapers,"On origin/main, both the base scraper and the direct fallback client instantiated HTTP clients with verify=False / ignore_https_errors=True, which weakens transport integrity but is a local-run scraper risk rather than an application RCE.",Enable TLS verification by default and require an explicit environment opt-out for insecure targets.,python3 tools/scripts/tests/test_junta_tls_security.py,codex/security-auth-integrity
 https://chatgpt.com/codex/security/findings/e9dcff2b3f0481918fc76060bd837fb8,sickn33/antigravity-awesome-skills,https://github.com/sickn33/antigravity-awesome-skills,Complete bundle omits valid skill categories,"The new tools/lib/skill-filter.js defines SKILL_CATEGORIES with hardcoded values (core, architecture, etc.) that are not aligned with the real categories stored in skills_index.json (e.g., ""development""). The ""complete"" bundle derives its category list from Object.keys(SKILL_CATEGORIES), so any real category not present in the hardcoded list is silently excluded. This means getSkillsByBundle('complete') will omit many skills, defeating the intent of a complete bundle and potentially confusing consumers who expect full coverage.",low,new,2026-03-13T21:04:11.988883Z,2026-03-07 10:02:18 +0100,169171880+Sayeem3051@users.noreply.github.com,,,false,user-fuMnwbfSqxaibK03vsOVrTVI:github-1134426800,5f6f94b53f9b8afa02d020775a0a172af009baaa,tools/lib/skill-filter.js | skills_index.json,,226f10c2a62fc182b4e93458bddea2e60f9b0cb9,tools/lib/skill-filter.js | tools/scripts/build-catalog.js | data/bundles.json,obsolete/not reproducible on current HEAD,Historical bundle-category omission in a helper path no longer driving shipped bundle data.,,,"On origin/main, shipped bundle data is generated by tools/scripts/build-catalog.js into data/bundles.json; the reported omission in tools/lib/skill-filter.js does not drive current shipped catalog data.",n/a,n/a,
 https://chatgpt.com/codex/security/findings/279041383cc08191abdb9dfa99a03f7c,sickn33/antigravity-awesome-skills,https://github.com/sickn33/antigravity-awesome-skills,Malformed frontmatter delimiter breaks YAML parsing for skills,"The commit replaces valid `license:` fields with lines that start with `---`, e.g. `--- Unknown` in `skills/alpha-vantage/SKILL.md`. The frontmatter parser in `lib/skill-utils.js` reads the block between the first and next `---` line and then parses it as YAML. A `---` marker inside the block is treated as a YAML document delimiter, which makes the frontmatter invalid or splits it into multiple documents. As a result, validators and index generation will report frontmatter parse errors and drop metadata for these skills. This is a regression introduced by the automated fixes.",low,new,2026-03-13T21:09:11.726502Z,2026-03-06 09:18:57 +0100,samujackson1337@gmail.com,,,false,user-fuMnwbfSqxaibK03vsOVrTVI:github-1134426800,93d6badcee41fbacc26b427d3f8d5665ea25b7e6,skills/alpha-vantage/SKILL.md | lib/skill-utils.js,,226f10c2a62fc182b4e93458bddea2e60f9b0cb9,skills/alpha-vantage/SKILL.md | tools/lib/skill-utils.js,still present but low practical risk,Malformed local SKILL.md frontmatter caused parser drift and validation noise.,robustness,Malformed frontmatter delimiter breaks YAML parsing for skills,"On origin/main, skills/alpha-vantage/SKILL.md still contained an extra delimiter token (--- Unknown), which caused parser warnings and broken metadata interpretation.",Repair the malformed frontmatter so the file is a valid YAML frontmatter document.,node tools/scripts/tests/repo_hygiene_security.test.js,codex/security-robustness