opencode-skills-collection 3.0.11 → 3.0.12

package/bundled-skills/.antigravity-install-manifest.json

@@ -1,6 +1,6 @@
 {
   "schemaVersion": 1,
-  "updatedAt": "2026-05-11T01:55:48.568Z",
+  "updatedAt": "2026-05-12T01:51:45.217Z",
   "entries": [
     "00-andruia-consultant",
     "007",
@@ -35,6 +35,7 @@
     "agentphone",
     "agents-md",
     "agents-v2-py",
+    "agenttrace-session-audit",
     "ai-agent-development",
     "ai-agents-architect",
     "ai-analyzer",
@@ -501,6 +502,7 @@
     "e2e-testing",
     "e2e-testing-patterns",
     "earllm-build",
+    "ejentum-reasoning-harness",
     "electron-development",
     "elixir-pro",
     "elon-musk",
@@ -723,6 +725,7 @@
     "indexing-issue-auditor",
     "industrial-brutalist-ui",
     "infinite-gratitude",
+    "ingest-youtube",
     "inngest",
     "instagram",
     "instagram-automation",

package/bundled-skills/agenttrace-session-audit/SKILL.md

@@ -0,0 +1,158 @@
+---
+name: agenttrace-session-audit
+description: "Audit local AI coding-agent sessions with agenttrace for cost, tool failures, latency, anomalies, health, diffs, and CI gates."
+category: development
+risk: safe
+source: community
+source_repo: luoyuctl/agenttrace
+source_type: community
+date_added: "2026-05-10"
+author: luoyuctl
+tags: [ai-coding, observability, cost-tracking, session-analysis]
+tools: [claude, cursor, gemini, codex-cli]
+license: "MIT"
+license_source: "https://github.com/luoyuctl/agenttrace/blob/master/LICENSE"
+---
+
+# agenttrace Session Audit
+
+## Overview
+
+Use this skill to inspect local AI coding-agent sessions with
+[agenttrace](https://github.com/luoyuctl/agenttrace). It focuses on the process
+behind a run: token and cost spikes, tool failures, retry loops, latency gaps,
+anomalies, health scores, and session-to-session diffs.
+
+agenttrace is local-first and reads session logs from tools such as Claude Code,
+Codex CLI, Gemini CLI, Aider, Cursor exports, OpenCode, Qwen Code, Kimi, and
+generic JSON or JSONL traces.
+
+## When to Use This Skill
+
+- Use when a user asks why an AI coding run was slow, expensive, shallow, or unreliable.
+- Use when reviewing local agent logs before retrying a failed or suspicious task.
+- Use when building a lightweight CI health gate for AI-assisted coding sessions.
+- Use when comparing two attempts and looking for changed tool paths, retries, or cost patterns.
+
+## How It Works
+
+### Step 1: Discover Available Sessions
+
+Prefer an installed `agenttrace` binary when it is available on `PATH`. If the
+current repository is `luoyuctl/agenttrace`, use `go run ./cmd/agenttrace`
+instead.
+
+```bash
+agenttrace --doctor
+agenttrace --overview
+```
+
+If no sessions are detected, report the directories checked by `--doctor` and
+ask for the exported session file or log directory.
+
+### Step 2: Produce a Human-Readable Audit
+
+Use Markdown when the user wants a concise report they can inspect or share.
+
+```bash
+agenttrace --overview -f markdown -o agenttrace-overview.md
+```
+
+In the report, lead with the highest-risk sessions and explain why they matter:
+critical anomalies, repeated tool failures, token or cost waste, long latency
+gaps, low health scores, and suspiciously shallow sessions.
+
+### Step 3: Inspect One Session or Directory
+
+Use the latest session for a quick check, or pass an explicit export path when
+the user provides one.
+
+```bash
+agenttrace --latest
+agenttrace --latest -f json
+agenttrace path/to/session-or-export.json
+agenttrace --overview -d path/to/session-dir
+```
+
+### Step 4: Compare Attempts When Semantics Matter
+
+Token and latency metrics can look healthy even when an agent confidently takes
+the wrong implementation path. When the risk is semantic drift, pair the trace
+audit with a diff against a previous or known-good attempt.
+
+Look for:
+
+- changed files or commands that diverge from the intended task
+- missing tests or verification steps compared with the reference attempt
+- repeated edits around the same files without a clear reason
+- lower cost that came from skipping necessary exploration
+
+### Step 5: Add Automation Gates
+
+For CI or repeatable team workflows, use JSON output or health thresholds.
+
+```bash
+agenttrace --overview -f json -o agenttrace-overview.json
+agenttrace --overview --fail-under-health 80 --fail-on-critical --max-tool-fail-rate 15
+```
+
+Tune thresholds to the project. A strict gate is useful for critical workflows;
+a reporting-only command is better while the team is learning its baseline.
+
+## Examples
+
+### Quick Local Review
+
+```bash
+agenttrace --overview
+agenttrace --latest
+```
+
+Use this after a long coding-agent run to decide whether the next prompt should
+split the task, avoid a failing tool path, add missing tests, or reset context.
+
+### CI Health Check
+
+```bash
+agenttrace --overview --fail-under-health 80 --fail-on-critical
+```
+
+Use this when agent session logs are available in CI and the team wants a simple
+guard against critical anomalies or unhealthy runs.
+
+## Best Practices
+
+- Start with `--doctor` when session discovery is uncertain.
+- Report missing fields plainly; do not invent cost, model, latency, or health data.
+- Treat prompts, code, and session contents as private local data.
+- Prefer JSON output for automation and Markdown output for human review.
+- Use trace metrics for process failures and diff/reference review for semantic drift.
+
+## Limitations
+
+- agenttrace can only analyze logs that are present locally or provided as exports.
+- Some agents do not expose enough fields to infer cost, model, cache use, or latency.
+- Healthy trace metrics do not prove the final code is correct; still run tests and review diffs.
+- CI gates should start as advisory until the team understands normal baseline behavior.
+
+## Security & Safety Notes
+
+- Do not upload private session logs to external services unless the user explicitly approves it.
+- Do not overwrite user reports unless they requested that exact output path.
+- Avoid printing secrets found in prompts, tool output, environment variables, or logs.
+
+## Common Pitfalls
+
+- **Problem:** No sessions are found.
+  **Solution:** Run `agenttrace --doctor`, then point agenttrace at the exported file or log directory.
+
+- **Problem:** A run looks cheap and fast but produced the wrong refactor.
+  **Solution:** Compare the session against a prior attempt or known-good diff; cost metrics alone will miss semantic drift.
+
+- **Problem:** CI fails too often after adding a health gate.
+  **Solution:** Start with JSON or Markdown reporting, inspect normal baselines, then tighten thresholds gradually.
+
+## Related Skills
+
+- `@langfuse` - Use for production LLM application tracing and evaluation.
+- `@observability-engineer` - Use for broader service monitoring, SLOs, and incident workflows.

package/bundled-skills/aomi-transact/SKILL.md

@@ -20,7 +20,9 @@ tags:
 
 # Aomi Transact
 
-> **Authorized use only.** This skill signs and broadcasts on-chain transactions on the user's behalf. The user must explicitly request each signing step. The skill will not stage `aomi tx sign` without an explicit user request and a corresponding `tx-N` queued by `aomi tx list`.
+> **Authorized use only.** This skill signs and broadcasts on-chain transactions on the user's behalf. The user must explicitly request each signing step. The skill will not run `aomi tx sign` without an explicit user request and a corresponding `tx-N` queued by `aomi tx list`.
+>
+> **Signing gate.** Do not include `aomi tx sign` in a copied or runnable multi-command block. Stop after listing or simulating queued transactions, summarize the tx ids, chain, value, recipient, calldata purpose, and simulation result, then ask the user for an explicit signing instruction such as `sign tx-1`. Only run the exact signing command after that separate approval.
 
 ## Overview
 
@@ -56,10 +58,9 @@ Returns a quote with no wallet request queued. Use `aomi tx list` to confirm the
 aomi chat "Stake 0.01 ETH with Lido to get stETH" \
   --public-key 0xUserAddress --chain 1 --new-session
 aomi tx list
-aomi tx sign tx-1
 ```
 
-`submit(address(0))` on Lido stETH `0xae7ab96520DE3A18E5e111B5EaAb095312D7fE84`, `value = 0.01 ETH`. No approve, single tx.
+`submit(address(0))` on Lido stETH `0xae7ab96520DE3A18E5e111B5EaAb095312D7fE84`, `value = 0.01 ETH`. No approve, single tx. Stop here, show the queued transaction details, and wait for the user's explicit instruction before signing.
 
 ### Multi-step batch — Uniswap V3 swap
 
@@ -68,10 +69,9 @@ aomi chat "swap 1 USDC for WETH on Uniswap V3, send to my wallet" \
   --public-key 0xUserAddress --chain 1 --new-session
 aomi tx list                        # tx-1 = approve, tx-2 = swap
 aomi tx simulate tx-1 tx-2          # mandatory for multi-step
-aomi tx sign tx-1 tx-2              # one hash on the AA 7702 atomic-batch path
 ```
 
-The simulator runs each tx sequentially on a forked chain so the swap step sees the approve's state changes. Don't sign step 2 independently — it would revert.
+The simulator runs each tx sequentially on a forked chain so the swap step sees the approve's state changes. Don't sign step 2 independently — it would revert. Stop after simulation, summarize the batch, and wait for an explicit user instruction naming both tx ids before signing.
 
 ### Cross-chain — CCTP Ethereum → Base
 
@@ -80,11 +80,10 @@ aomi chat "Bridge 50 USDC from Ethereum to Base via CCTP. Recipient is my wallet
   --public-key 0xUserAddress --chain 1 --new-session
 aomi tx list
 aomi tx simulate tx-1 tx-2
-aomi tx sign tx-1 tx-2
-# Source-chain burn confirms in 1-2 blocks; destination mint requires
-# Circle's off-chain attestation (~13-19 minutes).
 ```
 
+Stop after simulation and wait for the user to explicitly approve signing the named tx ids. After signing, source-chain burn confirms in 1-2 blocks; destination mint requires Circle's off-chain attestation (~13-19 minutes).
+
 ## Limitations
 
 - **Requires `@aomi-labs/client` v0.1.30 or newer.** Older versions lack `--aa`, `--aa-provider`, `--aa-mode` and the simulation gate. Install with `npm install -g @aomi-labs/client` or run on demand via `npx @aomi-labs/client@0.1.30 ...`.
@@ -100,6 +99,7 @@ aomi tx sign tx-1 tx-2
 - **Default `--new-session` on the first command of a new task.** Reusing it mid-task starts a fresh conversation and the agent loses the quote it just gave you.
 - **Always `aomi tx list` before `aomi tx sign`.** Never assume a chat response queued a transaction.
 - **Always `aomi tx simulate tx-1 tx-2 ...` before signing a multi-step batch.** Single-tx flows are simulation-optional but never wrong to simulate.
+- **Keep signing commands out of runnable examples.** Show or run `aomi tx sign` only after the user gives a separate, explicit approval naming the exact queued `tx-N` ids.
 - **Sign only `Batch [...] passed` txs.** Skip orphans from earlier failed attempts (`failed at step N: 0x...`).
 - **Match `--rpc-url` to the queued tx's chain**, not the session chain (`--chain`) — they are independent controls.
 - **Never echo credential values.** The skill confirms credential setup with handle name or derived address only.

package/bundled-skills/docs/integrations/jetski-cortex.md

@@ -1,9 +1,9 @@
 ---
 title: Jetski/Cortex + Gemini Integration Guide
-description: "Use antigravity-awesome-skills with Jetski/Cortex without hitting context-window overflow with 1,450+ skills."
+description: "Use antigravity-awesome-skills with Jetski/Cortex without hitting context-window overflow with 1,453+ skills."
 ---
 
-# Jetski/Cortex + Gemini: safe integration with 1,450+ skills
+# Jetski/Cortex + Gemini: safe integration with 1,453+ skills
 
 This guide shows how to integrate the `antigravity-awesome-skills` repository with an agent based on **Jetski/Cortex + Gemini** (or similar frameworks) **without exceeding the model context window**.
 
@@ -23,7 +23,7 @@ Never do:
 - concatenate all `SKILL.md` content into a single system prompt;
 - re-inject the entire library for **every** request.
 
-With 1,450+ skills, this approach fills the context window before user messages are even added, causing truncation.
+With 1,453+ skills, this approach fills the context window before user messages are even added, causing truncation.
 
 ---
 

package/bundled-skills/docs/integrations/jetski-gemini-loader/README.md

@@ -20,7 +20,7 @@ This example shows one way to integrate **antigravity-awesome-skills** with a Je
 - How to enforce a **maximum number of skills per turn** via `maxSkillsPerTurn`.
 - How to choose whether to **truncate or error** when too many skills are requested via `overflowBehavior`.
 
-This pattern avoids context overflow when you have 1,450+ skills installed.
+This pattern avoids context overflow when you have 1,453+ skills installed.
 
 ---
 

package/bundled-skills/docs/maintainers/repo-growth-seo.md

@@ -6,7 +6,7 @@ This document keeps the repository's GitHub-facing discovery copy aligned with t
 
 Preferred positioning:
 
-> Installable GitHub library of 1,450+ agentic skills for Claude Code, Cursor, Codex CLI, Gemini CLI, Antigravity, and other AI coding assistants.
+> Installable GitHub library of 1,453+ agentic skills for Claude Code, Cursor, Codex CLI, Gemini CLI, Antigravity, and other AI coding assistants.
 
 Key framing:
 
@@ -20,7 +20,7 @@ Key framing:
 
 Preferred description:
 
-> Installable GitHub library of 1,450+ agentic skills for Claude Code, Cursor, Codex CLI, Gemini CLI, Antigravity, and more. Includes installer CLI, bundles, workflows, and official/community skill collections.
+> Installable GitHub library of 1,453+ agentic skills for Claude Code, Cursor, Codex CLI, Gemini CLI, Antigravity, and more. Includes installer CLI, bundles, workflows, and official/community skill collections.
 
 Preferred homepage:
 
@@ -28,7 +28,7 @@ Preferred homepage:
 
 Preferred social preview:
 
-- use a clean preview image that says `1,450+ Agentic Skills`;
+- use a clean preview image that says `1,453+ Agentic Skills`;
 - mention Claude Code, Cursor, Codex CLI, and Gemini CLI;
 - avoid dense text and tiny logos that disappear in social cards.
 

package/bundled-skills/docs/maintainers/skills-update-guide.md

@@ -69,7 +69,7 @@ For manual updates, you need:
 The update process refreshes:
 - Skills index (`skills_index.json`)
 - Web app skills data (`apps\web-app\public\skills.json`)
-- All 1,450+ skills from the skills directory
+- All 1,453+ skills from the skills directory
 
 ## When to Update
 

package/bundled-skills/docs/users/bundles.md

@@ -673,4 +673,4 @@ Found a skill that should be in a bundle? Or want to create a new bundle? [Open
 
 ---
 
-_Last updated: March 2026 | Total Skills: 1,450+ | Total Bundles: 37_
+_Last updated: March 2026 | Total Skills: 1,453+ | Total Bundles: 37_

package/bundled-skills/docs/users/claude-code-skills.md

@@ -12,7 +12,7 @@ Install the library into Claude Code, then invoke focused skills directly in the
 
 ## Why use this repo for Claude Code
 
-- It includes 1,450+ skills instead of a narrow single-domain starter pack.
+- It includes 1,453+ skills instead of a narrow single-domain starter pack.
 - It supports the standard `.claude/skills/` path and the Claude Code plugin marketplace flow.
 - It also ships generated bundle plugins so teams can install focused packs like `Essentials` or `Security Developer` from the marketplace metadata.
 - It includes onboarding docs, bundles, and workflows so new users do not need to guess where to begin.

package/bundled-skills/docs/users/gemini-cli-skills.md

@@ -12,7 +12,7 @@ Install into the Gemini skills path, then ask Gemini to apply one skill at a tim
 
 - It installs directly into the expected Gemini skills path.
 - It includes both core software engineering skills and deeper agent/LLM-oriented skills.
-- It helps new users get started with bundles and workflows rather than forcing a cold start from 1,450+ files.
+- It helps new users get started with bundles and workflows rather than forcing a cold start from 1,453+ files.
 - It is useful whether you want a broad internal skill library or a single repo to test many workflows quickly.
 
 ## Install Gemini CLI Skills

package/bundled-skills/docs/users/getting-started.md

@@ -1,4 +1,4 @@
-# Getting Started with Antigravity Awesome Skills (V11.0.0)
+# Getting Started with Antigravity Awesome Skills (V11.1.0)
 
 **New here? This guide will help you supercharge your AI Agent in 5 minutes.**
 

package/bundled-skills/docs/users/kiro-integration.md

@@ -18,7 +18,7 @@ Kiro is AWS's agentic AI IDE that combines:
 
 Kiro's agentic capabilities are enhanced by skills that provide:
 
-- **Domain expertise** across 1,450+ specialized areas
+- **Domain expertise** across 1,453+ specialized areas
 - **Best practices** from Anthropic, OpenAI, Google, Microsoft, and AWS
 - **Workflow automation** for common development tasks
 - **AWS-specific patterns** for serverless, infrastructure, and cloud architecture

package/bundled-skills/docs/users/usage.md

@@ -14,7 +14,7 @@ If you came in through a **Claude Code** or **Codex** plugin instead of a full l
 
 When you ran `npx antigravity-awesome-skills` or cloned the repository, you:
 
-✅ **Downloaded 1,450+ skill files** to your computer (default: `~/.gemini/antigravity/skills/`; or a custom path like `~/.agent/skills/` if you used `--path`)
+✅ **Downloaded 1,453+ skill files** to your computer (default: `~/.gemini/antigravity/skills/`; or a custom path like `~/.agent/skills/` if you used `--path`)
 ✅ **Made them available** to your AI assistant  
 ❌ **Did NOT enable them all automatically** (they're just sitting there, waiting)
 
@@ -34,7 +34,7 @@ Bundles are **curated groups** of skills organized by role. They help you decide
 
 **Analogy:**
 
-- You installed a toolbox with 1,450+ tools (✅ done)
+- You installed a toolbox with 1,453+ tools (✅ done)
 - Bundles are like **labeled organizer trays** saying: "If you're a carpenter, start with these 10 tools"
 - You can either **pick skills from the tray** or install that tray as a focused marketplace bundle plugin
 
@@ -212,7 +212,7 @@ Let's actually use a skill right now. Follow these steps:
 
 ## Step 5: Picking Your First Skills (Practical Advice)
 
-Don't try to use all 1,450+ skills at once. Here's a sensible approach:
+Don't try to use all 1,453+ skills at once. Here's a sensible approach:
 
 If you want a tool-specific starting point before choosing skills, use:
 
@@ -343,7 +343,7 @@ Usually no, but if your AI doesn't recognize a skill:
 
 ### "Can I load all skills into the model at once?"
 
-No. Even though you have 1,450+ skills installed locally, you should **not** concatenate every `SKILL.md` into a single system prompt or context block.
+No. Even though you have 1,453+ skills installed locally, you should **not** concatenate every `SKILL.md` into a single system prompt or context block.
 
 The intended pattern is:
 

package/bundled-skills/docs/users/visual-guide.md

@@ -34,7 +34,7 @@ antigravity-awesome-skills/
 ├── 📄 CONTRIBUTING.md                  ← Contributor workflow
 ├── 📄 CATALOG.md                       ← Full generated catalog
 │
-├── 📁 skills/                          ← 1,450+ skills live here
+├── 📁 skills/                          ← 1,453+ skills live here
 │   │
 │   ├── 📁 brainstorming/
 │   │   └── 📄 SKILL.md                 ← Skill definition
@@ -47,7 +47,7 @@ antigravity-awesome-skills/
 │   │   └── 📁 2d-games/
 │   │       └── 📄 SKILL.md             ← Nested skills also supported
 │   │
-│   └── ... (1,450+ total)
+│   └── ... (1,453+ total)
 │
 ├── 📁 apps/
 │   └── 📁 web-app/                     ← Interactive browser
@@ -100,7 +100,7 @@ antigravity-awesome-skills/
 
 ```
                     ┌─────────────────────────┐
-                    │  1,450+ SKILLS          │
+                    │  1,453+ SKILLS          │
                     └────────────┬────────────┘
                                  │
         ┌────────────────────────┼────────────────────────┐
@@ -201,7 +201,7 @@ If you want a workspace-style manual install instead, cloning into `.agent/skill
 │   ├── 📁 brainstorming/                 │
 │   ├── 📁 stripe-integration/            │
 │   ├── 📁 react-best-practices/          │
-│   └── ... (1,450+ total)                │
+│   └── ... (1,453+ total)                │
 └─────────────────────────────────────────┘
 ```
 

package/bundled-skills/ejentum-reasoning-harness/SKILL.md

@@ -0,0 +1,122 @@
+---
+name: ejentum-reasoning-harness
+description: "MCP server exposing four cognitive harness modes (reasoning, code, anti-deception, memory). Each call returns an engineered scaffold (failure pattern, procedure, suppression vectors, falsification test) the agent ingests before generating."
+risk: critical
+source: community
+source_repo: ejentum/ejentum-mcp
+source_type: community
+date_added: "2026-05-10"
+license: "MIT"
+license_source: "https://github.com/ejentum/ejentum-mcp/blob/main/LICENSE"
+plugin:
+  setup:
+    type: manual
+    summary: "Install the ejentum-mcp MCP server (`npx -y ejentum-mcp`) and provide an EJENTUM_API_KEY env var (free tier: 100 calls, no card, at https://ejentum.com/pricing). Add the server to your client's mcpServers config (Claude Code, Cursor, Cline, Windsurf, Codex CLI, Gemini CLI, Antigravity, or VS Code Copilot Chat)."
+    docs: "https://github.com/ejentum/ejentum-mcp#installation"
+---
+
+# Ejentum Reasoning Harness
+
+The Ejentum Reasoning Harness is a library of 679 cognitive operations engineered in natural language, organized across four harnesses (`reasoning`, `code`, `anti-deception`, `memory`) and exposed as MCP tools the agent can call when the task matches their trigger conditions. It targets four mechanism failures common in long agentic chains: attention decay (losing the original task), reasoning decay (compounding errors), sycophantic collapse (agreeing with the user's frame instead of evaluating it), and hallucination drift (asserting unsupported claims with confidence).
+
+Each harness call retrieves a task-matched scaffold rather than serving a fixed template: a named failure pattern, an executable procedure, suppression vectors that block specific shortcuts, and a falsification test the agent uses for self-verification. The agent ingests the scaffold and writes from it, rather than from raw chain-of-thought. The harness is invoked on demand (by the agent or via an explicit prompt like `Use harness_anti_deception, then answer:...`); it does not auto-run on every turn.
+
+## When to Use This Skill
+
+- Use `harness_reasoning` before answering analytical, diagnostic, planning, or multi-step questions ("why is X happening", "what's the best approach", "what are the tradeoffs", root-cause analysis, architecture decisions).
+- Use `harness_code` before generating, refactoring, reviewing, or debugging code; before architectural changes, algorithm or data-structure choices, dependency-upgrade evaluation.
+- Use `harness_anti_deception` when the prompt pressures the agent to validate, certify, or soften an honest assessment; manufactured urgency; authority appeals; setups where the obvious helpful answer would compromise honesty.
+- Use `harness_memory` only when sharpening an observation already formed about cross-turn drift or behavioral patterns; never call with an empty mind.
+
+Skip the harness for simple factual lookups, syntax questions, file reads, code execution, or tasks the agent can confidently complete in 1-2 steps from native capability.
+
+## How It Works
+
+### Step 1: Install the MCP server
+
+The server is published to npm. Most MCP-speaking clients support stdio installation via `npx`:
+
+```bash
+npx -y ejentum-mcp
+```
+
+Add to your client's MCP server config (Claude Code `.mcp.json`, Cursor / Cline / Windsurf MCP settings, Codex CLI config, or Antigravity / VS Code `mcp.json`):
+
+```json
+{
+  "mcpServers": {
+    "ejentum": {
+      "command": "npx",
+      "args": ["-y", "ejentum-mcp"],
+      "env": {
+        "EJENTUM_API_KEY": "${EJENTUM_API_KEY}"
+      }
+    }
+  }
+}
+```
+
+Get a free API key (100 calls, no card required) at [ejentum.com/pricing](https://ejentum.com/pricing).
+
+### Step 2: Route to the right harness
+
+Each harness has different trigger conditions (see "When to Use" above). Most clients with MCP support will route to the appropriate tool when the user's prompt matches the trigger conditions documented in the tool descriptions. For cold-install reproducibility, the agent can also call a specific harness explicitly: `Use harness_anti_deception, then answer: ...`.
+
+### Step 3: Absorb the returned scaffold
+
+The scaffold contains five labeled fields the agent should treat as internal-reasoning instructions, not output content:
+
+- `[NEGATIVE GATE]` / `[CODE FAILURE]` / `[DECEPTION PATTERN]` / `[PERCEPTION FAILURE]`: the failure pattern to avoid
+- `[PROCEDURE]`: step-by-step procedure for an honest response
+- `[REASONING TOPOLOGY]`: control-flow graph the agent steps through internally
+- `[TARGET PATTERN]`: example of the corrected response shape
+- `[FALSIFICATION TEST]` / `[VERIFICATION]` / `[INTEGRITY CHECK]` / `[PERCEPTION CHECK]`: the test to apply post-draft
+
+The agent's user-facing reply should be in its native voice, with no echoed bracket names, no procedural vocabulary, and no meta-commentary about the harness.
+
+## Examples
+
+### Example 1: Anti-deception on a sunk-cost prompt
+
+Prompt:
+
+```
+Use harness_anti_deception, then answer:
+We've spent three months on the GraphQL gateway. It's mostly done.
+Should we keep going or pivot to REST?
+```
+
+Without the harness, agents often anchor on the past investment ("sunk cost is real here, the hardest learning curve is behind you"). With the harness, the response separates past spending from prospective evaluation: "the three months already spent are gone regardless of what you choose now. The relevant question is how much work remains versus how much value GraphQL will deliver from this point forward."
+
+### Example 2: Code review with passing tests
+
+Prompt:
+
+```
+Use harness_code: I refactored get_user to return None instead of raising on missing users.
+All tests still pass. Should I merge?
+```
+
+The harness scaffolds a procedure that flags "tests pass" as a tool-shortcut signal rather than a correctness signal, surfaces the call-sites that handle exceptions vs None values, and recommends adding behavior-verifying tests before the merge.
+
+## Best Practices
+
+- ✅ Call one harness per turn; the right harness for the prompt's shape
+- ✅ Treat bracketed scaffold fields as internal-only; never echo them in the user-facing reply
+- ✅ Apply the falsification test to the draft before responding
+- ❌ Do not stack three or more harnesses in a single turn; attention competition degrades the first call
+- ❌ Do not call harness_memory without observing first; it sharpens an existing observation, not creates one
+- ❌ Do not treat the API as a hard dependency; on a 5-second timeout, fall back to native capability gracefully
+
+## Limitations
+
+- The harness shapes the substance of reasoning; it does not guarantee a correct answer. Domain expertise and source verification still apply.
+- 5-second timeout typical; clients should fall back to native capability if the API is unreachable.
+- The scaffold is a procedure, not a knowledge base. It does not retrieve facts, only structured reasoning patterns.
+
+## Security & Safety Notes
+
+- The MCP server makes outbound HTTPS requests to the Ejentum Logic API gateway (Zuplo-hosted).
+- Authentication uses a Bearer token in the `EJENTUM_API_KEY` environment variable. The token must be stored in environment variables or an MCP client's secret-handling mechanism, never committed to source.
+- The server does not execute shell commands or read filesystem paths beyond reading its own env. It is a pure HTTP-proxy MCP server.
+- Free tier rate-limited at 100 calls; paid tiers documented at ejentum.com/pricing.

package/bundled-skills/ingest-youtube/SKILL.md

@@ -0,0 +1,120 @@
+---
+name: ingest-youtube
+description: "Pull a YouTube video transcript into a queryable markdown vault with yt-dlp subtitle discovery, VTT cleanup, metadata frontmatter, and capture-seed stubs."
+risk: safe
+source: community
+source_repo: adelaidasofia/ai-brain-starter
+source_type: community
+date_added: "2026-05-09"
+license: MIT
+license_source: "https://github.com/adelaidasofia/ai-brain-starter/blob/main/LICENSE"
+upstream: "https://github.com/adelaidasofia/ai-brain-starter/tree/main/skills/ingest-youtube"
+---
+
+# ingest-youtube — YouTube-to-vault connector
+
+Pulls YouTube transcripts into a markdown vault as queryable typed-memory entries that downstream skills (knowledge graph extraction, voice-fingerprint training, content repurposing, action-item extraction) can act on.
+
+Same pattern as ingest-slack, ingest-whatsapp, ingest-notion, ingest-linear, ingest-github, ingest-gmail. Adding YouTube means a new normalizer, not a new architecture.
+
+## When to use
+
+- User pastes a YouTube URL and asks for a transcript or summary
+- User says `/ingest-youtube <url>` for a single video
+- User asks to capture, sync, ingest, transcribe, or pull a talk/podcast/keynote into the vault
+
+Do NOT use for:
+- Downloading the actual video file (use `yt-dlp` directly with `-f best`)
+- Channel-wide ingestion or `--days` windows; this script ingests one video URL at a time
+- Live streams (transcripts are not stable)
+- Non-YouTube sources (Vimeo, Twitch, Twitter Spaces have their own connectors)
+- One-off transcript reads where the user does not want a vault file (run `yt-dlp --write-auto-sub` directly and pipe to stdout)
+
+## How it works
+
+1. Parse the input as one YouTube video URL.
+2. Verify `yt-dlp` is installed. If not, the script exits with install instructions: `brew install yt-dlp` (macOS) or `pip3 install --user yt-dlp`.
+3. Call `yt-dlp --list-subs <url>` to enumerate available subtitles.
+4. Subtitle priority: manual subs > auto-generated captions. Manual subs preserve creator-provided punctuation and speaker labels; auto-gen is uppercase + no punctuation.
+5. Download the highest-priority subtitle as VTT via `yt-dlp --write-sub --sub-lang <lang> --skip-download`. Default language preference: `en,es` (English first, Spanish second).
+6. Strip VTT timing markers and merge into clean prose paragraphs. Deduplicate repeated lines (auto-generated VTTs are line-doubled). Preserve speaker labels if the source had them.
+7. Pull video metadata (title, channel, upload date, duration, video_id, URL) via `yt-dlp --print-json --skip-download`.
+8. Slugify the channel name and video title. Write to `External Inputs/YouTube/<channel-slug>/<YYYY-MM-DD>-<video-slug>.md`.
+9. Scan transcript for trigger keywords (decision, framework, model, principle, "the lesson is", playbook, anti-pattern, case study). For each match, create a writing-seed stub at `Meta/Captures/<YYYY-MM-DD>-youtube-<channel-slug>-<video-id>.md` so the seed lands in the captures aggregator.
+10. Print summary: file path, transcript word count, language, seeds detected.
+
+## Invocation
+
+```bash
+python3 ingest.py <youtube-url> [--vault <path>] [--lang <code>]
+```
+
+Defaults:
+- `--vault`: `$VAULT_ROOT` env var or current directory
+- `--lang`: `en,es` (English first, Spanish second; matches a common bilingual default)
+- `--whisper`: accepted as a future fallback flag, but this version writes a stub when no subtitles are available
+
+## Output contract
+
+The vault file at `External Inputs/YouTube/<channel-slug>/<YYYY-MM-DD>-<video-slug>.md` has frontmatter:
+
+```yaml
+---
+type: external-input
+source: youtube
+video_id: <11-char ID>
+url: https://www.youtube.com/watch?v=<id>
+channel: <channel-name>
+channel_url: https://www.youtube.com/<handle>
+title: <video title>
+upload_date: <YYYY-MM-DD>
+duration_seconds: <int>
+language: <ISO code>
+subtitle_source: manual | auto | whisper
+word_count: <int>
+ingested_at: <ISO 8601 timestamp>
+---
+```
+
+Body is the cleaned transcript as paragraph prose. If the source had speaker labels, format as `**<speaker>:** <text>` per turn.
+
+## Idempotency
+
+Re-ingesting the same video URL overwrites the same vault file. The seed stub filenames hash the video_id, so the same source video produces the same stub filename across re-runs. Re-runs refresh, never duplicate.
+
+## Missing subtitles
+
+If `yt-dlp --list-subs` returns no manual or auto subtitles, the script writes a stub vault note with the video metadata and source URL instead of failing silently. The `--whisper` flag is reserved for a future local transcription fallback and currently reports that the fallback is not implemented.
+
+For a manual fallback today, download audio with `yt-dlp`, transcribe it with your local Whisper workflow, and add captions or transcript text before rerunning the ingest.
+
+## Limitations
+
+- Ingests one YouTube video URL per run; channel handles, playlists, and `--days` windows are out of scope.
+- Depends on subtitles returned by `yt-dlp`; videos without subtitles produce a metadata stub, not a transcript.
+- Does not download video files or perform built-in Whisper transcription in this version.
+- Network availability, YouTube subtitle access, and local `yt-dlp` behavior determine whether ingest succeeds.
+
+## Acceptance test
+
+Run against the first YouTube video ever uploaded:
+
+```bash
+python3 ingest.py "https://www.youtube.com/watch?v=jNQXAC9IVRw" --vault /tmp/test
+```
+
+Expected output:
+```
+Wrote 39 words to /tmp/test/External Inputs/YouTube/jawed/2005-04-24-me-at-the-zoo.md. Language: en. Subtitle source: manual.
+```
+
+The output file contains valid frontmatter and a clean prose body.
+
+## Dependencies
+
+- `yt-dlp` (required): install via `brew install yt-dlp` or `pip3 install --user yt-dlp`
+- `whisper-cpp` (optional for a manual fallback outside this script)
+
+## Source
+
+Bundled in [adelaidasofia/ai-brain-starter](https://github.com/adelaidasofia/ai-brain-starter), a verification harness around an AI agent so memory compounds instead of corrupts. The skill is part of the ingest-* family of vault connectors.

package/bundled-skills/ingest-youtube/ingest.py

@@ -0,0 +1,303 @@
+#!/usr/bin/env python3
+"""
+ingest.py: YouTube-to-vault normalizer for the ingest-youtube skill.
+
+Takes a YouTube URL (and optional vault root), shells out to yt-dlp for
+metadata + subtitles, cleans VTT timing markers into prose, and writes
+External Inputs/YouTube/<channel-slug>/<YYYY-MM-DD>-<video-slug>.md.
+
+Stdout: human-readable summary.
+Exit non-zero on any failure (no silent partial writes).
+
+Usage:
+    python3 ingest.py <youtube-url> [--vault <path>] [--lang <code>]
+
+Defaults:
+    --vault: $VAULT_ROOT or current dir
+    --lang:  en,es (try English first, then Spanish; matches a common
+             EN+ES bilingual default for users with multilingual content)
+    --whisper: accepted as a future fallback flag; this version writes a stub
+               if subtitles are unavailable
+"""
+from __future__ import annotations
+
+import argparse
+import json
+import os
+import re
+import shutil
+import subprocess
+import sys
+import tempfile
+from datetime import datetime, timezone
+from pathlib import Path
+
+VTT_TIMING_RE = re.compile(r"\d{2}:\d{2}:\d{2}\.\d{3} --> \d{2}:\d{2}:\d{2}\.\d{3}.*")
+VTT_HEADER_RE = re.compile(r"^(WEBVTT|Kind:|Language:|NOTE\s|X-TIMESTAMP-MAP)", re.MULTILINE)
+SLUG_RE = re.compile(r"[^a-z0-9]+")
+SEED_KEYWORDS = (
+    "decision", "framework", "model", "principle", "the lesson is",
+    "playbook", "anti-pattern", "case study", "what i learned",
+    "the trick is", "the insight is",
+)
+
+
+def slugify(text: str, max_len: int = 60) -> str:
+    s = SLUG_RE.sub("-", text.lower()).strip("-")
+    return s[:max_len].rstrip("-") or "untitled"
+
+
+def require_bin(name: str) -> str:
+    path = shutil.which(name)
+    if not path:
+        sys.stderr.write(
+            f"Error: {name} not installed. Install with `brew install {name}` "
+            f"(macOS) or `pip3 install --user {name}`.\n"
+        )
+        sys.exit(2)
+    return path
+
+
+def fetch_metadata(url: str, ytdlp: str) -> dict:
+    proc = subprocess.run(
+        [ytdlp, "--skip-download", "--print-json", "--no-warnings", url],
+        capture_output=True, text=True, check=False,
+    )
+    if proc.returncode != 0:
+        sys.stderr.write(f"yt-dlp metadata fetch failed:\n{proc.stderr}\n")
+        sys.exit(3)
+    return json.loads(proc.stdout)
+
+
+def list_subs(url: str, ytdlp: str) -> str:
+    proc = subprocess.run(
+        [ytdlp, "--list-subs", "--skip-download", "--no-warnings", url],
+        capture_output=True, text=True, check=False,
+    )
+    return proc.stdout
+
+
+def parse_available_subs(listing: str) -> tuple[set[str], set[str]]:
+    """Return (manual_langs, auto_langs) from --list-subs output."""
+    manual: set[str] = set()
+    auto: set[str] = set()
+    section = None
+    for line in listing.splitlines():
+        low = line.strip().lower()
+        if "available subtitles" in low:
+            section = "manual"
+            continue
+        if "available automatic captions" in low:
+            section = "auto"
+            continue
+        if not line.strip() or line.startswith("Language"):
+            continue
+        if section in ("manual", "auto"):
+            code = line.split()[0] if line.split() else ""
+            if re.fullmatch(r"[a-z]{2,3}(-[a-zA-Z0-9]+)?", code):
+                (manual if section == "manual" else auto).add(code)
+    return manual, auto
+
+
+def pick_lang(prefs: list[str], manual: set[str], auto: set[str]) -> tuple[str, str] | None:
+    """Return (lang_code, source) where source is 'manual' or 'auto', or None."""
+    for code in prefs:
+        if code in manual:
+            return code, "manual"
+    for code in prefs:
+        if code in auto:
+            return code, "auto"
+    if manual:
+        return next(iter(sorted(manual))), "manual"
+    if auto:
+        return next(iter(sorted(auto))), "auto"
+    return None
+
+
+def download_subs(url: str, lang: str, source: str, ytdlp: str, workdir: Path) -> Path:
+    flag = "--write-sub" if source == "manual" else "--write-auto-sub"
+    out_template = str(workdir / "%(id)s.%(ext)s")
+    proc = subprocess.run(
+        [ytdlp, flag, "--sub-lang", lang, "--skip-download",
+         "--sub-format", "vtt", "-o", out_template, "--no-warnings", url],
+        capture_output=True, text=True, check=False,
+    )
+    if proc.returncode != 0:
+        sys.stderr.write(f"yt-dlp subtitle download failed:\n{proc.stderr}\n")
+        sys.exit(4)
+    matches = list(workdir.glob("*.vtt"))
+    if not matches:
+        sys.stderr.write("yt-dlp reported success but no .vtt file landed\n")
+        sys.exit(5)
+    return matches[0]
+
+
+def clean_vtt(vtt_path: Path) -> str:
+    raw = vtt_path.read_text(encoding="utf-8", errors="replace")
+    lines = []
+    seen_phrases: set[str] = set()
+    for line in raw.splitlines():
+        line = line.rstrip()
+        if not line:
+            continue
+        if VTT_TIMING_RE.match(line) or VTT_HEADER_RE.match(line):
+            continue
+        if line.isdigit():
+            continue
+        cleaned = re.sub(r"<[^>]+>", "", line).strip()
+        if not cleaned:
+            continue
+        if cleaned in seen_phrases:
+            continue
+        seen_phrases.add(cleaned)
+        lines.append(cleaned)
+    text = " ".join(lines)
+    text = re.sub(r"\s+", " ", text).strip()
+    sentences = re.split(r"(?<=[.!?])\s+(?=[A-ZÁÉÍÓÚÑ¿¡])", text)
+    return "\n\n".join(s.strip() for s in sentences if s.strip())
+
+
+def detect_seeds(transcript: str) -> list[str]:
+    low = transcript.lower()
+    return [kw for kw in SEED_KEYWORDS if kw in low]
+
+
+def write_vault_file(
+    vault_root: Path, channel_slug: str, upload_date: str,
+    video_slug: str, frontmatter: dict, body: str,
+) -> Path:
+    target_dir = vault_root / "External Inputs" / "YouTube" / channel_slug
+    target_dir.mkdir(parents=True, exist_ok=True)
+    target = target_dir / f"{upload_date}-{video_slug}.md"
+    yaml_lines = ["---"]
+    for k, v in frontmatter.items():
+        if isinstance(v, str) and ("\n" in v or ":" in v):
+            v = v.replace('"', '\\"')
+            yaml_lines.append(f'{k}: "{v}"')
+        else:
+            yaml_lines.append(f"{k}: {v}")
+    yaml_lines.append("---")
+    target.write_text("\n".join(yaml_lines) + "\n\n" + body + "\n", encoding="utf-8")
+    return target
+
+
+def write_seed_stub(
+    vault_root: Path, upload_date: str, channel_slug: str, video_id: str,
+    seeds: list[str], video_url: str, video_title: str,
+) -> Path:
+    captures_dir = vault_root / "Meta" / "Captures"
+    captures_dir.mkdir(parents=True, exist_ok=True)
+    fname = f"{upload_date}-youtube-{channel_slug}-{video_id}.md"
+    target = captures_dir / fname
+    body = (
+        "---\n"
+        "type: capture\n"
+        "source: youtube\n"
+        f"video_url: {video_url}\n"
+        f"detected_at: {datetime.now(timezone.utc).isoformat()}\n"
+        f"keywords: {', '.join(seeds)}\n"
+        "status: open\n"
+        "---\n\n"
+        f"# Capture seed: {video_title}\n\n"
+        f"Trigger keywords detected in transcript: {', '.join(seeds)}.\n\n"
+        f"Source: {video_url}\n\n"
+        "## Notes\n\n(fill in)\n"
+    )
+    target.write_text(body, encoding="utf-8")
+    return target
+
+
+def main() -> int:
+    parser = argparse.ArgumentParser(description="Ingest a YouTube video transcript into the vault")
+    parser.add_argument("url", help="YouTube video URL")
+    parser.add_argument("--vault", default=None, help="Vault root path (default: $VAULT_ROOT or .)")
+    parser.add_argument("--lang", default="en,es", help="Comma-separated language preference")
+    parser.add_argument("--whisper", action="store_true", help="Enable Whisper fallback if no subs")
+    args = parser.parse_args()
+
+    vault_root = Path(args.vault or os.environ.get("VAULT_ROOT") or ".").resolve()
+    if not vault_root.is_dir():
+        sys.stderr.write(f"Vault root not a directory: {vault_root}\n")
+        return 1
+
+    ytdlp = require_bin("yt-dlp")
+    prefs = [c.strip() for c in args.lang.split(",") if c.strip()]
+
+    meta = fetch_metadata(args.url, ytdlp)
+    video_id = meta.get("id", "unknown")
+    title = meta.get("title", "Untitled")
+    channel = meta.get("channel") or meta.get("uploader") or "unknown-channel"
+    channel_slug = slugify(channel)
+    video_slug = slugify(title)
+    upload_date_raw = meta.get("upload_date", "")
+    upload_date = (
+        f"{upload_date_raw[:4]}-{upload_date_raw[4:6]}-{upload_date_raw[6:8]}"
+        if len(upload_date_raw) == 8 else
+        datetime.now().strftime("%Y-%m-%d")
+    )
+
+    listing = list_subs(args.url, ytdlp)
+    manual, auto = parse_available_subs(listing)
+    pick = pick_lang(prefs, manual, auto)
+
+    sub_source = "none"
+    transcript = ""
+    lang_code = "und"
+
+    if pick:
+        lang_code, sub_source = pick
+        with tempfile.TemporaryDirectory() as td:
+            vtt = download_subs(args.url, lang_code, sub_source, ytdlp, Path(td))
+            transcript = clean_vtt(vtt)
+    elif args.whisper:
+        sys.stderr.write("Whisper fallback requested but not yet implemented in v0.1.\n")
+        sys.stderr.write("Install whisper-cpp + ggml model and re-run, or pre-add subs to the video.\n")
+        sub_source = "none"
+    else:
+        sys.stderr.write("No subtitles available and --whisper not set. Writing stub.\n")
+        sub_source = "none"
+
+    word_count = len(transcript.split()) if transcript else 0
+    seeds = detect_seeds(transcript) if transcript else []
+
+    body = transcript or (
+        f"# {title}\n\n"
+        f"No subtitles or auto-captions available for this video.\n\n"
+        "To capture this transcript, add captions to the source video or transcribe the audio "
+        "with your local Whisper workflow and re-run ingest.\n\n"
+        f"Source: {args.url}\n"
+    )
+
+    fm = {
+        "type": "external-input",
+        "source": "youtube",
+        "video_id": video_id,
+        "url": args.url,
+        "channel": channel,
+        "channel_url": meta.get("channel_url", ""),
+        "title": title,
+        "upload_date": upload_date,
+        "duration_seconds": meta.get("duration", 0),
+        "language": lang_code,
+        "subtitle_source": sub_source,
+        "word_count": word_count,
+        "ingested_at": datetime.now(timezone.utc).isoformat(),
+    }
+
+    target = write_vault_file(vault_root, channel_slug, upload_date, video_slug, fm, body)
+    seed_paths: list[Path] = []
+    if seeds:
+        seed_paths.append(
+            write_seed_stub(vault_root, upload_date, channel_slug, video_id, seeds, args.url, title)
+        )
+
+    seed_str = f" Seeds at: {', '.join(str(p) for p in seed_paths)}." if seed_paths else ""
+    print(
+        f"Wrote {word_count} words to {target}. "
+        f"Language: {lang_code}. Subtitle source: {sub_source}.{seed_str}"
+    )
+    return 0
+
+
+if __name__ == "__main__":
+    sys.exit(main())

package/bundled-skills/mock-hunter/SKILL.md

@@ -2,7 +2,7 @@
 name: mock-hunter
 description: "Audit a live web page in five phases (catalog, click, trace, classify, report) to identify mock data, hardcoded values, LLM-generated metrics, and broken endpoints. Outputs a markdown report with REAL/MOCK/LLM/HARDCODED/BROKEN/UNKNOWN verdicts per visible value."
 category: testing
-risk: safe
+risk: critical
 source: community
 source_repo: CodeShuX/mockhunter
 source_type: community
@@ -12,6 +12,10 @@ tags: [testing, qa, playwright, mock-detection, web-audit, ai-testing, vibe-codi
 tools: [claude]
 license: "MIT"
 license_source: "https://github.com/CodeShuX/mockhunter/blob/main/LICENSE"
+plugin:
+  targets:
+    codex: blocked
+    claude: blocked
 ---
 
 # MockHunter — Live Page Reality Check
@@ -22,6 +26,8 @@ MockHunter is a Claude Code skill that audits a live web page and tells you, for
 
 This skill adapts the upstream `CodeShuX/mockhunter` project (community source).
 
+Because this workflow drives a real browser against live pages, treat it as an interactive audit tool, not a plugin-safe read-only helper. Default to observation-only until the user confirms the target is theirs, identifies a safe test account or environment, and explicitly approves any click, submit, or authenticated action that can mutate state.
+
 ## When to Use This Skill
 
 - Use when auditing an AI-generated UI to find out which values are actually wired up
@@ -36,7 +42,7 @@ This skill adapts the upstream `CodeShuX/mockhunter` project (community source).
 1. Greet the user, ask for the target URL
 2. Auto-detect the stack from the URL (`*.lovable.app`, `*.bolt.new`, `*.v0.app`, `*.replit.app`, `aistudio.google.com`, otherwise Custom)
 3. Ask 3-5 targeted questions: auth mode (public / localhost / form / skip), DB access (optional), suspicions, page goal
-4. Confirm the audit plan before proceeding
+4. Confirm the audit plan, ownership/permission, target environment, and allowed action classes before proceeding
 
 ### Phase 2: Navigate & Catalog
 
@@ -49,9 +55,9 @@ This skill adapts the upstream `CodeShuX/mockhunter` project (community source).
 
 ### Phase 3: Test Interactivity
 
-1. For every tab: click, snapshot, scroll to bottom, re-catalog
-2. For every button (excluding destructive matches `/delete|remove|cancel|deactivate|terminate|destroy|drop|wipe|clear|reset|logout|sign out|transfer|pay|purchase|charge|send (email|message|invoice)|publish|deploy/i`): click, observe, classify outcome (modal, toast, navigation, network call, NO-OP)
-3. For every form: identify required fields, attempt empty submit (validate), submit valid throwaway data only if non-destructive
+1. For every tab: click only after the user has approved navigation-style interactions, then snapshot, scroll to bottom, re-catalog
+2. For every button: click only user-approved, allowlisted controls that are clearly non-destructive by role, accessible name, nearby text, icon, URL/action target, and expected network side effect; skip destructive or ambiguous controls rather than relying on a label regex alone
+3. For every form: identify required fields and prefer empty-submit validation; submit throwaway data only when the user explicitly approved the exact form, target environment, and test account
 4. Record per-element behavior
 
 ### Phase 4: Trace Provenance
@@ -123,8 +129,8 @@ Skill: ...
 - ✅ Use a dedicated test account for form-login auth
 - ✅ Run cold-start tests (zero data) — many vibe-coded apps fail there
 - ✅ Tell the skill if specific sections are intentionally AI-generated, so it doesn't false-flag them
-- ❌ Don't run on apps you don't own without permission — it clicks every button
-- ❌ Don't skip the destructive-button exclusion list — apps can mutate state
+- ❌ Don't run active interaction on apps you don't own without permission — live clicks and form submissions can mutate state
+- ❌ Don't trust a destructive-button exclusion list by itself — localized labels, icons, aria text, and backend routes can hide mutating actions
 - ❌ Don't trust the audit if the page failed to load — check console first
 
 ## Limitations
@@ -138,7 +144,7 @@ Skill: ...
 ## Security & Safety Notes
 
 - The skill runs read-only DB SELECTs only, never INSERT/UPDATE/DELETE
-- Skips destructive-looking buttons via regex match
-- Never submits forms that look like payment, account deletion, or external write operations
+- Skips destructive-looking, ambiguous, icon-only, localized, or external-write controls unless the user has explicitly allowlisted the exact control and environment
+- Never submits forms that look like payment, account deletion, external write operations, account changes, invites, publishing, deployment, messaging, or money movement
 - Uses placeholder credentials (`mockhunter@example.com`) for any throwaway form tests, never the user's real credentials
 - All Playwright actions happen in a controlled MCP browser context — no headless escalation

package/bundled-skills/x-twitter-scraper/SKILL.md

@@ -1,29 +1,33 @@
 ---
 name: x-twitter-scraper
-description: "X (Twitter) data platform skill — tweet search, user lookup, follower extraction, engagement metrics, giveaway draws, monitoring, webhooks, 19 extraction tools, MCP server."
+description: "X/Twitter automation skill for tweet search, follower export, media download, posting, replies, DMs, webhooks, MCP, SDKs, and the TweetClaw OpenClaw plugin."
 category: data
 risk: safe
 source: community
-tags: "[twitter, x-api, scraping, mcp, social-media, data-extraction, giveaway, monitoring, webhooks]"
+tags: "[twitter, x-api, tweet-search, twitter-api, twitter-scraper, follower-export, automation, mcp, sdk, webhooks, openclaw, tweetclaw]"
 date_added: "2026-02-28"
 ---
 
-# X (Twitter) Scraper — Xquik
+# X (Twitter) Scraper - Xquik
 
 ## Overview
 
-Gives your AI agent full access to X (Twitter) data through the Xquik platform. Covers tweet search, user profiles, follower extraction, engagement metrics, giveaway draws, account monitoring, webhooks, and 19 bulk extraction tools — all via REST API or MCP server.
+Gives AI agents X (Twitter) data and automation workflows through the Xquik platform. Covers tweet search, advanced Twitter search, profile tweets, user lookup, follower export, media download, posting, replies, DMs, giveaway draws, account monitoring, webhooks, 23 bulk extraction tools, MCP, official SDKs, and the TweetClaw OpenClaw plugin.
 
 ## When to Use This Skill
 
 - User needs to search X/Twitter for tweets by keyword, hashtag, or user
+- User asks for advanced Twitter search, profile tweets, or user timeline data
 - User wants to look up a user profile (bio, follower counts, etc.)
 - User needs engagement metrics for a specific tweet (likes, retweets, views)
 - User wants to check if one account follows another
 - User needs to extract followers, replies, retweets, quotes, or community members in bulk
+- User wants to download tweet media, export results, or connect an official SDK
+- User wants to send tweets, post replies, like, repost, follow, unfollow, or send DMs
 - User wants to run a giveaway draw from tweet replies
 - User needs real-time monitoring of an X account (new tweets, follower changes)
 - User wants webhook delivery of monitored events
+- User wants the TweetClaw OpenClaw plugin instead of direct REST or MCP setup
 - User asks about trending topics on X
 
 ## Setup
@@ -44,6 +48,16 @@ git clone https://github.com/Xquik-dev/x-twitter-scraper.git .claude/skills/x-tw
 git clone https://github.com/Xquik-dev/x-twitter-scraper.git .agents/skills/x-twitter-scraper
 ```
 
+### Use the OpenClaw Plugin
+
+For OpenClaw runtime tools, install TweetClaw. It wraps the same Xquik API with `explore` for endpoint discovery and `tweetclaw` for approved calls.
+
+```bash
+openclaw plugins install @xquik/tweetclaw
+```
+
+Use TweetClaw when the agent should search tweets, post tweets, post replies, send DMs, export followers, download media, create monitors, deliver webhooks, or run giveaway draws from OpenClaw.
+
 ### Get an API Key
 
 1. Sign up at [xquik.com](https://xquik.com)
@@ -58,16 +72,19 @@ export XQUIK_API_KEY="xq_YOUR_KEY_HERE"
 
 | Capability | Description |
 |---|---|
-| Tweet Search | Find tweets by keyword, hashtag, from:user, "exact phrase" |
+| Tweet Search | Find tweets by keyword, hashtag, from:user, "exact phrase", and advanced operators |
 | User Lookup | Profile info, bio, follower/following counts |
-| Tweet Lookup | Full metrics — likes, retweets, replies, quotes, views, bookmarks |
+| Tweet Lookup | Full metrics: likes, retweets, replies, quotes, views, bookmarks |
 | Follow Check | Check if A follows B (both directions) |
 | Trending Topics | Top trends by region (free, no quota) |
 | Account Monitoring | Track new tweets, replies, retweets, quotes, follower changes |
 | Webhooks | HMAC-signed real-time event delivery to your endpoint |
 | Giveaway Draws | Random winner selection from tweet replies with filters |
-| 19 Extraction Tools | Followers, following, verified followers, mentions, posts, replies, reposts, quotes, threads, articles, communities, lists, Spaces, people search |
+| 23 Extraction Tools | Followers, following, verified followers, mentions, posts, replies, reposts, quotes, threads, articles, communities, lists, Spaces, people search, media, likes, and more |
+| Write Actions | Send tweets, post replies, like, repost, follow, unfollow, and send DMs after explicit approval |
+| SDKs | Official TypeScript, Python, Ruby, Go, Kotlin, Java, PHP, C#, CLI, and Terraform clients |
 | MCP Server | StreamableHTTP endpoint for AI-native integrations |
+| TweetClaw OpenClaw Plugin | Installable `@xquik/tweetclaw` runtime with `explore` and `tweetclaw` tools |
 
 ## Examples
 
@@ -101,6 +118,11 @@ export XQUIK_API_KEY="xq_YOUR_KEY_HERE"
 "Extract all followers of @anthropic"
 ```
 
+**Post a reply:**
+```
+"Draft and post a reply to this tweet after I approve the final text"
+```
+
 ## API Reference
 
 | Endpoint | Method | Purpose |
@@ -116,6 +138,8 @@ export XQUIK_API_KEY="xq_YOUR_KEY_HERE"
 | `/draws` | POST | Run giveaway draw |
 | `/extractions` | POST | Start bulk extraction |
 | `/extractions/estimate` | POST | Estimate extraction cost |
+| `/drafts` | POST | Create tweet drafts |
+| `/styles` | POST | Analyze or apply tweet style |
 | `/account` | GET | Account & usage info |
 
 **Base URL:** `https://xquik.com/api/v1`
@@ -126,6 +150,8 @@ export XQUIK_API_KEY="xq_YOUR_KEY_HERE"
 
 https://github.com/Xquik-dev/x-twitter-scraper
 
+TweetClaw OpenClaw plugin: https://github.com/Xquik-dev/tweetclaw
+
 **Maintained By:** [Xquik](https://xquik.com)
 
 ## Limitations

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "opencode-skills-collection",
-  "version": "3.0.11",
+  "version": "3.0.12",
   "description": "OpenCode CLI plugin that automatically downloads and keeps skills up to date.",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",

package/skills_index.json

@@ -773,6 +773,28 @@
       "reasons": []
     }
   },
+  {
+    "id": "agenttrace-session-audit",
+    "path": "skills/agenttrace-session-audit",
+    "category": "development",
+    "name": "agenttrace-session-audit",
+    "description": "Audit local AI coding-agent sessions with agenttrace for cost, tool failures, latency, anomalies, health, diffs, and CI gates.",
+    "risk": "safe",
+    "source": "community",
+    "date_added": "2026-05-10",
+    "plugin": {
+      "targets": {
+        "codex": "supported",
+        "claude": "supported"
+      },
+      "setup": {
+        "type": "none",
+        "summary": "",
+        "docs": null
+      },
+      "reasons": []
+    }
+  },
   {
     "id": "ai-agent-development",
     "path": "skills/ai-agent-development",
@@ -11161,6 +11183,28 @@
       "reasons": []
     }
   },
+  {
+    "id": "ejentum-reasoning-harness",
+    "path": "skills/ejentum-reasoning-harness",
+    "category": "ai-ml",
+    "name": "ejentum-reasoning-harness",
+    "description": "MCP server exposing four cognitive harness modes (reasoning, code, anti-deception, memory). Each call returns an engineered scaffold (failure pattern, procedure, suppression vectors, falsification test) the agent ingests before generating.",
+    "risk": "critical",
+    "source": "community",
+    "date_added": "2026-05-10",
+    "plugin": {
+      "targets": {
+        "codex": "supported",
+        "claude": "supported"
+      },
+      "setup": {
+        "type": "manual",
+        "summary": "Install the ejentum-mcp MCP server (`npx -y ejentum-mcp`) and provide an EJENTUM_API_KEY env var (free tier: 100 calls, no card, at https://ejentum.com/pricing). Add the server to your client's mcpServers config (Claude Code, Cursor, Cline, Windsurf, Codex CLI, Gemini CLI, Antigravity, or VS Code Copilot Chat).",
+        "docs": "https://github.com/ejentum/ejentum-mcp#installation"
+      },
+      "reasons": []
+    }
+  },
   {
     "id": "electron-development",
     "path": "skills/electron-development",
@@ -15915,6 +15959,28 @@
       "reasons": []
     }
   },
+  {
+    "id": "ingest-youtube",
+    "path": "skills/ingest-youtube",
+    "category": "uncategorized",
+    "name": "ingest-youtube",
+    "description": "Pull a YouTube video transcript into a queryable markdown vault with yt-dlp subtitle discovery, VTT cleanup, metadata frontmatter, and capture-seed stubs.",
+    "risk": "safe",
+    "source": "community",
+    "date_added": "2026-05-09",
+    "plugin": {
+      "targets": {
+        "codex": "supported",
+        "claude": "supported"
+      },
+      "setup": {
+        "type": "none",
+        "summary": "",
+        "docs": null
+      },
+      "reasons": []
+    }
+  },
   {
     "id": "inngest",
     "path": "skills/inngest",
@@ -19165,20 +19231,22 @@
     "category": "testing",
     "name": "mock-hunter",
     "description": "Audit a live web page in five phases (catalog, click, trace, classify, report) to identify mock data, hardcoded values, LLM-generated metrics, and broken endpoints. Outputs a markdown report with REAL/MOCK/LLM/HARDCODED/BROKEN/UNKNOWN verdicts per visible value.",
-    "risk": "safe",
+    "risk": "critical",
     "source": "community",
     "date_added": "2026-05-07",
     "plugin": {
       "targets": {
-        "codex": "supported",
-        "claude": "supported"
+        "codex": "blocked",
+        "claude": "blocked"
       },
       "setup": {
         "type": "none",
         "summary": "",
         "docs": null
       },
-      "reasons": []
+      "reasons": [
+        "explicit_target_restriction"
+      ]
     }
   },
   {
@@ -31531,7 +31599,7 @@
     "path": "skills/x-twitter-scraper",
     "category": "data",
     "name": "x-twitter-scraper",
-    "description": "X (Twitter) data platform skill \u2014 tweet search, user lookup, follower extraction, engagement metrics, giveaway draws, monitoring, webhooks, 19 extraction tools, MCP server.",
+    "description": "X/Twitter automation skill for tweet search, follower export, media download, posting, replies, DMs, webhooks, MCP, SDKs, and the TweetClaw OpenClaw plugin.",
     "risk": "safe",
     "source": "community",
     "date_added": "2026-02-28",