opencode-skills-collection 3.0.21 → 3.0.23

package/bundled-skills/.antigravity-install-manifest.json

@@ -1,6 +1,6 @@
 {
   "schemaVersion": 1,
-  "updatedAt": "2026-05-20T02:02:44.073Z",
+  "updatedAt": "2026-05-22T02:03:47.949Z",
   "entries": [
     "00-andruia-consultant",
     "007",
@@ -269,6 +269,7 @@
     "beautiful-prose",
     "behavioral-modes",
     "bevy-ecs-expert",
+    "bilig-workpaper",
     "bill-gates",
     "billing-automation",
     "binary-analysis-patterns",
@@ -860,6 +861,7 @@
     "memory-safety-patterns",
     "memory-systems",
     "mental-health-analyzer",
+    "mercury-mcp",
     "mermaid-expert",
     "metasploit-framework",
     "micro-saas-launcher",
@@ -997,6 +999,7 @@
     "performance-testing-review-multi-agent-review",
     "personal-tool-builder",
     "phase-gated-debugging",
+    "photopea-embedded-editor",
     "php-pro",
     "pipecat-friday-agent",
     "pipedrive-automation",
@@ -1266,6 +1269,7 @@
     "stripe-automation",
     "stripe-integration",
     "subagent-driven-development",
+    "subagent-orchestrator",
     "subject-line-psychologist",
     "supabase-automation",
     "superpowers-lab",

package/bundled-skills/bilig-workpaper/SKILL.md

@@ -0,0 +1,145 @@
+---
+name: bilig-workpaper
+description: "Use formula-backed WorkPaper JSON and MCP tools for agent spreadsheet tasks without driving Excel or a browser UI."
+risk: unknown
+source: community
+date_added: "2026-05-21"
+tags:
+  - spreadsheets
+  - formulas
+  - mcp
+  - xlsx
+  - typescript
+---
+
+# Bilig WorkPaper
+
+## Overview
+
+Bilig WorkPaper gives agents a code-first workbook runtime for spreadsheet-style business logic. Use it when the task is easier to model as sheets and formulas, but the reliable path is to edit cells through an API, recalculate, read computed values back, and persist a JSON workbook document.
+
+The main use case is replacing fragile spreadsheet UI automation with deterministic tool calls. It is useful for quote calculators, payout models, budget checks, import validation, and reduced XLSX formula bug reports.
+
+## When To Use This Skill
+
+Use this skill when the user needs to:
+
+- work with spreadsheet formulas from a Node.js service, route, test, or agent tool;
+- write workbook inputs and verify calculated outputs with readback proof;
+- persist a formula workbook as reviewable WorkPaper JSON;
+- expose a file-backed workbook through MCP tools;
+- investigate an XLSX formula recalculation issue without automating Excel, LibreOffice, or a browser grid.
+
+Do not use it for manual spreadsheet editing, VBA/macros, pivots, charts, COM automation, or exact desktop Excel behavior unless the user explicitly asks to compare against Excel as an oracle.
+
+## Safer Command Pattern
+
+Prefer argument arrays in MCP/client configuration. Do not shell-concatenate user-provided paths, sheet names, formulas, or cell addresses. Reject path or cell input containing newlines, backticks, `$(`, `;`, `&`, `|`, `<`, or `>` before using it in a command.
+
+## Quick MCP Setup
+
+First prove the package-owned challenge works:
+
+```json
+{
+  "command": "npm",
+  "args": ["exec", "--package", "@bilig/workpaper", "--", "bilig-mcp-challenge"]
+}
+```
+
+Then run a writable file-backed MCP server:
+
+```json
+{
+  "command": "npm",
+  "args": [
+    "exec",
+    "--package",
+    "@bilig/workpaper",
+    "--",
+    "bilig-workpaper-mcp",
+    "--workpaper",
+    "./pricing.workpaper.json",
+    "--init-demo-workpaper",
+    "--writable"
+  ]
+}
+```
+
+Useful tools exposed by the MCP server:
+
+- `list_sheets`
+- `read_range`
+- `read_cell`
+- `set_cell_contents`
+- `get_cell_display_value`
+- `export_workpaper_document`
+- `validate_formula`
+
+After every write, read the dependent output cell and export the WorkPaper document. Do not claim success from the write call alone.
+
+## Direct TypeScript Pattern
+
+Use the package directly when workbook logic belongs inside application code:
+
+```ts
+import {
+  WorkPaper,
+  exportWorkPaperDocument,
+  serializeWorkPaperDocument,
+} from "@bilig/workpaper";
+
+const workbook = WorkPaper.buildFromSheets({
+  Inputs: [
+    ["Metric", "Value"],
+    ["Customers", 20],
+    ["Average revenue", 1200],
+  ],
+  Summary: [
+    ["Metric", "Value"],
+    ["Revenue", "=Inputs!B2*Inputs!B3"],
+  ],
+});
+
+const inputs = workbook.getSheetId("Inputs");
+const summary = workbook.getSheetId("Summary");
+if (inputs === undefined || summary === undefined) {
+  throw new Error("Workbook is missing required sheets");
+}
+
+workbook.setCellContents({ sheet: inputs, row: 1, col: 1 }, 32);
+const revenue = workbook.getCellDisplayValue({ sheet: summary, row: 1, col: 1 });
+const saved = serializeWorkPaperDocument(
+  exportWorkPaperDocument(workbook, { includeConfig: true }),
+);
+
+console.log({ revenue, savedBytes: saved.length });
+```
+
+## Required Verification
+
+A good agent response should include:
+
+- exact sheet names and A1 cells edited;
+- before values for important inputs and dependent outputs;
+- after values read from the recalculated workbook;
+- persistence evidence from exported or serialized WorkPaper JSON;
+- restore or reimport proof when file boundaries matter;
+- clear limitations for unsupported formulas or Excel-only behavior.
+
+If any proof step fails, report the blocker instead of saying the workbook was updated.
+
+## Limitations
+
+- WorkPaper behavior is not a complete replacement for desktop Excel, VBA, pivots, charts, or UI automation.
+- Formula compatibility depends on the Bilig runtime and should be verified against Excel when exact parity matters.
+- MCP writes should remain scoped to trusted workbook paths and must be followed by readback validation.
+
+## References
+
+- Repository: https://github.com/proompteng/bilig
+- Compact docs map: https://proompteng.github.io/bilig/llms.txt
+- Agent handbook: https://proompteng.github.io/bilig/headless-workpaper-agent-handbook.html
+- MCP server guide: https://proompteng.github.io/bilig/mcp-workpaper-tool-server.html
+- XLSX formula clinic: https://proompteng.github.io/bilig/formula-bug-clinic.html
+- Compatibility limits: https://proompteng.github.io/bilig/where-bilig-is-not-excel-compatible-yet.html

package/bundled-skills/docs/integrations/jetski-cortex.md

@@ -1,9 +1,9 @@
 ---
 title: Jetski/Cortex + Gemini Integration Guide
-description: "Use antigravity-awesome-skills with Jetski/Cortex without hitting context-window overflow with 1,460+ skills."
+description: "Use antigravity-awesome-skills with Jetski/Cortex without hitting context-window overflow with 1,464+ skills."
 ---
 
-# Jetski/Cortex + Gemini: safe integration with 1,460+ skills
+# Jetski/Cortex + Gemini: safe integration with 1,464+ skills
 
 This guide shows how to integrate the `antigravity-awesome-skills` repository with an agent based on **Jetski/Cortex + Gemini** (or similar frameworks) **without exceeding the model context window**.
 
@@ -23,7 +23,7 @@ Never do:
 - concatenate all `SKILL.md` content into a single system prompt;
 - re-inject the entire library for **every** request.
 
-With 1,460+ skills, this approach fills the context window before user messages are even added, causing truncation.
+With 1,464+ skills, this approach fills the context window before user messages are even added, causing truncation.
 
 ---
 

package/bundled-skills/docs/integrations/jetski-gemini-loader/README.md

@@ -21,7 +21,7 @@ This example shows one way to integrate **antigravity-awesome-skills** with a Je
 - How to enforce a **maximum number of skills per turn** via `maxSkillsPerTurn`.
 - How to choose whether to **truncate or error** when too many skills are requested via `overflowBehavior`.
 
-This pattern avoids context overflow when you have 1,460+ skills installed.
+This pattern avoids context overflow when you have 1,464+ skills installed.
 
 Manifest contract references:
 

package/bundled-skills/docs/maintainers/repo-growth-seo.md

@@ -6,7 +6,7 @@ This document keeps the repository's GitHub-facing discovery copy aligned with t
 
 Preferred positioning:
 
-> Installable GitHub library of 1,460+ agentic skills for Claude Code, Cursor, Codex CLI, Gemini CLI, Antigravity, and other AI coding assistants.
+> Installable GitHub library of 1,464+ agentic skills for Claude Code, Cursor, Codex CLI, Gemini CLI, Antigravity, and other AI coding assistants.
 
 Key framing:
 
@@ -20,7 +20,7 @@ Key framing:
 
 Preferred description:
 
-> Installable GitHub library of 1,460+ agentic skills for Claude Code, Cursor, Codex CLI, Gemini CLI, Antigravity, and more. Includes installer CLI, bundles, workflows, and official/community skill collections.
+> Installable GitHub library of 1,464+ agentic skills for Claude Code, Cursor, Codex CLI, Gemini CLI, Antigravity, and more. Includes installer CLI, bundles, workflows, and official/community skill collections.
 
 Preferred homepage:
 
@@ -28,7 +28,7 @@ Preferred homepage:
 
 Preferred social preview:
 
-- use a clean preview image that says `1,460+ Agentic Skills`;
+- use a clean preview image that says `1,464+ Agentic Skills`;
 - mention Claude Code, Cursor, Codex CLI, and Gemini CLI;
 - avoid dense text and tiny logos that disappear in social cards.
 

package/bundled-skills/docs/maintainers/skills-update-guide.md

@@ -72,7 +72,7 @@ The update process refreshes:
 - Canonical skills index (`skills_index.json`)
 - Compatibility mirror (`data/skills_index.json`)
 - Web app skills data (`apps\web-app\public\skills.json`)
-- All 1,460+ skills from the skills directory
+- All 1,464+ skills from the skills directory
 
 ## When to Update
 

package/bundled-skills/docs/users/bundles.md

@@ -673,4 +673,4 @@ Found a skill that should be in a bundle? Or want to create a new bundle? [Open
 
 ---
 
-_Last updated: March 2026 | Total Skills: 1,460+ | Total Bundles: 37_
+_Last updated: March 2026 | Total Skills: 1,464+ | Total Bundles: 37_

package/bundled-skills/docs/users/claude-code-skills.md

@@ -12,7 +12,7 @@ Install the library into Claude Code, then invoke focused skills directly in the
 
 ## Why use this repo for Claude Code
 
-- It includes 1,460+ skills instead of a narrow single-domain starter pack.
+- It includes 1,464+ skills instead of a narrow single-domain starter pack.
 - It supports the standard `.claude/skills/` path and the Claude Code plugin marketplace flow.
 - It also ships generated bundle plugins so teams can install focused packs like `Essentials` or `Security Developer` from the marketplace metadata.
 - It includes onboarding docs, bundles, and workflows so new users do not need to guess where to begin.

package/bundled-skills/docs/users/gemini-cli-skills.md

@@ -12,7 +12,7 @@ Install into the Gemini skills path, then ask Gemini to apply one skill at a tim
 
 - It installs directly into the expected Gemini skills path.
 - It includes both core software engineering skills and deeper agent/LLM-oriented skills.
-- It helps new users get started with bundles and workflows rather than forcing a cold start from 1,460+ files.
+- It helps new users get started with bundles and workflows rather than forcing a cold start from 1,464+ files.
 - It is useful whether you want a broad internal skill library or a single repo to test many workflows quickly.
 
 ## Install Gemini CLI Skills

package/bundled-skills/docs/users/getting-started.md

@@ -1,4 +1,4 @@
-# Getting Started with Antigravity Awesome Skills (V11.3.0)
+# Getting Started with Antigravity Awesome Skills (V11.5.0)
 
 **New here? This guide will help you supercharge your AI Agent in 5 minutes.**
 

package/bundled-skills/docs/users/kiro-integration.md

@@ -18,7 +18,7 @@ Kiro is AWS's agentic AI IDE that combines:
 
 Kiro's agentic capabilities are enhanced by skills that provide:
 
-- **Domain expertise** across 1,460+ specialized areas
+- **Domain expertise** across 1,464+ specialized areas
 - **Best practices** from Anthropic, OpenAI, Google, Microsoft, and AWS
 - **Workflow automation** for common development tasks
 - **AWS-specific patterns** for serverless, infrastructure, and cloud architecture

package/bundled-skills/docs/users/usage.md

@@ -14,7 +14,7 @@ If you came in through a **Claude Code** or **Codex** plugin instead of a full l
 
 When you ran `npx antigravity-awesome-skills` or cloned the repository, you:
 
-✅ **Downloaded 1,460+ skill files** to your computer (default: `~/.gemini/antigravity/skills/`; or a custom path like `~/.agent/skills/` if you used `--path`)
+✅ **Downloaded 1,464+ skill files** to your computer (default: `~/.gemini/antigravity/skills/`; or a custom path like `~/.agent/skills/` if you used `--path`)
 ✅ **Made them available** to your AI assistant  
 ❌ **Did NOT enable them all automatically** (they're just sitting there, waiting)
 
@@ -34,7 +34,7 @@ Bundles are **curated groups** of skills organized by role. They help you decide
 
 **Analogy:**
 
-- You installed a toolbox with 1,460+ tools (✅ done)
+- You installed a toolbox with 1,464+ tools (✅ done)
 - Bundles are like **labeled organizer trays** saying: "If you're a carpenter, start with these 10 tools"
 - You can either **pick skills from the tray** or install that tray as a focused marketplace bundle plugin
 
@@ -212,7 +212,7 @@ Let's actually use a skill right now. Follow these steps:
 
 ## Step 5: Picking Your First Skills (Practical Advice)
 
-Don't try to use all 1,460+ skills at once. Here's a sensible approach:
+Don't try to use all 1,464+ skills at once. Here's a sensible approach:
 
 If you want a tool-specific starting point before choosing skills, use:
 
@@ -343,7 +343,7 @@ Usually no, but if your AI doesn't recognize a skill:
 
 ### "Can I load all skills into the model at once?"
 
-No. Even though you have 1,460+ skills installed locally, you should **not** concatenate every `SKILL.md` into a single system prompt or context block.
+No. Even though you have 1,464+ skills installed locally, you should **not** concatenate every `SKILL.md` into a single system prompt or context block.
 
 The intended pattern is:
 

package/bundled-skills/docs/users/visual-guide.md

@@ -34,7 +34,7 @@ antigravity-awesome-skills/
 ├── 📄 CONTRIBUTING.md                  ← Contributor workflow
 ├── 📄 CATALOG.md                       ← Full generated catalog
 │
-├── 📁 skills/                          ← 1,460+ skills live here
+├── 📁 skills/                          ← 1,464+ skills live here
 │   │
 │   ├── 📁 brainstorming/
 │   │   └── 📄 SKILL.md                 ← Skill definition
@@ -47,7 +47,7 @@ antigravity-awesome-skills/
 │   │   └── 📁 2d-games/
 │   │       └── 📄 SKILL.md             ← Nested skills also supported
 │   │
-│   └── ... (1,460+ total)
+│   └── ... (1,464+ total)
 │
 ├── 📁 apps/
 │   └── 📁 web-app/                     ← Interactive browser
@@ -100,7 +100,7 @@ antigravity-awesome-skills/
 
 ```
                     ┌─────────────────────────┐
-                    │  1,460+ SKILLS          │
+                    │  1,464+ SKILLS          │
                     └────────────┬────────────┘
                                  │
         ┌────────────────────────┼────────────────────────┐
@@ -201,7 +201,7 @@ If you want a workspace-style manual install instead, cloning into `.agent/skill
 │   ├── 📁 brainstorming/                 │
 │   ├── 📁 stripe-integration/            │
 │   ├── 📁 react-best-practices/          │
-│   └── ... (1,460+ total)                │
+│   └── ... (1,464+ total)                │
 └─────────────────────────────────────────┘
 ```
 

package/bundled-skills/ejentum-reasoning-harness/SKILL.md

@@ -9,6 +9,9 @@ date_added: "2026-05-10"
 license: "MIT"
 license_source: "https://github.com/ejentum/ejentum-mcp/blob/main/LICENSE"
 plugin:
+  targets:
+    codex: blocked
+    claude: blocked
   setup:
     type: manual
     summary: "Install the ejentum-mcp MCP server (`npx -y ejentum-mcp`) and provide an EJENTUM_API_KEY env var (free tier: 100 calls, no card, at https://ejentum.com/pricing). Add the server to your client's mcpServers config (Claude Code, Cursor, Cline, Windsurf, Codex CLI, Gemini CLI, Antigravity, or VS Code Copilot Chat)."

package/bundled-skills/ingest-youtube/SKILL.md

@@ -9,6 +9,11 @@ date_added: "2026-05-09"
 license: MIT
 license_source: "https://github.com/adelaidasofia/ai-brain-starter/blob/main/LICENSE"
 upstream: "https://github.com/adelaidasofia/ai-brain-starter/tree/main/skills/ingest-youtube"
+plugin:
+  setup:
+    type: manual
+    summary: "Install yt-dlp locally before running ingest.py; the script only accepts http(s) YouTube video URLs and writes markdown into the selected vault."
+    docs: "SKILL.md"
 ---
 
 # ingest-youtube — YouTube-to-vault connector
@@ -34,7 +39,7 @@ Do NOT use for:
 
 1. Parse the input as one YouTube video URL.
 2. Verify `yt-dlp` is installed. If not, the script exits with install instructions: `brew install yt-dlp` (macOS) or `pip3 install --user yt-dlp`.
-3. Call `yt-dlp --list-subs <url>` to enumerate available subtitles.
+3. Validate the URL as a single http(s) YouTube video and call `yt-dlp --ignore-config --list-subs -- <url>` to enumerate available subtitles.
 4. Subtitle priority: manual subs > auto-generated captions. Manual subs preserve creator-provided punctuation and speaker labels; auto-gen is uppercase + no punctuation.
 5. Download the highest-priority subtitle as VTT via `yt-dlp --write-sub --sub-lang <lang> --skip-download`. Default language preference: `en,es` (English first, Spanish second).
 6. Strip VTT timing markers and merge into clean prose paragraphs. Deduplicate repeated lines (auto-generated VTTs are line-doubled). Preserve speaker labels if the source had them.

package/bundled-skills/ingest-youtube/ingest.py

@@ -22,6 +22,7 @@ Defaults:
 from __future__ import annotations
 
 import argparse
+import html
 import json
 import os
 import re
@@ -31,10 +32,13 @@ import sys
 import tempfile
 from datetime import datetime, timezone
 from pathlib import Path
+from urllib.parse import parse_qs, urlparse, urlunparse
 
 VTT_TIMING_RE = re.compile(r"\d{2}:\d{2}:\d{2}\.\d{3} --> \d{2}:\d{2}:\d{2}\.\d{3}.*")
 VTT_HEADER_RE = re.compile(r"^(WEBVTT|Kind:|Language:|NOTE\s|X-TIMESTAMP-MAP)", re.MULTILINE)
 SLUG_RE = re.compile(r"[^a-z0-9]+")
+YOUTUBE_VIDEO_ID_RE = re.compile(r"^[A-Za-z0-9_-]{11}$")
+SUBPROCESS_TIMEOUT_SECONDS = 60
 SEED_KEYWORDS = (
     "decision", "framework", "model", "principle", "the lesson is",
     "playbook", "anti-pattern", "case study", "what i learned",
@@ -42,6 +46,57 @@ SEED_KEYWORDS = (
 )
 
 
+def validate_youtube_url(raw_url: str) -> str:
+    if not raw_url or raw_url.startswith("-") or any(ord(ch) < 32 or ord(ch) == 127 for ch in raw_url):
+        raise ValueError("URL must be a valid http(s) YouTube video URL")
+
+    parsed = urlparse(raw_url)
+    if parsed.scheme not in {"http", "https"}:
+        raise ValueError("URL must use http or https")
+
+    host = parsed.hostname.lower() if parsed.hostname else ""
+    video_id = ""
+
+    if host in {"youtube.com", "www.youtube.com", "m.youtube.com", "music.youtube.com"}:
+        parts = [part for part in parsed.path.split("/") if part]
+        if parsed.path == "/watch":
+            video_id = parse_qs(parsed.query).get("v", [""])[0]
+        elif len(parts) >= 2 and parts[0] in {"shorts", "embed", "v"}:
+            video_id = parts[1]
+    elif host == "youtu.be":
+        video_id = parsed.path.lstrip("/").split("/", 1)[0]
+
+    if not YOUTUBE_VIDEO_ID_RE.fullmatch(video_id):
+        raise ValueError("URL must point to a single YouTube video")
+
+    return urlunparse(("https", "www.youtube.com", "/watch", "", f"v={video_id}", ""))
+
+
+def run_ytdlp(args: list[str]) -> subprocess.CompletedProcess[str]:
+    return subprocess.run(
+        args,
+        capture_output=True,
+        text=True,
+        check=False,
+        timeout=SUBPROCESS_TIMEOUT_SECONDS,
+    )
+
+
+def yaml_scalar(value: object) -> str:
+    if isinstance(value, bool):
+        return "true" if value else "false"
+    if isinstance(value, (int, float)):
+        return str(value)
+    if value is None:
+        return '""'
+    return json.dumps(str(value), ensure_ascii=False)
+
+
+def markdown_text(value: object) -> str:
+    text = html.escape(str(value), quote=False)
+    return re.sub(r"([\\`*_{}\[\]()#+.!|-])", r"\\\1", text)
+
+
 def slugify(text: str, max_len: int = 60) -> str:
     s = SLUG_RE.sub("-", text.lower()).strip("-")
     return s[:max_len].rstrip("-") or "untitled"
@@ -59,10 +114,7 @@ def require_bin(name: str) -> str:
 
 
 def fetch_metadata(url: str, ytdlp: str) -> dict:
-    proc = subprocess.run(
-        [ytdlp, "--skip-download", "--print-json", "--no-warnings", url],
-        capture_output=True, text=True, check=False,
-    )
+    proc = run_ytdlp([ytdlp, "--ignore-config", "--skip-download", "--print-json", "--no-warnings", "--", url])
     if proc.returncode != 0:
         sys.stderr.write(f"yt-dlp metadata fetch failed:\n{proc.stderr}\n")
         sys.exit(3)
@@ -70,10 +122,7 @@ def fetch_metadata(url: str, ytdlp: str) -> dict:
 
 
 def list_subs(url: str, ytdlp: str) -> str:
-    proc = subprocess.run(
-        [ytdlp, "--list-subs", "--skip-download", "--no-warnings", url],
-        capture_output=True, text=True, check=False,
-    )
+    proc = run_ytdlp([ytdlp, "--ignore-config", "--list-subs", "--skip-download", "--no-warnings", "--", url])
     return proc.stdout
 
 
@@ -117,11 +166,10 @@ def pick_lang(prefs: list[str], manual: set[str], auto: set[str]) -> tuple[str,
 def download_subs(url: str, lang: str, source: str, ytdlp: str, workdir: Path) -> Path:
     flag = "--write-sub" if source == "manual" else "--write-auto-sub"
     out_template = str(workdir / "%(id)s.%(ext)s")
-    proc = subprocess.run(
-        [ytdlp, flag, "--sub-lang", lang, "--skip-download",
-         "--sub-format", "vtt", "-o", out_template, "--no-warnings", url],
-        capture_output=True, text=True, check=False,
-    )
+    proc = run_ytdlp([
+        ytdlp, "--ignore-config", flag, "--sub-lang", lang, "--skip-download",
+        "--sub-format", "vtt", "-o", out_template, "--no-warnings", "--", url,
+    ])
     if proc.returncode != 0:
         sys.stderr.write(f"yt-dlp subtitle download failed:\n{proc.stderr}\n")
         sys.exit(4)
@@ -171,11 +219,7 @@ def write_vault_file(
     target = target_dir / f"{upload_date}-{video_slug}.md"
     yaml_lines = ["---"]
     for k, v in frontmatter.items():
-        if isinstance(v, str) and ("\n" in v or ":" in v):
-            v = v.replace('"', '\\"')
-            yaml_lines.append(f'{k}: "{v}"')
-        else:
-            yaml_lines.append(f"{k}: {v}")
+        yaml_lines.append(f"{k}: {yaml_scalar(v)}")
     yaml_lines.append("---")
     target.write_text("\n".join(yaml_lines) + "\n\n" + body + "\n", encoding="utf-8")
     return target
@@ -193,14 +237,14 @@ def write_seed_stub(
         "---\n"
         "type: capture\n"
         "source: youtube\n"
-        f"video_url: {video_url}\n"
-        f"detected_at: {datetime.now(timezone.utc).isoformat()}\n"
-        f"keywords: {', '.join(seeds)}\n"
+        f"video_url: {yaml_scalar(video_url)}\n"
+        f"detected_at: {yaml_scalar(datetime.now(timezone.utc).isoformat())}\n"
+        f"keywords: {yaml_scalar(', '.join(seeds))}\n"
         "status: open\n"
         "---\n\n"
-        f"# Capture seed: {video_title}\n\n"
-        f"Trigger keywords detected in transcript: {', '.join(seeds)}.\n\n"
-        f"Source: {video_url}\n\n"
+        f"# Capture seed: {markdown_text(video_title)}\n\n"
+        f"Trigger keywords detected in transcript: {markdown_text(', '.join(seeds))}.\n\n"
+        f"Source: {markdown_text(video_url)}\n\n"
         "## Notes\n\n(fill in)\n"
     )
     target.write_text(body, encoding="utf-8")
@@ -220,10 +264,16 @@ def main() -> int:
         sys.stderr.write(f"Vault root not a directory: {vault_root}\n")
         return 1
 
+    try:
+        youtube_url = validate_youtube_url(args.url)
+    except ValueError as exc:
+        sys.stderr.write(f"Invalid YouTube URL: {exc}\n")
+        return 2
+
     ytdlp = require_bin("yt-dlp")
     prefs = [c.strip() for c in args.lang.split(",") if c.strip()]
 
-    meta = fetch_metadata(args.url, ytdlp)
+    meta = fetch_metadata(youtube_url, ytdlp)
     video_id = meta.get("id", "unknown")
     title = meta.get("title", "Untitled")
     channel = meta.get("channel") or meta.get("uploader") or "unknown-channel"
@@ -236,7 +286,7 @@ def main() -> int:
         datetime.now().strftime("%Y-%m-%d")
     )
 
-    listing = list_subs(args.url, ytdlp)
+    listing = list_subs(youtube_url, ytdlp)
     manual, auto = parse_available_subs(listing)
     pick = pick_lang(prefs, manual, auto)
 
@@ -247,7 +297,7 @@ def main() -> int:
     if pick:
         lang_code, sub_source = pick
         with tempfile.TemporaryDirectory() as td:
-            vtt = download_subs(args.url, lang_code, sub_source, ytdlp, Path(td))
+            vtt = download_subs(youtube_url, lang_code, sub_source, ytdlp, Path(td))
             transcript = clean_vtt(vtt)
     elif args.whisper:
         sys.stderr.write("Whisper fallback requested but not yet implemented in v0.1.\n")
@@ -261,18 +311,18 @@ def main() -> int:
     seeds = detect_seeds(transcript) if transcript else []
 
     body = transcript or (
-        f"# {title}\n\n"
+        f"# {markdown_text(title)}\n\n"
         f"No subtitles or auto-captions available for this video.\n\n"
         "To capture this transcript, add captions to the source video or transcribe the audio "
         "with your local Whisper workflow and re-run ingest.\n\n"
-        f"Source: {args.url}\n"
+        f"Source: {markdown_text(youtube_url)}\n"
     )
 
     fm = {
         "type": "external-input",
         "source": "youtube",
         "video_id": video_id,
-        "url": args.url,
+        "url": youtube_url,
         "channel": channel,
         "channel_url": meta.get("channel_url", ""),
         "title": title,
@@ -288,7 +338,7 @@ def main() -> int:
     seed_paths: list[Path] = []
     if seeds:
         seed_paths.append(
-            write_seed_stub(vault_root, upload_date, channel_slug, video_id, seeds, args.url, title)
+            write_seed_stub(vault_root, upload_date, channel_slug, video_id, seeds, youtube_url, title)
         )
 
     seed_str = f" Seeds at: {', '.join(str(p) for p in seed_paths)}." if seed_paths else ""

package/bundled-skills/linux-privilege-escalation/SKILL.md

@@ -9,8 +9,6 @@ date_added: "2026-02-27"
 
 > AUTHORIZED USE ONLY: Use this skill only for authorized security assessments, defensive validation, or controlled educational environments.
 
-<!-- security-allowlist: curl-pipe-bash -->
-
 # Linux Privilege Escalation
 
 ## Purpose
@@ -145,8 +143,11 @@ echo $PATH
 Deploy automated scripts for comprehensive enumeration:
 
 ```bash
-# LinPEAS
-curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh
+# LinPEAS: download first, inspect the script, then execute only in an authorized lab
+curl -L -o linpeas.sh https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh
+less linpeas.sh
+chmod +x linpeas.sh
+./linpeas.sh
 
 # LinEnum
 ./LinEnum.sh -t