npm - opencode-skills-collection - Versions diffs - 3.0.24 → 3.0.25 - Mend

opencode-skills-collection 3.0.24 → 3.0.25

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (58) hide show

package/bundled-skills/apify-actor-development/SKILL.md CHANGED Viewed

@@ -5,8 +5,6 @@ risk: unknown
 source: community
 ---
-<!-- security-allowlist: curl-pipe-bash, irm-pipe-iex -->
 # Apify Actor Development
 **Important:** Before you begin, fill in the `generatedBy` property in the meta section of `.actor/actor.json`. Replace it with the tool and model you're currently using, such as "Claude Code with Claude Sonnet 4.5". This helps Apify monitor and improve AGENTS.md for specific AI tools and models.
@@ -40,8 +38,8 @@ npm install -g apify-cli
 # Or (Mac): brew install apify-cli
 ```
-> **Security note:** Do NOT install the CLI by piping remote scripts to a shell
-> (e.g. `curl … | bash` or `irm … | iex`). Always use a package manager.
+> **Security note:** Do NOT install the CLI by piping remote scripts directly
+> into a shell. Always use a package manager.
 When the apify CLI is installed, check that it is logged in with:

package/bundled-skills/audit-skills/SKILL.md CHANGED Viewed

@@ -10,8 +10,6 @@ tags: [security, audit, skills, bundles, cross-platform]
 tools: [claude, gemini, gpt, llama, mistral, etc]
 ---
-<!-- security-allowlist: curl-pipe-bash -->
 # Audit Skills (Premium Universal Security)
 ## Overview
@@ -79,7 +77,7 @@ Analyzes code for platform-specific security issues across Windows, macOS, Linux
 #### 8. Obfuscation & Persistence
 - **Encoding**: `Base64`, `Hex`, `XOR` loops, `atob()`.
 - **Persistence**: `reg add` (Run keys), `schtasks`, `crontab`, `launchctl` (macOS), `systemd` units.
-- **Tubes**: `curl ... | bash`, `iwr ... | iex`.
+- **Remote script piping**: network fetch commands that stream directly into a shell or PowerShell evaluator.
 #### 9. Legitimacy & Scope (Universal)
 - **Registry Alignment**: Cross-reference with `CATALOG.md`.

package/bundled-skills/bun-development/SKILL.md CHANGED Viewed

@@ -6,8 +6,6 @@ source: community
 date_added: "2026-02-27"
 ---
-<!-- security-allowlist: curl-pipe-bash, irm-pipe-iex -->
 # ⚡ Bun Development
 > Fast, modern JavaScript/TypeScript development with the Bun runtime, inspired by [oven-sh/bun](https://github.com/oven-sh/bun).
@@ -30,10 +28,15 @@ Use this skill when:
 ```bash
 # macOS / Linux
-curl -fsSL https://bun.sh/install | bash
+brew install oven-sh/bun/bun
+# Alternative: download the official installer, inspect it, then execute it
+curl -fsSLo /tmp/bun-install.sh https://bun.sh/install
+sed -n '1,160p' /tmp/bun-install.sh
+bash /tmp/bun-install.sh
 # Windows
-powershell -c "irm bun.sh/install.ps1 | iex"
+powershell -NoProfile -Command "Invoke-WebRequest https://bun.sh/install.ps1 -OutFile $env:TEMP\\bun-install.ps1; Get-Content $env:TEMP\\bun-install.ps1 -TotalCount 120; powershell -ExecutionPolicy Bypass -File $env:TEMP\\bun-install.ps1"
 # Homebrew
 brew tap oven-sh/bun
@@ -588,7 +591,7 @@ console.log(__filename);
 ```bash
 # 1. Install Bun
-curl -fsSL https://bun.sh/install | bash
+brew install oven-sh/bun/bun
 # 2. Replace package manager
 rm -rf node_modules package-lock.json

package/bundled-skills/claude-code-expert/SKILL.md CHANGED Viewed

@@ -18,8 +18,6 @@ tools:
 - codex-cli
 ---
-<!-- security-allowlist: curl-pipe-bash -->
 # CLAUDE CODE EXPERT - Potencia Maxima
 ## Overview
@@ -350,7 +348,7 @@ Ideal para: experimentos, refatoracoes arriscadas, POCs sem risco ao main.
     "deny": [
       "Bash(rm -rf *)",
       "Bash(sudo *)",
-      "Bash(curl * | bash)"
+      "Bash(curl *remote-installer*)"
     ]
   }
 }

package/bundled-skills/cloud-penetration-testing/SKILL.md CHANGED Viewed

@@ -9,8 +9,6 @@ date_added: "2026-02-27"
 > AUTHORIZED USE ONLY: Use this skill only for authorized security assessments, defensive validation, or controlled educational environments.
-<!-- security-allowlist: curl-pipe-bash -->
 # Cloud Penetration Testing
 ## Purpose
@@ -31,7 +29,9 @@ curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip
 unzip awscliv2.zip && sudo ./aws/install
 # GCP CLI
-curl https://sdk.cloud.google.com | bash
+curl -fsSLo /tmp/google-cloud-sdk-install.sh https://sdk.cloud.google.com
+sed -n '1,160p' /tmp/google-cloud-sdk-install.sh
+bash /tmp/google-cloud-sdk-install.sh
 gcloud init
 # Additional tools

package/bundled-skills/comfyui-gateway/references/integration.md CHANGED Viewed

@@ -1663,8 +1663,8 @@ DATABASE_URL=postgresql://gateway_user:strong_password@postgres-host:5432/comfyu
 STORAGE_PROVIDER=s3
 S3_ENDPOINT=
 S3_BUCKET=my-comfyui-outputs
-S3_ACCESS_KEY=AKIAIOSFODNN7EXAMPLE
-S3_SECRET_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
+S3_ACCESS_KEY=<AWS_ACCESS_KEY_ID>
+S3_SECRET_KEY=<AWS_SECRET_ACCESS_KEY>
 S3_REGION=us-east-1
 # Cache

package/bundled-skills/docs/integrations/jetski-cortex.md CHANGED Viewed

@@ -1,9 +1,9 @@
 ---
 title: Jetski/Cortex + Gemini Integration Guide
-description: "Use antigravity-awesome-skills with Jetski/Cortex without hitting context-window overflow with 1,464+ skills."
+description: "Use antigravity-awesome-skills with Jetski/Cortex without hitting context-window overflow with 1,465+ skills."
 ---
-# Jetski/Cortex + Gemini: safe integration with 1,464+ skills
+# Jetski/Cortex + Gemini: safe integration with 1,465+ skills
 This guide shows how to integrate the `antigravity-awesome-skills` repository with an agent based on **Jetski/Cortex + Gemini** (or similar frameworks) **without exceeding the model context window**.
@@ -23,7 +23,7 @@ Never do:
 - concatenate all `SKILL.md` content into a single system prompt;
 - re-inject the entire library for **every** request.
-With 1,464+ skills, this approach fills the context window before user messages are even added, causing truncation.
+With 1,465+ skills, this approach fills the context window before user messages are even added, causing truncation.
 ---

package/bundled-skills/docs/integrations/jetski-gemini-loader/README.md CHANGED Viewed

@@ -21,7 +21,7 @@ This example shows one way to integrate **antigravity-awesome-skills** with a Je
 - How to enforce a **maximum number of skills per turn** via `maxSkillsPerTurn`.
 - How to choose whether to **truncate or error** when too many skills are requested via `overflowBehavior`.
-This pattern avoids context overflow when you have 1,464+ skills installed.
+This pattern avoids context overflow when you have 1,465+ skills installed.
 Manifest contract references:
@@ -39,7 +39,7 @@ Manifest contract references:
     - `loadSkillBodies(skillsRoot, metas)`;
     - `buildModelMessages({...})`.
 - See also the integration guide:
-  - [`docs/integrations/jetski-cortex.md`](../../docs/integrations/jetski-cortex.md)
+  - [`docs/integrations/jetski-cortex.md`](../jetski-cortex.md)
 ---

package/bundled-skills/docs/maintainers/full-repo-audit-2026-05-23.md ADDED Viewed

@@ -0,0 +1,289 @@
+# Full repository audit - 2026-05-23
+Status: complete
+This audit tracks the current deep pass over the repository for bugs, inconsistencies, drift, documentation issues, and release/process risks. The working tree was checked from `/Users/nicco/Projects/antigravity-awesome-skills` on `main`.
+Patch follow-up:
+- Resolved in follow-up patches: unsafe archive fallback extraction, Telegram Node vulnerable dependency stack, installer symlink target migration, stale web SEO counts/social card, stale web canonical URL docs, malformed WhatsApp HMAC signature handling, Telegram token-in-URL webhook guidance, `.disabled` web asset publishing, Junta TLS bypasses, legacy manifest verification drift, Telegram HTML escaping, Remotion chart typo, nested skill ID collision coverage, Chinese/localized docs staleness, path-aware internal markdown link repair, and deterministic link/glossary validation reports.
+- Still open after these patches: none from this audit report. The legacy strict skill-quality warnings remain tracked as explicit backlog debt behind `tools/config/audit-skills-strict-budget.json`.
+## Validation evidence
+Passed:
+- `npm run validate`
+- `npm run validate:strict`
+- `npm run validate:references`
+- `npm run plugin-compat:check`
+- `npm run check:warning-budget`
+- `npm run audit:skills`
+- `npm run audit:consistency`
+- `npm run audit:maintainer` reported version/count/warning/consistency clean, then exited non-zero because this audit report itself is an untracked changed file
+- `npm run check:stale-claims`
+- `npm run bundles:check`
+- `npm run check:readme-credits`
+- `npm run security:docs`
+- `npm test`
+- `npm run test:local`
+- `npm run pr:preflight`
+- `npm run app:test`
+- `npm run app:test:coverage`
+- `npm run app:build`
+- `cd apps/web-app && npm run lint`
+- `cd apps/web-app && npm run verify:seo`
+- `npm audit --audit-level=high --omit=dev`
+- `npm audit --audit-level=moderate`
+- `cd apps/web-app && npm audit --audit-level=moderate`
+- `cd data && npm audit --audit-level=moderate`
+- `cd skills/loki-mode/examples/todo-app-generated/backend && npm audit --audit-level=moderate`
+- `cd skills/loki-mode/examples/todo-app-generated/frontend && npm audit --audit-level=moderate`
+- `cd skills/loki-mode/examples/todo-app-generated/backend && npm run build`
+- `cd skills/loki-mode/examples/todo-app-generated/frontend && npm run build`
+- Temp-copy `npm run build` for `skills/telegram/assets/boilerplate/nodejs`
+- Temp-copy `npm run build` for `skills/whatsapp-cloud-api/assets/boilerplate/nodejs`
+- Temp-copy `npm audit --audit-level=moderate` for `skills/whatsapp-cloud-api/assets/boilerplate/nodejs`
+- `npm pack --dry-run --json`
+- `bash scripts/validate-links.sh`
+- `python3 -m py_compile` equivalent pass over tracked Python sources, excluding generated mirrors/output
+- `bash -n` pass over tracked shell scripts, excluding generated mirrors/output
+- `node --check` over tracked JavaScript/CommonJS/ESM source files, excluding generated web output and plugin mirrors
+- JSON/JSONL parse over tracked JSON-like files
+- Ruby/Psych YAML parse over `.github/workflows/*.yml`, discussion templates, and issue templates
+- Ruby/Psych YAML parse over all tracked `*.yml` and `*.yaml`
+- Python XML parser over tracked XML/XSD/SVG files
+- `actionlint v1.7.12` run from `/tmp` over `.github/workflows/*.yml`
+- Global frontmatter parse over all tracked `*SKILL.md` files
+- Full-plugin and bundle-plugin file drift checks against canonical `skills/` sources
+- Plugin manifest parse/check over `.codex-plugin/plugin.json` and `.claude-plugin/plugin.json`
+- Canonical `skills_index.json` ID/path duplicate check
+- Targeted typo/refuso scan for common English misspellings across active repo sources, excluding generated output and plugin mirrors
+- Tracked temporary/bytecode artifact scan for `__pycache__`, `*.pyc`, `.DS_Store`, `*.tmp`, `*.bak`, and `*.orig`
+Observed counts:
+- Root visible skills: 1465
+- Tracked `*SKILL.md` files: 4559
+- Canonical indexed skills: 1465 files, 0 duplicate index IDs, 0 duplicate index paths
+- Canonical skill frontmatter: 0 duplicate names, 0 missing `risk`/`source`, 229 missing `date_added`
+- Nested indexed skills: 20 entries under second-level category paths such as `skills/game-development/2d-games`, `skills/libreoffice/base`, and `skills/security/aws-iam-best-practices`
+- Root `skills_index.json` and `data/skills_index.json`: equal
+- `audit:skills`: 1465 scanned, 0 errors, 740 warning-only
+- App coverage: 12 test files / 72 tests passed, 89.58% statements, 76.84% branches
+- Web app lint: passed with `--max-warnings 0`
+- Web app SEO verifier: passed, with the manifest coverage caveat noted below
+- Python syntax pass: 1077 files checked, 0 errors
+- Shell syntax pass: 61 scripts checked, 0 errors
+- JavaScript syntax pass: 74 source files checked, 0 errors
+- YAML parse pass: 81 files checked, 0 errors
+- XML/XSD/SVG parse pass: 342 files checked, 0 errors
+- Tracked symlinks: 7 checked, all targets exist
+- Plugin mirror `SKILL.md` files: 3094 matched canonical sources byte-for-byte, 0 drift
+- Global tracked skill frontmatter: 4559 `SKILL.md` files parsed, 0 frontmatter errors, 0 missing frontmatter, 0 missing `name`
+- Disabled source skills: 34 `skills/.disabled/*/SKILL.md` files present and included in the global frontmatter parse
+- Full plugin file drift: 11561 files checked in `plugins/antigravity-awesome-skills*`, 0 missing canonical files, 0 drift
+- Bundle plugin file drift: 950 files checked in `plugins/antigravity-bundle-*`, 0 missing canonical files, 0 drift
+- Plugin manifests: 76 manifests parsed, 0 missing name/version/reference errors
+- Maintainer audit: repository `sickn33/antigravity-awesome-skills`, version `11.5.0`, skills `1,465+`, warning budget `0/135`, consistency clean; tracked working tree clean, but the untracked audit report makes the full gate fail until added/removed
+- Stale-claims checker: no stale claims detected in active docs
+- Editorial bundles: manifest and generated doc are in sync
+- README credits check: no changed skill files detected
+- Telegram and WhatsApp TypeScript boilerplates build successfully in temp copies after `npm install --ignore-scripts`
+- WhatsApp TypeScript boilerplate temp-copy moderate audit: `0 vulnerabilities`
+Failed / issue-producing checks:
+- Temp-copy `npm audit --audit-level=moderate` for `skills/telegram/assets/boilerplate/nodejs`: 5 vulnerabilities, including 1 critical (`form-data <2.5.4`) through `node-telegram-bot-api -> @cypress/request-promise -> request`
+- `npm run audit:skills:strict`: 1465 scanned, 0 errors, but 740 warning-only skills / 865 warnings made the strict audit exit non-zero
+- Strict JSON parsing found 5 JSONC-style files with comments: `apps/web-app/tsconfig.json` plus the canonical and mirrored `typescript-expert/references/tsconfig-strict.json` files
+- Targeted typo scan found one confirmed source typo: `skills/remotion-best-practices/rules/charts.md:20`
+## Findings
+### High - archive refresh fallback extracts untrusted archives without path validation
+- File: `apps/web-app/refresh-skills-plugin.js`
+- Lines: `220-261`
+- Evidence: `syncWithArchive()` downloads GitHub tar/zip archives and extracts them with `tar -xzf`, `Expand-Archive`, or `unzip -o` directly into `update_temp`.
+- Risk: an archive containing path traversal entries or malicious symlinks can write outside the intended extraction root before the code checks for `antigravity-awesome-skills-main/skills`.
+- Current tests: `apps/web-app/src/__tests__/refresh-skills-plugin.security.test.js` covers loopback/auth and fast-forward behavior but does not cover archive extraction safety.
+- Suggested fix: replace shell extraction with a safe extraction helper that rejects absolute paths, `..` segments, unsafe symlinks, and post-extraction realpaths outside `update_temp`; add tar/zip regression tests.
+### High - Telegram Node boilerplate resolves a vulnerable request stack
+- File: `skills/telegram/assets/boilerplate/nodejs/package.json`
+- Lines: `11-21`
+- Evidence: a temp-copy install/audit of this package reported 5 vulnerabilities: critical `form-data <2.5.4`, moderate `request`, `qs`, `tough-cookie`, and `uuid`. `npm ls` traces the critical path through `node-telegram-bot-api@0.66.0 -> @cypress/request-promise@5.0.0 -> request@2.88.2 -> form-data@2.3.3`.
+- Risk: users following this boilerplate get a vulnerable dependency graph even though the boilerplate TypeScript itself compiles.
+- Current tests: the root dependency audits do not cover this package because it has no committed lockfile and is not part of the root workspace install.
+- Suggested fix: replace `node-telegram-bot-api` with a maintained Telegram client that does not depend on deprecated `request`, or commit a tested lockfile/override strategy that removes the vulnerable transitive versions.
+### Medium - full-repo install migration preserves target symlinks
+- File: `tools/bin/install.js`
+- Lines: `474-493`
+- Evidence: when `target.path/.git` exists and `target.path` itself is a symlink, the migration renames the symlink to a backup and then recreates the same symlink at `target.path`.
+- Risk: this diverges from the non-symlink migration path, where a fresh directory is created. Subsequent writes continue through the symlink target, which is surprising during a "skills-only layout" migration and weaker as a trust boundary.
+- Suggested fix: either reject symlinked full-repo migration targets with a clear error, or materialize a real directory at `target.path` after backing up the symlink.
+### Medium - prerendered web app SEO count is stale
+- File: `apps/web-app/scripts/prerender-routes.js`
+- Lines: `12`, `156-159`
+- Evidence: `HOME_CATALOG_COUNT` is `1273` and the generated title is hardcoded to `1,273+`, while the current registry has 1465 skills. The checked `apps/web-app/dist/index.html` contains `1,273+ installable AI skills catalog`.
+- Risk: search/social metadata undersells the catalog and drifts from README/CATALOG counts.
+- Suggested fix: derive the title count from the actual `skills.json` count used by prerendering, or update the constant/title together with generated assets.
+### Medium - source web metadata and social card are stale before prerendering
+- Files: `apps/web-app/index.html`, `apps/web-app/public/social-card.svg`
+- Evidence: `index.html` still contains `1,326+` in title, description, Open Graph, and Twitter metadata. `social-card.svg` also displays `1,326+ Agentic Skills` and describes a `1,326 plus` headline.
+- Risk: the built homepage is partially corrected by prerendering, but source metadata, fallback HTML, and social preview assets remain stale and can leak into previews or static hosting paths.
+- Suggested fix: derive counts from the same generated registry source used by the app, or update these assets during the web asset sync step.
+### Medium - app environment docs name an unused canonical URL variable
+- File: `apps/web-app/README.md`
+- Line: `59`
+- Evidence: the README documents `VITE_SITE_URL`, but `apps/web-app/scripts/generate-sitemap.js` reads `SEO_SITE_URL || WEBSITE_BASE_URL` and `apps/web-app/scripts/prerender-routes.js` reads `SEO_SITE_URL`.
+- Risk: maintainers testing non-default hosts may set an environment variable that has no effect on sitemap/prerender canonical URLs.
+- Suggested fix: document `SEO_SITE_URL` and optionally `WEBSITE_BASE_URL`; remove or implement `VITE_SITE_URL`.
+### Medium - WhatsApp webhook HMAC validation throws on malformed signature length
+- File: `skills/whatsapp-cloud-api/assets/boilerplate/nodejs/src/webhook-handler.ts`
+- Lines: `38-41`
+- Evidence: `crypto.timingSafeEqual(Buffer.from(signature), Buffer.from(expectedSignature))` is called without first checking that the two buffers have the same byte length. A direct Node check with a short signature throws `RangeError: Input buffers must have the same byte length`.
+- Risk: malformed `x-hub-signature-256` headers can turn an invalid webhook request into an exception/500 path instead of a clean `401`, creating avoidable error noise and a small DoS surface.
+- Suggested fix: validate the `sha256=<64 hex chars>` shape before comparison, or compare only after checking equal buffer lengths; return `401` for malformed signatures.
+### Medium - Telegram webhook URL embeds the bot token
+- File: `skills/telegram/assets/boilerplate/nodejs/src/bot-client.ts`
+- Lines: `24-45`
+- Evidence: the Express route and registered webhook URL both use `/webhook/${this.token}` while Telegram already supports `secret_token`.
+- Risk: bot tokens placed in URL paths are likely to appear in reverse-proxy logs, request logs, telemetry, browser history, and webhook provider dashboards. The optional secret header loses much of its value if the bearer token itself is the path secret.
+- Suggested fix: use a random non-secret route ID or fixed `/webhook` route plus `x-telegram-bot-api-secret-token`; never include the bot token in URLs.
+### Medium - strict skill audit is not clean even though standard gates pass
+Resolved in follow-up patch: `npm run audit:skills:strict` now enforces a versioned warning budget in `tools/config/audit-skills-strict-budget.json`, with explicit limits for total warnings, warning-only skills, and the top strict finding codes. The current legacy baseline is documented and the command fails on errors or warning regressions above that budget.
+- Command: `npm run audit:skills:strict`
+- Evidence: strict mode scanned 1465 skills and found 0 errors, but still exited non-zero because 740 skills are warning-only with 865 total warnings. Top findings were `risk_suggestion` (1013), `missing_examples` (387), and `skill_too_long` (193).
+- Risk: regular validation and warning-budget gates can look clean while the stricter skill-quality bar is materially unmet.
+- Suggested fix: either wire a consciously scoped subset of strict findings into CI/release gating, or document strict mode as an advisory backlog with explicit thresholds and owners.
+### Medium - web asset setup publishes disabled skills as static files
+- File: `tools/scripts/setup_web.js`
+- Lines: `70-80`
+- Evidence: `app:setup` copies the entire `skills/` directory into `apps/web-app/public/skills` without excluding dot directories. Current generated assets contain `apps/web-app/public/skills/.disabled` and `apps/web-app/dist/skills/.disabled`, each around 17 MiB, with 1294 files copied from 34 disabled skill directories. `skills_index.json` correctly excludes `.disabled` and reports 0 disabled entries.
+- Risk: disabled skills are not shown in the catalog but are still shipped as static web assets and can be fetched directly by path, which conflicts with the validator/indexer semantics that hidden/disabled directories are excluded.
+- Suggested fix: make `copyFolderSync()` skip dot-prefixed directories, or explicitly skip `.disabled` when copying web assets; add a web setup test that asserts `public/skills/.disabled` is absent after `app:setup`.
+### Low - Junta scrapers bypass the shared TLS verification switch
+- Files: `skills/junta-leiloeiros/scripts/scraper/jucisrs.py`, `skills/junta-leiloeiros/scripts/scraper/jucesp.py`, `skills/junta-leiloeiros/scripts/scraper/jucema.py`
+- Lines: `jucisrs.py:178-182`, `jucisrs.py:223-229`, `jucisrs.py:245-257`, `jucesp.py:115-121`, `jucema.py:161-169`
+- Evidence: `base_scraper.py` provides `should_verify_tls()` and tests assert TLS verification is enabled by default, but these state-specific scrapers instantiate `httpx.AsyncClient(verify=False)` or Playwright with `ignore_https_errors=True` directly.
+- Risk: the test suite proves the shared base helper default, but not the actual transport behavior of these scraper implementations; network interception can still tamper with scraper input by default.
+- Suggested fix: replace direct `verify=False` / `ignore_https_errors=True` with `should_verify_tls()` in state-specific scrapers, and extend `test_junta_tls_security.py` to scan or monkeypatch concrete scraper clients.
+### Low - nested skill IDs lose their category namespace in generated routes
+- Files: `tools/scripts/generate_index.py`, `apps/web-app/src/pages/SkillDetail.tsx`, `apps/web-app/src/components/SkillCard.tsx`
+- Lines: `generate_index.py:879-887`, `SkillDetail.tsx:61-79`, `SkillCard.tsx:16`
+- Evidence: `generate_index.py` sets each skill `id` to `os.path.basename(root)` while keeping the full nested path separately. The current index has 20 nested skills, including `base => skills/libreoffice/base`, `templates => skills/app-builder/templates`, and `2d-games => skills/game-development/2d-games`. The web app routes to `/skill/${skill.id}` and resolves detail pages with `skills.find(s => s.id === id)`.
+- Risk: there are currently 0 duplicate IDs, so this is not breaking today. A future top-level `base`, another nested `base`, or similarly generic nested name would create an ambiguous route/star/canonical-ID collision because the public ID omits the category namespace.
+- Suggested fix: either generate route-safe IDs from the relative path for nested skills, or add a uniqueness test that fails when any future nested basename collides with another indexed skill.
+### Low - SEO verifier checks a legacy manifest filename, not the linked manifest
+- Files: `apps/web-app/index.html`, `apps/web-app/scripts/verify-seo-assets.js`, `.github/workflows/pages.yml`
+- Evidence: `index.html` links `%BASE_URL%site.webmanifest`, while `verify-seo-assets.js` and the Pages workflow check `dist/manifest.webmanifest`. Both files currently exist, so the gate passes, but it does not prove the linked manifest is present.
+- Risk: a future build could break `site.webmanifest` while the verifier still passes because `manifest.webmanifest` remains.
+- Suggested fix: make the verifier and Pages workflow check `site.webmanifest`, or explicitly verify every manifest referenced by `index.html`.
+### Low - Telegram HTML messages interpolate display names without escaping
+- File: `skills/telegram/assets/boilerplate/nodejs/src/handlers.ts`
+- Lines: `8-14`, `31-37`
+- Evidence: `/start` injects `msg.from?.first_name` into a message sent with `parse_mode: 'HTML'`; `/about` does the same with bot profile fields.
+- Risk: Telegram display names containing `<`, `>`, or `&` can break formatting, cause send failures, or create unintended markup in generated bot replies.
+- Suggested fix: HTML-escape interpolated values whenever `parse_mode: 'HTML'` is used, or switch these messages to plain text/Markdown with appropriate escaping.
+### Low - Chinese documentation is release/count stale
+- Files: `docs_zh-CN/README.md`, `docs_zh-CN/users/getting-started.md`, `docs_zh-CN/final-validation-report.md`
+- Evidence: English docs and package metadata are at `11.5.0` / `1465`, while `docs_zh-CN/README.md` is synced to `10.7.0` / `1436`, contains an internal mention of version `8.10.0`, and `docs_zh-CN/users/getting-started.md` still says `V10.7.0`. `docs_zh-CN/final-validation-report.md` is also for `V8.10.0`.
+- Risk: localized entry points give outdated release and catalog information.
+- Suggested fix: either refresh translated docs after canonical English updates or mark old translation reports as historical snapshots so they are not read as current documentation.
+### Low - internal markdown links are broken in integration and localized docs
+- Files: `docs/integrations/jetski-gemini-loader/README.md`, `docs_zh-CN/README.md`, `docs/vietnamese/*.vi.md`, `docs_zh-CN/integrations/jetski-gemini-loader/README.md`
+- Evidence: a relative-path-aware local scan over `README.md`, `docs/`, and `docs_zh-CN/` found 105 broken internal links. Confirmed examples:
+  - `docs/integrations/jetski-gemini-loader/README.md` links to `../../docs/integrations/jetski-cortex.md`, which resolves to nonexistent `docs/docs/integrations/jetski-cortex.md`; the real target is `docs/integrations/jetski-cortex.md`.
+  - `docs_zh-CN/README.md` links to paths such as `docs/users/bundles.md`, which resolve under `docs_zh-CN/docs/...` instead of the repo root.
+- Risk: GitHub users following localized or integration docs hit dead links even though the current `validate:references` gate passes.
+- Suggested fix: add a path-aware markdown link checker to CI, then repair localized relative paths and the Jetski integration link.
+### Low - Remotion chart rule has a visible typo
+- File: `skills/remotion-best-practices/rules/charts.md`
+- Line: `20`
+- Evidence: the sentence reads `See Bar Chart Example for a basic example implmentation.`
+- Risk: low editorial quality issue in a user-facing skill rule.
+- Suggested fix: change `implmentation` to `implementation`.
+### Low - link validation script writes a stale, machine-specific translated report
+- Files: `scripts/validate-links.sh`, `docs_zh-CN/link-validation-report.txt`
+- Evidence: `scripts/validate-links.sh` writes `docs_zh-CN/link-validation-report.txt` with a timestamp and absolute local paths. The script labels this as a translated report but scans `docs/`, not `docs_zh-CN/`, and resolves internal links by basename only. The script itself notes that links such as `../../CATALOG.md` can be false positives.
+- Risk: rerunning the script creates non-portable tracked drift and produces a report that can mix real broken links with known false positives.
+- Suggested fix: either make the report deterministic and unambiguous, or stop tracking it. Resolve links relative to each source file and run separate checks for canonical docs and translated docs.
+### Low - deliberate pipe-to-shell examples remain allowlisted
+Resolved in follow-up patch: executable `curl|bash`, `curl|sh`, and `irm|iex` install examples in canonical skill sources were replaced with package-manager or download-inspect-execute flows, and obsolete pipe-to-shell allowlists were removed. The remaining `security-allowlist` comments cover non-pipe rule families or sandbox notes.
+- Files include `skills/bun-development/SKILL.md`, `skills/linkerd-patterns/SKILL.md`, `skills/cloud-penetration-testing/SKILL.md`, `skills/varlock/SKILL.md`, `skills/evolution/SKILL.md`, and plugin mirrors.
+- Evidence: `npm run security:docs` passes because these examples are allowlisted, but the repo still contains executable `curl|bash`, `curl|sh`, and `irm|iex` examples.
+- Risk: this is accepted by current policy, but remains risky guidance for automated agents.
+- Suggested fix: where practical, replace executable pipe-to-shell examples with package-manager or checksum-verified alternatives; keep allowlists only where no safe practical alternative exists.
+### Low - documentation examples use realistic-looking secret placeholders
+Resolved in follow-up patch: canonical examples now use `<AWS_ACCESS_KEY_ID>`, `<AWS_SECRET_ACCESS_KEY>`, and `<BASE64_PRIVATE_KEY>`, and `npm run security:docs` blocks those realistic placeholder patterns from returning.
+- Files include `skills/comfyui-gateway/references/integration.md`, `skills/security/aws-iam-best-practices/SKILL.md`, `skills/k8s-manifest-generator/resources/implementation-playbook.md`, and plugin mirrors.
+- Evidence: secret-pattern scanning found `AKIAIOSFODNN7EXAMPLE`, `wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY`, and `-----BEGIN PRIVATE KEY-----` examples. These are not confirmed live secrets: the AWS values are standard examples and the private key block is an ellipsis placeholder.
+- Risk: realistic secret-looking examples can create noisy secret-scan alerts and make it harder to distinguish documentation placeholders from real leaks.
+- Suggested fix: replace realistic credential examples with unmistakable placeholders such as `<AWS_ACCESS_KEY_ID>`, `<AWS_SECRET_ACCESS_KEY>`, and `<BASE64_PRIVATE_KEY>`.
+## Non-findings / bounded checks
+- The apparent `--- ` frontmatter prefix in eight skills is accepted by the repo parser (`^---\s*\n`) and those skills are indexed, so this is not currently a validator bug.
+- Duplicate names under `skills/.disabled` are intentionally skipped by validator/index generation.
+- Root npm production audit reported `0 vulnerabilities`.
+- Root, web app, and data package moderate audits reported `0 vulnerabilities`.
+- Loki todo-app frontend and backend moderate audits reported `0 vulnerabilities`.
+- Loki todo-app frontend and backend builds completed successfully.
+- Telegram and WhatsApp Node boilerplates compile successfully when installed in temp copies.
+- WhatsApp Node boilerplate moderate audit reported `0 vulnerabilities` in a temp copy.
+- Python syntax checking found 0 errors across 1077 source files.
+- Shell syntax checking found 0 errors across 61 shell scripts.
+- JavaScript syntax checking found 0 errors across 74 source files.
+- YAML and XML-family parse checks found 0 syntax errors in tracked files.
+- The 7 tracked symlinks all resolve to in-repo targets.
+- The strict JSON parse failures are JSONC/commented config files rather than malformed runtime JSON; TypeScript accepts `tsconfig.json` comments, and the commented `tsconfig-strict.json` is a reference artifact mirrored byte-for-byte.
+- Plugin mirror skill files are byte-for-byte synchronized with canonical `skills/` sources: 3094 matched, 0 drift.
+- Full-library plugin skill counts differ from the root visible catalog intentionally: the Codex plugin advertises `1,429 plugin-safe skills`, and omitted root skills are compatibility-filtered rather than missing files.
+- Duplicate `name` values across all tracked `SKILL.md` files are expected because canonical skills are copied into full plugins and bundle plugins; canonical-vs-plugin byte checks found no content drift.
+- All 76 plugin manifests parsed with required identity/version fields present.
+- `npm run audit:maintainer` did not reveal a repo health issue beyond the intentional untracked audit report; `git status --porcelain --untracked-files=no` was clean.
+- `npm pack --dry-run --json` produced the expected installer-only package contents: `LICENSE`, `README.md`, `package.json`, `tools/bin/install.js`, and `tools/lib/*`.
+- No tracked temporary/bytecode/macOS artifact files were found for `__pycache__`, `*.pyc`, `*.pyo`, `.DS_Store`, `*.tmp`, `*.bak`, or `*.orig`.
+- The targeted common-typo scan produced two `Teh` matches that are a person's surname in the Geoffrey Hinton skill, not typos.

package/bundled-skills/docs/maintainers/merge-batch.md CHANGED Viewed

@@ -5,7 +5,7 @@
 ## Prerequisites
 - Start from a clean `main`.
-- Make sure [`.github/MAINTENANCE.md`](/Users/nicco/Projects/antigravity-awesome-skills/.github/MAINTENANCE.md) is the governing policy.
+- Make sure [`.github/MAINTENANCE.md`](../../.github/MAINTENANCE.md) is the governing policy.
 - Have `gh` authenticated with maintainer permissions.
 - Use this only for PRs that are already expected to merge; conflicting PRs still need the manual conflict playbook.
@@ -52,4 +52,4 @@ Stop and switch to the manual playbook when:
 - the PR needs a manual README credits decision
 - fork approval or branch permissions are missing
-In those cases, follow [Merging Pull Requests](/Users/nicco/Projects/antigravity-awesome-skills/docs/maintainers/merging-prs.md) and the relevant sections in [MAINTENANCE.md](/Users/nicco/Projects/antigravity-awesome-skills/.github/MAINTENANCE.md).
+In those cases, follow [Merging Pull Requests](merging-prs.md) and the relevant sections in [MAINTENANCE.md](../../.github/MAINTENANCE.md).

package/bundled-skills/docs/maintainers/repo-growth-seo.md CHANGED Viewed

@@ -6,7 +6,7 @@ This document keeps the repository's GitHub-facing discovery copy aligned with t
 Preferred positioning:
-> Installable GitHub library of 1,464+ agentic skills for Claude Code, Cursor, Codex CLI, Gemini CLI, Antigravity, and other AI coding assistants.
+> Installable GitHub library of 1,465+ agentic skills for Claude Code, Cursor, Codex CLI, Gemini CLI, Antigravity, and other AI coding assistants.
 Key framing:
@@ -20,7 +20,7 @@ Key framing:
 Preferred description:
-> Installable GitHub library of 1,464+ agentic skills for Claude Code, Cursor, Codex CLI, Gemini CLI, Antigravity, and more. Includes installer CLI, bundles, workflows, and official/community skill collections.
+> Installable GitHub library of 1,465+ agentic skills for Claude Code, Cursor, Codex CLI, Gemini CLI, Antigravity, and more. Includes installer CLI, bundles, workflows, and official/community skill collections.
 Preferred homepage:
@@ -28,7 +28,7 @@ Preferred homepage:
 Preferred social preview:
-- use a clean preview image that says `1,464+ Agentic Skills`;
+- use a clean preview image that says `1,465+ Agentic Skills`;
 - mention Claude Code, Cursor, Codex CLI, and Gemini CLI;
 - avoid dense text and tiny logos that disappear in social cards.

package/bundled-skills/docs/maintainers/skills-update-guide.md CHANGED Viewed

@@ -72,7 +72,7 @@ The update process refreshes:
 - Canonical skills index (`skills_index.json`)
 - Compatibility mirror (`data/skills_index.json`)
 - Web app skills data (`apps\web-app\public\skills.json`)
-- All 1,464+ skills from the skills directory
+- All 1,465+ skills from the skills directory
 ## When to Update

package/bundled-skills/docs/users/agent-overload-recovery.md CHANGED Viewed

@@ -26,9 +26,9 @@ Examples:
 What the script does:
-- syncs the repository `skills/` tree into `~/.gemini/antigravity/skills_library`
+- syncs the repository `skills/` tree into `~/.agents/skills_library`
 - preserves your full library in the backing store
-- activates only the requested bundles or skill ids into `~/.gemini/antigravity/skills`
+- activates only the requested bundles or skill ids into `~/.agents/skills`
 - `--clear` archives the current live directory first, then restores the selected set
 Optional environment overrides:

package/bundled-skills/docs/users/bundles.md CHANGED Viewed

@@ -673,4 +673,4 @@ Found a skill that should be in a bundle? Or want to create a new bundle? [Open
 ---
-_Last updated: March 2026 | Total Skills: 1,464+ | Total Bundles: 37_
+_Last updated: March 2026 | Total Skills: 1,465+ | Total Bundles: 37_

package/bundled-skills/docs/users/claude-code-skills.md CHANGED Viewed

@@ -12,7 +12,7 @@ Install the library into Claude Code, then invoke focused skills directly in the
 ## Why use this repo for Claude Code
-- It includes 1,464+ skills instead of a narrow single-domain starter pack.
+- It includes 1,465+ skills instead of a narrow single-domain starter pack.
 - It supports the standard `.claude/skills/` path and the Claude Code plugin marketplace flow.
 - It also ships generated bundle plugins so teams can install focused packs like `Essentials` or `Security Developer` from the marketplace metadata.
 - It includes onboarding docs, bundles, and workflows so new users do not need to guess where to begin.

package/bundled-skills/docs/users/faq.md CHANGED Viewed

@@ -123,7 +123,7 @@ _Always check the Risk label and review the code._
 It depends on how you install:
 - **Using the installer CLI (`npx antigravity-awesome-skills`)**:
-  The default install target is `~/.gemini/antigravity/skills/` for Antigravity's global library.
+  The default install target is `~/.agents/skills/` for Antigravity's global library.
 - **Using a tool-specific flag**:
   Use `--claude`, `--cursor`, `--gemini`, `--codex`, `--kiro`, or `--antigravity` to target the matching tool path automatically.
 - **Using a manual clone or custom workspace path**:
@@ -230,7 +230,7 @@ If Antigravity becomes unstable only when the full skills library is active, swi
 - [agent-overload-recovery.md](agent-overload-recovery.md)
-That guide shows how to run `scripts/activate-skills.sh` from a cloned copy of this repository so only the bundles or skill ids you need stay active in `~/.gemini/antigravity/skills`.
+That guide shows how to run `scripts/activate-skills.sh` from a cloned copy of this repository so only the bundles or skill ids you need stay active in `~/.agents/skills`.
 ### I use OpenCode with `.agents/skills`. Should I install the whole library?

package/bundled-skills/docs/users/gemini-cli-skills.md CHANGED Viewed

@@ -12,7 +12,7 @@ Install into the Gemini skills path, then ask Gemini to apply one skill at a tim
 - It installs directly into the expected Gemini skills path.
 - It includes both core software engineering skills and deeper agent/LLM-oriented skills.
-- It helps new users get started with bundles and workflows rather than forcing a cold start from 1,464+ files.
+- It helps new users get started with bundles and workflows rather than forcing a cold start from 1,465+ files.
 - It is useful whether you want a broad internal skill library or a single repo to test many workflows quickly.
 ## Install Gemini CLI Skills

package/bundled-skills/docs/users/getting-started.md CHANGED Viewed

@@ -1,4 +1,4 @@
-# Getting Started with Antigravity Awesome Skills (V11.5.0)
+# Getting Started with Antigravity Awesome Skills (V11.6.0)
 **New here? This guide will help you supercharge your AI Agent in 5 minutes.**
@@ -32,7 +32,7 @@ If you prefer a marketplace-style install for **Claude Code** or **Codex**, use
 npx antigravity-awesome-skills
 ```
-This clones to `~/.gemini/antigravity/skills` by default. Use `--cursor`, `--claude`, `--gemini`, `--codex`, or `--kiro` to install for a specific tool, or `--path <dir>` for a custom location. Run `npx antigravity-awesome-skills --help` for details.
+This clones to `~/.agents/skills` by default. Use `--cursor`, `--claude`, `--gemini`, `--codex`, or `--kiro` to install for a specific tool, or `--path <dir>` for a custom location. Run `npx antigravity-awesome-skills --help` for details.
 The installer uses a shallow clone by default so you get the current library without paying for the full git history on first install.
 If you see a 404 error, use: `npx github:sickn33/antigravity-awesome-skills`
@@ -105,7 +105,7 @@ Once installed, just talk to your AI naturally.
 | **Codex CLI**   | ✅ Full Support | `.codex/skills/` or use the repo-local plugin metadata described in [plugins.md](plugins.md) |
 | **Kiro CLI**    | ✅ Full Support | Global: `~/.kiro/skills/` · Workspace: `.kiro/skills/`                |
 | **Kiro IDE**    | ✅ Full Support | Global: `~/.kiro/skills/` · Workspace: `.kiro/skills/`                |
-| **Antigravity** | ✅ Native       | Global: `~/.gemini/antigravity/skills/` · Workspace: `.agent/skills/` |
+| **Antigravity** | ✅ Native       | Global: `~/.agents/skills/` · Workspace: `.agent/skills/` |
 | **Cursor**      | ✅ Native       | `.cursor/skills/`                                                     |
 | **OpenCode**    | ✅ Full Support | `.agents/skills/` (prefer reduced installs with `--risk`, `--category`, or `--tags`) |
 | **AdaL CLI**    | ✅ Full Support | `.adal/skills/`                                                       |

package/bundled-skills/docs/users/kiro-integration.md CHANGED Viewed

@@ -18,7 +18,7 @@ Kiro is AWS's agentic AI IDE that combines:
 Kiro's agentic capabilities are enhanced by skills that provide:
-- **Domain expertise** across 1,464+ specialized areas
+- **Domain expertise** across 1,465+ specialized areas
 - **Best practices** from Anthropic, OpenAI, Google, Microsoft, and AWS
 - **Workflow automation** for common development tasks
 - **AWS-specific patterns** for serverless, infrastructure, and cloud architecture