npm - opencode-skills-collection - Versions diffs - 3.0.24 → 3.0.25 - Mend

opencode-skills-collection 3.0.24 → 3.0.25

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (58) hide show

package/bundled-skills/telegram/assets/boilerplate/nodejs/src/bot-client.ts CHANGED Viewed

@@ -1,19 +1,19 @@
-import TelegramBot from 'node-telegram-bot-api';
+import { Telegraf } from 'telegraf';
 import express from 'express';
 export class TelegramBotClient {
-  public bot: TelegramBot;
-  private token: string;
+  public bot: Telegraf;
   constructor(token: string, webhookMode: boolean = false) {
-    this.token = token;
-    this.bot = new TelegramBot(token, {
-      polling: !webhookMode,
-    });
+    this.bot = new Telegraf(token);
+    if (webhookMode) {
+      this.bot.telegram.deleteWebhook({ drop_pending_updates: true }).catch(() => undefined);
+    }
   }
   async startPolling(): Promise<void> {
-    const me = await this.bot.getMe();
+    await this.bot.launch();
+    const me = await this.bot.telegram.getMe();
     console.log(`Bot @${me.username} (${me.first_name}) started with polling`);
   }
@@ -21,16 +21,18 @@ export class TelegramBotClient {
     const app = express();
     app.use(express.json());
-    // Webhook endpoint
-    app.post(`/webhook/${this.token}`, (req, res) => {
+    app.post('/webhook', async (req, res) => {
       if (secret) {
         const headerSecret = req.headers['x-telegram-bot-api-secret-token'];
         if (headerSecret !== secret) {
           return res.sendStatus(403);
         }
       }
-      this.bot.processUpdate(req.body);
-      res.sendStatus(200);
+      await this.bot.handleUpdate(req.body, res);
+      if (!res.headersSent) {
+        res.sendStatus(200);
+      }
     });
     // Health check
@@ -39,19 +41,20 @@ export class TelegramBotClient {
     });
     // Register webhook with Telegram
-    await this.bot.setWebHook(`${webhookUrl}/webhook/${this.token}`, {
+    const normalizedWebhookUrl = webhookUrl.replace(/\/+$/, '');
+    await this.bot.telegram.setWebhook(`${normalizedWebhookUrl}/webhook`, {
       max_connections: 40,
       secret_token: secret,
     } as any);
-    const info = await this.bot.getWebHookInfo();
+    const info = await this.bot.telegram.getWebhookInfo();
     console.log('Webhook registered:', info.url);
     app.listen(port, () => {
       console.log(`Express server listening on port ${port}`);
     });
-    const me = await this.bot.getMe();
+    const me = await this.bot.telegram.getMe();
     console.log(`Bot @${me.username} (${me.first_name}) started with webhook`);
   }
@@ -61,20 +64,20 @@ export class TelegramBotClient {
   async sendMessageSafe(
     chatId: number | string,
     text: string,
-    options?: TelegramBot.SendMessageOptions
-  ): Promise<TelegramBot.Message | null> {
+    options?: Record<string, unknown>
+  ): Promise<unknown | null> {
     const maxRetries = 3;
     for (let attempt = 0; attempt < maxRetries; attempt++) {
       try {
-        return await this.bot.sendMessage(chatId, text, options);
+        return await this.bot.telegram.sendMessage(chatId, text, options as any);
       } catch (error: any) {
-        if (error?.response?.statusCode === 429) {
-          const retryAfter = error.response.body?.parameters?.retry_after || 5;
+        if (error?.response?.error_code === 429) {
+          const retryAfter = error.response.parameters?.retry_after || 5;
           console.warn(`Rate limited. Retrying after ${retryAfter}s...`);
           await new Promise((r) => setTimeout(r, retryAfter * 1000));
           continue;
         }
-        if (error?.response?.statusCode === 403) {
+        if (error?.response?.error_code === 403) {
           console.warn(`Bot blocked by user ${chatId}`);
           return null;
         }

package/bundled-skills/telegram/assets/boilerplate/nodejs/src/handlers.ts CHANGED Viewed

@@ -1,23 +1,29 @@
 import { TelegramBotClient } from './bot-client';
-import TelegramBot from 'node-telegram-bot-api';
+function escapeHtml(value: string): string {
+  return value
+    .replace(/&/g, '&amp;')
+    .replace(/</g, '&lt;')
+    .replace(/>/g, '&gt;')
+    .replace(/"/g, '&quot;')
+    .replace(/'/g, '&#39;');
+}
 export function registerHandlers(client: TelegramBotClient): void {
   const bot = client.bot;
-  // /start command
-  bot.onText(/\/start/, async (msg) => {
-    const name = msg.from?.first_name || 'usuario';
+  bot.start(async (ctx) => {
+    const name = escapeHtml(ctx.from?.first_name || 'usuario');
     await client.sendMessageSafe(
-      msg.chat.id,
+      ctx.chat.id,
       `Ola, ${name}! Bem-vindo ao bot.\n\nComandos disponiveis:\n/start - Iniciar\n/help - Ajuda\n/about - Sobre`,
       { parse_mode: 'HTML' }
     );
   });
-  // /help command
-  bot.onText(/\/help/, async (msg) => {
+  bot.help(async (ctx) => {
     await client.sendMessageSafe(
-      msg.chat.id,
+      ctx.chat.id,
       '<b>Comandos:</b>\n' +
         '/start - Iniciar o bot\n' +
         '/help - Ver esta mensagem\n' +
@@ -27,52 +33,40 @@ export function registerHandlers(client: TelegramBotClient): void {
     );
   });
-  // /about command
-  bot.onText(/\/about/, async (msg) => {
-    const me = await bot.getMe();
+  bot.command('about', async (ctx) => {
+    const me = await bot.telegram.getMe();
+    const firstName = escapeHtml(me.first_name);
+    const username = escapeHtml(me.username || 'sem_username');
     await client.sendMessageSafe(
-      msg.chat.id,
-      `<b>${me.first_name}</b>\n@${me.username}\n\nBot criado com Telegram Bot API`,
+      ctx.chat.id,
+      `<b>${firstName}</b>\n@${username}\n\nBot criado com Telegram Bot API`,
       { parse_mode: 'HTML' }
     );
   });
-  // /echo command
-  bot.onText(/\/echo (.+)/, async (msg, match) => {
-    const text = match?.[1] || '';
-    await client.sendMessageSafe(msg.chat.id, text);
+  bot.hears(/^\/echo (.+)/, async (ctx) => {
+    const text = ctx.match?.[1] || '';
+    await client.sendMessageSafe(ctx.chat.id, text);
   });
-  // Callback query handler (for inline keyboards)
-  bot.on('callback_query', async (query) => {
-    await bot.answerCallbackQuery(query.id, { text: `Opcao: ${query.data}` });
+  bot.on('callback_query', async (ctx) => {
+    const data = 'data' in ctx.callbackQuery ? ctx.callbackQuery.data : '';
+    await ctx.answerCbQuery(`Opcao: ${data}`);
-    if (query.message) {
-      await bot.editMessageText(`Voce escolheu: ${query.data}`, {
-        chat_id: query.message.chat.id,
-        message_id: query.message.message_id,
-      });
+    if (ctx.callbackQuery.message) {
+      await ctx.editMessageText(`Voce escolheu: ${data}`);
     }
   });
-  // Default message handler (echo)
-  bot.on('message', async (msg) => {
-    // Skip commands
-    if (msg.text?.startsWith('/')) return;
-    // Echo non-command text messages
-    if (msg.text) {
-      await client.sendMessageSafe(msg.chat.id, `Voce disse: ${msg.text}`);
-    }
-  });
+  bot.on('text', async (ctx) => {
+    if (ctx.message.text.startsWith('/')) return;
-  // Error handler
-  bot.on('polling_error', (error) => {
-    console.error('Polling error:', error.message);
+    await client.sendMessageSafe(ctx.chat.id, `Voce disse: ${ctx.message.text}`);
   });
-  bot.on('webhook_error', (error) => {
-    console.error('Webhook error:', error.message);
+  bot.catch((error) => {
+    const message = error instanceof Error ? error.message : String(error);
+    console.error('Telegram bot error:', message);
   });
   console.log('All handlers registered');

package/bundled-skills/telegram/references/webhook-setup.md CHANGED Viewed

@@ -50,27 +50,26 @@ POST https://api.telegram.org/bot<TOKEN>/deleteWebhook
 ```typescript
 import express from 'express';
-import TelegramBot from 'node-telegram-bot-api';
+import { Telegraf } from 'telegraf';
 const app = express();
 const TOKEN = process.env.TELEGRAM_BOT_TOKEN!;
 const WEBHOOK_URL = process.env.WEBHOOK_URL!; // https://seu-dominio.com
 const SECRET_TOKEN = process.env.WEBHOOK_SECRET || 'meu-secret-seguro';
-// Bot sem polling (webhook mode)
-const bot = new TelegramBot(TOKEN);
+const bot = new Telegraf(TOKEN);
 app.use(express.json());
 // Validar secret token
-app.post(`/webhook/${TOKEN}`, (req, res) => {
+app.post('/webhook', async (req, res) => {
   const secretHeader = req.headers['x-telegram-bot-api-secret-token'];
   if (secretHeader !== SECRET_TOKEN) {
     return res.sendStatus(403);
   }
-  bot.processUpdate(req.body);
-  res.sendStatus(200);
+  await bot.handleUpdate(req.body, res);
+  if (!res.headersSent) res.sendStatus(200);
 });
 // Health check
@@ -78,13 +77,13 @@ app.get('/health', (req, res) => res.json({ status: 'ok' }));
 // Registrar webhook na inicializacao
 async function start() {
-  await bot.setWebHook(`${WEBHOOK_URL}/webhook/${TOKEN}`, {
+  await bot.telegram.setWebhook(`${WEBHOOK_URL.replace(/\/+$/, '')}/webhook`, {
     max_connections: 40,
     allowed_updates: ['message', 'callback_query'],
     secret_token: SECRET_TOKEN,
   });
-  const info = await bot.getWebHookInfo();
+  const info = await bot.telegram.getWebhookInfo();
   console.log('Webhook info:', info);
   app.listen(3000, () => console.log('Server rodando na porta 3000'));
@@ -256,14 +255,19 @@ services:
 ```typescript
 // api/webhook.ts
 import { VercelRequest, VercelResponse } from '@vercel/node';
-import TelegramBot from 'node-telegram-bot-api';
+import { Telegraf } from 'telegraf';
-const bot = new TelegramBot(process.env.TELEGRAM_BOT_TOKEN!);
+const bot = new Telegraf(process.env.TELEGRAM_BOT_TOKEN!);
 export default async function handler(req: VercelRequest, res: VercelResponse) {
   if (req.method === 'POST') {
-    bot.processUpdate(req.body);
-    res.status(200).send('OK');
+    const secretHeader = req.headers['x-telegram-bot-api-secret-token'];
+    if (secretHeader !== process.env.WEBHOOK_SECRET) {
+      return res.status(403).send('Forbidden');
+    }
+    await bot.handleUpdate(req.body, res);
+    if (!res.writableEnded) res.status(200).send('OK');
   } else {
     res.status(200).json({ status: 'ok' });
   }

package/bundled-skills/uv-package-manager/resources/implementation-playbook.md CHANGED Viewed

@@ -51,10 +51,12 @@ Comprehensive guide to using uv, an extremely fast Python package installer and
 ```bash
 # macOS/Linux
-curl -LsSf https://astral.sh/uv/install.sh | sh
+curl -LsSf https://astral.sh/uv/install.sh -o /tmp/uv-install.sh
+sed -n '1,160p' /tmp/uv-install.sh
+sh /tmp/uv-install.sh
 # Windows (PowerShell)
-powershell -c "irm https://astral.sh/uv/install.ps1 | iex"
+powershell -NoProfile -Command "Invoke-WebRequest https://astral.sh/uv/install.ps1 -OutFile $env:TEMP\\uv-install.ps1; Get-Content $env:TEMP\\uv-install.ps1 -TotalCount 120; powershell -ExecutionPolicy Bypass -File $env:TEMP\\uv-install.ps1"
 # Using pip (if you already have Python)
 pip install uv

package/bundled-skills/varlock/SKILL.md CHANGED Viewed

@@ -6,8 +6,6 @@ source: "https://github.com/dmno-dev/varlock"
 version: 1.0.0
 ---
-<!-- security-allowlist: curl-pipe-bash -->
 # Varlock Security Skill
 Secure-by-default environment variable management for Claude Code sessions.
@@ -90,7 +88,9 @@ curl -H "Authorization: Bearer $API_KEY" https://api.example.com
 ```bash
 # Install Varlock CLI
-curl -sSfL https://varlock.dev/install.sh | sh -s -- --force-no-brew
+curl -sSfL https://varlock.dev/install.sh -o /tmp/varlock-install.sh
+sed -n '1,160p' /tmp/varlock-install.sh
+sh /tmp/varlock-install.sh --force-no-brew
 # Add to PATH (add to ~/.zshrc or ~/.bashrc)
 export PATH="$HOME/.varlock/bin:$PATH"
@@ -245,7 +245,9 @@ varlock load
 ```dockerfile
 # Install Varlock in container
-RUN curl -sSfL https://varlock.dev/install.sh | sh -s -- --force-no-brew \
+RUN curl -sSfL https://varlock.dev/install.sh -o /tmp/varlock-install.sh \
+    && sed -n '1,160p' /tmp/varlock-install.sh \
+    && sh /tmp/varlock-install.sh --force-no-brew \
     && ln -s /root/.varlock/bin/varlock /usr/local/bin/varlock
 # Validate at container start

package/bundled-skills/whatsapp-cloud-api/assets/boilerplate/nodejs/src/webhook-handler.ts CHANGED Viewed

@@ -3,6 +3,7 @@ import { Request, Response, NextFunction } from 'express';
 import { WebhookPayload, IncomingMessage, StatusUpdate } from './types';
 const SAFE_CHALLENGE_RE = /^[A-Za-z0-9._-]{1,200}$/;
+const SIGNATURE_RE = /^sha256=[a-f0-9]{64}$/i;
 /**
  * Middleware para validar assinatura HMAC-SHA256 dos webhooks do WhatsApp.
@@ -35,10 +36,17 @@ export function validateHMAC(appSecret: string) {
       'sha256=' +
       crypto.createHmac('sha256', appSecret).update(rawBody).digest('hex');
-    const isValid = crypto.timingSafeEqual(
-      Buffer.from(signature),
-      Buffer.from(expectedSignature)
-    );
+    if (!SIGNATURE_RE.test(signature)) {
+      console.warn('Invalid webhook signature format');
+      res.sendStatus(401);
+      return;
+    }
+    const signatureBuffer = Buffer.from(signature, 'utf8');
+    const expectedSignatureBuffer = Buffer.from(expectedSignature, 'utf8');
+    const isValid =
+      signatureBuffer.length === expectedSignatureBuffer.length &&
+      crypto.timingSafeEqual(signatureBuffer, expectedSignatureBuffer);
     if (!isValid) {
       console.warn('Invalid webhook signature');

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "opencode-skills-collection",
-  "version": "3.0.24",
+  "version": "3.0.25",
   "description": "OpenCode CLI plugin that automatically downloads and keeps skills up to date.",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",

package/skills_index.json CHANGED Viewed

@@ -1332,9 +1332,9 @@
   {
     "id": "andrej-karpathy",
     "path": "skills/andrej-karpathy",
-    "category": "ai-ml",
+    "category": "uncategorized",
     "name": "andrej-karpathy",
-    "description": "Agente que simula Andrej Karpathy \u2014 ex-Director of AI da Tesla, co-fundador da OpenAI, fundador da Eureka Labs, e o maior educador de deep learning do mundo.",
+    "description": "Behavioral guidelines to reduce common LLM coding mistakes. Use when writing, reviewing, or refactoring code to avoid overcomplication, make surgical changes, surface assumptions, and define verifiable success criteria.",
     "risk": "safe",
     "source": "community",
     "date_added": "2026-03-06",
@@ -21744,6 +21744,28 @@
       "reasons": []
     }
   },
+  {
+    "id": "pdf-conversion-router",
+    "path": "skills/pdf-conversion-router",
+    "category": "uncategorized",
+    "name": "pdf-conversion-router",
+    "description": "Use when converting a PDF into another format such as Markdown, HTML, text, JSON, DOCX, or structured notes and the agent must choose the best extraction route, settings, and cleanup strategy for maximum fidelity and readability.",
+    "risk": "safe",
+    "source": "community",
+    "date_added": "2026-05-23",
+    "plugin": {
+      "targets": {
+        "codex": "supported",
+        "claude": "supported"
+      },
+      "setup": {
+        "type": "none",
+        "summary": "",
+        "docs": null
+      },
+      "reasons": []
+    }
+  },
   {
     "id": "pdf-official",
     "path": "skills/pdf-official",