opencode-skills-collection 3.0.31 → 3.0.33

package/bundled-skills/sendblue/sendblue-cli/SKILL.md

@@ -2,7 +2,7 @@
 name: sendblue-cli
 description: "Send iMessage and SMS from the shell via the @sendblue/cli npm package — outbound sends, contact management, and account setup with no API client or webhook server required."
 category: api-integration
-risk: safe
+risk: critical
 source: community
 source_repo: sendblue-api/sendblue-cli
 source_type: official
@@ -12,6 +12,10 @@ tags: [sendblue, imessage, sms, cli, messaging, notifications]
 tools: [claude, cursor, gemini]
 license: "MIT"
 license_source: "https://github.com/sendblue-api/sendblue-cli/blob/main/LICENSE"
+plugin:
+  targets:
+    codex: blocked
+    claude: blocked
 ---
 
 # Sendblue CLI
@@ -121,6 +125,7 @@ To text yourself at the end of every agent turn, register a `Stop` hook in `sett
 ## Security & Safety Notes
 
 - Credentials are written to `~/.sendblue/credentials.json` with mode `600`. Treat that file like an API key — do not commit it, do not copy it across machines without the same posture.
+- Treat every outbound send, contact setup, login, or account setup action as state-changing. Preview the recipient, message body, and account/email target, then wait for explicit user confirmation before running it.
 - Run the CLI as the OS user that owns the credentials file. `sudo` writes a separate copy under root's home and silently desyncs.
 - Outbound messages to phone numbers are not free of consequence — wire `sendblue send` into hooks or loops only after gating on duration or success conditions to avoid spamming the recipient.
 - Verification codes arrive by email; treat the address you registered with as a recovery factor for the account.

package/bundled-skills/sendblue/sendblue-notify/SKILL.md

@@ -2,13 +2,17 @@
 name: sendblue-notify
 description: "Text the user's phone when a long-running task, agent turn, or scheduled job finishes — via @sendblue/cli for outbound, optionally wired to a Claude Code Stop hook for automatic fire."
 category: automation
-risk: safe
+risk: critical
 source: community
 source_type: official
 date_added: "2026-05-22"
 author: AnthonyFirth
 tags: [sendblue, imessage, sms, notifications, hooks, claude-code, automation]
 tools: [claude, cursor, gemini]
+plugin:
+  targets:
+    codex: blocked
+    claude: blocked
 ---
 
 # Sendblue Notify
@@ -146,6 +150,7 @@ You can install both: textme on a server for inbound, notify as a local `Stop`-h
 ## Security & Safety Notes
 
 - **Lock-screen previews leak.** Anyone holding the phone can read notification copy. Do not embed secrets, customer data, full error stacks, or auth tokens. Link to a log, dashboard, or PR instead.
+- **Confirm before sending or wiring hooks.** Preview the destination, message template, trigger, and duration gate; wait for explicit user confirmation before running `sendblue send` or editing hook config.
 - **Automated outbound is a footgun.** A misconfigured `Stop` hook can fire dozens of messages a minute. Always gate by duration and prove the threshold in a dry run before committing.
 - **Per-user numbers.** The destination phone number is a personal identifier — keep it in user-local config (env var, gitignored file), not in committed repo files or CI logs.
 - **Free-plan verification is silent.** If the destination contact hasn't texted in once, sends return an API error but the user just sees "no text arrived". Confirm verification before wiring an unattended hook.

package/bundled-skills/sendblue/textme/SKILL.md

@@ -12,6 +12,10 @@ tags: [textme, sendblue, imessage, sms, claude-code, daemon, remote-control, aut
 tools: [claude, cursor, gemini]
 license: "MIT"
 license_source: "https://github.com/njerschow/textme/blob/main/LICENSE"
+plugin:
+  targets:
+    codex: blocked
+    claude: blocked
 ---
 
 # TextMe

package/bundled-skills/social-metadata-hardening/SKILL.md

@@ -0,0 +1,230 @@
+---
+name: social-metadata-hardening
+description: "Fix social sharing previews so URLs render as rich cards on Facebook, LinkedIn, X/Twitter, WhatsApp, Telegram, Slack, and Discord. Covers OG tags, Twitter cards, absolute image URLs, and metadata debugging."
+category: seo
+risk: safe
+source: self
+source_type: self
+date_added: "2026-05-31"
+author: Whoisabhishekadhikari
+tags: [seo, open-graph, twitter-card, social-sharing, og-image, nextjs, metadata]
+tools: [claude, cursor, gemini, claude-code]
+version: 1.0.0
+---
+
+# Social Metadata Hardening Skill
+
+Fix social sharing so every important URL unfurls as a rich card across all platforms.
+
+---
+
+## When to Use
+
+- Use when shared links show missing, stale, cropped, or incorrect previews on social and chat platforms.
+- Use when auditing Open Graph, Twitter/X card, image URL, alt text, or `metadataBase` coverage in a web app.
+- Use before launch when every public page needs predictable rich previews across LinkedIn, X, Facebook, WhatsApp, Slack, Discord, and Telegram.
+
+---
+
+## Why Previews Break
+
+| Problem | Root Cause |
+|---------|-----------|
+| No preview at all | Missing og:title, og:description, or og:image |
+| Broken image | Relative URL (must be absolute) |
+| Wrong image size | Image not 1200×630px (OG standard) |
+| Plain text card | Twitter card type missing or set to `summary` |
+| Stale preview | Platform caching old metadata |
+| Metadata missing on crawl | Tags added by client-side JS (crawlers don't run JS) |
+
+---
+
+## The Gold Standard Metadata Block
+
+Every shareable page needs ALL of these in static HTML:
+
+```js
+// Next.js App Router — lib/socialMetadata.js
+export function buildSocialMetadata({
+  title,
+  description,
+  path,          // '/blog/my-post'
+  image,         // '/images/og/my-post.jpg' or full URL
+  imageAlt,
+  imageWidth = 1200,
+  imageHeight = 630,
+}) {
+  const baseUrl = process.env.NEXT_PUBLIC_BASE_URL || 'https://www.yourdomain.com';
+  
+  // Always produce an absolute URL
+  const imageUrl = image?.startsWith('http') ? image : `${baseUrl}${image}`;
+  const pageUrl  = `${baseUrl}${path}`;
+  
+  // Detect MIME type from extension
+  const ext = imageUrl.split('.').pop().toLowerCase();
+  const mimeMap = { jpg: 'image/jpeg', jpeg: 'image/jpeg', png: 'image/png', webp: 'image/webp' };
+  const imageType = mimeMap[ext] || 'image/jpeg';
+
+  return {
+    title,
+    description,
+    alternates: { canonical: pageUrl },
+    openGraph: {
+      title,
+      description,
+      url: pageUrl,
+      type: 'website',  // use 'article' for blog posts
+      images: [{
+        url: imageUrl,
+        secureUrl: imageUrl,   // explicit HTTPS version
+        width: imageWidth,
+        height: imageHeight,
+        alt: imageAlt || title,
+        type: imageType,
+      }],
+    },
+    twitter: {
+      card: 'summary_large_image',  // NOT 'summary' — that shows a tiny image
+      title,
+      description,
+      images: [imageUrl],
+    },
+  };
+}
+```
+
+---
+
+## Applying the Helper
+
+### Static page
+```js
+// app/about/page.js
+import { buildSocialMetadata } from '@/lib/socialMetadata';
+
+export const metadata = buildSocialMetadata({
+  title: 'About Us | My Site',
+  description: 'Learn about our team and mission.',
+  path: '/about',
+  image: '/images/og/about.jpg',
+  imageAlt: 'The My Site team',
+});
+```
+
+### Dynamic page (blog post, tool page)
+```js
+// app/blog/[slug]/page.js
+import { buildSocialMetadata } from '@/lib/socialMetadata';
+
+export async function generateMetadata({ params }) {
+  const post = await getPost(params.slug);
+  return buildSocialMetadata({
+    title: `${post.title} | My Blog`,
+    description: post.excerpt,
+    path: `/blog/${params.slug}`,
+    image: post.ogImage || '/images/og/default.jpg',
+    imageAlt: post.title,
+  });
+}
+```
+
+### Homepage (app/layout.js or app/page.js)
+```js
+export const metadata = {
+  metadataBase: new URL('https://www.yourdomain.com'), // REQUIRED for absolute URLs
+  ...buildSocialMetadata({
+    title: 'My Site — Tagline Here',
+    description: 'Site-wide description.',
+    path: '/',
+    image: '/images/og/home.jpg',
+  }),
+};
+```
+
+> ⚠️ **`metadataBase` is critical.** Without it, Next.js generates relative OG image URLs that every platform rejects.
+
+---
+
+## OG Image Checklist
+
+Good OG images:
+- **1200 × 630px** (2:1 ratio — works on all platforms)
+- **Under 8MB** (Facebook limit)
+- Served over **HTTPS**
+- File name has **no spaces** (use hyphens)
+- Format: **JPEG or PNG** (WebP works on most but not all crawlers)
+- **Accessible via GET** with no authentication
+
+```bash
+# Verify your OG image is reachable and correct size
+curl -sI https://www.yourdomain.com/images/og/home.jpg | grep -i "content-type\|content-length\|status"
+```
+
+---
+
+## Platform-Specific Notes
+
+### Facebook / Meta
+- Caches aggressively — use the [Sharing Debugger](https://developers.facebook.com/tools/debug/) to force recrawl
+- Minimum image: 200×200px (but use 1200×630 for quality)
+- Needs: `og:title`, `og:description`, `og:image`, `og:url`
+
+### X / Twitter
+- Use `twitter:card = summary_large_image` for full-width images
+- `twitter:image` must be an absolute URL
+- Use the [Card Validator](https://cards-dev.twitter.com/validator) to test
+
+### LinkedIn
+- Caches hard — use [Post Inspector](https://www.linkedin.com/post-inspector/) to refresh
+- Respects `og:` tags; ignores `twitter:` tags
+- Image must be ≥1.91:1 aspect ratio
+
+### WhatsApp / Telegram
+- Read OG tags on first share; cache can last hours
+- Re-share after a few hours for the cache to clear naturally
+
+### Slack / Discord
+- Both use OG tags; both cache
+- Discord also supports `og:type = article` for richer embeds
+
+---
+
+## Debugging Social Previews
+
+### 1. Check raw HTML for tags
+```bash
+curl -s https://www.yourdomain.com/blog/my-post | grep -i "og:\|twitter:"
+```
+If tags don't appear → they're being added by JavaScript (not crawlable). Fix: move to `export const metadata` or `generateMetadata`.
+
+### 2. Validate with platform tools
+| Platform | Tool |
+|----------|------|
+| Facebook | https://developers.facebook.com/tools/debug/ |
+| LinkedIn | https://www.linkedin.com/post-inspector/ |
+| Twitter/X | https://cards-dev.twitter.com/validator |
+| General | https://metatags.io |
+
+### 3. Force cache refresh
+After deploying fixes, paste the URL into each platform's debugger and click "Fetch new scrape information" (or equivalent).
+
+---
+
+## Social Metadata Checklist
+
+- [ ] `metadataBase` set in root layout
+- [ ] All shareable pages use shared `buildSocialMetadata` helper
+- [ ] OG image URLs are absolute (start with `https://`)
+- [ ] `secureUrl` set equal to `url` in OG image block
+- [ ] Image is 1200×630px, under 8MB, HTTPS
+- [ ] `twitter:card` is `summary_large_image` (not `summary`)
+- [ ] Image alt text present
+- [ ] Tags visible in raw HTML (not JavaScript-rendered)
+- [ ] All platform debuggers show correct preview
+- [ ] Cache refreshed on all platforms after deployment
+
+## Limitations
+
+- Cannot force immediate cache refresh on every social platform; some previews may remain stale after a correct fix.
+- Requires deployed, publicly reachable URLs for reliable validation with platform debuggers.
+- Does not replace brand, accessibility, or legal review of image text, alt text, and preview copy.

package/bundled-skills/socialclaw/SKILL.md

@@ -2,7 +2,7 @@
 name: socialclaw
 description: "Agent-first social media publishing skill — schedule and publish posts across 13 platforms (X, LinkedIn, Instagram, Facebook Pages, TikTok, Discord, Telegram, YouTube, Reddit, WordPress, Pinterest) via a single workspace API key."
 category: marketing
-risk: safe
+risk: critical
 source: community
 source_repo: ndesv21/socialclaw
 source_type: community
@@ -12,6 +12,10 @@ tags: [social-media, publishing, scheduling, marketing, twitter, linkedin, insta
 tools: [claude]
 license: "MIT"
 license_source: "https://github.com/ndesv21/socialclaw/blob/main/LICENSE"
+plugin:
+  targets:
+    codex: blocked
+    claude: blocked
 ---
 
 # SocialClaw — Social Media Publisher
@@ -103,5 +107,6 @@ Website: [getsocialclaw.com](https://getsocialclaw.com)
 ## Limitations
 
 - Requires a valid SocialClaw workspace API key; do not attempt publishing without explicit user-provided credentials.
+- Treat every publish, schedule, delete, or account-changing action as state-changing: show the target platforms, content, media, and timing, then wait for explicit user confirmation before calling the service.
 - Platform availability, rate limits, analytics fields, and scheduling behavior depend on the upstream SocialClaw service.
 - This skill describes the publishing workflow; it does not replace platform-specific compliance, brand review, or legal approval before posting.

package/bundled-skills/uv-package-manager/resources/implementation-playbook.md

@@ -51,9 +51,11 @@ Comprehensive guide to using uv, an extremely fast Python package installer and
 
 ```bash
 # macOS/Linux
-curl -LsSf https://astral.sh/uv/install.sh -o /tmp/uv-install.sh
-sed -n '1,160p' /tmp/uv-install.sh
-sh /tmp/uv-install.sh
+tmpdir="$(mktemp -d)"
+trap 'rm -rf "$tmpdir"' EXIT
+curl -LsSf https://astral.sh/uv/install.sh -o "$tmpdir/uv-install.sh"
+sed -n '1,160p' "$tmpdir/uv-install.sh"
+sh "$tmpdir/uv-install.sh"
 
 # Windows (PowerShell)
 powershell -NoProfile -Command "Invoke-WebRequest https://astral.sh/uv/install.ps1 -OutFile $env:TEMP\\uv-install.ps1; Get-Content $env:TEMP\\uv-install.ps1 -TotalCount 120; powershell -ExecutionPolicy Bypass -File $env:TEMP\\uv-install.ps1"

package/bundled-skills/varlock/SKILL.md

@@ -88,9 +88,11 @@ curl -H "Authorization: Bearer $API_KEY" https://api.example.com
 
 ```bash
 # Install Varlock CLI
-curl -sSfL https://varlock.dev/install.sh -o /tmp/varlock-install.sh
-sed -n '1,160p' /tmp/varlock-install.sh
-sh /tmp/varlock-install.sh --force-no-brew
+tmpdir="$(mktemp -d)"
+trap 'rm -rf "$tmpdir"' EXIT
+curl -sSfL https://varlock.dev/install.sh -o "$tmpdir/varlock-install.sh"
+sed -n '1,160p' "$tmpdir/varlock-install.sh"
+sh "$tmpdir/varlock-install.sh" --force-no-brew
 
 # Add to PATH (add to ~/.zshrc or ~/.bashrc)
 export PATH="$HOME/.varlock/bin:$PATH"
@@ -245,9 +247,11 @@ varlock load
 
 ```dockerfile
 # Install Varlock in container
-RUN curl -sSfL https://varlock.dev/install.sh -o /tmp/varlock-install.sh \
-    && sed -n '1,160p' /tmp/varlock-install.sh \
-    && sh /tmp/varlock-install.sh --force-no-brew \
+RUN tmpdir="$(mktemp -d)" \
+    && curl -sSfL https://varlock.dev/install.sh -o "$tmpdir/varlock-install.sh" \
+    && sed -n '1,160p' "$tmpdir/varlock-install.sh" \
+    && sh "$tmpdir/varlock-install.sh" --force-no-brew \
+    && rm -rf "$tmpdir" \
     && ln -s /root/.varlock/bin/varlock /usr/local/bin/varlock
 
 # Validate at container start

package/bundled-skills/vibe-code-cleanup/SKILL.md

@@ -0,0 +1,231 @@
+---
+name: vibe-code-cleanup
+description: "Safe production cleanup and hardening for vibe-coded fullstack apps (Next.js, React, Node.js, etc.). Removes dead imports, unused files, broken references, and standardizes helpers without breaking routes or APIs."
+category: fullstack
+risk: safe
+source: self
+source_type: self
+date_added: "2026-05-31"
+author: Whoisabhishekadhikari
+tags: [cleanup, refactor, nextjs, production, vibe-code, fullstack, nodejs]
+tools: [claude, cursor, gemini, claude-code]
+version: 1.0.0
+---
+
+# Vibe-Code Cleanup — Production Refactor Skill
+
+A safe, incremental cleanup workflow for AI-generated / vibe-coded fullstack apps.
+The goal is to make the codebase production-ready **without** breaking anything that already works.
+
+## When to Use
+
+- Use when a rapidly built app works but has broken imports, duplicated logic, dead code, unclear environment variables, or fragile release hygiene.
+- Use before launch or handoff to convert exploratory code into a maintainable production baseline.
+- Use when cleanup must preserve existing behavior and avoid broad rewrites of routes, APIs, auth, data models, or integrations.
+
+## Core Philosophy
+
+> **Surgery, not demolition.** Remove only what is provably dead. Preserve everything else.
+
+Never:
+- Rewrite working systems for cosmetic reasons
+- Rename routes, slugs, or API endpoints that may be indexed or cached
+- Change tool inputs/outputs, API contracts, DB schema, or auth flow
+- Delete files you haven't verified are unused
+- Make broad sweeping changes in a single commit
+
+Always:
+- Make small, targeted, reversible changes
+- Validate after every meaningful batch of changes
+- Prefer shared helpers over copy-pasted blocks
+- Keep backward compatibility
+
+---
+
+## Step 1 — Reconnaissance (read before touching)
+
+Before changing anything, map the codebase:
+
+```bash
+# List all pages/routes
+find . -path "*/app/**/page.{js,jsx,ts,tsx}" | sort
+find . -path "*/pages/**/*.{js,jsx,ts,tsx}" | grep -v "_" | sort
+
+# Find broken imports (TS projects)
+npx tsc --noEmit 2>&1 | head -80
+
+# Find unused exports (optional, for larger projects)
+npx ts-prune 2>/dev/null | head -40
+
+# Check for console.log / debug leftovers
+grep -r "console\.log\|debugger\|TODO\|FIXME\|HACK" --include="*.{js,ts,jsx,tsx}" -l
+```
+
+Document what you find. Do NOT change yet.
+
+---
+
+## Step 2 — Fix Broken Imports First
+
+Broken imports cause build failures and should be fixed before anything else.
+
+```bash
+# TypeScript: list all errors
+npx tsc --noEmit 2>&1
+
+# Common patterns to fix:
+# - Missing file (file was deleted or renamed)
+# - Wrong relative path (../lib vs ../../lib)
+# - Named export that doesn't exist
+```
+
+**Fix rule:** Fix the import reference. Do NOT delete the referenced file unless you've confirmed it's unused everywhere.
+
+---
+
+## Step 3 — Identify Dead Code (verify before removing)
+
+A file/export is safe to remove **only if**:
+1. No other file imports it (grep-confirmed)
+2. It's not referenced in config, sitemap, or route manifest
+3. It's not a public-facing URL (page.js, route.js)
+
+```bash
+# Check if a file is imported anywhere
+grep -r "from.*my-file\|require.*my-file" --include="*.{js,ts,jsx,tsx}" .
+
+# Check if a component is used anywhere  
+grep -r "MyComponent" --include="*.{js,ts,jsx,tsx}" .
+```
+
+---
+
+## Step 4 — Consolidate Repeated Logic into Helpers
+
+Look for repeated patterns (metadata blocks, API fetch wrappers, error handlers) that appear in 3+ places.
+
+**Good consolidation targets:**
+- Page-level SEO metadata (Open Graph, Twitter cards, canonical)
+- Fetch wrappers with error handling
+- Repeated utility functions (slugify, formatDate, truncate)
+
+**Bad consolidation targets (leave alone):**
+- One-off business logic
+- Route handlers with different contracts
+- Anything touching DB schema or auth
+
+**Pattern for shared metadata helper (Next.js):**
+```js
+// lib/socialMetadata.js
+export function buildPageMetadata({ title, description, path, image }) {
+  const baseUrl = process.env.NEXT_PUBLIC_BASE_URL || 'https://yourdomain.com';
+  const imageUrl = image?.startsWith('http') ? image : `${baseUrl}${image}`;
+  
+  return {
+    title,
+    description,
+    openGraph: {
+      title,
+      description,
+      url: `${baseUrl}${path}`,
+      images: [{ url: imageUrl, width: 1200, height: 630, alt: title }],
+    },
+    twitter: {
+      card: 'summary_large_image',
+      title,
+      description,
+      images: [imageUrl],
+    },
+    alternates: {
+      canonical: `${baseUrl}${path}`,
+    },
+  };
+}
+```
+
+---
+
+## Step 5 — Environment Variable Audit
+
+```bash
+# List all env vars used in code
+grep -r "process\.env\." --include="*.{js,ts,jsx,tsx}" . | grep -oP 'process\.env\.\w+' | sort -u
+
+# Compare against .env.example or .env.local
+cat .env.example 2>/dev/null || cat .env.local 2>/dev/null
+```
+
+Flag any env vars used in code but missing from `.env.example`. Never add secrets to version control.
+
+---
+
+## Step 6 — Validate After Every Batch
+
+Run this after every meaningful batch of cleanup changes:
+
+```bash
+# TypeScript check
+npx tsc --noEmit
+
+# Lint
+npx eslint . --ext .js,.jsx,.ts,.tsx --max-warnings 0
+
+# Build (catches runtime issues TypeScript misses)
+npm run build
+
+# Tests (if present)
+npm test -- --runInBand --passWithNoTests
+```
+
+If build or typecheck breaks → **revert the last batch** before continuing.
+
+---
+
+## Step 7 — Commit Strategy
+
+Each commit should be a single logical unit:
+
+```
+fix: remove broken import in app/blog/page.js
+refactor: consolidate social metadata into lib/socialMetadata.js  
+chore: remove verified-unused utils/oldHelper.js
+fix: standardize env var references to NEXT_PUBLIC_BASE_URL
+```
+
+Never bundle UI changes + logic changes + file deletions in one commit. Smaller commits = easier rollback.
+
+---
+
+## What NOT to Clean Up
+
+Treat these as off-limits unless there's a verified bug:
+
+| Area | Why |
+|------|-----|
+| Route slugs / page paths | May be indexed by Google |
+| API route contracts | Callers depend on exact shape |
+| DB schema / Prisma models | Migration required |
+| Auth flow logic | Security-sensitive |
+| Third-party integration configs | Keys/webhooks are environment-specific |
+| Working tool pages | User-facing functionality |
+
+---
+
+## Cleanup Checklist
+
+- [ ] TypeScript errors fixed
+- [ ] No broken imports
+- [ ] Dead code removed (grep-verified)
+- [ ] Shared helpers created for repeated patterns (3+ uses)
+- [ ] No hardcoded secrets or local-only URLs
+- [ ] All env vars documented in `.env.example`
+- [ ] Build passes
+- [ ] Tests pass (or no tests exist)
+- [ ] Lint passes
+- [ ] Each commit is scoped and explainable
+
+## Limitations
+
+- Does not infer product intent from code alone; confirm behavior before deleting routes, components, API contracts, or data models.
+- Cleanup should be applied in small reviewed batches because broad refactors can hide regressions.
+- Avoid changing auth, billing, persistence, or third-party integration behavior without explicit requirements and tests.