opencode-skills-collection 3.0.31 → 3.0.33

package/bundled-skills/gitops-workflow/SKILL.md

@@ -141,9 +141,11 @@ spec:
 brew install fluxcd/tap/flux
 
 # Alternative: download the official installer, inspect it, then execute it
-curl -fsSLo /tmp/flux-install.sh https://fluxcd.io/install.sh
-sed -n '1,160p' /tmp/flux-install.sh
-sudo bash /tmp/flux-install.sh
+tmpdir="$(mktemp -d)"
+trap 'rm -rf "$tmpdir"' EXIT
+curl -fsSLo "$tmpdir/flux-install.sh" https://fluxcd.io/install.sh
+sed -n '1,160p' "$tmpdir/flux-install.sh"
+sudo bash "$tmpdir/flux-install.sh"
 
 # Bootstrap Flux
 flux bootstrap github \

package/bundled-skills/ii-commons/SKILL.md

@@ -43,7 +43,10 @@ Report the relevant cutoff date before interpreting recent results.
 
 ### Step 2: Search the Right Corpus
 
-Use exactly this command shape:
+Use this argv shape. Literal examples can be typed as shown, but when the query
+comes from a user prompt, pass it as an argument array through the runner API
+instead of interpolating it into a shell string. Double quotes do not protect
+against command substitution in generated shell commands.
 
 ```bash
 npx @intelligentinternet/ii-commons search arxiv "large language model inference" --max-results 10
@@ -51,6 +54,17 @@ npx @intelligentinternet/ii-commons search pubmed "type 2 diabetes review" --sta
 npx @intelligentinternet/ii-commons search policy "state overtime rule for agricultural workers" --jurisdictions US-CA --max-results 10
 ```
 
+```js
+spawnSync("npx", [
+  "@intelligentinternet/ii-commons",
+  "search",
+  "arxiv",
+  userQuery,
+  "--max-results",
+  "10",
+]);
+```
+
 Choose `arxiv` for preprints and technical research, `pubmed` for biomedical and clinical literature, and `policy` for supported US policy corpora.
 
 ### Step 3: Retrieve Metadata or Markdown

package/bundled-skills/lemmaly/SKILL.md

@@ -141,16 +141,25 @@ The first version is the default an AI ships when asked "filter the active users
 
 The upstream repo ships a deterministic CLI scanner with the same anti-patterns this skill enforces (**59 rules across 11 languages**: JavaScript/TypeScript, Python, SQL, Java, C#, C++, Go, Rust, PHP, Ruby, Shell/Bash). Each rule has a documented why, an incorrect example, a correct example, and the sibling skill to escalate to.
 
-To run the scanner locally:
+The scanner is optional. Do not automatically clone and run the upstream
+repository from its default branch, because that executes whatever code is
+current in a third-party repository. If the user explicitly wants the scanner,
+pin the source to a reviewed release tag or commit, use a throwaway directory,
+and show the resolved commit before running it:
 
 ```bash
-# Clone the upstream repo for the CLI tool
-git clone https://github.com/morsechimwai/lemmaly.git
-cd lemmaly
-node cli/lemmaly.js scan <path>          # flag instances of anti-patterns
-node cli/lemmaly.js rules                # list all 59 rules
+# Replace <reviewed-tag-or-commit> after reviewing the upstream release.
+tmpdir="$(mktemp -d)"
+git clone --filter=blob:none https://github.com/morsechimwai/lemmaly.git "$tmpdir/lemmaly"
+git -C "$tmpdir/lemmaly" checkout --detach <reviewed-tag-or-commit>
+git -C "$tmpdir/lemmaly" rev-parse HEAD
+node "$tmpdir/lemmaly/cli/lemmaly.js" scan <path>
+node "$tmpdir/lemmaly/cli/lemmaly.js" rules
 ```
 
+When the scan is done, remove the throwaway directory only after verifying that
+`$tmpdir` points to the directory created by `mktemp -d`.
+
 **CRITICAL severity (error in CI):**
 
 - `js-await-in-for-loop` — N+1 over network

package/bundled-skills/linkerd-patterns/SKILL.md

@@ -73,9 +73,11 @@ Production patterns for Linkerd service mesh - the lightweight, security-first s
 brew install linkerd
 
 # Alternative: download the official installer, inspect it, then execute it
-curl --proto '=https' --tlsv1.2 -sSfL https://run.linkerd.io/install -o /tmp/linkerd-install.sh
-sed -n '1,160p' /tmp/linkerd-install.sh
-sh /tmp/linkerd-install.sh
+tmpdir="$(mktemp -d)"
+trap 'rm -rf "$tmpdir"' EXIT
+curl --proto '=https' --tlsv1.2 -sSfL https://run.linkerd.io/install -o "$tmpdir/linkerd-install.sh"
+sed -n '1,160p' "$tmpdir/linkerd-install.sh"
+sh "$tmpdir/linkerd-install.sh"
 
 # Validate cluster
 linkerd check --pre

package/bundled-skills/longbridge/SKILL.md

@@ -0,0 +1,95 @@
+---
+name: longbridge
+description: "125+ agent skills for Longbridge Securities — real-time quotes, charts, fundamentals, portfolio analysis, options, and more for HK/US/A-share/SG markets. Trilingual: Simplified Chinese, Traditional Chinese, English."
+category: finance
+risk: critical
+source: official
+source_repo: longbridge/skills
+source_type: official
+date_added: "2026-05-29"
+author: longbridge
+tags: [finance, stocks, trading, portfolio, market-data]
+tools: [claude, cursor, gemini, codex]
+license: "MIT"
+license_source: "https://github.com/longbridge/skills/blob/main/LICENSE"
+plugin:
+  targets:
+    codex: blocked
+    claude: blocked
+---
+
+# Longbridge
+
+## Overview
+
+Longbridge is the official skill collection for Longbridge Securities, covering 125+ agent skills across real-time market data, chart analysis, company fundamentals, portfolio management, options, sector screening, and more. Supports HK, US, A-share (SH/SZ), and SG markets. All skills are trilingual (Simplified Chinese / Traditional Chinese / English).
+
+Source repository: [github.com/longbridge/skills](https://github.com/longbridge/skills) (~840 stars, MIT)
+
+## When to Use This Skill
+
+- Use when the user asks about stock prices, charts, or market data for HK/US/A-share/SG markets
+- Use when the user wants company fundamentals, earnings, or analyst ratings
+- Use when the user asks about their portfolio, positions, or account P&L via Longbridge
+- Use when the user wants options analysis, sector rankings, capital flow, or news
+- Use when the user asks in Chinese (Simplified or Traditional) or English about any securities topic
+
+## How It Works
+
+### Step 1: Discover the Right Subcommand
+
+```bash
+longbridge --help
+```
+
+List all available subcommands. Never hard-code subcommand names — the CLI evolves.
+
+### Step 2: Check Subcommand Options
+
+```bash
+longbridge <subcommand> --help
+```
+
+Confirm flags and output format before calling.
+
+### Step 3: Call with JSON Output
+
+```bash
+longbridge <subcommand> --format json
+```
+
+Parse the structured output and render in the user's language (detect from input).
+
+## Authentication
+
+```bash
+longbridge auth login          # Basic market data (read-only)
+longbridge auth login --trade  # Portfolio and account features
+```
+
+## Install
+
+```bash
+# Claude Code plugin marketplace
+/plugin marketplace add longbridge/skills
+
+# Or via npx
+npx skills add https://github.com/longbridge/skills
+```
+
+## MCP Fallback
+
+If the `longbridge` CLI binary is not installed, fall back to MCP tools. Inspect available MCP tools at runtime — do not hard-code MCP tool names as they change with server versions.
+
+## Limitations
+
+- Portfolio and account features require login with Trade scope.
+- Real-time data is subject to Longbridge data subscription (delayed data available without subscription).
+- Crypto symbols use `.HAS` suffix on the Longbridge platform.
+- This skill does not place orders — read-only by default unless using the account write scope.
+
+## Security & Safety Notes
+
+- All market data queries are read-only (no side effects).
+- Watchlist mutations and order-related features follow a preview + confirm two-step protocol.
+- Credentials are handled by the Longbridge auth system; this skill does not store or transmit tokens.

package/bundled-skills/mercury-mcp/SKILL.md

@@ -1,9 +1,13 @@
 ---
 name: mercury-mcp
 description: "Cheatsheet for the Mercury (proton) MCP tools. Use when connected to the Mercury MCP server to look up which mercury_* tool to call for messaging teammates, threads, tasks, automations, or admin team-graph edits."
-risk: safe
+risk: critical
 source: community
 date_added: "2026-05-19"
+plugin:
+  targets:
+    codex: blocked
+    claude: blocked
 ---
 
 # Mercury MCP tool cheatsheet
@@ -21,6 +25,10 @@ This skill is a lookup reference for those tools. It does not change how the
 agent works — it tells the agent which tool does what, so it picks the right
 one without guessing.
 
+Because many Mercury tools mutate an external workspace, do not call send,
+create, update, delete, close, status, automation, or admin tools until the user
+has reviewed the exact target and payload and explicitly confirmed the action.
+
 ## When to Use This Skill
 
 - Use when your agent is connected to the Mercury MCP server and you need to

package/bundled-skills/moatmri/SKILL.md

@@ -0,0 +1,84 @@
+---
+name: moatmri
+description: Analyze AI disruption pressure across a business, map competitive exposure, and produce a 90-day defensive action plan.
+risk: safe
+source: community
+date_added: "2026-05-31"
+---
+
+# MoatMRI — AI Disruption Pressure Analysis
+
+*Where does intelligence pressure break this system first?*
+
+## When to Use This Skill
+
+- "Is my business at risk from AI? Where am I most exposed?"
+- "How would an AI-native startup take over my market?"
+- "What should I do in the next 90 days to defend against AI disruption?"
+- "I'm doing due diligence on [company] — what's their AI displacement risk?"
+- "Where does my competitive moat actually hold against AI pressure?"
+
+## How It Works
+
+### Step 1 — Gather Inputs
+
+Ask if not provided:
+- **Industry** (e.g., "real estate", "community banking", "retail pharmacy", "law firm")
+- **Entity type** (e.g., "independent broker", "solo practitioner", "regional franchise")
+- **Target name** (optional — specific organization for named analysis)
+
+## Limitations
+
+- Produces strategic risk analysis, not audited market research or investment advice.
+- Depends on current company, market, regulatory, and competitive context supplied by the user or gathered from reliable sources.
+- Treats disruption scenarios as planning tools; scores should be revisited as new evidence appears.
+
+### Step 2 — 10-Vector Pressure Map
+
+Score AI disruption pressure across exactly these 10 vectors (0–10):
+
+| # | Vector | What to Measure |
+|---|--------|----------------|
+| 1 | **labor_substitution** | Which roles/functions are directly automatable |
+| 2 | **customer_interface** | How AI changes how customers reach this entity |
+| 3 | **knowledge_commoditization** | Does AI commoditize the expertise this entity sells |
+| 4 | **pricing_pressure** | Does AI enable lower-cost competitors to undercut |
+| 5 | **supply_chain_automation** | Does AI change input costs or supplier relationships |
+| 6 | **data_moat** | Does this entity have proprietary data AI can't replicate |
+| 7 | **trust_relationship_moat** | How much does customer loyalty protect against displacement |
+| 8 | **distribution_channel_disruption** | Does AI create new channels that bypass this entity |
+| 9 | **regulatory_compliance_exposure** | Does AI alter the regulatory or liability landscape |
+| 10 | **decision_speed_gap** | Does AI accelerate decisions in ways that disadvantage this entity |
+
+For each vector produce: **score**, **headline**, **near_term** (12 months), **far_term** (3 years).
+
+**Aggregate risk score:** mean of all 10 vectors. Flag any vector ≥ 7 as critical.
+
+### Step 3 — AI Front-Door Takeover Storyboard
+
+6-step narrative of how an AI-native competitor displaces this entity:
+1. The entry point
+2. The wedge (first 10% of market)
+3. The acceleration (what makes it compound)
+4. The tipping point (when incumbent can't recover)
+5. The aftermath
+6. The survivor profile
+
+### Step 4 — 90-Day Counterstrike Plan
+
+- **Track A (Days 0–30):** Immediate defense — what to stop, what to protect
+- **Track B (Days 31–60):** Intelligence-layer build — data/relationships to fortify
+- **Track C (Days 61–90):** Offensive positioning — use AI pressure as competitive weapon
+
+## Best Practices
+
+- ✅ Score all 10 vectors before calculating aggregate — resist stopping at obvious ones
+- ✅ Keep the storyboard specific to industry/entity, not generic disruption narrative
+- ✅ Track C should be actionable within 90 days, not aspirational 3-year strategy
+- ❌ Don't conflate data_moat with trust_relationship_moat — they protect differently
+
+## Additional Resources
+
+- Repository: [thebrierfox/moatmri-skill](https://github.com/thebrierfox/moatmri-skill)
+- Full BYOK tool: [ace-license-server-production.up.railway.app/byok/moatmri](https://ace-license-server-production.up.railway.app/byok/moatmri)
+- Built by [IntuiTek¹](https://intuitek.ai) (~K¹) — MIT License

package/bundled-skills/nextjs-seo-indexing/SKILL.md

@@ -0,0 +1,263 @@
+---
+name: nextjs-seo-indexing
+description: "Fix SEO indexing issues, crawl budget problems, and Search Console coverage errors for Next.js apps. Covers canonical tags, noindex audits, sitemap health, static rendering, and internal linking."
+category: seo
+risk: safe
+source: self
+source_type: self
+date_added: "2026-05-31"
+author: Whoisabhishekadhikari
+tags: [seo, indexing, nextjs, search-console, crawl-budget, canonical, sitemap]
+tools: [claude, cursor, gemini, claude-code]
+version: 1.0.0
+---
+
+# Next.js SEO Indexing & Crawl Budget Skill
+
+Fix Google Search Console coverage issues, canonical problems, sitemap errors, and crawl budget waste in Next.js apps.
+
+---
+
+## When to Use
+
+- Use when a Next.js site has Google Search Console coverage issues such as duplicate canonicals, accidental noindex, crawl waste, or discovered-but-not-indexed URLs.
+- Use when auditing sitemap, robots.txt, redirect, internal-linking, or static-rendering problems before an SEO release.
+- Use when you need framework-specific examples for Next.js App Router metadata, `generateMetadata`, `robots.js`, and sitemap routes.
+
+---
+
+## Understanding Search Console Coverage States
+
+| Status | Meaning | Fix |
+|--------|---------|-----|
+| Crawled – not indexed | Google crawled but chose not to index | Improve content quality + canonical + internal links |
+| Duplicate without canonical | Multiple URLs serve same content, no canonical | Add explicit canonical to the preferred URL |
+| Excluded by noindex | `noindex` tag present | Remove noindex if page should be indexed |
+| Duplicate, Google chose different canonical | Google prefers a different URL than you specified | Align canonical with the URL Google naturally picks |
+| Alternative page with proper canonical | Correct — non-preferred duplicate pointing to canonical | Expected behavior, not a problem |
+| Not found 404 | Page deleted or URL changed | Add redirect or restore page |
+| Discovered – not indexed | Google knows it exists but hasn't crawled it | Improve internal linking + crawl budget |
+| Page with redirect | Redirect chain or redirect to wrong target | Shorten redirect chain, verify destination |
+
+---
+
+## Step 1 — Canonical Audit
+
+### Next.js App Router (metadata export)
+```js
+// app/blog/my-post/page.js
+export const metadata = {
+  title: 'My Post Title',
+  alternates: {
+    canonical: 'https://www.yourdomain.com/blog/my-post',
+  },
+};
+```
+
+### Next.js App Router (generateMetadata)
+```js
+export async function generateMetadata({ params }) {
+  return {
+    alternates: {
+      canonical: `https://www.yourdomain.com/blog/${params.slug}`,
+    },
+  };
+}
+```
+
+### Common canonical mistakes to fix:
+```js
+// ❌ WRONG — relative URL
+canonical: '/blog/my-post'
+
+// ❌ WRONG — missing trailing slash inconsistency  
+// (pick one and stick with it sitewide)
+
+// ✓ CORRECT — absolute URL, consistent scheme + subdomain
+canonical: 'https://www.yourdomain.com/blog/my-post'
+```
+
+---
+
+## Step 2 — Noindex Audit
+
+Find pages that are accidentally noindexed:
+
+```bash
+# Search for noindex in metadata
+grep -r "noindex\|robots.*noindex" --include="*.{js,ts,jsx,tsx}" app/ pages/ -l
+
+# Check layout.js — a noindex here affects ALL pages
+grep -n "robots" app/layout.js
+```
+
+In Next.js App Router, `robots` in the root layout applies globally. Only set it there if you want the whole site affected.
+
+```js
+// app/layout.js — only set robots if you need sitewide control
+export const metadata = {
+  // ✓ Allow indexing
+  robots: { index: true, follow: true },
+  // ❌ This would noindex the entire site:
+  // robots: { index: false }
+};
+```
+
+---
+
+## Step 3 — Sitemap Health
+
+### Verify sitemap routes return 200 + valid XML
+```bash
+curl -sI https://www.yourdomain.com/sitemap.xml | grep -i "content-type\|status"
+curl -s https://www.yourdomain.com/sitemap.xml | head -20
+```
+
+### Next.js App Router sitemap (recommended pattern)
+```js
+// app/sitemap.js
+export default async function sitemap() {
+  const baseUrl = 'https://www.yourdomain.com';
+  
+  // Static pages
+  const staticPages = [
+    { url: baseUrl, lastModified: new Date(), changeFrequency: 'daily', priority: 1.0 },
+    { url: `${baseUrl}/about`, lastModified: new Date(), changeFrequency: 'monthly', priority: 0.8 },
+  ];
+  
+  // Dynamic pages (fetch from DB or CMS)
+  const posts = await getPosts(); // your data fetch
+  const dynamicPages = posts.map(post => ({
+    url: `${baseUrl}/blog/${post.slug}`,
+    lastModified: new Date(post.updatedAt),
+    changeFrequency: 'weekly',
+    priority: 0.7,
+  }));
+  
+  return [...staticPages, ...dynamicPages];
+}
+```
+
+### Multiple sitemaps (sitemap index)
+```js
+// app/sitemap-tools/sitemap.js  
+// app/sitemap-blog/sitemap.js
+// Each returns an array of URL entries
+```
+
+---
+
+## Step 4 — Static Rendering Verification
+
+Pages must be statically generated (or SSR with metadata in HTML) for Google to see SEO tags.
+
+```bash
+# Check build output — pages should show ● (static) not λ (dynamic)
+npm run build 2>&1 | grep -E "○|●|λ|/blog|/tools"
+```
+
+```
+○  /about             (static)
+●  /blog/[slug]       (SSG)  ← good
+λ  /api/data          (serverless) ← expected for APIs
+```
+
+If important pages are `λ` (fully dynamic with no static generation), add:
+
+```js
+// app/blog/[slug]/page.js
+export async function generateStaticParams() {
+  const posts = await getPosts();
+  return posts.map(post => ({ slug: post.slug }));
+}
+```
+
+---
+
+## Step 5 — Internal Linking Audit
+
+Pages with zero internal links are rarely indexed. Every important page should be reachable from:
+1. Homepage or navigation
+2. A sitemap
+3. At least one other content page
+
+```bash
+# Find pages that have no inbound links from other pages
+# (manual check — grep for the slug across all files)
+grep -r "/blog/my-orphan-post" --include="*.{js,ts,jsx,tsx,md}" . | grep -v "sitemap\|the-page-itself"
+```
+
+---
+
+## Step 6 — Redirect Audit
+
+```bash
+# Find all redirects in Next.js config
+grep -A 3 "redirects" next.config.js
+
+# Check for redirect chains (A → B → C — should be A → C)
+# Test a suspected chain:
+curl -sI https://www.yourdomain.com/old-url | grep -i location
+```
+
+```js
+// next.config.js — keep redirects flat (no chains)
+async redirects() {
+  return [
+    {
+      source: '/old-url',
+      destination: '/new-url', // Must NOT itself redirect
+      permanent: true, // 308 for SEO
+    },
+  ];
+}
+```
+
+---
+
+## Step 7 — robots.txt Check
+
+```bash
+curl -s https://www.yourdomain.com/robots.txt
+```
+
+```
+# ✓ Good
+User-agent: *
+Allow: /
+Sitemap: https://www.yourdomain.com/sitemap.xml
+
+# ❌ Bad — disallows crawling of important content
+Disallow: /blog/
+Disallow: /tools/
+```
+
+```js
+// app/robots.js (Next.js App Router)
+export default function robots() {
+  return {
+    rules: { userAgent: '*', allow: '/' },
+    sitemap: 'https://www.yourdomain.com/sitemap.xml',
+  };
+}
+```
+
+---
+
+## Indexing Checklist
+
+- [ ] All important pages have absolute canonical URLs
+- [ ] No important pages accidentally noindexed
+- [ ] Sitemap routes return 200 with valid XML
+- [ ] Sitemap submitted to Google Search Console
+- [ ] Important pages statically generated (●) in build output
+- [ ] No redirect chains (A→B→C should be A→C)
+- [ ] robots.txt allows important content
+- [ ] Every important page has ≥1 internal inbound link
+- [ ] `generateStaticParams` added for dynamic routes with known slugs
+
+## Limitations
+
+- Does not guarantee Google will index a page; final indexing decisions remain with the search engine.
+- Requires access to the codebase, deployed URLs, and ideally Google Search Console data for confident diagnosis.
+- Treat recommendations that change URL structure, redirects, or canonical policy as production-impacting and review them before deployment.

package/bundled-skills/openclaw-github-repo-commander/scripts/repo-audit.sh

@@ -9,6 +9,7 @@ if [[ ! -d "$target" ]]; then
 fi
 
 cd "$target"
+repo_root="$(pwd -P)"
 
 status=0
 
@@ -21,6 +22,25 @@ warn() {
   status=1
 }
 
+has_symlink_component() {
+  local candidate="$1"
+  local current="."
+  local part
+  local -a parts
+
+  candidate="${candidate#./}"
+  IFS='/' read -r -a parts <<< "$candidate"
+  for part in "${parts[@]}"; do
+    [[ -z "$part" || "$part" == "." ]] && continue
+    current="$current/$part"
+    if [[ -L "$current" ]]; then
+      return 0
+    fi
+  done
+
+  return 1
+}
+
 if command -v rg >/dev/null 2>&1; then
   if rg --hidden --glob '!.git/**' --glob '!.github/workflows/**' --glob '!node_modules/**' --glob '!dist/**' --glob '!build/**' \
     --regexp 'ghp_[A-Za-z0-9_]{20,}' \
@@ -67,7 +87,29 @@ if command -v rg >/dev/null 2>&1 && [[ -f README.md ]]; then
     [[ "$link" =~ ^mailto: ]] && continue
     link="${link%%#*}"
     [[ -z "$link" ]] && continue
+    if [[ "$link" = /* || "/$link/" == *"/../"* ]]; then
+      broken_links=1
+      printf 'WARN README local link escapes repository: %s\n' "$link"
+      continue
+    fi
+    if has_symlink_component "$link"; then
+      broken_links=1
+      printf 'WARN README local link escapes repository: %s\n' "$link"
+      continue
+    fi
     if [[ ! -e "$link" ]]; then
+      parent_dir="$(dirname -- "$link")"
+      if [[ -d "$parent_dir" ]]; then
+        resolved_parent="$(cd "$parent_dir" && pwd -P)"
+        case "$resolved_parent/" in
+          "$repo_root"/* | "$repo_root/" ) ;;
+          * )
+            broken_links=1
+            printf 'WARN README local link escapes repository: %s\n' "$link"
+            continue
+            ;;
+        esac
+      fi
       broken_links=1
       printf 'WARN broken README local link: %s\n' "$link"
     fi

package/bundled-skills/photopea-embedded-editor/SKILL.md

@@ -247,7 +247,8 @@ async function addImageAndWait(pea, imgURI) {
     count = (await pea.runScript(`app.echoToOE(app.activeDocument.layers.length)`))[0];
   count = parseInt(count);
 
-  await pea.runScript(`app.open("${imgURI}", null, true);`);
+  const imageUrlLiteral = JSON.stringify(imgURI);
+  await pea.runScript(`app.open(${imageUrlLiteral}, null, true);`);
 
   return new Promise((resolve) => {
     const check = async () => {
@@ -306,9 +307,11 @@ document.getElementById("exportBtn").addEventListener("click", async () => {
 ```js
 async function generateCard(pea, name, tagline) {
   await pea.openFromURL("https://example.com/card.psd", false);
+  const nameLiteral = JSON.stringify(name);
+  const taglineLiteral = JSON.stringify(tagline);
   await pea.runScript(`
-    app.activeDocument.layers.getByName("Name").textItem.contents    = "${name}";
-    app.activeDocument.layers.getByName("Tagline").textItem.contents = "${tagline}";
+    app.activeDocument.layers.getByName("Name").textItem.contents    = ${nameLiteral};
+    app.activeDocument.layers.getByName("Tagline").textItem.contents = ${taglineLiteral};
   `);
   return await pea.exportImage("png");
 }
@@ -1385,6 +1388,7 @@ app.echoToOE(JSON.stringify(getLayerInfo(app.activeDocument)));
 - This skill covers host-page integration patterns; it does not replace Photopea's own terms, API documentation, or licensing guidance.
 - Remote URL loading depends on browser CORS behavior, network availability, and the user's Photopea account/session state.
 - `runScript` executes scripts inside the embedded Photopea document context. Only run scripts you understand and only with user-approved files.
+- Serialize dynamic values with `JSON.stringify` before embedding them in a `runScript` string. Never concatenate user-provided URLs, layer names, or text directly into Photopea script source.
 - Export behavior can vary by document size, browser memory limits, and the formats supported by the active Photopea runtime.
 
 ---