npm - opencode-skills-collection - Versions diffs - 3.0.39 → 3.0.40 - Mend

opencode-skills-collection 3.0.39 → 3.0.40

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (40) hide show

package/bundled-skills/docs/integrations/jetski-cortex.md CHANGED Viewed

@@ -1,9 +1,9 @@
 ---
 title: Jetski/Cortex + Gemini Integration Guide
-description: "Use antigravity-awesome-skills with Jetski/Cortex without hitting context-window overflow with 1,520+ skills."
+description: "Use antigravity-awesome-skills with Jetski/Cortex without hitting context-window overflow with 1,525+ skills."
 ---
-# Jetski/Cortex + Gemini: safe integration with 1,520+ skills
+# Jetski/Cortex + Gemini: safe integration with 1,525+ skills
 This guide shows how to integrate the `antigravity-awesome-skills` repository with an agent based on **Jetski/Cortex + Gemini** (or similar frameworks) **without exceeding the model context window**.
@@ -23,7 +23,7 @@ Never do:
 - concatenate all `SKILL.md` content into a single system prompt;
 - re-inject the entire library for **every** request.
-With 1,520+ skills, this approach fills the context window before user messages are even added, causing truncation.
+With 1,525+ skills, this approach fills the context window before user messages are even added, causing truncation.
 ---

package/bundled-skills/docs/integrations/jetski-gemini-loader/README.md CHANGED Viewed

@@ -21,7 +21,7 @@ This example shows one way to integrate **antigravity-awesome-skills** with a Je
 - How to enforce a **maximum number of skills per turn** via `maxSkillsPerTurn`.
 - How to choose whether to **truncate or error** when too many skills are requested via `overflowBehavior`.
-This pattern avoids context overflow when you have 1,520+ skills installed.
+This pattern avoids context overflow when you have 1,525+ skills installed.
 Manifest contract references:

package/bundled-skills/docs/maintainers/repo-growth-seo.md CHANGED Viewed

@@ -6,7 +6,7 @@ This document keeps the repository's GitHub-facing discovery copy aligned with t
 Preferred positioning:
-> Installable GitHub library of 1,520+ agentic skills for Claude Code, Cursor, Codex CLI, Gemini CLI, Antigravity, and other AI coding assistants.
+> Installable GitHub library of 1,525+ agentic skills for Claude Code, Cursor, Codex CLI, Gemini CLI, Antigravity, and other AI coding assistants.
 Key framing:
@@ -20,7 +20,7 @@ Key framing:
 Preferred description:
-> Installable GitHub library of 1,520+ agentic skills for Claude Code, Cursor, Codex CLI, Gemini CLI, Antigravity, and more. Includes installer CLI, bundles, workflows, and official/community skill collections.
+> Installable GitHub library of 1,525+ agentic skills for Claude Code, Cursor, Codex CLI, Gemini CLI, Antigravity, and more. Includes installer CLI, bundles, workflows, and official/community skill collections.
 Preferred homepage:
@@ -28,7 +28,7 @@ Preferred homepage:
 Preferred social preview:
-- use a clean preview image that says `1,520+ Agentic Skills`;
+- use a clean preview image that says `1,525+ Agentic Skills`;
 - mention Claude Code, Cursor, Codex CLI, and Gemini CLI;
 - avoid dense text and tiny logos that disappear in social cards.

package/bundled-skills/docs/maintainers/skills-update-guide.md CHANGED Viewed

@@ -72,7 +72,7 @@ The update process refreshes:
 - Canonical skills index (`skills_index.json`)
 - Compatibility mirror (`data/skills_index.json`)
 - Web app skills data (`apps\web-app\public\skills.json`)
-- All 1,520+ skills from the skills directory
+- All 1,525+ skills from the skills directory
 ## When to Update

package/bundled-skills/docs/sources/sources.md CHANGED Viewed

@@ -11,6 +11,7 @@ If you recognize your work here and it is not properly attributed, please open a
 | `burp-suite-testing`        | [PortSwigger](https://portswigger.net/burp)                                | N/A            | Usage guide only (no binary). |
 | `crewai`                    | [CrewAI](https://github.com/joaomdmoura/crewAI)                            | MIT            | Framework guides.             |
 | `hasdata`, `hasdata-cli`    | [HasData CLI](https://github.com/HasData/hasdata-cli)                      | MIT            | Official HasData API and CLI guidance. |
+| `runapi-cli`                | [RunAPI CLI Skill](https://github.com/runapi-ai/cli-skill)                 | Apache-2.0     | Official RunAPI CLI skill for generating AI images, videos, and music/audio, plus other model API jobs. |
 | `langgraph`                 | [LangGraph](https://github.com/langchain-ai/langgraph)                     | MIT            | Framework guides.             |
 | `react-patterns`            | [React Docs](https://react.dev/)                                           | CC-BY          | Official patterns.            |
 | **All Official Skills**     | [Anthropic / Google / OpenAI / Microsoft / Supabase / Apify / Vercel Labs] | Proprietary    | Usage encouraged by vendors.  |

package/bundled-skills/docs/users/bundles.md CHANGED Viewed

@@ -917,4 +917,4 @@ Found a skill that should be in a bundle? Or want to create a new bundle? [Open
 ---
-_Last updated: March 2026 | Total Skills: 1,520+ | Total Bundles: 52_
+_Last updated: March 2026 | Total Skills: 1,525+ | Total Bundles: 52_

package/bundled-skills/docs/users/claude-code-skills.md CHANGED Viewed

@@ -12,7 +12,7 @@ Install the library into Claude Code, then invoke focused skills directly in the
 ## Why use this repo for Claude Code
-- It includes 1,520+ skills instead of a narrow single-domain starter pack.
+- It includes 1,525+ skills instead of a narrow single-domain starter pack.
 - It supports the standard `.claude/skills/` path and the Claude Code plugin marketplace flow.
 - It also ships generated bundle plugins so teams can install focused packs like `Essentials` or `Security Developer` from the marketplace metadata.
 - It includes onboarding docs, bundles, and workflows so new users do not need to guess where to begin.

package/bundled-skills/docs/users/gemini-cli-skills.md CHANGED Viewed

@@ -12,7 +12,7 @@ Install into the Gemini skills path, then ask Gemini to apply one skill at a tim
 - It installs directly into the expected Gemini skills path.
 - It includes both core software engineering skills and deeper agent/LLM-oriented skills.
-- It helps new users get started with bundles and workflows rather than forcing a cold start from 1,520+ files.
+- It helps new users get started with bundles and workflows rather than forcing a cold start from 1,525+ files.
 - It is useful whether you want a broad internal skill library or a single repo to test many workflows quickly.
 ## Install Gemini CLI Skills

package/bundled-skills/docs/users/getting-started.md CHANGED Viewed

@@ -1,4 +1,4 @@
-# Getting Started with Antigravity Awesome Skills (V12.1.0)
+# Getting Started with Antigravity Awesome Skills (V12.2.1)
 **New here? This guide will help you supercharge your AI Agent in 5 minutes.**

package/bundled-skills/docs/users/kiro-integration.md CHANGED Viewed

@@ -18,7 +18,7 @@ Kiro is AWS's agentic AI IDE that combines:
 Kiro's agentic capabilities are enhanced by skills that provide:
-- **Domain expertise** across 1,520+ specialized areas
+- **Domain expertise** across 1,525+ specialized areas
 - **Best practices** from Anthropic, OpenAI, Google, Microsoft, and AWS
 - **Workflow automation** for common development tasks
 - **AWS-specific patterns** for serverless, infrastructure, and cloud architecture

package/bundled-skills/docs/users/usage.md CHANGED Viewed

@@ -14,7 +14,7 @@ If you came in through a **Claude Code** or **Codex** plugin instead of a full l
 When you ran `npx antigravity-awesome-skills` or cloned the repository, you:
-✅ **Downloaded 1,520+ skill files** to your computer (default: `~/.agents/skills/`; or a custom path like `~/.agent/skills/` if you used `--path`)
+✅ **Downloaded 1,525+ skill files** to your computer (default: `~/.agents/skills/`; or a custom path like `~/.agent/skills/` if you used `--path`)
 ✅ **Made them available** to your AI assistant
 ❌ **Did NOT enable them all automatically** (they're just sitting there, waiting)
@@ -34,7 +34,7 @@ Bundles are **curated groups** of skills organized by role. They help you decide
 **Analogy:**
-- You installed a toolbox with 1,520+ tools (✅ done)
+- You installed a toolbox with 1,525+ tools (✅ done)
 - Bundles are like **labeled organizer trays** saying: "If you're a carpenter, start with these 10 tools"
 - You can either **pick skills from the tray** or install that tray as a focused marketplace bundle plugin
@@ -212,7 +212,7 @@ Let's actually use a skill right now. Follow these steps:
 ## Step 5: Picking Your First Skills (Practical Advice)
-Don't try to use all 1,520+ skills at once. Here's a sensible approach:
+Don't try to use all 1,525+ skills at once. Here's a sensible approach:
 If you want a tool-specific starting point before choosing skills, use:
@@ -343,7 +343,7 @@ Usually no, but if your AI doesn't recognize a skill:
 ### "Can I load all skills into the model at once?"
-No. Even though you have 1,520+ skills installed locally, you should **not** concatenate every `SKILL.md` into a single system prompt or context block.
+No. Even though you have 1,525+ skills installed locally, you should **not** concatenate every `SKILL.md` into a single system prompt or context block.
 The intended pattern is:

package/bundled-skills/docs/users/visual-guide.md CHANGED Viewed

@@ -34,7 +34,7 @@ antigravity-awesome-skills/
 ├── 📄 CONTRIBUTING.md                  ← Contributor workflow
 ├── 📄 CATALOG.md                       ← Full generated catalog
 │
-├── 📁 skills/                          ← 1,520+ skills live here
+├── 📁 skills/                          ← 1,525+ skills live here
 │   │
 │   ├── 📁 brainstorming/
 │   │   └── 📄 SKILL.md                 ← Skill definition
@@ -47,7 +47,7 @@ antigravity-awesome-skills/
 │   │   └── 📁 2d-games/
 │   │       └── 📄 SKILL.md             ← Nested skills also supported
 │   │
-│   └── ... (1,520+ total)
+│   └── ... (1,525+ total)
 │
 ├── 📁 apps/
 │   └── 📁 web-app/                     ← Interactive browser
@@ -100,7 +100,7 @@ antigravity-awesome-skills/
 ```
                     ┌─────────────────────────┐
-                    │  1,520+ SKILLS          │
+                    │  1,525+ SKILLS          │
                     └────────────┬────────────┘
                                  │
         ┌────────────────────────┼────────────────────────┐
@@ -201,7 +201,7 @@ If you want a workspace-style manual install instead, cloning into `.agent/skill
 │   ├── 📁 brainstorming/                 │
 │   ├── 📁 stripe-integration/            │
 │   ├── 📁 react-best-practices/          │
-│   └── ... (1,520+ total)                │
+│   └── ... (1,525+ total)                │
 └─────────────────────────────────────────┘
 ```

package/bundled-skills/examprep-ai/SKILL.md CHANGED Viewed

@@ -19,6 +19,14 @@ tags:
 # ExamPrep AI
+## When to Use
+Use this skill when you need to:
+- Convert a syllabus, past papers, or study notes into a prioritized roadmap.
+- Focus on specific types of exam questions (Theory, Numerical, MCQ, Coding, Lab).
+- Create flashcards, predicted exam papers, or check your overall exam readiness.
+- Perform last-minute revision or deep-dive into important exam topics.
 ## 🎯 Selective Reading Rule — Read ONLY the section matching the request
 | What the student asks for | Jump to |

package/bundled-skills/hugging-face-cli/SKILL.md CHANGED Viewed

@@ -6,7 +6,7 @@ risk: unknown
 ---
 Install by downloading the installer script first, reviewing it, and then running it locally. Example:
-`curl -LsSf https://hf.co/cli/install.sh -o /tmp/hf-install.sh && less /tmp/hf-install.sh && bash /tmp/hf-install.sh`
+`tmpdir="$(mktemp -d)" && trap 'rm -rf "$tmpdir"' EXIT && curl -LsSf https://hf.co/cli/install.sh -o "$tmpdir/hf-install.sh" && less "$tmpdir/hf-install.sh" && bash "$tmpdir/hf-install.sh"`
 ## When to Use
 Use this skill when you need the `hf` CLI for Hub authentication, downloads, uploads, repo management, or basic compute operations.
@@ -182,7 +182,7 @@ Generated with `huggingface_hub v1.8.0`. Run `hf skills add --force` to regenera
 To mount Hub repositories or buckets as local filesystems — no download, no copy, no waiting — use `hf-mount`. Files are fetched on demand. GitHub: https://github.com/huggingface/hf-mount
 Install by downloading the installer locally, reviewing it, and then running it. Example:
-`curl -fsSL https://raw.githubusercontent.com/huggingface/hf-mount/main/install.sh -o /tmp/hf-mount-install.sh && less /tmp/hf-mount-install.sh && sh /tmp/hf-mount-install.sh`
+`tmpdir="$(mktemp -d)" && trap 'rm -rf "$tmpdir"' EXIT && curl -fsSL https://raw.githubusercontent.com/huggingface/hf-mount/main/install.sh -o "$tmpdir/hf-mount-install.sh" && less "$tmpdir/hf-mount-install.sh" && sh "$tmpdir/hf-mount-install.sh"`
 Some command examples:
 - `hf-mount start repo openai-community/gpt2 /tmp/gpt2` — mount a repo (read-only)

package/bundled-skills/open-dynamic-workflows/SKILL.md ADDED Viewed

@@ -0,0 +1,101 @@
+---
+name: open-dynamic-workflows
+description: "Plan, orchestrate, and adversarially verify parallel AI coding agents with a dynamic multi-agent workflow engine."
+category: ai-agents
+risk: critical
+source: community
+source_repo: Suraj1235/open-dynamic-workflows
+source_type: community
+date_added: "2026-06-06"
+author: Suraj1235
+tags: [multi-agent, orchestration, workflow, adversarial-verification, coding-agents]
+tools: [claude, cursor, codex, gemini, antigravity]
+# Optional: declare the upstream license if source_repo is set
+license: "MIT"
+license_source: "https://github.com/Suraj1235/open-dynamic-workflows/blob/main/LICENSE"
+---
+# Open Dynamic Workflows
+## Overview
+Open Dynamic Workflows (ODW) is an open-source dynamic multi-agent workflow engine for AI coding agents such as OpenCode, Codex, Antigravity, and VS Code. It lets you plan a task, orchestrate multiple agents working in parallel, and adversarially verify their output before it lands. ODW ships a Codex/Antigravity skill folder (`SKILL.md` plus a daemon bridge) and an OpenCode plugin, and it is bring-your-own-model (Anthropic, OpenAI-compatible, or Ollama). This skill is adapted from the community project at `Suraj1235/open-dynamic-workflows`.
+## When to Use This Skill
+- Use when you need to decompose a coding task into independent subtasks and run multiple agents in parallel.
+- Use when working across more than one AI coding tool (OpenCode, Codex, Antigravity, VS Code) and want a single orchestration layer.
+- Use when the user asks for adversarial review or verification of agent-generated changes before merging.
+## How It Works
+### Step 1: Plan
+ODW takes a high-level goal and produces a dynamic workflow graph of subtasks, identifying which can run in parallel and which have dependencies.
+### Step 2: Orchestrate
+The engine dispatches subtasks to parallel agents through the OpenCode plugin or the Codex/Antigravity daemon bridge, using your configured model provider (Anthropic, OpenAI-compatible, or Ollama).
+### Step 3: Adversarially Verify
+Completed work is routed through an adversarial verification pass that challenges the output before results are synthesized and returned.
+## Examples
+### Example 1: Run a parallel workflow
+ODW is installed from source (clone the repo, then `npm install`). The CLI is
+`odw-daemon` — run it as `npm run odw -- <args>` from inside the repo, or as
+`npx odw-daemon <args>` / a global `odw-daemon` if you link the bin.
+```bash
+# Configure your model provider (bring-your-own-model)
+export ANTHROPIC_API_KEY=...        # or an OpenAI-compatible / Ollama endpoint
+# One-time setup: generate ~/.odw/config.json
+npm run setup
+# Start the local workflow daemon (once)
+npm run odw -- start
+# Plan, orchestrate, and verify a task across parallel agents
+npm run odw -- run --prompt "refactor the auth module and add tests"
+```
+### Example 2: Use the Codex/Antigravity skill bridge
+```bash
+# ODW ships a SKILL.md + daemon bridge consumed by Codex / Antigravity.
+# Start the daemon, then run a saved orchestration script through it:
+npm run odw -- start
+npm run odw -- run --script examples/workflows/studio-prime.workflow.js --cwd .
+```
+## Best Practices
+- ✅ Scope each subtask so agents can run without shared state.
+- ✅ Keep the adversarial verification pass enabled before merging agent output.
+- ❌ Don't run interdependent subtasks in parallel without declaring their dependencies.
+- ❌ Don't commit provider API keys; use environment variables or a secrets manager.
+## Limitations
+- This skill does not replace environment-specific validation, testing, or expert review.
+- Stop and ask for clarification if required inputs, permissions, or safety boundaries are missing.
+## Security & Safety Notes
+- ODW executes agent-generated code and shell commands; run it only in an authorized, local, or sandboxed environment.
+- Model provider credentials (Anthropic / OpenAI-compatible / Ollama) must be supplied via environment variables, never committed to source.
+- Review adversarial-verification output before applying changes to a production branch.
+## Common Pitfalls
+- **Problem:** Parallel agents collide on the same files.
+  **Solution:** Give each subtask exclusive file/module ownership and run conflicting tasks sequentially.
+## Related Skills
+- `@multi-agent-orchestration` - When coordinating multiple agents on one goal.
+- `@code-review` - How adversarial verification complements human review.

package/bundled-skills/permission-manager/README.md CHANGED Viewed

@@ -18,5 +18,5 @@ Use this when optimizing opencode's permission settings, reviewing allowed comma
 - **Config review**: Loads `~/.config/opencode/opencode.json` or project-level config
 - **Permission summary**: Identifies currently allowed commands and skill permissions
-- **Safe commands**: Suggests read-only commands (ls*, git status*, git log*, rg, grep, cat, etc.)
+- **Safe commands**: Suggests reviewed read-only commands such as `git status --short`, `git log --oneline`, `rg`, `grep`, and `cat`; broad trailing wildcards need manual review.
 - **Change application**: Edits config to add/remove permission entries, validates JSON

package/bundled-skills/permission-manager/SKILL.md CHANGED Viewed

@@ -33,7 +33,8 @@ Complements opencode's built-in allow/deny/ask permissions by auditing current c
 ## Key Rules
 - Never allow commands that modify files, commit, push, or change system state
-- Use wildcards appropriately (e.g., `git status*` not just `git status`)
+- Prefer exact command entries such as `git status --short`, `git diff --stat`, and `ls -la`
+- Avoid trailing wildcards such as `git status*` unless the expanded command family has been manually reviewed as read-only
 - Confirm with user before modifying permission config
 - Distinguish between bash command permissions and skill permissions
 - Keep config organized: group related commands together

package/bundled-skills/polis-protocol/SKILL.md CHANGED Viewed

@@ -2,7 +2,7 @@
 name: polis-protocol
 description: "Coordinate multi-vendor AI agents as a self-improving team — a learning router assigns work by track record and citizens can amend the protocol's own rules."
 category: orchestration
-risk: safe
+risk: critical
 source: community
 source_repo: yehudalevy-collab/polis-protocol
 source_type: community
@@ -12,6 +12,10 @@ tags: [multi-agent, coordination, routing, orchestration, governance, vendor-agn
 tools: [claude, cursor, gemini, codex, antigravity]
 license: "MIT"
 license_source: "https://github.com/yehudalevy-collab/polis-protocol/blob/main/LICENSE"
+plugin:
+  targets:
+    codex: blocked
+    claude: blocked
 ---
 # Polis Protocol — a team of agents that develops
@@ -33,11 +37,13 @@ In Antigravity specifically, this turns Manager View's fixed pipeline into a tea
 ### Step 1: Found a polis
-Clone the repo and run the scaffolder directly (review `install.sh` first if you prefer the one-line installer):
+Clone a reviewed revision of the repo and run the scaffolder directly (review `install.sh` first if you prefer the one-line installer):
 ```bash
 git clone https://github.com/yehudalevy-collab/polis-protocol.git
-python3 polis-protocol/scripts/init_polis.py \
+cd polis-protocol
+git checkout <reviewed-commit-sha>
+python3 scripts/init_polis.py \
   --project-root . \
   --agent-id gemini-antigravity-yourproject \
   --vendor google --model gemini-3 --tool antigravity
@@ -68,7 +74,9 @@ A settled contract files a lesson; `--reconcile` folds it into `routing_stats.ym
 ```bash
 git clone https://github.com/yehudalevy-collab/polis-protocol.git
-cd polis-protocol && bash scripts/demo.sh
+cd polis-protocol
+git checkout <reviewed-commit-sha>
+bash scripts/demo.sh
 ```
 The router recommends Gemini for a Spanish-translation contract — because settled work taught it she has the best record on that tag, not because anyone reassigned it.
@@ -91,3 +99,4 @@ python3 scripts/route_contract.py --polis-root examples/research-team/_polis \
 - Routing quality depends on accurate citizen capability cards and enough settled work history to learn from.
 - The protocol coordinates agent work but does not replace review, tests, or explicit maintainer approval.
 - Multi-agent voting and amendments can add process overhead for small, single-owner tasks.
+- The upstream scripts are external code; pin to a reviewed commit and run `--dry-run` before allowing writes to a project.

package/bundled-skills/runapi-cli/SKILL.md ADDED Viewed

@@ -0,0 +1,140 @@
+---
+name: runapi-cli
+description: Generate AI images, videos, and music/audio from agents using the RunAPI CLI.
+category: development
+risk: critical
+source: official
+source_repo: runapi-ai/cli-skill
+source_type: official
+date_added: "2026-06-07"
+author: runapi-ai
+tags: [runapi, cli, models, automation, codex, claude, gemini]
+tools: [claude, codex, gemini, cursor, antigravity]
+license: "Apache-2.0"
+license_source: "https://github.com/runapi-ai/cli-skill/blob/main/LICENSE"
+---
+# RunAPI CLI
+## Overview
+The `runapi` CLI is the execution layer for RunAPI model tasks. Use it when an agent needs to generate AI images, videos, or music/audio, run a one-off model job, pass a JSON request body, wait for an async task, or script RunAPI from a terminal, server, or CI job.
+Source repository: [github.com/runapi-ai/cli-skill](https://github.com/runapi-ai/cli-skill) (Apache-2.0)
+## When to Use This Skill
+- Use when the user asks to run a RunAPI model from an agent.
+- Use when the user needs to inspect RunAPI CLI auth or account status.
+- Use when the user wants to pass JSON request bodies to RunAPI services.
+- Use when the user wants to submit async RunAPI tasks and wait for completion.
+- Use when the user wants to install the RunAPI CLI on a local machine, server, or CI runner.
+## Install
+### macOS / Linux
+```shell
+brew install runapi-ai/tap/runapi
+```
+### Server / CI
+Download the installer, inspect it, then run it locally.
+```shell
+curl -fsSL https://runapi.ai/cli/install.sh -o runapi-install.sh
+less runapi-install.sh
+sh runapi-install.sh
+```
+To pin a specific version:
+```shell
+sh runapi-install.sh --version v0.1.0
+```
+The installer detects OS and architecture, verifies the SHA-256 checksum from `https://runapi.ai/cli/latest.json`, and refuses to write the binary if verification fails.
+## Authentication
+Treat RunAPI authentication and generation as security-sensitive: commands can call remote services, consume credits, and expose account state. Review installer scripts before running them and keep API keys in environment variables or stdin, not shell history.
+Check the current state first:
+```shell
+runapi auth status
+```
+| Source | How |
+|---|---|
+| Environment | Read `RUNAPI_API_KEY` from the environment |
+| Saved config | `printf '%s' "$RUNAPI_API_KEY" \| runapi auth import-token --token -` |
+| Browser login | `runapi login` only when the user explicitly wants browser auth |
+`RUNAPI_BASE_URL` overrides the default base URL.
+Avoid passing secrets directly in command arguments. Prefer `RUNAPI_API_KEY` or stdin token import with `--token -`.
+## Discover Services, Commands, and Fields
+The CLI is JSON-first. Every service exposes typed commands, and each command documents its request fields through `--help`. Inspect command help before composing a request.
+```shell
+runapi --help
+runapi suno --help
+runapi suno text-to-music --help
+```
+## Run a Model
+Pass the request body as JSON through `--input-file`, `--input`, or stdin. The default flow is synchronous and polls until the task completes.
+```shell
+runapi suno text-to-music --input-file request.json
+runapi suno text-to-music --async --input-file request.json
+runapi wait <task-id> --service suno --action text-to-music
+runapi get <task-id> --service suno --action text-to-music
+```
+JSON responses go to stdout; progress lines go to stderr. Pipe to `jq` for downstream parsing.
+## Account
+```shell
+runapi account info
+runapi account balance
+```
+## Install the Skill Into Another Agent Runtime
+```shell
+runapi agent install-skill --target claude
+runapi agent install-skill --target codex
+runapi agent install-skill --target gemini
+runapi agent install-skill --target openclaw
+runapi agent list-targets
+runapi agent install-skill --target-dir <path>
+```
+## Limitations
+- RunAPI model calls require a valid RunAPI account or API key.
+- Some model tasks are long-running and should use `--async` plus `runapi wait`.
+- Browser login is interactive and should not be the default path for agents.
+- This skill does not replace model-specific parameter validation; inspect command help before building request JSON.
+## Security & Safety Notes
+- Never paste API keys into example commands or PR text.
+- Prefer `RUNAPI_API_KEY` or stdin token import instead of command-line secrets.
+- Do not run interactive `runapi login` by default from an agent.
+- Check the CLI exit code before assuming a task succeeded.
+## References
+- RunAPI CLI skill: https://github.com/runapi-ai/cli-skill
+- RunAPI CLI repository: https://github.com/runapi-ai/cli
+- RunAPI model catalog: https://runapi.ai/models.md

package/bundled-skills/schema-markup-generator/SKILL.md CHANGED Viewed

@@ -33,10 +33,11 @@ The cleanest approach is a reusable `JsonLd` component:
 ```jsx
 // components/JsonLd.jsx
 export function JsonLd({ data }) {
+  const json = JSON.stringify(data).replace(/</g, '\\u003c');
   return (
     <script
       type="application/ld+json"
-      dangerouslySetInnerHTML={{ __html: JSON.stringify(data) }}
+      dangerouslySetInnerHTML={{ __html: json }}
     />
   );
 }

package/bundled-skills/smart-git-automation/SKILL.md CHANGED Viewed

@@ -61,8 +61,10 @@ Show the proposed branch name and ask for one-word confirmation (or type alterna
 - If not on main/master: check if current branch matches proposed name
   - If yes: stay on it
   - If no: ask to switch or create new
-- Create branch: `git checkout -b <branch-name>`
-- Stage changes: `git add <grouped-files>`
+- Create branch only after validating the branch name, then use `git checkout -b "$branch_name"`
+- Stage explicit pathspecs only: `git add -- path/to/file ...`
+  - If file paths are generated, keep them NUL-delimited (`git diff -z --name-only`) and pass them as pathspec arguments.
+  - Never concatenate untrusted filenames into a shell command and never run the placeholder text literally.
 - Auto-generate commit message from changes:
   - First line: `<type>: <short description>` (max 72 chars)
   - Body: grouped file changes with brief descriptions