npm - opencode-skills-collection - Versions diffs - 3.1.4 → 3.1.6 - Mend

opencode-skills-collection 3.1.4 → 3.1.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (59) hide show

package/bundled-skills/webapp-testing/scripts/with_server.py CHANGED Viewed

@@ -19,6 +19,52 @@ import socket
 import time
 import sys
 import argparse
+import shlex
+import shutil
+from pathlib import Path
+from tempfile import TemporaryDirectory
+ALLOWED_EXECUTABLES = {
+    "npm", "npx", "pnpm", "yarn", "node", "python", "python3",
+    "uv", "pytest", "vitest", "playwright",
+}
+SHELL_METACHARS = {";", "&&", "||", "|", "`", "$(", ">", "<"}
+def safe_working_directory(raw_path):
+    root = Path.cwd().resolve()
+    path = Path(raw_path).expanduser()
+    resolved = (path if path.is_absolute() else root / path).resolve()
+    try:
+        resolved.relative_to(root)
+    except ValueError as exc:
+        raise ValueError(f"working directory escapes current project: {raw_path}") from exc
+    if not resolved.is_dir():
+        raise ValueError(f"working directory not found: {resolved}")
+    return resolved
+def resolve_allowed_executable(executable):
+    if Path(executable).name != executable:
+        raise ValueError(f"executable must be a bare command name: {executable}")
+    if executable not in ALLOWED_EXECUTABLES:
+        raise ValueError(f"unsupported executable: {executable}")
+    resolved = shutil.which(executable)
+    if not resolved:
+        raise ValueError(f"executable not found on PATH: {executable}")
+    return resolved
+def validate_argv(parts):
+    if not parts:
+        raise ValueError("empty command")
+    exe = Path(parts[0]).name
+    resolved_exe = resolve_allowed_executable(exe)
+    for part in parts:
+        if any(token in part for token in SHELL_METACHARS):
+            raise ValueError(f"unsupported shell metacharacter in argument: {part}")
+    return [resolved_exe, *parts[1:]]
 def is_server_ready(port, timeout=30):
     """Wait for server to be ready by polling the port."""
@@ -32,14 +78,64 @@ def is_server_ready(port, timeout=30):
     return False
+def parse_server_command(command):
+    """Parse a server command without invoking a shell."""
+    parts = shlex.split(command)
+    cwd = None
+    if len(parts) >= 4 and parts[0] == "cd" and parts[2] == "&&":
+        cwd = safe_working_directory(parts[1])
+        parts = parts[3:]
+    if not parts:
+        raise ValueError("empty server command")
+    return validate_argv(parts), cwd
+def self_test():
+    npm_path = shutil.which("npm")
+    python_path = shutil.which("python") or shutil.which("python3")
+    assert npm_path, "npm required for self-test"
+    assert python_path, "python required for self-test"
+    with TemporaryDirectory() as tmp:
+        previous_cwd = Path.cwd()
+        try:
+            import os
+            os.chdir(tmp)
+            assert parse_server_command("npm run dev") == ([npm_path, "run", "dev"], None)
+            Path("backend").mkdir()
+            cmd, cwd = parse_server_command("cd backend && python server.py")
+            assert cmd == [python_path, "server.py"]
+            assert cwd == (Path(tmp) / "backend").resolve()
+            try:
+                validate_argv(["sh", "-c", "npm run dev"])
+            except ValueError:
+                pass
+            else:
+                raise AssertionError("shell launcher should be rejected")
+            try:
+                parse_server_command("cd ../outside && python server.py")
+            except ValueError:
+                pass
+            else:
+                raise AssertionError("escaping working directory should be rejected")
+        finally:
+            os.chdir(previous_cwd)
 def main():
     parser = argparse.ArgumentParser(description='Run command with one or more servers')
-    parser.add_argument('--server', action='append', dest='servers', required=True, help='Server command (can be repeated)')
-    parser.add_argument('--port', action='append', dest='ports', type=int, required=True, help='Port for each server (must match --server count)')
+    parser.add_argument('--self-test', action='store_true', help='Run parser self-test and exit')
+    parser.add_argument('--server', action='append', dest='servers', help='Server command (can be repeated)')
+    parser.add_argument('--port', action='append', dest='ports', type=int, help='Port for each server (must match --server count)')
     parser.add_argument('--timeout', type=int, default=30, help='Timeout in seconds per server (default: 30)')
     parser.add_argument('command', nargs=argparse.REMAINDER, help='Command to run after server(s) ready')
     args = parser.parse_args()
+    if args.self_test:
+        self_test()
+        return
+    if not args.servers or not args.ports:
+        print("Error: --server and --port are required")
+        sys.exit(1)
     # Remove the '--' separator if present
     if args.command and args.command[0] == '--':
@@ -65,10 +161,10 @@ def main():
         for i, server in enumerate(servers):
             print(f"Starting server {i+1}/{len(servers)}: {server['cmd']}")
-            # Use shell=True to support commands with cd and &&
+            server_cmd, server_cwd = parse_server_command(server['cmd'])
             process = subprocess.Popen(
-                server['cmd'],
-                shell=True,
+                server_cmd,
+                cwd=server_cwd,
                 stdout=subprocess.PIPE,
                 stderr=subprocess.PIPE
             )
@@ -84,8 +180,9 @@ def main():
         print(f"\nAll {len(servers)} server(s) ready")
         # Run the command
-        print(f"Running: {' '.join(args.command)}\n")
-        result = subprocess.run(args.command)
+        test_command = validate_argv(args.command)
+        print(f"Running: {' '.join(test_command)}\n")
+        result = subprocess.run(test_command)
         sys.exit(result.returncode)
     finally:
@@ -103,4 +200,4 @@ def main():
 if __name__ == '__main__':
-    main()
+    main()

package/bundled-skills/whatsapp-cloud-api/assets/boilerplate/nodejs/src/index.ts CHANGED Viewed

@@ -29,6 +29,7 @@ const templates = new TemplateManager(config);
 // === Express Setup ===
 const app = express();
+app.disable('x-powered-by');
 const PORT = process.env.PORT || 3000;
 // Raw body capture MUST come before express.json()

package/bundled-skills/whatsapp-cloud-api/assets/boilerplate/python/requirements.txt CHANGED Viewed

@@ -2,3 +2,4 @@ flask>=3.0.0
 httpx>=0.27.0
 python-dotenv>=1.0.0
 gunicorn>=22.0.0
+zipp>=3.19.1

package/bundled-skills/whatsapp-cloud-api/scripts/setup_project.py CHANGED Viewed

@@ -18,6 +18,24 @@ def get_skill_dir() -> str:
     return os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
+def _safe_target_path(path: str, skill_dir: str) -> str:
+    target_path = os.path.abspath(path)
+    skill_root = os.path.abspath(skill_dir)
+    if os.path.commonpath([target_path, skill_root]) == skill_root:
+        raise ValueError("Refusing to create a project inside the skill source directory")
+    return target_path
+def self_test() -> None:
+    skill_dir = get_skill_dir()
+    _safe_target_path(os.path.join(os.path.dirname(skill_dir), "my-whatsapp-project"), skill_dir)
+    try:
+        _safe_target_path(os.path.join(skill_dir, "assets", "x"), skill_dir)
+    except ValueError:
+        return
+    raise AssertionError("accepted target inside skill source directory")
 def setup_project(language: str, path: str, name: str | None = None) -> None:
     """Copy boilerplate and configure a new WhatsApp project."""
     skill_dir = get_skill_dir()
@@ -28,7 +46,7 @@ def setup_project(language: str, path: str, name: str | None = None) -> None:
         print(f"Available: nodejs, python")
         sys.exit(1)
-    target_path = os.path.abspath(path)
+    target_path = _safe_target_path(path, skill_dir)
     if os.path.exists(target_path) and os.listdir(target_path):
         print(f"Warning: Directory '{target_path}' already exists and is not empty.")
@@ -93,15 +111,20 @@ def setup_project(language: str, path: str, name: str | None = None) -> None:
 def main():
     parser = argparse.ArgumentParser(description="Setup a new WhatsApp Cloud API project")
+    parser.add_argument(
+        "--self-test",
+        action="store_true",
+        help="Run safety self-checks",
+    )
     parser.add_argument(
         "--language",
         choices=["nodejs", "python"],
-        required=True,
+        required=False,
         help="Project language (nodejs or python)",
     )
     parser.add_argument(
         "--path",
-        required=True,
+        required=False,
         help="Path where the project will be created",
     )
     parser.add_argument(
@@ -111,6 +134,11 @@ def main():
     )
     args = parser.parse_args()
+    if args.self_test:
+        self_test()
+        return
+    if not args.language or not args.path:
+        parser.error("--language and --path are required unless --self-test is used")
     setup_project(args.language, args.path, args.name)

package/bundled-skills/writing-skills/render-graphs.js CHANGED Viewed

@@ -17,6 +17,27 @@ const fs = require('fs');
 const path = require('path');
 const { execSync } = require('child_process');
+function safeJoin(base, ...parts) {
+  const root = path.resolve(base);
+  const target = path.resolve(root, ...parts);
+  const rel = path.relative(root, target);
+  if (rel.startsWith('..') || path.isAbsolute(rel)) {
+    throw new Error(`Path escapes skill directory: ${parts.join('/')}`);
+  }
+  return target;
+}
+function selfTest() {
+  const root = path.resolve('/tmp/skill');
+  if (safeJoin(root, 'diagrams', 'a.svg') !== path.resolve(root, 'diagrams', 'a.svg')) {
+    throw new Error('safeJoin failed valid path');
+  }
+  for (const bad of ['../x', 'diagrams/../../x']) {
+    try { safeJoin(root, bad); } catch { continue; }
+    throw new Error(`safeJoin accepted ${bad}`);
+  }
+}
 function extractDotBlocks(markdown) {
   const blocks = [];
   const regex = /```dot\n([\s\S]*?)```/g;
@@ -83,6 +104,10 @@ function renderToSvg(dotContent) {
 function main() {
   const args = process.argv.slice(2);
+  if (args.includes('--self-test')) {
+    selfTest();
+    return;
+  }
   const combine = args.includes('--combine');
   const skillDirArg = args.find(a => !a.startsWith('--'));
@@ -99,7 +124,7 @@ function main() {
   }
   const skillDir = path.resolve(skillDirArg);
-  const skillFile = path.join(skillDir, 'SKILL.md');
+  const skillFile = safeJoin(skillDir, 'SKILL.md');
   const skillName = path.basename(skillDir).replace(/-/g, '_');
   if (!fs.existsSync(skillFile)) {
@@ -127,7 +152,7 @@ function main() {
   console.log(`Found ${blocks.length} diagram(s) in ${path.basename(skillDir)}/SKILL.md`);
-  const outputDir = path.join(skillDir, 'diagrams');
+  const outputDir = safeJoin(skillDir, 'diagrams');
   if (!fs.existsSync(outputDir)) {
     fs.mkdirSync(outputDir);
   }
@@ -137,12 +162,12 @@ function main() {
     const combined = combineGraphs(blocks, skillName);
     const svg = renderToSvg(combined);
     if (svg) {
-      const outputPath = path.join(outputDir, `${skillName}_combined.svg`);
+      const outputPath = safeJoin(outputDir, `${skillName}_combined.svg`);
       fs.writeFileSync(outputPath, svg);
       console.log(`  Rendered: ${skillName}_combined.svg`);
       // Also write the dot source for debugging
-      const dotPath = path.join(outputDir, `${skillName}_combined.dot`);
+      const dotPath = safeJoin(outputDir, `${skillName}_combined.dot`);
       fs.writeFileSync(dotPath, combined);
       console.log(`  Source: ${skillName}_combined.dot`);
     } else {
@@ -153,7 +178,7 @@ function main() {
     for (const block of blocks) {
       const svg = renderToSvg(block.content);
       if (svg) {
-        const outputPath = path.join(outputDir, `${block.name}.svg`);
+        const outputPath = safeJoin(outputDir, `${block.name}.svg`);
         fs.writeFileSync(outputPath, svg);
         console.log(`  Rendered: ${block.name}.svg`);
       } else {

package/bundled-skills/youtube-notetaker/reference/artifact.html CHANGED Viewed

@@ -126,6 +126,9 @@ var CURRENT_ID=null, YTID=null, INDEX=null;
 function onYouTubeIframeAPIReady(){player=new YT.Player('ytplayer',{events:{'onReady':function(){ready=true;if(pending!=null){doPlay(pending);pending=null;}}}});}
 function fmt(t){t=Math.floor(t);return String(Math.floor(t/60)).padStart(2,'0')+':'+String(t%60).padStart(2,'0');}
 function esc(s){var d=document.createElement('div');d.textContent=s==null?'':s;return d.innerHTML;}
+function clear(el){while(el.firstChild)el.removeChild(el.firstChild);}
+function node(tag,cls,text){var el=document.createElement(tag);if(cls)el.className=cls;if(text!=null)el.textContent=text;return el;}
+function safeUrl(url,fallback){try{var u=new URL(url||'',window.location.href);return /^https?:$/.test(u.protocol)?u.href:(fallback||'#');}catch(e){return fallback||'#';}}
 /* ---------------- Router ---------------- */
 function route(){
@@ -154,16 +157,19 @@ async function loadIndex(){
     var r=await fetch(API_URL); if(!r.ok) throw new Error('HTTP '+r.status);
     var d=await r.json();
     INDEX=(d.items||[]).filter(function(it){return it.youtube_id;});
-    var g=document.getElementById('grid'); g.innerHTML='';
-    if(!INDEX.length){g.innerHTML='<p style="color:#7a6f5d">No videos in the library yet.</p>';return;}
+    var g=document.getElementById('grid'); clear(g);
+    if(!INDEX.length){var empty=node('p','', 'No videos in the library yet.');empty.style.color='#7a6f5d';g.appendChild(empty);return;}
     INDEX.forEach(function(it){
       var slides=it.slides||[]; var thumb=(slides[0]&&slides[0].img)||'';
-      var tags=(it.tags||[]).slice(0,3).map(function(t){return '<span class="tag">'+esc(t)+'</span>';}).join('');
       var a=document.createElement('a'); a.className='card'; a.href='#/'+encodeURIComponent(it.id);
-      a.innerHTML='<div class="thumb">'+(thumb?'<img src="'+esc(thumb)+'" alt="">':'')+'<span class="play">▶</span><span class="badge">'+(it.slide_count||slides.length)+' slides</span></div>'
-        +'<div class="body"><div class="ct">'+esc(it.title||it.id)+'</div>'
-        +'<div class="cs">'+esc(it.speaker||'')+'</div>'
-        +(tags?'<div class="tags">'+tags+'</div>':'')+'</div>';
+      var thumbBox=node('div','thumb');
+      if(thumb){var img=document.createElement('img');img.src=safeUrl(thumb,'');img.alt='';thumbBox.appendChild(img);}
+      thumbBox.appendChild(node('span','play','▶'));
+      thumbBox.appendChild(node('span','badge',(it.slide_count||slides.length)+' slides'));
+      var body=node('div','body');body.appendChild(node('div','ct',it.title||it.id));body.appendChild(node('div','cs',it.speaker||''));
+      var tagList=(it.tags||[]).slice(0,3);
+      if(tagList.length){var tags=node('div','tags');tagList.forEach(function(t){tags.appendChild(node('span','tag',t));});body.appendChild(tags);}
+      a.appendChild(thumbBox);a.appendChild(body);
       g.appendChild(a);
     });
   }catch(e){var el=document.getElementById('homeErr');el.style.display='block';el.textContent='Could not load the video library: '+e.message+'. Is the backend running?';}
@@ -183,7 +189,8 @@ async function loadVideo(id){
     SLIDES=(m.slides||[]).slice().sort(function(a,b){return a.t-b.t;});
     document.title=m.title||'Video deep-dive';
     document.getElementById('title').textContent=m.title||'';
-    document.getElementById('speaker').innerHTML=esc(m.speaker||'')+' · <a target="_blank" href="'+(m.source_url||'#')+'">watch on YouTube ↗</a>';
+    var speaker=document.getElementById('speaker');clear(speaker);speaker.appendChild(document.createTextNode((m.speaker||'')+' · '));
+    var watch=document.createElement('a');watch.target='_blank';watch.rel='noopener noreferrer';watch.href=safeUrl(m.source_url,'#');watch.textContent='watch on YouTube ↗';speaker.appendChild(watch);
     document.getElementById('deckcount').textContent=SLIDES.length+' slides · drag the divider ⋮⋮ to resize';
     document.getElementById('now-t').textContent='--:--';
     document.getElementById('now-tx').textContent='Click any slide to play the video from that point.';
@@ -198,25 +205,29 @@ function parseTranscript(body){
   return out;
 }
 function renderDeck(){
-  var deck=document.getElementById('deck');deck.innerHTML='';
+  var deck=document.getElementById('deck');clear(deck);
   SLIDES.forEach(function(s,i){
     var d=document.createElement('div');d.className='slide';d.id='slide-'+i;d.dataset.t=s.t;
-    d.innerHTML='<div class="slide-img"><img src="'+esc(s.img)+'" alt="'+esc(s.title)+'"><span class="play-badge">▶</span><span class="slide-t">'+esc(s.mmss||fmt(s.t))+'</span></div>'
-      +'<div class="slide-meta"><h3>'+esc(s.title)+'</h3><button class="btn">▶ Play '+esc(s.mmss||fmt(s.t))+'</button></div>'
-      +'<label class="note-lbl">Notes <span class="saved" id="saved-'+i+'"></span></label>'
-      +'<textarea class="note-area" id="note-'+i+'"></textarea>';
+    var imgBox=node('div','slide-img');
+    var img=document.createElement('img');img.src=safeUrl(s.img,'');img.alt=s.title||'';imgBox.appendChild(img);
+    imgBox.appendChild(node('span','play-badge','▶'));imgBox.appendChild(node('span','slide-t',s.mmss||fmt(s.t)));
+    var meta=node('div','slide-meta');meta.appendChild(node('h3','',s.title||''));
+    var playBtn=node('button','btn','▶ Play '+(s.mmss||fmt(s.t)));meta.appendChild(playBtn);
+    var label=node('label','note-lbl','Notes ');var saved=node('span','saved');saved.id='saved-'+i;label.appendChild(saved);
+    var note=document.createElement('textarea');note.className='note-area';note.id='note-'+i;
+    d.appendChild(imgBox);d.appendChild(meta);d.appendChild(label);d.appendChild(note);
     deck.appendChild(d);
-    d.querySelector('textarea').value=s.note||'';
+    note.value=s.note||'';
     d.querySelector('.slide-img').onclick=function(){play(i);};
-    d.querySelector('.btn').onclick=function(){play(i);};
-    d.querySelector('textarea').addEventListener('input',function(){onNote(i,this.value);});
+    playBtn.onclick=function(){play(i);};
+    note.addEventListener('input',function(){onNote(i,this.value);});
   });
 }
 function renderTranscript(){
-  var c=document.getElementById('transcript');c.innerHTML='';
+  var c=document.getElementById('transcript');clear(c);
   SEGS.forEach(function(seg){
     var r=document.createElement('div');r.className='trow';r.dataset.t=seg.t;r.dataset.text=seg.text.toLowerCase();
-    r.innerHTML='<span class="tt">'+fmt(seg.t)+'</span><span class="tx">'+esc(seg.text)+'</span>';
+    r.appendChild(node('span','tt',fmt(seg.t)));r.appendChild(node('span','tx',seg.text));
     r.onclick=function(){seekOnly(seg.t);};c.appendChild(r);
   });
 }

package/bundled-skills/youtube-notetaker/scripts/serve.py CHANGED Viewed

@@ -33,7 +33,12 @@ API = "/api/video-deepdives"
 FM_RE = re.compile(r"^---\n(.*?)\n---\n?(.*)$", re.DOTALL)
 SAFE_SLUG_RE = re.compile(r"^[A-Za-z0-9_-]+$")
 SAFE_MEDIA_RE = re.compile(r"^[A-Za-z0-9_.-]+$")
+SAFE_PATH_PART_RE = re.compile(r"^[A-Za-z0-9_.-]+$")
 SAFE_CTYPE_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9!#$&^_.+-]*/[A-Za-z0-9][A-Za-z0-9!#$&^_.+-]*(?:; charset=[A-Za-z0-9._-]+)?$")
+LOCAL_ORIGINS = {
+    "http://127.0.0.1:8000": "http://127.0.0.1:8000",
+    "http://localhost:8000": "http://localhost:8000",
+}
 def split_frontmatter(text):
@@ -52,7 +57,13 @@ def dump_file(meta, body):
 def library_path(lib, *parts):
     root = Path(lib).resolve()
-    candidate = root.joinpath(*parts).resolve()
+    candidate = root
+    for part in parts:
+        value = str(part)
+        if not SAFE_PATH_PART_RE.fullmatch(value) or value in {".", ".."}:
+            return None
+        candidate = candidate / value
+    candidate = candidate.resolve()
     try:
         candidate.relative_to(root)
     except ValueError:
@@ -60,14 +71,38 @@ def library_path(lib, *parts):
     return candidate
+def media_path(lib, filename):
+    if not SAFE_MEDIA_RE.fullmatch(filename or ""):
+        return None
+    media_dir = library_path(lib, "_media")
+    if not media_dir or not media_dir.is_dir():
+        return None
+    for path in media_dir.iterdir():
+        if path.is_file() and path.name == filename:
+            return path
+    return None
+def item_path(lib, slug):
+    if not SAFE_SLUG_RE.fullmatch(slug or ""):
+        return None
+    target = slug + ".md"
+    for path in Path(lib).resolve().iterdir():
+        if path.is_file() and path.name == target:
+            return path
+    return None
 def safe_content_type(ctype):
     return ctype if isinstance(ctype, str) and SAFE_CTYPE_RE.match(ctype) else "application/octet-stream"
+def safe_local_origin(origin):
+    return LOCAL_ORIGINS.get(origin or "")
 def load_item(lib, slug):
-    if not SAFE_SLUG_RE.match(slug):
-        return None
-    path = library_path(lib, slug + ".md")
+    path = item_path(lib, slug)
     if not path or not path.is_file():
         return None
     meta, body = split_frontmatter(path.read_text(encoding="utf-8"))
@@ -110,9 +145,12 @@ class Handler(BaseHTTPRequestHandler):
         self.send_response(code)
         self.send_header("Content-Type", ctype)
         self.send_header("Content-Length", str(len(body)))
-        self.send_header("Access-Control-Allow-Origin", "*")
         self.send_header("Access-Control-Allow-Methods", "GET, OPTIONS")
         self.send_header("Access-Control-Allow-Headers", "Content-Type, X-Video-Library-Token")
+        origin = safe_local_origin(self.headers.get("Origin"))
+        if origin:
+            self.send_header("Access-Control-Allow-Origin", origin)
+            self.send_header("Vary", "Origin")
         self.end_headers()
         if self.command != "HEAD":
             self.wfile.write(body)
@@ -134,9 +172,9 @@ class Handler(BaseHTTPRequestHandler):
         if path.startswith(API + "/_media/"):
             fn = posixpath.basename(path)  # strip any traversal
-            if not SAFE_MEDIA_RE.match(fn):
+            if not SAFE_MEDIA_RE.fullmatch(fn):
                 return self._send(400, {"error": "bad media name"})
-            fp = library_path(self.lib, "_media", fn)
+            fp = media_path(self.lib, fn)
             if not fp or not fp.is_file():
                 return self._send(404, {"error": "no such media"})
             ctype = mimetypes.guess_type(str(fp))[0] or "application/octet-stream"
@@ -186,9 +224,12 @@ def self_test():
         (root / "_media" / "video_1-slide-01.jpg").write_bytes(b"x")
         assert load_item(str(root), "video_1")
         assert load_item(str(root), "../secret") is None
-        assert library_path(str(root), "_media", "../video_1.md") == root.resolve() / "video_1.md"
+        assert library_path(str(root), "_media", "../video_1.md") is None
         assert safe_content_type("text/html; charset=utf-8") == "text/html; charset=utf-8"
         assert safe_content_type("text/html\r\nX-Bad: 1") == "application/octet-stream"
+        assert safe_local_origin("http://localhost:8000") == LOCAL_ORIGINS["http://localhost:8000"]
+        assert safe_local_origin("http://localhost:3000") is None
+        assert safe_local_origin("http://localhost:8000\r\nX-Bad: 1") is None
 def main():

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "opencode-skills-collection",
-  "version": "3.1.4",
+  "version": "3.1.6",
   "description": "OpenCode CLI plugin that automatically downloads and keeps skills up to date.",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -40,7 +40,7 @@
   "devDependencies": {
     "@opencode-ai/sdk": "^1.15.5",
     "@types/bun": "*",
-    "@types/node": "^25.9.1",
+    "@types/node": "^26.0.0",
     "@types/strip-json-comments": "^3.0.0",
     "typescript": "^6.0.2"
   }

package/skills_index.json CHANGED Viewed

@@ -562,15 +562,17 @@
     "date_added": "2026-06-20",
     "plugin": {
       "targets": {
-        "codex": "supported",
-        "claude": "supported"
+        "codex": "blocked",
+        "claude": "blocked"
       },
       "setup": {
         "type": "none",
         "summary": "",
         "docs": null
       },
-      "reasons": []
+      "reasons": [
+        "explicit_target_restriction"
+      ]
     }
   },
   {
@@ -18200,6 +18202,28 @@
       "reasons": []
     }
   },
+  {
+    "id": "infinity",
+    "path": "skills/infinity",
+    "category": "uncategorized",
+    "name": "infinity",
+    "description": "Enforces a strict input boundary protocol (detect, classify, filter, verify) to ensure untrusted data never reaches business logic raw.",
+    "risk": "safe",
+    "source": "community",
+    "date_added": "2026-06-23",
+    "plugin": {
+      "targets": {
+        "codex": "supported",
+        "claude": "supported"
+      },
+      "setup": {
+        "type": "none",
+        "summary": "",
+        "docs": null
+      },
+      "reasons": []
+    }
+  },
   {
     "id": "ingest-youtube",
     "path": "skills/ingest-youtube",