skills 1.4.3 → 1.4.4

package/dist/cli.mjs

@@ -21,6 +21,13 @@ import { access, cp, lstat, mkdir, mkdtemp, readFile, readdir, readlink, realpat
 var import_picocolors = /* @__PURE__ */ __toESM(require_picocolors(), 1);
 function getOwnerRepo(parsed) {
 	if (parsed.type === "local") return null;
+	const sshMatch = parsed.url.match(/^git@[^:]+:(.+)$/);
+	if (sshMatch) {
+		let path = sshMatch[1];
+		path = path.replace(/\.git$/, "");
+		if (path.includes("/")) return path;
+		return null;
+	}
 	if (!parsed.url.startsWith("http://") && !parsed.url.startsWith("https://")) return null;
 	try {
 		let path = new URL(parsed.url).pathname.slice(1);
@@ -46,6 +53,11 @@ async function isRepoPrivate(owner, repo) {
 		return null;
 	}
 }
+function sanitizeSubpath(subpath) {
+	const segments = subpath.replace(/\\/g, "/").split("/");
+	for (const segment of segments) if (segment === "..") throw new Error(`Unsafe subpath: "${subpath}" contains path traversal segments. Subpaths must not contain ".." components.`);
+	return subpath;
+}
 function isLocalPath(input) {
 	return isAbsolute(input) || input.startsWith("./") || input.startsWith("../") || input === "." || input === ".." || /^[a-zA-Z]:[/\\]/.test(input);
 }
@@ -53,6 +65,10 @@ const SOURCE_ALIASES = { "coinbase/agentWallet": "coinbase/agentic-wallet-skills
 function parseSource(input) {
 	const alias = SOURCE_ALIASES[input];
 	if (alias) input = alias;
+	const githubPrefixMatch = input.match(/^github:(.+)$/);
+	if (githubPrefixMatch) return parseSource(githubPrefixMatch[1]);
+	const gitlabPrefixMatch = input.match(/^gitlab:(.+)$/);
+	if (gitlabPrefixMatch) return parseSource(`https://gitlab.com/${gitlabPrefixMatch[1]}`);
 	if (isLocalPath(input)) {
 		const resolvedPath = resolve(input);
 		return {
@@ -68,7 +84,7 @@ function parseSource(input) {
 			type: "github",
 			url: `https://github.com/${owner}/${repo}.git`,
 			ref,
-			subpath
+			subpath: subpath ? sanitizeSubpath(subpath) : subpath
 		};
 	}
 	const githubTreeMatch = input.match(/github\.com\/([^/]+)\/([^/]+)\/tree\/([^/]+)$/);
@@ -95,7 +111,7 @@ function parseSource(input) {
 			type: "gitlab",
 			url: `${protocol}://${hostname}/${repoPath.replace(/\.git$/, "")}.git`,
 			ref,
-			subpath
+			subpath: subpath ? sanitizeSubpath(subpath) : subpath
 		};
 	}
 	const gitlabTreeMatch = input.match(/^(https?):\/\/([^/]+)\/(.+?)\/-\/tree\/([^/]+)$/);
@@ -130,7 +146,7 @@ function parseSource(input) {
 		return {
 			type: "github",
 			url: `https://github.com/${owner}/${repo}.git`,
-			subpath
+			subpath: subpath ? sanitizeSubpath(subpath) : subpath
 		};
 	}
 	if (isWellKnownUrl(input)) return {
@@ -486,9 +502,15 @@ async function findSkillDirs(dir, depth = 0, maxDepth = 5) {
 		return [];
 	}
 }
+function isSubpathSafe(basePath, subpath) {
+	const normalizedBase = normalize(resolve(basePath));
+	const normalizedTarget = normalize(resolve(join(basePath, subpath)));
+	return normalizedTarget.startsWith(normalizedBase + sep) || normalizedTarget === normalizedBase;
+}
 async function discoverSkills(basePath, subpath, options) {
 	const skills = [];
 	const seenNames = /* @__PURE__ */ new Set();
+	if (subpath && !isSubpathSafe(basePath, subpath)) throw new Error(`Invalid subpath: "${subpath}" resolves outside the repository directory. Subpath must not contain ".." segments that escape the base path.`);
 	const searchPath = subpath ? join(basePath, subpath) : basePath;
 	const pluginGroupings = await getPluginGroupings(searchPath);
 	const enhanceSkill = (skill) => {
@@ -1751,7 +1773,7 @@ function createEmptyLocalLock() {
 		skills: {}
 	};
 }
-var version$1 = "1.4.3";
+var version$1 = "1.4.4";
 const isCancelled$1 = (value) => typeof value === "symbol";
 async function isSourcePrivate(source) {
 	const ownerRepo = parseOwnerRepo(source);
@@ -2580,7 +2602,7 @@ async function runAdd(args, options = {}) {
 					let skillFolderHash = "";
 					const skillPathValue = skillFiles[skill.name];
 					if (parsed.type === "github" && skillPathValue) {
-						const hash = await fetchSkillFolderHash(normalizedSource, skillPathValue);
+						const hash = await fetchSkillFolderHash(normalizedSource, skillPathValue, getGitHubToken());
 						if (hash) skillFolderHash = hash;
 					}
 					await addSkillToLock(skill.name, {
@@ -3845,6 +3867,22 @@ function readSkillLock() {
 		};
 	}
 }
+function getSkipReason(entry) {
+	if (entry.sourceType === "local") return "Local path";
+	if (entry.sourceType === "git") return "Git URL (hash tracking not supported)";
+	if (!entry.skillFolderHash) return "No version hash available";
+	if (!entry.skillPath) return "No skill path recorded";
+	return "No version tracking";
+}
+function printSkippedSkills(skipped) {
+	if (skipped.length === 0) return;
+	console.log();
+	console.log(`${DIM}${skipped.length} skill(s) cannot be checked automatically:${RESET}`);
+	for (const skill of skipped) {
+		console.log(`  ${TEXT}•${RESET} ${skill.name} ${DIM}(${skill.reason})${RESET}`);
+		console.log(`    ${DIM}To update: ${TEXT}npx skills add ${skill.sourceUrl} -g -y${RESET}`);
+	}
+}
 async function runCheck(args = []) {
 	console.log(`${TEXT}Checking for skill updates...${RESET}`);
 	console.log();
@@ -3857,12 +3895,16 @@ async function runCheck(args = []) {
 	}
 	const token = getGitHubToken();
 	const skillsBySource = /* @__PURE__ */ new Map();
-	let skippedCount = 0;
+	const skipped = [];
 	for (const skillName of skillNames) {
 		const entry = lock.skills[skillName];
 		if (!entry) continue;
-		if (entry.sourceType !== "github" || !entry.skillFolderHash || !entry.skillPath) {
-			skippedCount++;
+		if (!entry.skillFolderHash || !entry.skillPath) {
+			skipped.push({
+				name: skillName,
+				reason: getSkipReason(entry),
+				sourceUrl: entry.sourceUrl
+			});
 			continue;
 		}
 		const existing = skillsBySource.get(entry.source) || [];
@@ -3872,9 +3914,10 @@ async function runCheck(args = []) {
 		});
 		skillsBySource.set(entry.source, existing);
 	}
-	const totalSkills = skillNames.length - skippedCount;
+	const totalSkills = skillNames.length - skipped.length;
 	if (totalSkills === 0) {
 		console.log(`${DIM}No GitHub skills to check.${RESET}`);
+		printSkippedSkills(skipped);
 		return;
 	}
 	console.log(`${DIM}Checking ${totalSkills} skill(s) for updates...${RESET}`);
@@ -3917,6 +3960,7 @@ async function runCheck(args = []) {
 		console.log();
 		console.log(`${DIM}Could not check ${errors.length} skill(s) (may need reinstall)${RESET}`);
 	}
+	printSkippedSkills(skipped);
 	track({
 		event: "check",
 		skillCount: String(totalSkills),
@@ -3936,12 +3980,18 @@ async function runUpdate() {
 	}
 	const token = getGitHubToken();
 	const updates = [];
-	let checkedCount = 0;
+	const skipped = [];
 	for (const skillName of skillNames) {
 		const entry = lock.skills[skillName];
 		if (!entry) continue;
-		if (entry.sourceType !== "github" || !entry.skillFolderHash || !entry.skillPath) continue;
-		checkedCount++;
+		if (!entry.skillFolderHash || !entry.skillPath) {
+			skipped.push({
+				name: skillName,
+				reason: getSkipReason(entry),
+				sourceUrl: entry.sourceUrl
+			});
+			continue;
+		}
 		try {
 			const latestHash = await fetchSkillFolderHash(entry.source, entry.skillPath, token);
 			if (latestHash && latestHash !== entry.skillFolderHash) updates.push({
@@ -3951,8 +4001,9 @@ async function runUpdate() {
 			});
 		} catch {}
 	}
-	if (checkedCount === 0) {
+	if (skillNames.length - skipped.length === 0) {
 		console.log(`${DIM}No skills to check.${RESET}`);
+		printSkippedSkills(skipped);
 		return;
 	}
 	if (updates.length === 0) {
@@ -3982,11 +4033,14 @@ async function runUpdate() {
 			installUrl,
 			"-g",
 			"-y"
-		], { stdio: [
-			"inherit",
-			"pipe",
-			"pipe"
-		] }).status === 0) {
+		], {
+			stdio: [
+				"inherit",
+				"pipe",
+				"pipe"
+			],
+			shell: process.platform === "win32"
+		}).status === 0) {
 			successCount++;
 			console.log(`  ${TEXT}✓${RESET} Updated ${update.name}`);
 		} else {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "skills",
-  "version": "1.4.3",
+  "version": "1.4.4",
   "description": "The open agent skills ecosystem",
   "type": "module",
   "bin": {