skills 1.4.7 → 1.4.9

package/ThirdPartyNoticeText.txt

@@ -25,35 +25,6 @@ The above copyright notice and this permission notice shall be included in all c
 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 
 
-================================================================================
-Package: gray-matter@4.0.3
-License: MIT
-Repository: https://github.com/jonschlinkert/gray-matter
---------------------------------------------------------------------------------
-
-The MIT License (MIT)
-
-Copyright (c) 2014-2018, Jon Schlinkert.
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-THE SOFTWARE.
-
-
 ================================================================================
 Package: picocolors@1.1.1
 License: ISC
@@ -121,5 +92,26 @@ The above copyright notice and this permission notice shall be included in all c
 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 
 
+================================================================================
+Package: yaml@2.8.3
+License: ISC
+Repository: https://github.com/eemeli/yaml
+--------------------------------------------------------------------------------
+
+Copyright Eemeli Aro <eemeli@gmail.com>
+
+Permission to use, copy, modify, and/or distribute this software for any purpose
+with or without fee is hereby granted, provided that the above copyright notice
+and this permission notice appear in all copies.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH
+REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND
+FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT,
+INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS
+OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER
+TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF
+THIS SOFTWARE.
+
+
 ================================================================================
 */

package/dist/_chunks/libs/@clack/core.mjs

@@ -1,4 +1,4 @@
-import { r as __toESM, t as __commonJSMin } from "../../rolldown-runtime.mjs";
+import { i as __toESM, t as __commonJSMin } from "../../rolldown-runtime.mjs";
 import { stdin, stdout } from "node:process";
 import * as g from "node:readline";
 import O from "node:readline";

package/dist/_chunks/libs/@clack/prompts.mjs

@@ -1,4 +1,4 @@
-import { r as __toESM } from "../../rolldown-runtime.mjs";
+import { i as __toESM } from "../../rolldown-runtime.mjs";
 import { a as SD, c as fD, d as require_src, i as RD, l as pD, n as LD, o as _D, r as MD, s as dD, t as ID, u as require_picocolors } from "./core.mjs";
 import { stripVTControlCharacters } from "node:util";
 import y from "node:process";

package/dist/_chunks/libs/@kwsites/file-exists.mjs

@@ -1,4 +1,4 @@
-import { n as __require, t as __commonJSMin } from "../../rolldown-runtime.mjs";
+import { r as __require, t as __commonJSMin } from "../../rolldown-runtime.mjs";
 var require_ms = /* @__PURE__ */ __commonJSMin(((exports, module) => {
 	var s = 1e3;
 	var m = s * 60;

package/dist/_chunks/libs/simple-git.mjs

@@ -1,4 +1,4 @@
-import { r as __toESM } from "../rolldown-runtime.mjs";
+import { i as __toESM } from "../rolldown-runtime.mjs";
 import { n as require_src, t as require_dist } from "./@kwsites/file-exists.mjs";
 import { t as require_dist$1 } from "./@kwsites/promise-deferred.mjs";
 import { spawn } from "child_process";

package/dist/_chunks/rolldown-runtime.mjs

@@ -6,6 +6,15 @@ var __getOwnPropNames = Object.getOwnPropertyNames;
 var __getProtoOf = Object.getPrototypeOf;
 var __hasOwnProp = Object.prototype.hasOwnProperty;
 var __commonJSMin = (cb, mod) => () => (mod || cb((mod = { exports: {} }).exports, mod), mod.exports);
+var __exportAll = (all, symbols) => {
+	let target = {};
+	for (var name in all) __defProp(target, name, {
+		get: all[name],
+		enumerable: true
+	});
+	if (symbols) __defProp(target, Symbol.toStringTag, { value: "Module" });
+	return target;
+};
 var __copyProps = (to, from, except, desc) => {
 	if (from && typeof from === "object" || typeof from === "function") for (var keys = __getOwnPropNames(from), i = 0, n = keys.length, key; i < n; i++) {
 		key = keys[i];
@@ -21,4 +30,4 @@ var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__ge
 	enumerable: true
 }) : target, mod));
 var __require = /* @__PURE__ */ createRequire(import.meta.url);
-export { __require as n, __toESM as r, __commonJSMin as t };
+export { __toESM as i, __exportAll as n, __require as r, __commonJSMin as t };

package/dist/cli.mjs

@@ -1,13 +1,10 @@
 #!/usr/bin/env node
-import { r as __toESM } from "./_chunks/rolldown-runtime.mjs";
+import { i as __toESM, n as __exportAll } from "./_chunks/rolldown-runtime.mjs";
 import { l as pD, u as require_picocolors } from "./_chunks/libs/@clack/core.mjs";
 import { a as Y, c as ve, i as Se, l as xe, n as M, o as be, r as Me, s as fe, t as Ie, u as ye } from "./_chunks/libs/@clack/prompts.mjs";
 import "./_chunks/libs/@kwsites/file-exists.mjs";
 import "./_chunks/libs/@kwsites/promise-deferred.mjs";
 import { t as esm_default } from "./_chunks/libs/simple-git.mjs";
-import { t as require_gray_matter } from "./_chunks/libs/gray-matter.mjs";
-import "./_chunks/libs/extend-shallow.mjs";
-import "./_chunks/libs/esprima.mjs";
 import { t as xdgConfig } from "./_chunks/libs/xdg-basedir.mjs";
 import { execSync, spawnSync } from "child_process";
 import { existsSync, mkdirSync, readFileSync, writeFileSync } from "fs";
@@ -17,6 +14,7 @@ import { fileURLToPath } from "url";
 import * as readline from "readline";
 import { Writable } from "stream";
 import { access, cp, lstat, mkdir, mkdtemp, readFile, readdir, readlink, realpath, rm, stat, symlink, writeFile } from "fs/promises";
+import { parse } from "yaml";
 import { createHash } from "crypto";
 var import_picocolors = /* @__PURE__ */ __toESM(require_picocolors(), 1);
 function getOwnerRepo(parsed) {
@@ -438,7 +436,17 @@ async function cleanupTempDir(dir) {
 		force: true
 	});
 }
-var import_gray_matter = /* @__PURE__ */ __toESM(require_gray_matter(), 1);
+function parseFrontmatter(raw) {
+	const match = raw.match(/^---\r?\n([\s\S]*?)\r?\n---\r?\n?([\s\S]*)$/);
+	if (!match) return {
+		data: {},
+		content: raw
+	};
+	return {
+		data: parse(match[1]) ?? {},
+		content: match[2] ?? ""
+	};
+}
 function isContainedIn(targetPath, basePath) {
 	const normalizedBase = normalize(resolve(basePath));
 	const normalizedTarget = normalize(resolve(targetPath));
@@ -525,7 +533,7 @@ async function hasSkillMd(dir) {
 async function parseSkillMd(skillMdPath, options) {
 	try {
 		const content = await readFile(skillMdPath, "utf-8");
-		const { data } = (0, import_gray_matter.default)(content);
+		const { data } = parseFrontmatter(content);
 		if (!data.name || !data.description) return null;
 		if (typeof data.name !== "string" || typeof data.description !== "string") return null;
 		if (data.metadata?.internal === true && !shouldInstallInternalSkills() && !options?.includeInternal) return null;
@@ -1360,6 +1368,87 @@ async function installWellKnownSkillForAgent(skill, agentType, options = {}) {
 		};
 	}
 }
+async function installBlobSkillForAgent(skill, agentType, options = {}) {
+	const agent = agents[agentType];
+	const isGlobal = options.global ?? false;
+	const cwd = options.cwd || process.cwd();
+	const installMode = options.mode ?? "symlink";
+	if (isGlobal && agent.globalSkillsDir === void 0) return {
+		success: false,
+		path: "",
+		mode: installMode,
+		error: `${agent.displayName} does not support global skill installation`
+	};
+	const skillName = sanitizeName(skill.installName);
+	const canonicalBase = getCanonicalSkillsDir(isGlobal, cwd);
+	const canonicalDir = join(canonicalBase, skillName);
+	const agentBase = getAgentBaseDir(agentType, isGlobal, cwd);
+	const agentDir = join(agentBase, skillName);
+	if (!isPathSafe(canonicalBase, canonicalDir)) return {
+		success: false,
+		path: agentDir,
+		mode: installMode,
+		error: "Invalid skill name: potential path traversal detected"
+	};
+	if (!isPathSafe(agentBase, agentDir)) return {
+		success: false,
+		path: agentDir,
+		mode: installMode,
+		error: "Invalid skill name: potential path traversal detected"
+	};
+	async function writeSkillFiles(targetDir) {
+		for (const file of skill.files) {
+			const fullPath = join(targetDir, file.path);
+			if (!isPathSafe(targetDir, fullPath)) continue;
+			const parentDir = dirname(fullPath);
+			if (parentDir !== targetDir) await mkdir(parentDir, { recursive: true });
+			await writeFile(fullPath, file.contents, "utf-8");
+		}
+	}
+	try {
+		if (installMode === "copy") {
+			await cleanAndCreateDirectory(agentDir);
+			await writeSkillFiles(agentDir);
+			return {
+				success: true,
+				path: agentDir,
+				mode: "copy"
+			};
+		}
+		await cleanAndCreateDirectory(canonicalDir);
+		await writeSkillFiles(canonicalDir);
+		if (isGlobal && isUniversalAgent(agentType)) return {
+			success: true,
+			path: canonicalDir,
+			canonicalPath: canonicalDir,
+			mode: "symlink"
+		};
+		if (!await createSymlink(canonicalDir, agentDir)) {
+			await cleanAndCreateDirectory(agentDir);
+			await writeSkillFiles(agentDir);
+			return {
+				success: true,
+				path: agentDir,
+				canonicalPath: canonicalDir,
+				mode: "symlink",
+				symlinkFailed: true
+			};
+		}
+		return {
+			success: true,
+			path: agentDir,
+			canonicalPath: canonicalDir,
+			mode: "symlink"
+		};
+	} catch (error) {
+		return {
+			success: false,
+			path: agentDir,
+			mode: installMode,
+			error: error instanceof Error ? error.message : "Unknown error"
+		};
+	}
+}
 async function listInstalledSkills(options = {}) {
 	const cwd = options.cwd || process.cwd();
 	const skillsMap = /* @__PURE__ */ new Map();
@@ -1641,7 +1730,7 @@ var WellKnownProvider = class {
 			const response = await fetch(skillMdUrl);
 			if (!response.ok) return null;
 			const content = await response.text();
-			const { data } = (0, import_gray_matter.default)(content);
+			const { data } = parseFrontmatter(content);
 			if (!data.name || !data.description) return null;
 			const files = /* @__PURE__ */ new Map();
 			files.set("SKILL.md", content);
@@ -1753,28 +1842,10 @@ function getGitHubToken() {
 	return null;
 }
 async function fetchSkillFolderHash(ownerRepo, skillPath, token, ref) {
-	let folderPath = skillPath.replace(/\\/g, "/");
-	if (folderPath.endsWith("/SKILL.md")) folderPath = folderPath.slice(0, -9);
-	else if (folderPath.endsWith("SKILL.md")) folderPath = folderPath.slice(0, -8);
-	if (folderPath.endsWith("/")) folderPath = folderPath.slice(0, -1);
-	const branches = ref ? [ref] : ["main", "master"];
-	for (const branch of branches) try {
-		const url = `https://api.github.com/repos/${ownerRepo}/git/trees/${encodeURIComponent(branch)}?recursive=1`;
-		const headers = {
-			Accept: "application/vnd.github.v3+json",
-			"User-Agent": "skills-cli"
-		};
-		if (token) headers["Authorization"] = `Bearer ${token}`;
-		const response = await fetch(url, { headers });
-		if (!response.ok) continue;
-		const data = await response.json();
-		if (!folderPath) return data.sha;
-		const folderEntry = data.tree.find((entry) => entry.type === "tree" && entry.path === folderPath);
-		if (folderEntry) return folderEntry.sha;
-	} catch {
-		continue;
-	}
-	return null;
+	const { fetchRepoTree, getSkillFolderHashFromTree } = await Promise.resolve().then(() => blob_exports);
+	const tree = await fetchRepoTree(ownerRepo, ref, token);
+	if (!tree) return null;
+	return getSkillFolderHashFromTree(tree, skillPath);
 }
 async function addSkillToLock(skillName, entry) {
 	const lock = await readSkillLock$1();
@@ -1890,7 +1961,210 @@ function createEmptyLocalLock() {
 		skills: {}
 	};
 }
-var version$1 = "1.4.7";
+var blob_exports = /* @__PURE__ */ __exportAll({
+	fetchRepoTree: () => fetchRepoTree,
+	findSkillMdPaths: () => findSkillMdPaths,
+	getSkillFolderHashFromTree: () => getSkillFolderHashFromTree,
+	toSkillSlug: () => toSkillSlug,
+	tryBlobInstall: () => tryBlobInstall
+});
+const DOWNLOAD_BASE_URL = process.env.SKILLS_DOWNLOAD_URL || "https://skills.sh";
+const FETCH_TIMEOUT = 1e4;
+function toSkillSlug(name) {
+	return name.toLowerCase().replace(/[\s_]+/g, "-").replace(/[^a-z0-9-]/g, "").replace(/-+/g, "-").replace(/^-|-$/g, "");
+}
+async function fetchRepoTree(ownerRepo, ref, token) {
+	const branches = ref ? [ref] : [
+		"HEAD",
+		"main",
+		"master"
+	];
+	for (const branch of branches) try {
+		const url = `https://api.github.com/repos/${ownerRepo}/git/trees/${encodeURIComponent(branch)}?recursive=1`;
+		const headers = {
+			Accept: "application/vnd.github.v3+json",
+			"User-Agent": "skills-cli"
+		};
+		if (token) headers["Authorization"] = `Bearer ${token}`;
+		const response = await fetch(url, {
+			headers,
+			signal: AbortSignal.timeout(FETCH_TIMEOUT)
+		});
+		if (!response.ok) continue;
+		const data = await response.json();
+		return {
+			sha: data.sha,
+			branch,
+			tree: data.tree
+		};
+	} catch {
+		continue;
+	}
+	return null;
+}
+function getSkillFolderHashFromTree(tree, skillPath) {
+	let folderPath = skillPath.replace(/\\/g, "/");
+	if (folderPath.endsWith("/SKILL.md")) folderPath = folderPath.slice(0, -9);
+	else if (folderPath.endsWith("SKILL.md")) folderPath = folderPath.slice(0, -8);
+	if (folderPath.endsWith("/")) folderPath = folderPath.slice(0, -1);
+	if (!folderPath) return tree.sha;
+	return tree.tree.find((e) => e.type === "tree" && e.path === folderPath)?.sha ?? null;
+}
+const PRIORITY_PREFIXES = [
+	"",
+	"skills/",
+	"skills/.curated/",
+	"skills/.experimental/",
+	"skills/.system/",
+	".agents/skills/",
+	".claude/skills/",
+	".cline/skills/",
+	".codebuddy/skills/",
+	".codex/skills/",
+	".commandcode/skills/",
+	".continue/skills/",
+	".github/skills/",
+	".goose/skills/",
+	".iflow/skills/",
+	".junie/skills/",
+	".kilocode/skills/",
+	".kiro/skills/",
+	".mux/skills/",
+	".neovate/skills/",
+	".opencode/skills/",
+	".openhands/skills/",
+	".pi/skills/",
+	".qoder/skills/",
+	".roo/skills/",
+	".trae/skills/",
+	".windsurf/skills/",
+	".zencoder/skills/"
+];
+function findSkillMdPaths(tree, subpath) {
+	const allSkillMds = tree.tree.filter((e) => e.type === "blob" && e.path.endsWith("SKILL.md")).map((e) => e.path);
+	const prefix = subpath ? subpath.endsWith("/") ? subpath : subpath + "/" : "";
+	const filtered = prefix ? allSkillMds.filter((p) => p.startsWith(prefix) || p === prefix + "SKILL.md") : allSkillMds;
+	if (filtered.length === 0) return [];
+	const priorityResults = [];
+	const seen = /* @__PURE__ */ new Set();
+	for (const priorityPrefix of PRIORITY_PREFIXES) {
+		const fullPrefix = prefix + priorityPrefix;
+		for (const skillMd of filtered) {
+			if (!skillMd.startsWith(fullPrefix)) continue;
+			const rest = skillMd.slice(fullPrefix.length);
+			if (rest === "SKILL.md") {
+				if (!seen.has(skillMd)) {
+					priorityResults.push(skillMd);
+					seen.add(skillMd);
+				}
+				continue;
+			}
+			const parts = rest.split("/");
+			if (parts.length === 2 && parts[1] === "SKILL.md") {
+				if (!seen.has(skillMd)) {
+					priorityResults.push(skillMd);
+					seen.add(skillMd);
+				}
+			}
+		}
+	}
+	if (priorityResults.length > 0) return priorityResults;
+	return filtered.filter((p) => {
+		return p.split("/").length <= 6;
+	});
+}
+async function fetchSkillMdContent(ownerRepo, branch, skillMdPath) {
+	try {
+		const url = `https://raw.githubusercontent.com/${ownerRepo}/${branch}/${skillMdPath}`;
+		const response = await fetch(url, { signal: AbortSignal.timeout(FETCH_TIMEOUT) });
+		if (!response.ok) return null;
+		return await response.text();
+	} catch {
+		return null;
+	}
+}
+async function fetchSkillDownload(source, slug) {
+	try {
+		const [owner, repo] = source.split("/");
+		const url = `${DOWNLOAD_BASE_URL}/api/download/${encodeURIComponent(owner)}/${encodeURIComponent(repo)}/${encodeURIComponent(slug)}`;
+		const response = await fetch(url, { signal: AbortSignal.timeout(FETCH_TIMEOUT) });
+		if (!response.ok) return null;
+		return await response.json();
+	} catch {
+		return null;
+	}
+}
+async function tryBlobInstall(ownerRepo, options = {}) {
+	const tree = await fetchRepoTree(ownerRepo, options.ref, options.token);
+	if (!tree) return null;
+	let skillMdPaths = findSkillMdPaths(tree, options.subpath);
+	if (skillMdPaths.length === 0) return null;
+	if (options.skillFilter) {
+		const filterSlug = toSkillSlug(options.skillFilter);
+		const filtered = skillMdPaths.filter((p) => {
+			const parts = p.split("/");
+			if (parts.length < 2) return false;
+			const folderName = parts[parts.length - 2];
+			return toSkillSlug(folderName) === filterSlug;
+		});
+		if (filtered.length > 0) skillMdPaths = filtered;
+	}
+	const mdFetches = await Promise.all(skillMdPaths.map(async (mdPath) => {
+		return {
+			mdPath,
+			content: await fetchSkillMdContent(ownerRepo, tree.branch, mdPath)
+		};
+	}));
+	const parsedSkills = [];
+	for (const { mdPath, content } of mdFetches) {
+		if (!content) continue;
+		const { data } = parseFrontmatter(content);
+		if (!data.name || !data.description) continue;
+		if (typeof data.name !== "string" || typeof data.description !== "string") continue;
+		if (data.metadata?.internal === true && !options.includeInternal) continue;
+		parsedSkills.push({
+			mdPath,
+			name: data.name,
+			description: data.description,
+			content,
+			slug: toSkillSlug(data.name),
+			metadata: data.metadata
+		});
+	}
+	if (parsedSkills.length === 0) return null;
+	let filteredSkills = parsedSkills;
+	if (options.skillFilter) {
+		const filterSlug = toSkillSlug(options.skillFilter);
+		const nameFiltered = parsedSkills.filter((s) => s.slug === filterSlug);
+		if (nameFiltered.length > 0) filteredSkills = nameFiltered;
+		if (filteredSkills.length === 0) return null;
+	}
+	const source = ownerRepo.toLowerCase();
+	const downloads = await Promise.all(filteredSkills.map(async (skill) => {
+		return {
+			skill,
+			download: await fetchSkillDownload(source, skill.slug)
+		};
+	}));
+	if (!downloads.every((d) => d.download !== null)) return null;
+	return {
+		skills: downloads.map(({ skill, download }) => {
+			skill.mdPath.endsWith("/SKILL.md") ? skill.mdPath.slice(0, -9) : skill.mdPath === "SKILL.md" || skill.mdPath.slice(0, -9);
+			return {
+				name: skill.name,
+				description: skill.description,
+				path: "",
+				rawContent: skill.content,
+				metadata: skill.metadata,
+				files: download.files,
+				snapshotHash: download.hash,
+				repoPath: skill.mdPath
+			};
+		}),
+		tree
+	};
+}
+var version$1 = "1.4.9";
 const isCancelled$1 = (value) => typeof value === "symbol";
 async function isSourcePrivate(source) {
 	const ownerRepo = parseOwnerRepo(source);
@@ -2371,11 +2645,27 @@ async function runAdd(args, options = {}) {
 		spinner.start("Parsing source...");
 		const parsed = parseSource(source);
 		spinner.stop(`Source: ${parsed.type === "local" ? parsed.localPath : parsed.url}${parsed.ref ? ` @ ${import_picocolors.default.yellow(parsed.ref)}` : ""}${parsed.subpath ? ` (${parsed.subpath})` : ""}${parsed.skillFilter ? ` ${import_picocolors.default.dim("@")}${import_picocolors.default.cyan(parsed.skillFilter)}` : ""}`);
+		if (getOwnerRepo(parsed)?.split("/")[0]?.toLowerCase() === "openclaw" && !options.dangerouslyAcceptOpenclawRisks) {
+			console.log();
+			M.warn(import_picocolors.default.yellow(import_picocolors.default.bold("⚠ OpenClaw skills are unverified community submissions.")));
+			M.message(import_picocolors.default.yellow("This source contains user-submitted skills that have not been reviewed for safety or quality."));
+			M.message(import_picocolors.default.yellow("Skills run with full agent permissions and could be malicious."));
+			console.log();
+			M.message(`If you understand the risks, re-run with:\n\n  ${import_picocolors.default.cyan(`npx skills add ${source} --dangerously-accept-openclaw-risks`)}\n`);
+			Se(import_picocolors.default.red("Installation blocked"));
+			process.exit(1);
+		}
 		if (parsed.type === "well-known") {
 			await handleWellKnownSkills(source, parsed.url, options, spinner);
 			return;
 		}
-		let skillsDir;
+		if (parsed.skillFilter) {
+			options.skill = options.skill || [];
+			if (!options.skill.includes(parsed.skillFilter)) options.skill.push(parsed.skillFilter);
+		}
+		const includeInternal = !!(options.skill && options.skill.length > 0);
+		let skills;
+		let blobResult = null;
 		if (parsed.type === "local") {
 			spinner.start("Validating local path...");
 			if (!existsSync(parsed.localPath)) {
@@ -2383,31 +2673,58 @@ async function runAdd(args, options = {}) {
 				Se(import_picocolors.default.red(`Local path does not exist: ${parsed.localPath}`));
 				process.exit(1);
 			}
-			skillsDir = parsed.localPath;
 			spinner.stop("Local path validated");
+			spinner.start("Discovering skills...");
+			skills = await discoverSkills(parsed.localPath, parsed.subpath, {
+				includeInternal,
+				fullDepth: options.fullDepth
+			});
+		} else if (parsed.type === "github" && !options.fullDepth) {
+			const BLOB_ALLOWED_OWNERS = ["vercel", "vercel-labs"];
+			const ownerRepo = getOwnerRepo(parsed);
+			const owner = ownerRepo?.split("/")[0]?.toLowerCase();
+			if (ownerRepo && owner && BLOB_ALLOWED_OWNERS.includes(owner)) {
+				spinner.start("Fetching skills...");
+				const token = getGitHubToken();
+				blobResult = await tryBlobInstall(ownerRepo, {
+					subpath: parsed.subpath,
+					skillFilter: parsed.skillFilter,
+					ref: parsed.ref,
+					token,
+					includeInternal
+				});
+				if (!blobResult) spinner.stop(import_picocolors.default.dim("Falling back to clone..."));
+			}
+			if (blobResult) {
+				skills = blobResult.skills;
+				spinner.stop(`Found ${import_picocolors.default.green(skills.length)} skill${skills.length > 1 ? "s" : ""}`);
+			} else {
+				spinner.start("Cloning repository...");
+				tempDir = await cloneRepo(parsed.url, parsed.ref);
+				spinner.stop("Repository cloned");
+				spinner.start("Discovering skills...");
+				skills = await discoverSkills(tempDir, parsed.subpath, {
+					includeInternal,
+					fullDepth: options.fullDepth
+				});
+			}
 		} else {
 			spinner.start("Cloning repository...");
 			tempDir = await cloneRepo(parsed.url, parsed.ref);
-			skillsDir = tempDir;
 			spinner.stop("Repository cloned");
+			spinner.start("Discovering skills...");
+			skills = await discoverSkills(tempDir, parsed.subpath, {
+				includeInternal,
+				fullDepth: options.fullDepth
+			});
 		}
-		if (parsed.skillFilter) {
-			options.skill = options.skill || [];
-			if (!options.skill.includes(parsed.skillFilter)) options.skill.push(parsed.skillFilter);
-		}
-		const includeInternal = !!(options.skill && options.skill.length > 0);
-		spinner.start("Discovering skills...");
-		const skills = await discoverSkills(skillsDir, parsed.subpath, {
-			includeInternal,
-			fullDepth: options.fullDepth
-		});
 		if (skills.length === 0) {
 			spinner.stop(import_picocolors.default.red("No skills found"));
 			Se(import_picocolors.default.red("No valid skills found. Skills require a SKILL.md with name and description."));
 			await cleanup(tempDir);
 			process.exit(1);
 		}
-		spinner.stop(`Found ${import_picocolors.default.green(skills.length)} skill${skills.length > 1 ? "s" : ""}`);
+		if (!blobResult) spinner.stop(`Found ${import_picocolors.default.green(skills.length)} skill${skills.length > 1 ? "s" : ""}`);
 		if (options.list) {
 			console.log();
 			M.step(import_picocolors.default.bold("Available Skills"));
@@ -2669,7 +2986,17 @@ async function runAdd(args, options = {}) {
 		spinner.start("Installing skills...");
 		const results = [];
 		for (const skill of selectedSkills) for (const agent of targetAgents) {
-			const result = await installSkillForAgent(skill, agent, {
+			let result;
+			if (blobResult && "files" in skill) {
+				const blobSkill = skill;
+				result = await installBlobSkillForAgent({
+					installName: blobSkill.name,
+					files: blobSkill.files
+				}, agent, {
+					global: installGlobally,
+					mode: installMode
+				});
+			} else result = await installSkillForAgent(skill, agent, {
 				global: installGlobally,
 				mode: installMode
 			});
@@ -2685,13 +3012,10 @@ async function runAdd(args, options = {}) {
 		const successful = results.filter((r) => r.success);
 		const failed = results.filter((r) => !r.success);
 		const skillFiles = {};
-		for (const skill of selectedSkills) {
-			let relativePath;
-			if (tempDir && skill.path === tempDir) relativePath = "SKILL.md";
-			else if (tempDir && skill.path.startsWith(tempDir + sep)) relativePath = skill.path.slice(tempDir.length + 1).split(sep).join("/") + "/SKILL.md";
-			else continue;
-			skillFiles[skill.name] = relativePath;
-		}
+		for (const skill of selectedSkills) if (blobResult && "repoPath" in skill) skillFiles[skill.name] = skill.repoPath;
+		else if (tempDir && skill.path === tempDir) skillFiles[skill.name] = "SKILL.md";
+		else if (tempDir && skill.path.startsWith(tempDir + sep)) skillFiles[skill.name] = skill.path.slice(tempDir.length + 1).split(sep).join("/") + "/SKILL.md";
+		else continue;
 		const normalizedSource = getOwnerRepo(parsed);
 		const lockSource = parsed.url.startsWith("git@") ? parsed.url : normalizedSource;
 		if (normalizedSource) {
@@ -2721,7 +3045,10 @@ async function runAdd(args, options = {}) {
 				if (successfulSkillNames.has(skillDisplayName)) try {
 					let skillFolderHash = "";
 					const skillPathValue = skillFiles[skill.name];
-					if (parsed.type === "github" && skillPathValue) {
+					if (blobResult && skillPathValue) {
+						const hash = getSkillFolderHashFromTree(blobResult.tree, skillPathValue);
+						if (hash) skillFolderHash = hash;
+					} else if (parsed.type === "github" && skillPathValue) {
 						const hash = await fetchSkillFolderHash(normalizedSource, skillPathValue, getGitHubToken(), parsed.ref);
 						if (hash) skillFolderHash = hash;
 					}
@@ -2742,7 +3069,7 @@ async function runAdd(args, options = {}) {
 			for (const skill of selectedSkills) {
 				const skillDisplayName = getSkillDisplayName(skill);
 				if (successfulSkillNames.has(skillDisplayName)) try {
-					const computedHash = await computeSkillFolderHash(skill.path);
+					const computedHash = blobResult && "snapshotHash" in skill ? skill.snapshotHash : await computeSkillFolderHash(skill.path);
 					await addSkillToLocalLock(skill.name, {
 						source: lockSource || parsed.url,
 						ref: parsed.ref,
@@ -2905,6 +3232,7 @@ function parseAddOptions(args) {
 			i--;
 		} else if (arg === "--full-depth") options.fullDepth = true;
 		else if (arg === "--copy") options.copy = true;
+		else if (arg === "--dangerously-accept-openclaw-risks") options.dangerouslyAcceptOpenclawRisks = true;
 		else if (arg && !arg.startsWith("-")) source.push(arg);
 	}
 	return {