Several agent files used <example> blocks containing user: "..." /
assistant: "..." turn markers, embedded as \n-escaped strings inside
the YAML frontmatter description: field. Replace those with flat prose
trigger descriptions in description: and a 'When to invoke' section
in the agent body containing prose-bullet scenarios.
Affected files:
- 5 agent definitions:
- plugins/hookify/agents/conversation-analyzer.md
- plugins/pr-review-toolkit/agents/code-reviewer.md
- plugins/pr-review-toolkit/agents/pr-test-analyzer.md
- plugins/pr-review-toolkit/agents/type-design-analyzer.md
- plugins/pr-review-toolkit/agents/comment-analyzer.md
- 5 agent-development skill files updated to teach the new format:
- plugins/plugin-dev/skills/agent-development/SKILL.md
- .../references/triggering-examples.md
- .../references/agent-creation-system-prompt.md
- .../examples/complete-agent-examples.md
- .../examples/agent-creation-prompt.md
Routing is unaffected: each description: still names the trigger
surface in plain English.
Adobe's Creative Cloud skills for image editing, design automation,
background removal, vectorization, and retouching. Points at the
plugins/creative-cloud/adobe-for-creativity subdir of adobe/skills.
The 'Validate frontmatter' step interpolated step output directly into a
double-quoted shell string, allowing a fork PR that adds a file named
e.g. agents/$(curl ...).md to execute arbitrary commands on the runner.
- Pass the file list via env: and reference as "$FILES" so the shell
never re-evaluates the contents
- Pass PR number via env: for consistency (no ${{ }} inside run:)
- Gate the job on same-repo PRs only, since fork PRs are auto-closed by
close-external-prs.yml anyway
Impact was bounded (fork PRs get a read-only token with no secrets), but
this closes the RCE-on-runner vector entirely.
The bot command handlers bypassed access control — they responded to
any DM user regardless of dmPolicy, leaking bot presence and
contradicting ACCESS.md's "Drop silently. No reply." contract for
allowlist mode.
Add dmCommandGate() that applies the same disabled/allowlist checks
as gate() without the pairing side effects, and route all three
handlers through it. Also prune expired pending codes before /status
iterates them.
Fixes#854
Co-authored-by: Claude <noreply@anthropic.com>
Ports anthropics/skills#547 (b0cbd3d) so this repo matches the upstream
skills repo.
improve_description.py and run_loop.py now shell out to `claude -p` instead
of using the Anthropic SDK directly, so the description optimizer uses the
session's existing Claude Code auth and no longer requires a separate
ANTHROPIC_API_KEY. SKILL.md drops the stale extended-thinking reference and
adds guidance for updating an existing skill.
Several enterprise customers sync exclusively from this repo (not
anthropics/skills, whose README disclaims production use), so they have been
stuck on the old SDK-based path.
Let installs follow the repo's default branch instead of a fixed SHA.
Removes the plugin from the weekly SHA-bump rotation and lets developer
updates reach users directly on `claude plugin install`.
