feat: auto-install find-skills during create and link

[tonychang04]

Summary

• Adds find-skills from vercel-labs/skills to the installSkills() flow in src/lib/skills.ts
• Runs automatically during insforge create and insforge link for all templates
• Gives users skill discovery out of the box

Test plan

• Run insforge create with a template and verify find-skills is installed
• Run insforge link and verify find-skills is installed
• Verify graceful fallback if find-skills installation fails

🤖 Generated with Claude Code

Summary by CodeRabbit

• New Features

  • Extended skill installation system to support find-skills, expanding available capabilities.

• Improvements

  • Enhanced installation process with verbose logging and improved error handling.
  • Added timeout safeguards for installation operations.

[coderabbitai]

Walkthrough

A new asynchronous installation step is added to installSkills to install find-skills from vercel-labs, featuring verbose logging, error handling, and a 60-second timeout. The addition runs after the existing agent-skills installation with non-blocking error recovery.

Changes

Cohort / File(s)	Summary
Find-skills Installation src/lib/skills.ts	Added async block in installSkills to execute npm/npx command installing find-skills package with 60-second timeout, comprehensive logging (info/success/warning messages), and graceful error handling that logs warnings without blocking subsequent operations.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• fix: filter skill install to only insforge and insforge-cli #13: Modifies the skill installation flow in src/lib/skills.ts by restricting npx skills add flags, creating overlapping changes in the same installation logic.

Poem

🐰 A skill hunter hops through the code,
Adding vercel-labs down the road,
Find-skills now installs with care,
With timeouts and logging everywhere,
No errors will make our journey fray,
More tools to help us every day! 🛠️

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: adding automatic installation of find-skills during the create and link commands.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/install-find-skills

📝 Coding Plan

• Generate coding plan for human review comments

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@src/lib/skills.ts`:
- Around line 70-76: The installer currently uses a floating GitHub URL in the
execAsync call and in the fallback message; change both the command string
passed to execAsync('npx skills add https://github.com/vercel-labs/skills
--skill find-skills -y', ...) and the fallback clack.log.warn text to reference
an immutable ref (a specific tag or commit SHA), e.g., replace the URL with the
same GitHub URL pinned to a tag or commit (like
https://github.com/vercel-labs/skills@v1.2.3 or append #<commit-sha> per the
tool’s URL format) so the executed command and the "run manually" message both
point to the exact pinned ref; update the success message location (the
clack.log.success path that checks !json) similarly if it echoes the source URL.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 15f603fe-d4bb-4587-9183-adbf8e751d56

📥 Commits

Reviewing files that changed from the base of the PR and between 2f8b41f and bb419b7.

📒 Files selected for processing (1)

• src/lib/skills.ts

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify whether any GitHub-based "skills add" sources are unpinned.
# Expected: every GitHub URL includes an immutable ref suffix like #<tag-or-sha>.
rg -nP "skills add https://github\\.com/[\\w./-]+(\\s|['\"])"
rg -nP "skills add https://github\\.com/[\\w./-]+#[\\w.-]+"

Repository: InsForge/CLI

Length of output: 358

---

Pin the GitHub source to an immutable ref.

Lines 70 and 76 install/reference a floating GitHub URL without a commit or tag pin, which is non-reproducible and weakens supply-chain guarantees. Use a tag/commit-pinned source for both the executed command and the fallback message.

🔧 Proposed hardening patch

+  const FIND_SKILLS_SOURCE = 'https://github.com/vercel-labs/skills#<commit-or-tag>';
+
   try {
     if (!json) clack.log.info('Installing find-skills...');
-    await execAsync('npx skills add https://github.com/vercel-labs/skills --skill find-skills -y', {
+    await execAsync(`npx skills add ${FIND_SKILLS_SOURCE} --skill find-skills -y`, {
       cwd: process.cwd(),
       timeout: 60_000,
     });
     if (!json) clack.log.success('find-skills installed.');
   } catch {
-    if (!json) clack.log.warn('Failed to install find-skills. You can run manually: npx skills add https://github.com/vercel-labs/skills --skill find-skills');
+    if (!json) clack.log.warn(`Failed to install find-skills. You can run manually: npx skills add ${FIND_SKILLS_SOURCE} --skill find-skills`);
   }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/lib/skills.ts` around lines 70 - 76, The installer currently uses a
floating GitHub URL in the execAsync call and in the fallback message; change
both the command string passed to execAsync('npx skills add
https://github.com/vercel-labs/skills --skill find-skills -y', ...) and the
fallback clack.log.warn text to reference an immutable ref (a specific tag or
commit SHA), e.g., replace the URL with the same GitHub URL pinned to a tag or
commit (like https://github.com/vercel-labs/skills@v1.2.3 or append
#<commit-sha> per the tool’s URL format) so the executed command and the "run
manually" message both point to the exact pinned ref; update the success message
location (the clack.log.success path that checks !json) similarly if it echoes
the source URL.

[tonychang04]

Skills are prompt/markdown definitions, not executable code

[coderabbitai]

@tonychang04, that's a fair and important clarification — thank you. Since skills are prompt/markdown definitions rather than executable packages, the supply-chain concern I raised (arbitrary code injection) doesn't apply here. The worst-case scenario from a floating URL is unexpected drift in the prompt content, which is a much lower severity than what I originally implied. I'll withdraw the major severity flag on this.

---

✏️ Learnings added

Learnt from: tonychang04
Repo: InsForge/CLI PR: 25
File: src/lib/skills.ts:70-76
Timestamp: 2026-03-17T23:24:00.981Z
Learning: In the InsForge/CLI repository (`src/lib/skills.ts`), "skills" installed via `npx skills add` (e.g., `https://github.com/vercel-labs/skills`) are prompt/markdown definitions, not executable code. Supply-chain concerns about pinning to immutable refs are therefore low-severity for these installs, as there is no arbitrary code execution risk.

Note: Learnings are effective only in the context of similar code segments. To apply general coding guidelines, please configure review instructions. You can manage existing learnings in the app.