Merged
12 changes: 12 additions & 0 deletions src/lib/skills.ts
Expand Up @@ -64,6 +64,18 @@ export async function installSkills(json: boolean): Promise<void> {
if (!json) clack.log.warn('Failed to install agent skills. You can run manually: npx skills add insforge/agent-skills -s insforge -s insforge-cli');
}

// Install find-skills from vercel-labs for skill discovery
try {
if (!json) clack.log.info('Installing find-skills...');
await execAsync('npx skills add https://github.com/vercel-labs/skills --skill find-skills -y', {
cwd: process.cwd(),
timeout: 60_000,
});
if (!json) clack.log.success('find-skills installed.');
} catch {
if (!json) clack.log.warn('Failed to install find-skills. You can run manually: npx skills add https://github.com/vercel-labs/skills --skill find-skills');
Comment on lines +70 to +76

@coderabbitai coderabbitai bot Mar 17, 2026

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify whether any GitHub-based "skills add" sources are unpinned.
# Expected: every GitHub URL includes an immutable ref suffix like #<tag-or-sha>.
rg -nP "skills add https://github\\.com/[\\w./-]+(\\s|['\"])"
rg -nP "skills add https://github\\.com/[\\w./-]+#[\\w.-]+"

Repository: InsForge/CLI

Length of output: 358


Pin the GitHub source to an immutable ref.

Lines 70 and 76 install/reference a floating GitHub URL without a commit or tag pin, which is non-reproducible and weakens supply-chain guarantees. Use a tag/commit-pinned source for both the executed command and the fallback message.

🔧 Proposed hardening patch
+  const FIND_SKILLS_SOURCE = 'https://github.com/vercel-labs/skills#<commit-or-tag>';
+
   try {
     if (!json) clack.log.info('Installing find-skills...');
-    await execAsync('npx skills add https://github.com/vercel-labs/skills --skill find-skills -y', {
+    await execAsync(`npx skills add ${FIND_SKILLS_SOURCE} --skill find-skills -y`, {
       cwd: process.cwd(),
       timeout: 60_000,
     });
     if (!json) clack.log.success('find-skills installed.');
   } catch {
-    if (!json) clack.log.warn('Failed to install find-skills. You can run manually: npx skills add https://github.com/vercel-labs/skills --skill find-skills');
+    if (!json) clack.log.warn(`Failed to install find-skills. You can run manually: npx skills add ${FIND_SKILLS_SOURCE} --skill find-skills`);
   }
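Review bot: The `<commit-or-tag>` placeholder in `FIND_SKILLS_SOURCE` allows a tag, but a Git tag can be moved or re-created, so only a full commit SHA gives the immutable ref this comment asks for. The `#<ref>` fragment form should also be confirmed against the `skills` CLI before merging, since the prompt below mentions both `@v1.2.3` and `#<commit-sha>` as possible formats.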
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@src/lib/skills.ts` around lines 70 - 76, The installer currently uses a
floating GitHub URL in the execAsync call and in the fallback message; change
both the command string passed to execAsync('npx skills add
https://github.com/vercel-labs/skills --skill find-skills -y', ...) and the
fallback clack.log.warn text to reference an immutable ref (a specific tag or
commit SHA), e.g., replace the URL with the same GitHub URL pinned to a tag or
commit (like https://github.com/vercel-labs/skills@v1.2.3 or append
#<commit-sha> per the tool’s URL format) so the executed command and the "run
manually" message both point to the exact pinned ref; update the success message
location (the clack.log.success path that checks !json) similarly if it echoes
the source URL.

Contributor Author

Skills are prompt/markdown definitions, not executable code

@tonychang04, that's a fair and important clarification — thank you. Since skills are prompt/markdown definitions rather than executable packages, the supply-chain concern I raised (arbitrary code injection) doesn't apply here. The worst-case scenario from a floating URL is unexpected drift in the prompt content, which is a much lower severity than what I originally implied. I'll withdraw the major severity flag on this.


✏️ Learnings added
Learnt from: tonychang04
Repo: InsForge/CLI PR: 25
File: src/lib/skills.ts:70-76
Timestamp: 2026-03-17T23:24:00.981Z
Learning: In the InsForge/CLI repository (`src/lib/skills.ts`), "skills" installed via `npx skills add` (e.g., `https://github.com/vercel-labs/skills`) are prompt/markdown definitions, not executable code. Supply-chain concerns about pinning to immutable refs are therefore low-severity for these installs, as there is no arbitrary code execution risk.

Note: Learnings are effective only in the context of similar code segments. To apply general coding guidelines, please configure review instructions. You can manage existing learnings in the app.

}

try {
updateGitignore();
} catch {
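Review bot: The `npx skills add ...` command in the added `execAsync` call runs the `skills` npm package without a version, so npx resolves whatever release is available locally or on the registry at run time; that CLI is executable code on the user's machine regardless of what the fetched skills contain. Consider invoking a versioned `skills@<version>` (placeholder, to be chosen by the maintainers) or a dependency locked in the project, in both the command and the "run manually" hint. The bare `catch {` around the install also discards the error, so with `json` set a failed install leaves no trace; capturing the error and surfacing it in the JSON output or a debug log would make failures diagnosable.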