Vendor official jfrog-skills v0.11.0, bump to v0.5.0 #14
Merged
Replace the plugin monolithic skill (REST/curl-based, v1.0.0) with the full jfrog-skills repo content (v0.7.0) which uses jf CLI, jf api, OneModel GraphQL, AQL, and includes environment check scripts, login flow automation, and 24 structured reference files. Add the jfrog-package-safety-and-download skill for curation/safety checks (previously missing from the plugin entirely). Update plugin.json to register both skills.
Change mcp.json to use JFROG_URL (the standard JFrog CLI env var, full URL with protocol) instead of the non-standard JFROG_PLATFORM_URL (bare hostname). This aligns the plugin with the CLI, setup-jfrog-cli GitHub Action, and the Agent Guard hook which already reads JFROG_URL. Update the inner README to reflect the two skills (jfrog + jfrog-package-safety-and-download), the updated reference file structure (24 reference files + 3 scripts), and the JFROG_URL env var.
Replace CLI-only skill with mixed MCP+CLI skill from jfrog-skills PR #33 (feature/JFSK-1-mcp-three-tier-routing). Agents now try MCP tools first, fall back to jf CLI commands, then jf api. Changes:
- skills/jfrog/SKILL.md: three-tier tool selection strategy, fallback tracking, MCP-first catalog/CVE routing, split gotchas, updated env-check contract (positional arg, no eval)
- scripts/check-environment.sh: positional model-slug arg, bare UA output (printf) instead of eval-able export
- plugin.json: version 0.4.0 -> 0.5.0-dev
- README.md: document three-tier approach, trailing-slash warning
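The env-check contract change named in the commit message above (positional argument, bare printf output, no eval), sketched as an added example that is not code from this PR or from jfrog-skills. The helper names, the example-agent prefix, the allowed slug characters and the reading of "UA" as a user-agent string are all assumptions.

```shell
#!/bin/sh
# Added example with hypothetical helpers; this is not the content of
# scripts/check-environment.sh. "UA" is assumed to mean a user-agent string.

# Contract A (for contrast): print an export line that the caller must eval.
ua_as_export() {
    printf 'export AGENT_UA=example-agent/%s\n' "$1"
}

# Contract B: model slug as a positional argument, bare value on stdout.
# Slugs outside a conservative character set are rejected with status 2.
ua_bare() {
    case ${1-} in
        '' | *[!A-Za-z0-9._-]*) return 2 ;;
    esac
    printf 'example-agent/%s' "$1"
}

# Caller for contract A: whatever the helper printed is parsed as shell code.
consume_with_eval() {
    SIDE_EFFECT=no
    eval "$(ua_as_export "$1")"
    printf '%s' "$SIDE_EFFECT"
}

# Caller for contract B: the output is only ever assigned, never parsed.
consume_bare() {
    SIDE_EFFECT=no
    AGENT_UA=$(ua_bare "$1") || { printf 'rejected'; return 0; }
    printf '%s|%s' "$SIDE_EFFECT" "$AGENT_UA"
}

# Constructed inputs: one ordinary slug and one that carries shell syntax.
GOOD_SLUG='model-x-1'
ODD_SLUG='m; SIDE_EFFECT=yes'

printf 'eval contract, ordinary slug: %s\n' "$(consume_with_eval "$GOOD_SLUG")"
printf 'eval contract, odd slug:      %s\n' "$(consume_with_eval "$ODD_SLUG")"
printf 'bare contract, ordinary slug: %s\n' "$(consume_bare "$GOOD_SLUG")"
printf 'bare contract, odd slug:      %s\n' "$(consume_bare "$ODD_SLUG")"
```

With the eval contract the odd slug changes a variable in the caller's shell; with the bare contract the same input is rejected before anything is printed, and accepted output is only ever assigned.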
Replace the previously bundled skill content with the official jfrog-skills repo (v0.11.0). This aligns the Cursor plugin with the same skill used across all JFrog AI integrations. Breaking change: JFROG_PLATFORM_URL renamed to JFROG_URL. The new variable must include the protocol (e.g., https://mycompany.jfrog.io). Previously the plugin prepended https:// automatically; it no longer does. Key changes:
- Vendor jfrog-skills v0.11.0 (24 reference files, 3 scripts)
- Add jfrog-package-safety-and-download skill
- Rename env var JFROG_PLATFORM_URL -> JFROG_URL in mcp.json
- Update auth docs: jf login / JFROG_ACCESS_TOKEN (not jf config add)
- Add VENDOR.md to track vendored skill source
- Bump marketplace and plugin version to 0.5.0
- Remove duplicate mcp keyword from plugin.json
Co-authored-by: Cursor <cursoragent@cursor.com>
All contributors have signed the CLA ✍️ ✅
The env var rename (JFROG_PLATFORM_URL -> JFROG_URL) was not approved as part of the v0.5.0 PR. Revert mcp.json and both READMEs back to JFROG_PLATFORM_URL while keeping all other v0.5.0 changes (vendored skills, package-safety skill, auth docs, version bump).
Co-authored-by: Cursor <cursoragent@cursor.com>
I have read the CLA Document and I hereby sign the CLA
yanivt-jfrog approved these changes May 28, 2026
Summary
jfrog-package-safety-and-download for checking whether packages are safe, curated, or allowed before downloading through Artifactory.
What changed
- references/ files + 3 shell scripts from jfrog-skills v0.11.0
- SKILL.md rewritten: three-tier tool routing (MCP, CLI, jf api), lazy reference loading, cautious execution, server selection rules
- jfrog-package-safety-and-download/SKILL.md (286 lines)
- VENDOR.md added to track vendored source (v0.11.0, commit 66e7d1d)
- plugin.json: version 0.4.0 -> 0.5.0, second skill registered, duplicate mcp keyword removed
- marketplace.json: version 0.4.0 -> 0.5.0
Old-to-new file mapping
The old skill had flat files at the skill root (artifactory-reference.md, security-reference.md, cli-reference.md, etc.). The new skill organizes content under references/ by domain (artifactory-entities.md, artifactory-operations.md, xray-entities.md, etc.). The jfrog-skills repo content is a superset of the old reference files.
Test plan
JFROG_PLATFORM_URL