add skill-auto-installer: intent-based auto-install meta-skill #413
maimai-dot wants to merge 1 commit into
Actionable comments posted: 4
🧹 Nitpick comments (1)
plugins/skill-auto-installer/skills/skill-auto-installer/SKILL.md (1)
Line 67: ⚡ Quick win: enhance logging format for better auditability.
The current log format captures only the skill name and trigger keyword. This makes it difficult to:
- Debug installation or invocation failures
- Track which marketplace version was installed
- Audit security incidents
- Correlate user actions with outcomes
📊 Recommended enhanced log format

5. **Log**: after each install, append one line to `~/.claude/skill-auto-installer.log`:

[YYYY-MM-DD HH:MM:SS] ACTION=install SKILL=<skill-name> TRIGGER=<keyword> SOURCE=<marketplace-path> STATUS=<success|failure> INVOKED=<yes|no>

After each skill invocation, append:

[YYYY-MM-DD HH:MM:SS] ACTION=invoke SKILL=<skill-name> REQUEST=<request-summary> STATUS=<success|failure> ERROR=<error-message>

This structured format enables:
- Easy parsing with grep or log analysis tools
- Clear audit trail for security review
- Debugging failed installations or invocations
- Tracking skill usage patterns over time
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@plugins/skill-auto-installer/skills/skill-auto-installer/SKILL.md` at line 67, Update the log format instruction in SKILL.md where it currently specifies appending `[YYYY-MM-DD HH:MM] <skill-name> — <trigger-keyword>` to `~/.claude/skill-auto-installer.log`; replace it with the recommended structured entries for both install and invoke events such that install lines include timestamp, ACTION=install, SKILL=<skill-name>, TRIGGER=<keyword>, SOURCE=<marketplace-path>, STATUS=<success|failure>, INVOKED=<yes|no> and invoke lines include timestamp, ACTION=invoke, SKILL=<skill-name>, REQUEST=<request-summary>, STATUS=<success|failure>, ERROR=<error-message>, so consumers of the log can parse and audit installations and invocations reliably.
📒 Files selected for processing (3)
- README.md
- plugins/skill-auto-installer/.claude-plugin/plugin.json
- plugins/skill-auto-installer/skills/skill-auto-installer/SKILL.md
| ```bash | ||
| ls ~/.claude/skills/<skill-name>/ 2>/dev/null && echo "INSTALLED" || echo "MISSING" |
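Review bot: `ls ~/.claude/skills/<skill-name>/ 2>/dev/null && echo "INSTALLED"` reports INSTALLED for any readable directory, including an empty one left behind by an interrupted copy, because `ls` exits 0 whenever it can read the directory. Test for the file that actually defines the skill instead, e.g. `[ -f ~/.claude/skills/<skill-name>/SKILL.md ]`, so a half-installed skill is reported as MISSING rather than INSTALLED.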
Validate skill-name before using in shell commands.
The <skill-name> placeholder will be substituted at runtime with a value derived from intent analysis. Without validation, a malicious or malformed skill name could enable path traversal or command injection.
🛡️ Recommended validation before shell execution
Before constructing the command, validate that skill-name:
- Contains only allowed characters (alphanumeric, hyphens, underscores)
- Does not contain path traversal sequences (`..`, `/`, `\`)
- Matches one of the known skill names from the mapping table
Example validation pattern:

```bash
# Ensure skill-name contains only safe characters
if [[ ! "$skill_name" =~ ^[a-zA-Z0-9_-]+$ ]]; then
  echo "Invalid skill name"
  exit 1
fi
```

Or restrict to the predefined set from the intent table (lines 17-35).
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@plugins/skill-auto-installer/skills/skill-auto-installer/SKILL.md` around
lines 41 - 42, The shell snippet using the placeholder <skill-name> in SKILL.md
must validate the runtime-substituted skill-name before embedding it in a shell
command to prevent path traversal and command injection; update the code that
constructs the command (the snippet using "ls ~/.claude/skills/<skill-name>/
...") to first ensure the skill-name matches a safe pattern (only alphanumeric,
hyphen, underscore), reject any values containing "/", "\" or "..", and/or
enforce that the value exists in the predefined intent-to-skill mapping (the
mapping table referenced around lines 17-35) before executing the ls check or
echo.
| ### Phase 3: 自动安装 | ||
|
|
||
| 如果技能缺失,从 marketplace 复制: | ||
|
|
||
| ```bash | ||
| # 搜索所有 marketplace 中的该技能 | ||
| find ~/.claude/plugins/marketplaces/ -maxdepth 3 -type d -name "<skill-name>" 2>/dev/null | ||
|
|
||
| # 如果找到,复制到 skills 目录 | ||
| cp -r <source-path> ~/.claude/skills/<skill-name> | ||
| ``` |
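Review bot: `find ~/.claude/plugins/marketplaces/ -maxdepth 3 -type d -name "<skill-name>"` matches any directory with that name up to three levels under marketplaces/, whether or not it is a skill, and the hunk never says how `<source-path>` on the `cp -r` line is chosen from what find prints. Require that a candidate contains a SKILL.md before it is eligible, and write down the selection rule (for example, stop when more than one candidate qualifies) so the installer cannot copy a lookalike directory into `~/.claude/skills/<skill-name>`.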
Add validation and safe copy practices.
The auto-installation phase has several safety concerns:
- Path traversal risk: `<skill-name>` is used in both `find` and `cp` without validation (same issue as Phase 2).
- Overwrite without confirmation: `cp -r` will silently overwrite existing skills.
- Multiple matches: if `find` returns multiple results, the workflow doesn't specify which to use.
🛡️ Recommended safety improvements

```bash
# 1. Validate skill-name (alphanumeric, hyphens, underscores only)
if [[ ! "$skill_name" =~ ^[a-zA-Z0-9_-]+$ ]]; then
  echo "Invalid skill name: $skill_name" >&2
  exit 1
fi

# 2. Search marketplace with validated name
#    (mapfile keeps each path as one element even if it contains spaces)
mapfile -t results < <(find ~/.claude/plugins/marketplaces/ -maxdepth 3 -type d -name "$skill_name" 2>/dev/null)

# 3. Handle multiple or zero results
if [ "${#results[@]}" -eq 0 ]; then
  echo "Skill not found in marketplace" >&2
  exit 1
elif [ "${#results[@]}" -gt 1 ]; then
  echo "Multiple versions found, using first: ${results[0]}" >&2
fi

# 4. Check if target already exists
target="$HOME/.claude/skills/$skill_name"
if [ -d "$target" ]; then
  echo "Skill already installed, skipping"
  exit 0
fi

# 5. Safe copy
cp -r "${results[0]}" "$target"
```

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@plugins/skill-auto-installer/skills/skill-auto-installer/SKILL.md` around
lines 45 - 55, The auto-install Phase 3 uses unvalidated <skill-name> and a
blind cp -r which risks path traversal, accidental overwrites, and ambiguous
source selection; update the logic in SKILL.md and any related scripts to
validate the skill name (e.g., allow only [A-Za-z0-9_-] in the skill_name
variable), use find to populate a results array, handle zero or multiple matches
(fail or choose explicitly and log which results[0] is used), detect an existing
target directory (target="$HOME/.claude/skills/$skill_name") and abort or prompt
instead of overwriting, and perform a safe copy from the chosen source to the
target rather than an unconditional cp -r.
| 1. **静默安装**: 不要在安装过程中询问用户"是否安装",直接安装。只在安装完成后告知用户安装了哪些技能。 | ||
| 2. **批量匹配**: 一个用户请求可能匹配多个技能(如"设计前端页面并导出PDF"),全部安装。 | ||
| 3. **优先 marketplace**: 始终从已克隆的 marketplace 复制,不尝试 `npx skills add`(那需要独立仓库)。 | ||
| 4. **安装后立即使用**: 技能安装完成后,必须调用该技能来完成用户的任务。 |
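Review bot: Rule 2 (batch matching) multiplies the exposure created by Rule 1: a single broadly worded request, such as the "design a frontend page and export a PDF" example in the rule itself, can pull several skills into ~/.claude/skills without any prompt, and Rule 4 then requires each of them to be invoked. At minimum, list every skill that is about to be installed before installing any of them, and treat that list as one approval decision rather than installing each match as it is found.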
Critical security risk: Silent installation with immediate execution.
Rules 1 and 4 create a dangerous workflow:
- Rule 1 installs skills silently without user confirmation
- Rule 4 immediately executes the newly installed skill
This combination enables arbitrary code execution if:
- A malicious skill exists in any cloned marketplace
- Intent keywords match the malicious skill
- The user makes a request containing those keywords
Attack scenario:
1. User clones a marketplace that includes a malicious `pdf` skill
2. User says "Generate a PDF report"
3. System auto-installs the malicious `pdf` skill silently
4. System immediately invokes the malicious skill with the user's request
5. Malicious code executes with the user's permissions
There is no integrity verification, no signature checking, no allow-list, and no user review opportunity.
🔒 Recommended security-first redesign
Option 1: Require explicit confirmation (safest)
3. **Confirmation required**: user approval must be obtained before installing; show the skill's source, author, and required permissions.
4. **Prompt to use after install**: after installation, suggest that the user invoke the skill, but do not execute it automatically.
Option 2: Trusted marketplace + allow-list
3. **Trusted marketplaces only**: install only from officially certified marketplaces, and maintain an allow-list of verified skills.
3a. **Signature verification**: verify that the skill's digital signature matches a known publisher.
4. **Sandboxed first run**: run a newly installed skill in a restricted environment the first time it is invoked.
Option 3: Dry-run mode
1. **Silent discovery**: analyze intent and look up matching skills, but do not install automatically.
2. **Recommend installation**: show the user a list of recommended skills with descriptions and sources.
3. **User selection**: the user chooses which skills to install.
4. **Available after install**: the skill is available, but the user decides when to invoke it.
The current "silent + auto-execute" design is fundamentally incompatible with user safety.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@plugins/skill-auto-installer/skills/skill-auto-installer/SKILL.md` around lines 63 - 66, The SKILL.md policy currently enables a critical security risk by combining "静默安装" (silent install, Rule 1) and "安装后立即使用" (use immediately after install, Rule 4): silently installing skills from the cloned marketplace and immediately executing them allows arbitrary code execution; change the workflow so that before any install triggered by the auto-installer you require explicit user confirmation showing skill name, source, author and requested permissions (replace Rule 1 with a confirmation requirement), do not auto-execute after install (replace Rule 4 to "提示用户调用" (prompt the user to invoke) only), and optionally enforce a trusted-marketplace/allow-list and signature verification for skills (add a mandatory verification step referenced in the SKILL.md policy) so installs from untrusted marketplaces are blocked or flagged for manual approval.
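One way to put the logging nitpick and the three actionable findings above into a single hardened install step, as an added example that is not code from the PR, the plugin, or the review: a skill name is accepted only if it matches `^[A-Za-z0-9_-]+$` and appears on an allow-list, the marketplace lookup counts only directories that contain a SKILL.md and refuses zero or ambiguous matches, an existing target is never overwritten, nothing is copied without an explicit `y` and nothing is invoked afterwards, and every outcome is written as one structured log line. The `CLAUDE_HOME`, `LOG_FILE` and `ALLOWED_SKILLS` variables, the `ASSUME_YES` switch used by non-interactive tests, the `plugins/marketplaces/<marketplace>/<skill>/SKILL.md` layout, and the names on the allow-list are assumptions made for the example, not anything the PR specifies.

```shell
#!/bin/sh
# Added example: a hardened replacement for the Phase 2/3 install commands.
# Assumed layout (not stated by the PR): $CLAUDE_HOME/plugins/marketplaces/<mkt>/<skill>/SKILL.md
# is a skill source and $CLAUDE_HOME/skills/<skill>/ is the install target.
# ALLOWED_SKILLS is a stand-in for the fixed names in SKILL.md's intent table.
CLAUDE_HOME="${CLAUDE_HOME:-$HOME/.claude}"
LOG_FILE="${LOG_FILE:-$CLAUDE_HOME/skill-auto-installer.log}"
ALLOWED_SKILLS="${ALLOWED_SKILLS:-pdf xlsx pptx docx frontend-design mcp-builder}"

# One structured, single-line entry per event; callers pass KEY=VALUE pairs.
log_event() {
  printf '[%s] %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" >> "$LOG_FILE"
}

# Map every byte outside [A-Za-z0-9_-] (newlines included) to "?" so text that
# came from the user or the intent analysis cannot forge or split log lines.
sanitize() { printf '%s' "$1" | LC_ALL=C tr -c 'A-Za-z0-9_-' '?'; }

# Accept a name only if it is syntactically safe AND on the allow-list.
# The class has no "/", "\" or ".", so ".." and path separators are rejected
# before the name reaches find, cp or any path under $CLAUDE_HOME/skills.
validate_skill_name() {
  local name="$1" allowed
  case "$name" in
    ''|*[!A-Za-z0-9_-]*) return 1 ;;
  esac
  for allowed in $ALLOWED_SKILLS; do
    [ "$allowed" = "$name" ] && return 0
  done
  return 1
}

# Print the one marketplace directory that provides the skill.
# Exit 1 when nothing qualifies, 2 when several do: the installer never guesses.
# Call only with a validated name; assumes marketplace paths contain no newlines.
find_skill_source() {
  local name="$1" skills n
  skills=$(find "$CLAUDE_HOME/plugins/marketplaces" -maxdepth 3 -type d -name "$name" 2>/dev/null \
           | sort | while IFS= read -r d; do [ -f "$d/SKILL.md" ] && printf '%s\n' "$d"; done)
  n=$(printf '%s\n' "$skills" | grep -c . || true)
  case "$n" in
    0) return 1 ;;
    1) printf '%s\n' "$skills" ;;
    *) printf 'ambiguous source for %s:\n%s\n' "$name" "$skills" >&2; return 2 ;;
  esac
}

# Show name and source and wait for an explicit "y". ASSUME_YES=1 exists for
# non-interactive tests only; the default always asks.
confirm_install() {
  local name="$1" src="$2" answer
  [ "${ASSUME_YES:-0}" = 1 ] && return 0
  printf 'Install skill "%s" from %s? [y/N] ' "$name" "$src" >&2
  read -r answer || return 1
  [ "$answer" = y ] || [ "$answer" = Y ]
}

# install_skill NAME TRIGGER
# Returns 0 installed, 1 bad name, 2 no unique source or copy failed,
# 3 already present, 4 declined. Never overwrites, never invokes the skill.
install_skill() {
  local name="$1" trigger safe_name target src tmp
  trigger=$(sanitize "${2:-}")
  safe_name=$(sanitize "$name")
  if ! validate_skill_name "$name"; then
    log_event "ACTION=install SKILL=$safe_name TRIGGER=$trigger STATUS=failure ERROR=invalid-name"
    return 1
  fi
  target="$CLAUDE_HOME/skills/$name"
  if [ -e "$target" ]; then
    log_event "ACTION=install SKILL=$name TRIGGER=$trigger STATUS=skipped ERROR=already-installed"
    return 3
  fi
  if ! src=$(find_skill_source "$name"); then
    log_event "ACTION=install SKILL=$name TRIGGER=$trigger STATUS=failure ERROR=no-unique-source"
    return 2
  fi
  if ! confirm_install "$name" "$src"; then
    log_event "ACTION=install SKILL=$name TRIGGER=$trigger SOURCE=$src STATUS=failure ERROR=declined"
    return 4
  fi
  mkdir -p "$CLAUDE_HOME/skills" || return 2
  # Copy into a hidden temp dir, then rename: a partial copy never shows up as installed.
  tmp=$(mktemp -d "$CLAUDE_HOME/skills/.$name.XXXXXX") || return 2
  if cp -R -- "$src/." "$tmp/" && mv -- "$tmp" "$target"; then
    log_event "ACTION=install SKILL=$name TRIGGER=$trigger SOURCE=$src STATUS=success INVOKED=no"
  else
    rm -rf -- "$tmp"
    log_event "ACTION=install SKILL=$name TRIGGER=$trigger SOURCE=$src STATUS=failure ERROR=copy"
    return 2
  fi
}
```

Source the file and call `install_skill <name> <trigger-keyword>`; the exit code separates a rejected name (1) from a lookup or copy failure (2), an already-installed skill (3) and a declined prompt (4), so the calling workflow can report the right thing without re-parsing output. Sanitizing before logging is not cosmetic: the trigger keyword is derived from the user's request, and without it a request containing a newline could append a forged `STATUS=success` line to the very log the review wants to use for audit.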
| | [claude-channel-whatsapp](https://github.com/riasistemas/claude-channel-whatsapp) | Official WhatsApp Business Cloud API bridge for Claude Code -- webhooks, OGG Opus audio, allowlist + permission relay scrubbing secrets. NOT Baileys/scraping -- uses Meta's official API with WABA tokens. Apache-2.0, by RIA Systems (verified Meta Tech Provider). Landing: [claude-plugins.riasistemas.com.br/whatsapp](https://claude-plugins.riasistemas.com.br/whatsapp). Install: `/plugin marketplace add riasistemas/claude-plugins` then `/plugin install whatsapp@riasistemas` | | ||
| | [axme-code](https://github.com/AxmeAI/axme-code) | Persistent project memory across sessions, architectural decisions with enforce levels, and pre-execution safety hooks that block dangerous commands at the harness level (not via prompts). Local-only storage, multi-repo workspace support, automatic knowledge extraction via background auditor. 100% on ToolEmu safety, 89% on LongMemEval at ~10x fewer tokens than competitors. | | ||
| | [logic-lens](https://github.com/hyhmrright/logic-lens) | Logic-first code review plugin for Claude Code — detects behavioral bugs via semi-formal execution tracing. Finds logic errors linters and type checkers miss. Structured findings: Premises → Trace → Divergence → Remedy with L1–L6 risk codes. Six skills: logic-review, logic-explain, logic-diff, logic-locate, logic-health, logic-fix-all. | | ||
| | [skill-auto-installer](plugins/skill-auto-installer/) | Natural language intent analysis → skill recommendation → auto-install. Dual-layer matching (Hook regex pre-scan ~ms + Skill semantic analysis ~s). Supports 17 intent domains (PDF, Excel, PPT, Word, frontend design, MCP builder, Claude API, etc.). Zero config. | |
Verify "Dual-layer matching" claim against SKILL.md.
The README description mentions:
"Dual-layer matching (Hook regex pre-scan ~ms + Skill semantic analysis ~s)"
However, the SKILL.md specification (file 1) only documents a single-layer intent analysis process:
- Phase 1 (lines 13-36): Intent analysis using a keyword mapping table
- No mention of "Hook regex pre-scan" or two-layer architecture
- No performance benchmarks (~ms, ~s) provided
Possible explanations:
- The dual-layer architecture exists in the implementation but wasn't documented in SKILL.md
- This is a planned feature not yet implemented
- The description is inaccurate
🔍 Recommended verification
Option 1: Document the dual-layer architecture in SKILL.md

### Dual-Layer Architecture
1. **Hook Pre-Scan** (~ms): Fast regex-based keyword detection
2. **Semantic Analysis** (~s): Deep intent analysis using the mapping table

Option 2: Simplify the README description to match current spec

| [skill-auto-installer](plugins/skill-auto-installer/) | Natural language intent analysis → skill recommendation → auto-install. Supports 17 intent domains (PDF, Excel, PPT, Word, frontend design, MCP builder, Claude API, etc.). Silent installation, batch matching, zero config. |

Option 3: Verify the implementation actually uses dual-layer matching

```bash
#!/bin/bash
# Search for hook regex pre-scan implementation
rg -i "hook.*regex|pre.*scan|dual.*layer" plugins/skill-auto-installer/
```

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@README.md` at line 322, The README's "Dual-layer matching (Hook regex
pre-scan ~ms + Skill semantic analysis ~s)" claim is inconsistent with SKILL.md
which only documents a single Phase 1 keyword mapping intent analysis; either
update SKILL.md to describe the hook pre-scan and timing (e.g., add a
"Dual-Layer Architecture" section specifying the Hook pre-scan regex step and
the semantic analysis step and their ~ms/~s expectations), or remove/simplify
the dual-layer phrase from README.md (the table row for
plugins/skill-auto-installer) to match the implemented behavior; locate
references to the hook/pre-scan in the plugin code under
plugins/skill-auto-installer/ (search for "hook", "pre-scan", "regex",
"dual-layer") to confirm which fix is appropriate before changing SKILL.md or
README.md.
Summary
Add skill-auto-installer, a meta-skill for Claude Code that automatically discovers, installs, and invokes skills based on natural language intent.
What it does
User says: "Generate a PDF report from this data"
→ Intent analysis detects "PDF" → pdf skill auto-installed → report generated. Zero manual steps.
Architecture
Links
Summary by CodeRabbit
- `skill-auto-installer` plugin, enabling natural-language intent analysis with dual-layer matching and automatic installation support for enhanced skill discovery and setup.