port: skill curation updates from ECC #67
Ports the safe, narrow skill curation work from ECC's PR #1723 (SHA d8f879e) plus three smaller drift-related changes (105b524, 2bb88cf, e5229ce). All harness-agnostic content; no source/script behavior changes.

skills/agent-payment-x402/SKILL.md (e5229ce)
Frontmatter description, opening line softened (autonomous -> policy-gated). New "Decision Tree" and "Supported Networks" sections cover both agentwallet-sdk on Base and OKX Agent Payments Protocol on X Layer. MCP integration split into Option A (agentwallet) / Option B (OKX), with seller-side SDK guide URLs. Sources expanded with OKX Payments / Agent Payments Protocol references.

skills/backend-patterns/SKILL.md (d8f879e)
Replace the unsafe in-memory rate limiter example with a short paragraph directing readers to a shared store (Redis, gateway, platform native). The original example demonstrated a pattern that fails open in serverless/multi-replica deployments.

skills/deep-research/SKILL.md (d8f879e)
skills/exa-search/SKILL.md (d8f879e)
skills/fal-ai-media/SKILL.md (d8f879e)
skills/x-api/SKILL.md (d8f879e)
Add drift-prone-skill warning blockquote at the top of each. These skills wrap external services whose tool names, quotas, and result shapes change quickly.

skills/search-first/SKILL.md (d8f879e, Gemini-adapted)
Add Step 0 "Tool Availability Preflight" to the workflow diagram + a checklist table for repo search, package registry, GitHub CLI, MCP/docs tools, and ~/.gemini/skills. Update HTTP client recommendation (ky/got -> ky/undici). Add a "Silent skipping" anti-pattern. Add a note that the subagent dispatch tool name depends on the active harness — adapted from ECC's Task -> Agent rename, which doesn't translate 1:1 to Gemini.

skills/security-review/SKILL.md (d8f879e)
Tighten the CSP example: remove 'unsafe-inline' and 'unsafe-eval' defaults, add base-uri/object-src/frame-ancestors directives. Prepended advisory paragraph framing those flags as temporary compatibility debt with a documented removal plan.

skills/strategic-compact/SKILL.md (105b524 ported, 2bb88cf n/a)
Fix the broken hook command path in the Setup example: the config pointed at "~/.gemini/skills/strategic-compact/suggest-compact.sh" which does not exist; the actual hook ships at scripts/hooks/suggest-compact.js and installs to ~/.gemini/scripts/hooks/suggest-compact.js. Also fix the prose reference from .sh to .js. The multilingual mirror commit (2bb88cf) does not apply — EGC does not maintain per-language SKILL.md mirrors under skills/.

Two ECC commits in this batch did not port:
- fd95cf6 (observer-loop.sh signal retry): EGC's continuous-learning-v2 has a different observer architecture (no long-lived Claude child PID), so the SIGUSR1 wait-interrupt bug it fixes does not apply.
- 12e1bc4 (continuous-learning storage migration): the bulk of the commit moves user data from ~/.claude/homunculus/ to an XDG-compliant path because of Claude Code's sensitive-path guard. EGC has no such guard and existing EGC users live at ~/.gemini/homunculus/, so the migration creates risk without benefit. Better as a dedicated PR.

Lint clean. 264/264 tests pass. Doc-only.
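The failure mode cited for the backend-patterns change, as an added illustration (not code from this PR, from ECC, or from the skill itself): a fixed-window limiter whose counters live in process memory is enforced per instance, so the effective limit grows with the replica count and disappears when every request gets a fresh instance. All names are hypothetical, and the shared Map only stands in for Redis or a gateway counter.

```javascript
// Added illustration; makeLimiter, simulate and simulateColdStarts are hypothetical names.
// Fixed-window limiter over any Map-like counter store.
function makeLimiter(store, limit, windowMs) {
  return function allow(clientId, nowMs) {
    const windowStart = Math.floor(nowMs / windowMs) * windowMs;
    const key = `${clientId}:${windowStart}`;
    // A real shared store would do this as one atomic increment with an
    // expiry (e.g. Redis INCR + EXPIRE), not a separate get and set.
    const count = (store.get(key) || 0) + 1;
    store.set(key, count);
    return count <= limit;
  };
}

// Spread `requests` calls from one client round-robin over `replicas` instances.
// sharedStore=false: each replica owns its Map (the in-memory pattern).
// sharedStore=true: every replica counts in the same store.
function simulate({ replicas, requests, limit, sharedStore }) {
  const windowMs = 60_000;
  const shared = new Map();
  const limiters = Array.from({ length: replicas }, () =>
    makeLimiter(sharedStore ? shared : new Map(), limit, windowMs));
  let allowed = 0;
  for (let i = 0; i < requests; i++) {
    // Constructed timestamps: all requests fall in the same 60 s window.
    if (limiters[i % replicas]("client-a", 1_000 + i)) allowed++;
  }
  return allowed;
}

// Serverless worst case: a new instance, and so a new empty Map, per request.
function simulateColdStarts({ requests, limit }) {
  let allowed = 0;
  for (let i = 0; i < requests; i++) {
    const allow = makeLimiter(new Map(), limit, 60_000);
    if (allow("client-a", 1_000 + i)) allowed++;
  }
  return allowed;
}

const cfg = { replicas: 4, requests: 100, limit: 10 };
console.log("per-replica maps:", simulate({ ...cfg, sharedStore: false }));
console.log("shared store:    ", simulate({ ...cfg, sharedStore: true }));
console.log("cold starts:     ", simulateColdStarts({ requests: 100, limit: 10 }));
```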
No actionable comments were generated in the recent review. 🎉
ℹ️ Recent review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: ASSERTIVE
Plan: Pro
📒 Files selected for processing (2)
Walkthrough
Nine skill docs updated: added drift warnings, expanded agent-payment x402 integration guidance, replaced unsafe in-memory rate-limiter example, tightened CSP example, enhanced search-first preflight checks, and migrated a shell hook to a JavaScript hook.
Changes
Skill Documentation Updates
Estimated code review effort: 🎯 2 (Simple) | ⏱️ ~12 minutes
🚥 Pre-merge checks: ✅ 5 passed
Actionable comments posted: 1
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
skills/backend-patterns/SKILL.md (1)
1-10: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win
Missing required "When to Use" or "Ideal For" section.
The file jumps directly to "API Design Patterns" without establishing when this skill should be applied. As per coding guidelines, skill documentation must include a "When to Use" or "Ideal For" section in the document body (not the frontmatter) with specific, actionable trigger conditions.
📋 Suggested addition after line 8
# Backend Development Patterns Backend architecture patterns and best practices for scalable server-side applications. + +## When to Use + +- Building or refactoring API endpoints +- Implementing database queries and transactions +- Adding caching layers for performance +- Setting up authentication and authorization +- Implementing rate limiting or background jobs +- Structuring service layers and repositories +- Choosing error handling patterns🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@skills/backend-patterns/SKILL.md` around lines 1 - 10, Add a "When to Use" (or "Ideal For") section in the document body just after the frontmatter and before the "API Design Patterns" heading; this section should list concrete trigger conditions (e.g., team size > X, microservices architecture, high read/write load, need for low-latency APIs, schema evolution frequency) and short, actionable guidance on when to choose backend-patterns. Locate the insertion point by finding the "API Design Patterns" header in SKILL.md and add the new heading and 3–6 bullet-style trigger conditions describing specific scenarios where this skill applies.
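Review bot: The bullets in the suggested "When to Use" addition for skills/backend-patterns/SKILL.md name broad activities ("Building or refactoring API endpoints", "Adding caching layers for performance") rather than the specific, actionable trigger conditions the cited guideline asks for, and they do not match the examples given in the accompanying prompt (team size, microservices architecture, read/write load). Settle on one set of triggers, and word the "Implementing rate limiting or background jobs" bullet so it stays consistent with this PR's replacement of the in-memory limiter example by shared-store guidance.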
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@skills/agent-payment-x402/SKILL.md`:
- Around line 86-87: In skills/agent-payment-x402/SKILL.md the Option B
references two non-existent skill files
(skills/okx-agent-payments-protocol/SKILL.md and
skills/okx-x402-payment/SKILL.md); fix by either creating those two SKILL.md
files with the dispatcher and compatibility-alias contents respectively
(matching the dispatcher described in Option B) or update the references in
skills/agent-payment-x402/SKILL.md to point to the actual existing skill files
in the repo; ensure the dispatcher name and the deprecated-alias semantics in
the text match the created filenames so readers can follow the guidance.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: ASSERTIVE
Plan: Pro
Run ID: 06020650-8257-4e5e-9488-dc00940dfaf8
📒 Files selected for processing (9)
skills/agent-payment-x402/SKILL.md
skills/backend-patterns/SKILL.md
skills/deep-research/SKILL.md
skills/exa-search/SKILL.md
skills/fal-ai-media/SKILL.md
skills/search-first/SKILL.md
skills/security-review/SKILL.md
skills/strategic-compact/SKILL.md
skills/x-api/SKILL.md
1 issue found across 9 files
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="skills/search-first/SKILL.md">
<violation number="1" location="skills/search-first/SKILL.md:120">
P3: The updated Node HTTP client recommendation conflicts with the unchanged Example 2 (`got`), leaving inconsistent guidance in the same skill.</violation>
</file>
P0 — external skill paths in x402 SKILL (CodeRabbit, line 87):
Option B referenced "skills/okx-agent-payments-protocol/SKILL.md" and "skills/okx-x402-payment/SKILL.md" as plain paths. A reader could reasonably interpret those as files inside this repo — they are not, and CodeRabbit's scanner failed to find them. These skills live in the external okx/onchainos-skills repository. Rewrote the bullets to (a) state explicitly that the skills live in that external repo, (b) link each name to its canonical location on github.com/okx/onchainos-skills.

P3 — internal consistency in search-first (cubic, line 120):
Updated the Data & APIs HTTP-client recommendation from ky/got -> ky/undici in the previous commit, but Example 2 in the same skill still said "Found: got (Node) with retry plugin ... ADOPT — use got/httpx". Realigned Example 2 to use undici with its retry interceptor so the skill no longer recommends two different libraries on the same page.

Lint clean. 264/264 tests pass.
Summary
First port PR from the 2026-05-12 upstream sync round (audit log: `upstream/sync-rounds/2026-05-12.md`).
Ports the safe, narrow skill curation work from ECC's PR #1723 plus three smaller drift-related changes from neighbouring commits. All harness-agnostic content; no source / hook / script behavior changes.
Files changed (9)
ECC commits in scope that did not port
/.claude/homunculus/` because of Claude Code's sensitive-path guard. EGC has no such guard, existing users live at `/.gemini/homunculus/`, so the migration creates risk without benefit. Better as a dedicated PR if revisited.
These skips are also recorded in the audit log so the precedent is auditable.
Test plan
Summary by cubic
Ports curated updates to several skills to improve safety, clarity, and payment integration options. No changes to sources, hooks, or script behavior.
New Features
- agent-payment-x402: Added decision tree and network guidance. Supports Base via `agentwallet-sdk` and X Layer via OKX Agent Payments Protocol. Linked seller SDK guides and clarified that OKX skills live in the external `okx/onchainos-skills` repo (with `okx-x402-payment` noted as deprecated). Language softened to policy-gated.
- search-first: Added Step 0 tool-availability preflight. Updated HTTP client tip from `ky`/`got` to `ky`/`undici` and aligned Example 2 to use `undici`. Noted harness-specific subagent names. Added “silent skipping” anti-pattern.
- backend-patterns: Replaced unsafe in-memory rate limiter example with guidance to use shared stores (Redis/gateway/platform).
- security-review: Tightened CSP example (no `'unsafe-inline'`/`'unsafe-eval'`; added `base-uri`, `object-src`, `frame-ancestors`).
- deep-research, exa-search, fal-ai-media, x-api: Added “drift-prone skill” warnings to check current tool names, limits, and result shapes.
Bug Fixes
- strategic-compact: Fixed setup example to use `node ~/.gemini/scripts/hooks/suggest-compact.js` and corrected `.sh` → `.js` reference.
Written for commit 337977f. Summary will update on new commits.
Summary by CodeRabbit