diff --git a/.prettierignore b/.prettierignore
index 120f04c358..e8f035ad74 100644
--- a/.prettierignore
+++ b/.prettierignore
@@ -20,3 +20,4 @@ junit.xml
 .gemini-linters/
 Thumbs.db
 .pytest_cache
+**/SKILL.md
diff --git a/eslint.config.js b/eslint.config.js
index 0f20eeab42..3dcb7d8903 100644
--- a/eslint.config.js
+++ b/eslint.config.js
@@ -37,6 +37,7 @@ export default tseslint.config(
 'dist/**',
 'evals/**',
 'packages/test-utils/**',
+ 'packages/core/src/skills/builtin/skill-creator/scripts/*.cjs',
 ],
 },
 eslint.configs.recommended,
diff --git a/integration-tests/skill-creator-scripts.test.ts b/integration-tests/skill-creator-scripts.test.ts
new file mode 100644
index 0000000000..fe58ed9d90
--- /dev/null
+++ b/integration-tests/skill-creator-scripts.test.ts
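Review bot: Adding the skill-creator `scripts/*.cjs` glob to the `ignores` list in eslint.config.js removes all lint coverage from exactly the scripts whose injection and path-traversal handling the new integration tests are meant to pin down. A flat-config override scoped with `files: ['packages/core/src/skills/builtin/skill-creator/scripts/*.cjs']` plus CommonJS/Node language options would keep them linted without applying the TypeScript type-aware rules to plain .cjs files. If the exclusion is deliberate, a one-line comment above the glob stating why would spare the next reader the question.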
@@ -0,0 +1,97 @@
+/**
+ * @license
+ * Copyright 2026 Google LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+import { describe, it, expect, beforeEach, afterEach } from 'vitest';
+import { TestRig } from './test-helper.js';
+import * as fs from 'node:fs';
+import * as path from 'node:path';
+import { execSync } from 'node:child_process';
+
+describe('skill-creator scripts e2e', () => {
+ let rig: TestRig;
+ const initScript = path.resolve(
+ 'packages/core/src/skills/builtin/skill-creator/scripts/init_skill.cjs',
+ );
+ const validateScript = path.resolve(
+ 'packages/core/src/skills/builtin/skill-creator/scripts/validate_skill.cjs',
+ );
+ const packageScript = path.resolve(
+ 'packages/core/src/skills/builtin/skill-creator/scripts/package_skill.cjs',
+ );
+
+ beforeEach(() => {
+ rig = new TestRig();
+ });
+
+ afterEach(async () => {
+ await rig.cleanup();
+ });
+
+ it('should initialize, validate, and package a skill', async () => {
+ await rig.setup('skill-creator scripts e2e');
+ const skillName = 'e2e-test-skill';
+ const tempDir = rig.testDir!;
+
+ // 1. Initialize
+ execSync(`node "${initScript}" ${skillName} --path "${tempDir}"`, {
+ stdio: 'inherit',
+ });
+ const skillDir = path.join(tempDir, skillName);
+
+ expect(fs.existsSync(skillDir)).toBe(true);
+ expect(fs.existsSync(path.join(skillDir, 'SKILL.md'))).toBe(true);
+ expect(
+ fs.existsSync(path.join(skillDir, 'scripts/example_script.cjs')),
+ ).toBe(true);
+
+ // 2. Validate (should have warning initially due to TODOs)
+ const validateOutputInitial = execSync(
+ `node "${validateScript}" "${skillDir}" 2>&1`,
+ { encoding: 'utf8' },
+ );
+ expect(validateOutputInitial).toContain('⚠️ Found unresolved TODO');
+
+ // 3. Package (should fail due to TODOs)
+ try {
+ execSync(`node "${packageScript}" "${skillDir}" "${tempDir}"`, {
+ stdio: 'pipe',
+ });
+ throw new Error('Packaging should have failed due to TODOs');
+ } catch (err: unknown) {
+ expect((err as Error).message).toContain('Command failed');
+ }
+
+ // 4. Fix SKILL.md (remove TODOs)
+ let content = fs.readFileSync(path.join(skillDir, 'SKILL.md'), 'utf8');
+ content = content.replace(/TODO: .+/g, 'Fixed');
+ content = content.replace(/\[TODO: .+/g, 'Fixed');
+ fs.writeFileSync(path.join(skillDir, 'SKILL.md'), content);
+
+ // Also remove TODOs from example scripts
+ const exampleScriptPath = path.join(skillDir, 'scripts/example_script.cjs');
+ let scriptContent = fs.readFileSync(exampleScriptPath, 'utf8');
+ scriptContent = scriptContent.replace(/TODO: .+/g, 'Fixed');
+ fs.writeFileSync(exampleScriptPath, scriptContent);
+
+ // 4. Validate again (should pass now)
+ const validateOutput = execSync(`node "${validateScript}" "${skillDir}"`, {
+ encoding: 'utf8',
+ });
+ expect(validateOutput).toContain('Skill is valid!');
+
+ // 5. Package
+ execSync(`node "${packageScript}" "${skillDir}" "${tempDir}"`, {
+ stdio: 'inherit',
+ });
+ const skillFile = path.join(tempDir, `${skillName}.skill`);
+ expect(fs.existsSync(skillFile)).toBe(true);
+
+ // 6. Verify zip content (should NOT have nested directory)
+ const zipList = execSync(`unzip -l "${skillFile}"`, { encoding: 'utf8' });
+ expect(zipList).toContain('SKILL.md');
+ expect(zipList).not.toContain(`${skillName}/SKILL.md`);
+ });
+});
diff --git a/integration-tests/skill-creator-vulnerabilities.test.ts b/integration-tests/skill-creator-vulnerabilities.test.ts
new file mode 100644
index 0000000000..b94273e57f
--- /dev/null
+++ b/integration-tests/skill-creator-vulnerabilities.test.ts
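Review bot: The final check in step 6 shells out to `unzip -l`, so the test depends on an `unzip` binary being on PATH and fails for an unrelated reason on runners without it; the `2>&1` in step 2 likewise assumes a POSIX shell. Listing the archive through a zip-reading dependency the repo already has, if one exists, or skipping the listing when `unzip` is absent, would keep a failure tied to the package script itself. The step 3 try/throw/catch only fails the test because the sentinel error's message happens not to contain 'Command failed', which is easy to misread; `expect(() => execSync(\`node "${packageScript}" "${skillDir}" "${tempDir}"\`, { stdio: 'pipe' })).toThrow(/Command failed/);` states the intent directly. The two steps both labelled `// 4.` should be renumbered.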
@@ -0,0 +1,111 @@
+/**
+ * @license
+ * Copyright 2026 Google LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+import { describe, it, expect, beforeEach, afterEach } from 'vitest';
+import { TestRig } from './test-helper.js';
+import * as fs from 'node:fs';
+import * as path from 'node:path';
+import { execSync, spawnSync } from 'node:child_process';
+
+describe('skill-creator scripts security and bug fixes', () => {
+ let rig: TestRig;
+ const initScript = path.resolve(
+ 'packages/core/src/skills/builtin/skill-creator/scripts/init_skill.cjs',
+ );
+ const validateScript = path.resolve(
+ 'packages/core/src/skills/builtin/skill-creator/scripts/validate_skill.cjs',
+ );
+ const packageScript = path.resolve(
+ 'packages/core/src/skills/builtin/skill-creator/scripts/package_skill.cjs',
+ );
+
+ beforeEach(() => {
+ rig = new TestRig();
+ });
+
+ afterEach(async () => {
+ await rig.cleanup();
+ });
+
+ it('should prevent command injection in package_skill.cjs', async () => {
+ await rig.setup('skill-creator command injection');
+ const tempDir = rig.testDir!;
+
+ // Create a dummy skill
+ const skillName = 'injection-test';
+ execSync(`node "${initScript}" ${skillName} --path "${tempDir}"`);
+ const skillDir = path.join(tempDir, skillName);
+
+ // Malicious output filename with command injection
+ const maliciousFilename = '"; touch injection_success; #';
+
+ // Attempt to package with malicious filename
+ // We expect this to fail or at least NOT create the 'injection_success' file
+ spawnSync('node', [packageScript, skillDir, tempDir, maliciousFilename], {
+ cwd: tempDir,
+ });
+
+ const injectionFile = path.join(tempDir, 'injection_success');
+ expect(fs.existsSync(injectionFile)).toBe(false);
+ });
+
+ it('should prevent path traversal in init_skill.cjs', async () => {
+ await rig.setup('skill-creator init path traversal');
+ const tempDir = rig.testDir!;
+
+ const maliciousName = '../traversal-success';
+
+ const result = spawnSync(
+ 'node',
+ [initScript, maliciousName, '--path', tempDir],
+ {
+ encoding: 'utf8',
+ },
+ );
+
+ expect(result.stderr).toContain(
+ 'Error: Skill name cannot contain path separators',
+ );
+ const traversalDir = path.join(path.dirname(tempDir), 'traversal-success');
+ expect(fs.existsSync(traversalDir)).toBe(false);
+ });
+
+ it('should prevent path traversal in validate_skill.cjs', async () => {
+ await rig.setup('skill-creator validate path traversal');
+
+ const maliciousPath = '../../../../etc/passwd';
+ const result = spawnSync('node', [validateScript, maliciousPath], {
+ encoding: 'utf8',
+ });
+
+ expect(result.stderr).toContain('Error: Path traversal detected');
+ });
+
+ it('should not crash on empty description in validate_skill.cjs', async () => {
+ await rig.setup('skill-creator regex crash');
+ const tempDir = rig.testDir!;
+ const skillName = 'empty-desc-skill';
+
+ execSync(`node "${initScript}" ${skillName} --path "${tempDir}"`);
+ const skillDir = path.join(tempDir, skillName);
+ const skillMd = path.join(skillDir, 'SKILL.md');
+
+ // Set an empty quoted description
+ let content = fs.readFileSync(skillMd, 'utf8');
+ content = content.replace(/^description: .+$/m, 'description: ""');
+ fs.writeFileSync(skillMd, content);
+
+ const result = spawnSync('node', [validateScript, skillDir], {
+ encoding: 'utf8',
+ });
+
+ // It might still fail validation (e.g. TODOs), but it should NOT crash with a stack trace
+ expect(result.status).not.toBe(null);
+ expect(result.stderr).not.toContain(
+ "TypeError: Cannot read properties of undefined (reading 'trim')",
+ );
+ });
+});
diff --git a/packages/core/src/skills/builtin/skill-creator/SKILL.md b/packages/core/src/skills/builtin/skill-creator/SKILL.md
new file mode 100644
index 0000000000..57996a25cd
--- /dev/null
+++ b/packages/core/src/skills/builtin/skill-creator/SKILL.md
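Review bot: The command-injection case can pass without ever exercising the code path it is meant to guard: the `spawnSync` result is discarded, and per the sibling e2e test a freshly initialized skill still contains TODOs, so `package_skill.cjs` is likely to reject it during validation before the output filename reaches any shell command. Clearing the TODOs first, as skill-creator-scripts.test.ts does, and asserting on the captured result makes the test fail for the right reason and also catches a missing script or wrong path. The other cases share this shape to a lesser degree — `expect(result.status).not.toBe(null)` in the empty-description case only rules out a signal kill — so asserting a specific exit status there would tighten them too.
```typescript
    const skillDir = path.join(tempDir, skillName);
    // Clear template TODOs so packaging gets past validation and actually
    // uses the output filename (a fresh skill otherwise fails validation first).
    for (const file of [
      path.join(skillDir, 'SKILL.md'),
      path.join(skillDir, 'scripts/example_script.cjs'),
    ]) {
      const text = fs.readFileSync(file, 'utf8').replace(/\[?TODO: .+/g, 'Fixed');
      fs.writeFileSync(file, text);
    }
    // … unchanged: maliciousFilename …
    const result = spawnSync(
      'node',
      [packageScript, skillDir, tempDir, maliciousFilename],
      { cwd: tempDir, encoding: 'utf8' },
    );
    // The script must actually have run; a spawn failure would otherwise pass vacuously.
    expect(result.error).toBeUndefined();
    // … unchanged: injection_success assertion …
```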
@@ -0,0 +1,382 @@ +--- +name: skill-creator +description: Guide for creating effective skills. This skill should be used when users want to create a new skill (or update an existing skill) that extends Gemini CLI's capabilities with specialized knowledge, workflows, or tool integrations. +--- + +# Skill Creator + +This skill provides guidance for creating effective skills. + +## About Skills + +Skills are modular, self-contained packages that extend Gemini CLI's capabilities by providing specialized knowledge, workflows, and tools. Think of them as "onboarding guides" for specific domains or tasks—they transform Gemini CLI from a general-purpose agent into a specialized agent equipped with procedural knowledge that no model can fully possess. + +### What Skills Provide + +1. Specialized workflows - Multi-step procedures for specific domains +2. Tool integrations - Instructions for working with specific file formats or APIs +3. Domain expertise - Company-specific knowledge, schemas, business logic +4. Bundled resources - Scripts, references, and assets for complex and repetitive tasks + +## Core Principles + +### Concise is Key + +The context window is a public good. Skills share the context window with everything else Gemini CLI needs: system prompt, conversation history, other Skills' metadata, and the actual user request. + +**Default assumption: Gemini CLI is already very smart.** Only add context Gemini CLI doesn't already have. Challenge each piece of information: "Does Gemini CLI really need this explanation?" and "Does this paragraph justify its token cost?" + +Prefer concise examples over verbose explanations. + +### Set Appropriate Degrees of Freedom + +Match the level of specificity to the task's fragility and variability: + +**High freedom (text-based instructions)**: Use when multiple approaches are valid, decisions depend on context, or heuristics guide the approach. 
+ +**Medium freedom (pseudocode or scripts with parameters)**: Use when a preferred pattern exists, some variation is acceptable, or configuration affects behavior. + +**Low freedom (specific scripts, few parameters)**: Use when operations are fragile and error-prone, consistency is critical, or a specific sequence must be followed. + +Think of Gemini CLI as exploring a path: a narrow bridge with cliffs needs specific guardrails (low freedom), while an open field allows many routes (high freedom). + +### Anatomy of a Skill + +Every skill consists of a required SKILL.md file and optional bundled resources: + +``` +skill-name/ +├── SKILL.md (required) +│ ├── YAML frontmatter metadata (required) +│ │ ├── name: (required) +│ │ └── description: (required) +│ └── Markdown instructions (required) +└── Bundled Resources (optional) + ├── scripts/ - Executable code (Node.js/Python/Bash/etc.) + ├── references/ - Documentation intended to be loaded into context as needed + └── assets/ - Files used in output (templates, icons, fonts, etc.) +``` + +#### SKILL.md (required) + +Every SKILL.md consists of: + +- **Frontmatter** (YAML): Contains `name` and `description` fields. These are the only fields that Gemini CLI reads to determine when the skill gets used, thus it is very important to be clear and comprehensive in describing what the skill is, and when it should be used. +- **Body** (Markdown): Instructions and guidance for using the skill. Only loaded AFTER the skill triggers (if at all). + +#### Bundled Resources (optional) + +##### Scripts (`scripts/`) + +Executable code (Node.js/Python/Bash/etc.) for tasks that require deterministic reliability or are repeatedly rewritten. 
+ +- **When to include**: When the same code is being rewritten repeatedly or deterministic reliability is needed +- **Example**: `scripts/rotate_pdf.cjs` for PDF rotation tasks +- **Benefits**: Token efficient, deterministic, may be executed without loading into context +- **Agentic Ergonomics**: Scripts must output LLM-friendly stdout. Suppress standard tracebacks. Output clear, concise success/failure messages, and paginate or truncate outputs (e.g., "Success: First 50 lines of processed file...") to prevent context window overflow. +- **Note**: Scripts may still need to be read by Gemini CLI for patching or environment-specific adjustments + +##### References (`references/`) + +Documentation and reference material intended to be loaded as needed into context to inform Gemini CLI's process and thinking. + +- **When to include**: For documentation that Gemini CLI should reference while working +- **Examples**: `references/finance.md` for financial schemas, `references/mnda.md` for company NDA template, `references/policies.md` for company policies, `references/api_docs.md` for API specifications +- **Use cases**: Database schemas, API documentation, domain knowledge, company policies, detailed workflow guides +- **Benefits**: Keeps SKILL.md lean, loaded only when Gemini CLI determines it's needed +- **Best practice**: If files are large (>10k words), include grep search patterns in SKILL.md +- **Avoid duplication**: Information should live in either SKILL.md or + references files, not both. Prefer references files for detailed information unless it's truly core to the skill—this keeps SKILL.md lean while making information discoverable without hogging the context window. Keep only essential procedural instructions and workflow guidance in SKILL.md; move detailed reference material, schemas, and examples to references files. + +##### Assets (`assets/`) + +Files not intended to be loaded into context, but rather used within the output Gemini CLI produces. 
+ +- **When to include**: When the skill needs files that will be used in the final output +- **Examples**: `assets/logo.png` for brand assets, `assets/slides.pptx` for PowerPoint templates, `assets/frontend-template/` for HTML/React boilerplate, `assets/font.ttf` for typography +- **Use cases**: Templates, images, icons, boilerplate code, fonts, sample documents that get copied or modified +- **Benefits**: Separates output resources from documentation, enables Gemini CLI to use files without loading them into context + +#### What to Not Include in a Skill + +A skill should only contain essential files that directly support its functionality. Do NOT create extraneous documentation or auxiliary files, including: + +- README.md +- INSTALLATION_GUIDE.md +- QUICK_REFERENCE.md +- CHANGELOG.md +- etc. + +The skill should only contain the information needed for an AI agent to do the job at hand. It should not contain auxiliary context about the process that went into creating it, setup and testing procedures, user-facing documentation, etc. Creating additional documentation files just adds clutter and confusion. + +### Progressive Disclosure Design Principle + +Skills use a three-level loading system to manage context efficiently: + +1. **Metadata (name + description)** - Always in context (~100 words) +2. **SKILL.md body** - When skill triggers (<5k words) +3. **Bundled resources** - As needed by Gemini CLI (Unlimited because scripts can be executed without reading into context window) + +#### Progressive Disclosure Patterns + +Keep SKILL.md body to the essentials and under 500 lines to minimize context bloat. Split content into separate files when approaching this limit. When splitting out content into other files, it is very important to reference them from SKILL.md and describe clearly when to read them, to ensure the reader of the skill knows they exist and when to use them. 
+ +**Key principle:** When a skill supports multiple variations, frameworks, or options, keep only the core workflow and selection guidance in SKILL.md. Move variant-specific details (patterns, examples, configuration) into separate reference files. + +**Pattern 1: High-level guide with references** + +```markdown +# PDF Processing + +## Quick start + +Extract text with pdfplumber: [code example] + +## Advanced features + +- **Form filling**: See [FORMS.md](FORMS.md) for complete guide +- **API reference**: See [REFERENCE.md](REFERENCE.md) for all methods +- **Examples**: See [EXAMPLES.md](EXAMPLES.md) for common patterns +``` + +Gemini CLI loads FORMS.md, REFERENCE.md, or EXAMPLES.md only when needed. + +**Pattern 2: Domain-specific organization** + +For Skills with multiple domains, organize content by domain to avoid loading irrelevant context: + +``` +bigquery-skill/ +├── SKILL.md (overview and navigation) +└── reference/ + ├── finance.md (revenue, billing metrics) + ├── sales.md (opportunities, pipeline) + ├── product.md (API usage, features) + └── marketing.md (campaigns, attribution) +``` + +When a user asks about sales metrics, Gemini CLI only reads sales.md. + +Similarly, for skills supporting multiple frameworks or variants, organize by variant: + +``` +cloud-deploy/ +├── SKILL.md (workflow + provider selection) +└── references/ + ├── aws.md (AWS deployment patterns) + ├── gcp.md (GCP deployment patterns) + └── azure.md (Azure deployment patterns) +``` + +When the user chooses AWS, Gemini CLI only reads aws.md. + +**Pattern 3: Conditional details** + +Show basic content, link to advanced content: + +```markdown +# CSV Processing + +## Basic Analysis + +Use pandas for loading and basic queries. See [PANDAS.md](PANDAS.md). + +## Advanced Operations + +For massive files that exceed memory, see [STREAMING.md](STREAMING.md). For timestamp normalization, see [TIMESTAMPS.md](TIMESTAMPS.md). 
+ +Gemini CLI reads REDLINING.md or OOXML.md only when the user needs those features. +``` + +**Important guidelines:** + +- **Avoid deeply nested references** - Keep references one level deep from SKILL.md. All reference files should link directly from SKILL.md. +- **Structure longer reference files** - For files longer than 100 lines, include a table of contents at the top so Gemini CLI can see the full scope when previewing. + +## Skill Creation Process + +Skill creation involves these steps: + +1. Understand the skill with concrete examples +2. Plan reusable skill contents (scripts, references, assets) +3. Initialize the skill (run node init_skill.cjs) +4. Edit the skill (implement resources and write SKILL.md) +5. Package the skill (run node package_skill.cjs) +6. Install and reload the skill +7. Iterate based on real usage + +Follow these steps in order, skipping only if there is a clear reason why they are not applicable. + +### Skill Naming + +- Use lowercase letters, digits, and hyphens only; normalize user-provided titles to hyphen-case (e.g., "Plan Mode" -> `plan-mode`). +- When generating names, generate a name under 64 characters (letters, digits, hyphens). +- Prefer short, verb-led phrases that describe the action. +- Namespace by tool when it improves clarity or triggering (e.g., `gh-address-comments`, `linear-address-issue`). +- Name the skill folder exactly after the skill name. + +### Step 1: Understanding the Skill with Concrete Examples + +Skip this step only when the skill's usage patterns are already clearly understood. It remains valuable even when working with an existing skill. + +To create an effective skill, clearly understand concrete examples of how the skill will be used. This understanding can come from either direct user examples or generated examples that are validated with user feedback. + +For example, when building an image-editor skill, relevant questions include: + +- "What functionality should the image-editor skill support? 
Editing, rotating, anything else?" +- "Can you give some examples of how this skill would be used?" +- "I can imagine users asking for things like 'Remove the red-eye from this image' or 'Rotate this image'. Are there other ways you imagine this skill being used?" +- "What would a user say that should trigger this skill?" + +**Avoid interrogation loops:** Do not ask more than one or two clarifying questions at a time. Bias toward action: propose a concrete list of features or examples based on your initial understanding, and ask the user to refine them. + +Conclude this step when there is a clear sense of the functionality the skill should support. + +### Step 2: Planning the Reusable Skill Contents + +To turn concrete examples into an effective skill, analyze each example by: + +1. Considering how to execute on the example from scratch +2. Identifying what scripts, references, and assets would be helpful when executing these workflows repeatedly + +Example: When building a `pdf-editor` skill to handle queries like "Help me rotate this PDF," the analysis shows: + +1. Rotating a PDF requires re-writing the same code each time +2. A `scripts/rotate_pdf.cjs` script would be helpful to store in the skill + +Example: When designing a `frontend-webapp-builder` skill for queries like "Build me a todo app" or "Build me a dashboard to track my steps," the analysis shows: + +1. Writing a frontend webapp requires the same boilerplate HTML/React each time +2. An `assets/hello-world/` template containing the boilerplate HTML/React project files would be helpful to store in the skill + +Example: When building a `big-query` skill to handle queries like "How many users have logged in today?" the analysis shows: + +1. Querying BigQuery requires re-discovering the table schemas and relationships each time +2. 
A `references/schema.md` file documenting the table schemas would be helpful to store in the skill + +To establish the skill's contents, analyze each concrete example to create a list of the reusable resources to include: scripts, references, and assets. + +### Step 3: Initializing the Skill + +At this point, it is time to actually create the skill. + +Skip this step only if the skill being developed already exists, and iteration or packaging is needed. In this case, continue to the next step. + +When creating a new skill from scratch, always run the `init_skill.cjs` script. The script conveniently generates a new template skill directory that automatically includes everything a skill requires, making the skill creation process much more efficient and reliable. + +**Note:** Use the absolute path to the script as provided in the `available_resources` section. + +Usage: + +```bash +node /scripts/init_skill.cjs --path +``` + +The script: + +- Creates the skill directory at the specified path +- Generates a SKILL.md template with proper frontmatter and TODO placeholders +- Creates example resource directories: `scripts/`, `references/`, and `assets/` +- Adds example files (`scripts/example_script.cjs`, `references/example_reference.md`, `assets/example_asset.txt`) that can be customized or deleted + +After initialization, customize or remove the generated SKILL.md and example files as needed. + +### Step 4: Edit the Skill + +When editing the (newly-generated or existing) skill, remember that the skill is being created for another instance of Gemini CLI to use. Include information that would be beneficial and non-obvious to Gemini CLI. Consider what procedural knowledge, domain-specific details, or reusable assets would help another Gemini CLI instance execute these tasks more effectively. 
+ +#### Learn Proven Design Patterns + +Consult these helpful guides based on your skill's needs: + +- **Multi-step processes**: See references/workflows.md for sequential workflows and conditional logic +- **Specific output formats or quality standards**: See references/output-patterns.md for template and example patterns + +These files contain established best practices for effective skill design. + +#### Start with Reusable Skill Contents + +To begin implementation, start with the reusable resources identified above: `scripts/`, `references/`, and `assets/` files. Note that this step may require user input. For example, when implementing a `brand-guidelines` skill, the user may need to provide brand assets or templates to store in `assets/`, or documentation to store in `references/`. + +Added scripts must be tested by actually running them to ensure there are no bugs and that the output matches what is expected. If there are many similar scripts, only a representative sample needs to be tested to ensure confidence that they all work while balancing time to completion. + +Any example files and directories not needed for the skill should be deleted. The initialization script creates example files in `scripts/`, `references/`, and `assets/` to demonstrate structure, but most skills won't need all of them. + +#### Update SKILL.md + +**Writing Guidelines:** Always use imperative/infinitive form. + +##### Frontmatter + +Write the YAML frontmatter with `name` and `description`: + +- `name`: The skill name +- `description`: This is the primary triggering mechanism for your skill, and helps Gemini CLI understand when to use the skill. + - Include both what the Skill does and specific triggers/contexts for when to use it. + - **Must be a single-line string** (e.g., `description: Data ingestion...`). Quotes are optional. + - Include all "when to use" information here - Not in the body. 
The body is only loaded after triggering, so "When to Use This Skill" sections in the body are not helpful to Gemini CLI. + - Example: `description: Data ingestion, cleaning, and transformation for tabular data. Use when Gemini CLI needs to work with CSV/TSV files to analyze large datasets, normalize schemas, or merge sources.` + +Do not include any other fields in YAML frontmatter. + +##### Body + +Write instructions for using the skill and its bundled resources. + +### Step 5: Packaging a Skill + +Once development of the skill is complete, it must be packaged into a distributable .skill file that gets shared with the user. The packaging process automatically validates the skill first (checking YAML and ensuring no TODOs remain) to ensure it meets all requirements: + +**Note:** Use the absolute path to the script as provided in the `available_resources` section. + +```bash +node /scripts/package_skill.cjs +``` + +Optional output directory specification: + +```bash +node /scripts/package_skill.cjs ./dist +``` + +The packaging script will: + +1. **Validate** the skill automatically, checking: + - YAML frontmatter format and required fields + - Skill naming conventions and directory structure + - Description completeness and quality + - File organization and resource references + +2. **Package** the skill if validation passes, creating a .skill file named after the skill (e.g., `my-skill.skill`) that includes all files and maintains the proper directory structure for distribution. The .skill file is a zip file with a .skill extension. + +If validation fails, the script will report the errors and exit without creating a package. Fix any validation errors and run the packaging command again. + +### Step 6: Installing and Reloading a Skill + +Once the skill is packaged into a `.skill` file, offer to install it for the user. Ask whether they would like to install it locally in the current folder (workspace scope) or at the user level (user scope). 
+ +If the user agrees to an installation, perform it immediately using the `run_shell_command` tool: + +- **Locally (workspace scope)**: + ```bash + gemini skills install --scope workspace + ``` +- **User level (user scope)**: + ```bash + gemini skills install --scope user + ``` + +**Important:** After the installation is complete, notify the user that they MUST manually execute the `/skills reload` command in their interactive Gemini CLI session to enable the new skill. They can then verify the installation by running `/skills list`. + +Note: You (the agent) cannot execute the `/skills reload` command yourself; it must be done by the user in an interactive instance of Gemini CLI. Do not attempt to run it on their behalf. + +### Step 7: Iterate + +After testing the skill, users may request improvements. Often this happens right after using the skill, with fresh context of how the skill performed. + +**Iteration workflow:** + +1. Use the skill on real tasks +2. Notice struggles or inefficiencies +3. Identify how SKILL.md or bundled resources should be updated +4. Implement changes and test again diff --git a/packages/core/src/skills/builtin/skill-creator/scripts/init_skill.cjs b/packages/core/src/skills/builtin/skill-creator/scripts/init_skill.cjs new file mode 100644 index 0000000000..d23853f255 --- /dev/null +++ b/packages/core/src/skills/builtin/skill-creator/scripts/init_skill.cjs 
@@ -0,0 +1,235 @@ +#!/usr/bin/env node + +/* eslint-env node */ + +/** + * Skill Initializer - Creates a new skill from template + * + * Usage: + * node init_skill.cjs --path + * + * Examples: + * node init_skill.cjs my-new-skill --path skills/public + */ + +const fs = require('node:fs'); +const path = require('node:path'); + +const SKILL_TEMPLATE = `--- +name: {skill_name} +description: TODO: Complete and informative explanation of what the skill does and when to use it. Include WHEN to use this skill - specific scenarios, file types, or tasks that trigger it. +--- + +# {skill_title} + +## Overview + +[TODO: 1-2 sentences explaining what this skill enables] + +## Structuring This Skill + +[TODO: Choose the structure that best fits this skill's purpose. Common patterns: + +**1. Workflow-Based** (best for sequential processes) +- Works well when there are clear step-by-step procedures +- Example: CSV-Processor skill with "Workflow Decision Tree" → "Ingestion" → "Cleaning" → "Analysis" +- Structure: ## Overview → ## Workflow Decision Tree → ## Step 1 → ## Step 2... + +**2. Task-Based** (best for tool collections) +- Works well when the skill offers different operations/capabilities +- Example: PDF skill with "Quick Start" → "Merge PDFs" → "Split PDFs" → "Extract Text" +- Structure: ## Overview → ## Quick Start → ## Task Category 1 → ## Task Category 2... + +**3. Reference/Guidelines** (best for standards or specifications) +- Works well for brand guidelines, coding standards, or requirements +- Example: Brand styling with "Brand Guidelines" → "Colors" → "Typography" → "Features" +- Structure: ## Overview → ## Guidelines → ## Specifications → ## Usage... + +**4. Capabilities-Based** (best for integrated systems) +- Works well when the skill provides multiple interrelated features +- Example: Product Management with "Core Capabilities" → numbered capability list +- Structure: ## Overview → ## Core Capabilities → ### 1. Feature → ### 2. Feature... 
+ +Patterns can be mixed and matched as needed. Most skills combine patterns (e.g., start with task-based, add workflow for complex operations). + +Delete this entire "Structuring This Skill" section when done - it's just guidance.] + +## [TODO: Replace with the first main section based on chosen structure] + +[TODO: Add content here. See examples in existing skills: +- Code samples for technical skills +- Decision trees for complex workflows +- Concrete examples with realistic user requests +- References to scripts/templates/references as needed] + +## Resources + +This skill includes example resource directories that demonstrate how to organize different types of bundled resources: + +### scripts/ +Executable code that can be run directly to perform specific operations. + +**Examples from other skills:** +- PDF skill: fill_fillable_fields.cjs, extract_form_field_info.cjs - utilities for PDF manipulation +- CSV skill: normalize_schema.cjs, merge_datasets.cjs - utilities for tabular data manipulation + +**Appropriate for:** Node.cjs scripts (cjs), shell scripts, or any executable code that performs automation, data processing, or specific operations. + +**Note:** Scripts may be executed without loading into context, but can still be read by Gemini CLI for patching or environment adjustments. + +### references/ +Documentation and reference material intended to be loaded into context to inform Gemini CLI's process and thinking. + +**Examples from other skills:** +- Product management: communication.md, context_building.md - detailed workflow guides +- BigQuery: API reference documentation and query examples +- Finance: Schema documentation, company policies + +**Appropriate for:** In-depth documentation, API references, database schemas, comprehensive guides, or any detailed information that Gemini CLI should reference while working. + +### assets/ +Files not intended to be loaded into context, but rather used within the output Gemini CLI produces. 
+ +**Examples from other skills:** +- Brand styling: PowerPoint template files (.pptx), logo files +- Frontend builder: HTML/React boilerplate project directories +- Typography: Font files (.ttf, .woff2) + +**Appropriate for:** Templates, boilerplate code, document templates, images, icons, fonts, or any files meant to be copied or used in the final output. + +--- + +**Any unneeded directories can be deleted.** Not every skill requires all three types of resources. +`; + +const EXAMPLE_SCRIPT = `#!/usr/bin/env node + +/** + * Example helper script for {skill_name} + * + * This is a placeholder script that can be executed directly. + * Replace with actual implementation or delete if not needed. + * + * Example real scripts from other skills: + * - pdf/scripts/fill_fillable_fields.cjs - Fills PDF form fields + * - pdf/scripts/convert_pdf_to_images.cjs - Converts PDF pages to images + * + * Agentic Ergonomics: + * - Suppress tracebacks. + * - Return clean success/failure strings. + * - Truncate long outputs. + */ + +async function main() { + try { + // TODO: Add actual script logic here. + // This could be data processing, file conversion, API calls, etc. + + // Example output formatting for an LLM agent + process.stdout.write("Success: Processed the task.\\n"); + } catch (err) { + // Trap the error and output a clean message instead of a noisy stack trace + process.stderr.write(\`Failure: \${err.message}\\n\`); + process.exit(1); + } +} + +main(); +`; + +const EXAMPLE_REFERENCE = `# Reference Documentation for {skill_title} + +This is a placeholder for detailed reference documentation. +Replace with actual reference content or delete if not needed. 
+ +## Structure Suggestions + +### API Reference Example +- Overview +- Authentication +- Endpoints with examples +- Error codes + +### Workflow Guide Example +- Prerequisites +- Step-by-step instructions +- Best practices +`; + +function titleCase(name) { + return name + .split('-') + .map((word) => word.charAt(0).toUpperCase() + word.slice(1)) + .join(' '); +} + +async function main() { + const args = process.argv.slice(2); + if (args.length < 3 || args[1] !== '--path') { + console.log('Usage: node init_skill.cjs --path '); + process.exit(1); + } + + const skillName = args[0]; + const basePath = path.resolve(args[2]); + + // Prevent path traversal + if ( + skillName.includes(path.sep) || + skillName.includes('/') || + skillName.includes('\\') + ) { + console.error('❌ Error: Skill name cannot contain path separators.'); + process.exit(1); + } + + const skillDir = path.join(basePath, skillName); + + // Additional check to ensure the resolved skillDir is actually inside basePath + if (!skillDir.startsWith(basePath)) { + console.error('❌ Error: Invalid skill name or path.'); + process.exit(1); + } + + if (fs.existsSync(skillDir)) { + console.error(`❌ Error: Skill directory already exists: ${skillDir}`); + process.exit(1); + } + + const skillTitle = titleCase(skillName); + + try { + fs.mkdirSync(skillDir, { recursive: true }); + fs.mkdirSync(path.join(skillDir, 'scripts')); + fs.mkdirSync(path.join(skillDir, 'references')); + fs.mkdirSync(path.join(skillDir, 'assets')); + + fs.writeFileSync( + path.join(skillDir, 'SKILL.md'), + SKILL_TEMPLATE.replace(/{skill_name}/g, skillName).replace( + /{skill_title}/g, + skillTitle, + ), + ); + fs.writeFileSync( + path.join(skillDir, 'scripts/example_script.cjs'), + EXAMPLE_SCRIPT.replace(/{skill_name}/g, skillName), + { mode: 0o755 }, + ); + fs.writeFileSync( + path.join(skillDir, 'references/example_reference.md'), + EXAMPLE_REFERENCE.replace(/{skill_title}/g, skillTitle), + ); + fs.writeFileSync( + path.join(skillDir, 
'assets/example_asset.txt'), + 'Placeholder for assets.', + ); + + console.log(`✅ Skill '${skillName}' initialized at ${skillDir}`); + } catch (err) { + console.error(`❌ Error: ${err.message}`); + process.exit(1); + } +} + +main(); diff --git a/packages/core/src/skills/builtin/skill-creator/scripts/package_skill.cjs b/packages/core/src/skills/builtin/skill-creator/scripts/package_skill.cjs new file mode 100644 index 0000000000..c01edff4f7 --- /dev/null +++ b/packages/core/src/skills/builtin/skill-creator/scripts/package_skill.cjs 
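Review bot: The skill name is screened only for path separators, while validate_skill.cjs later rejects any name that does not match `^[a-z0-9-]+$`, so init_skill.cjs will scaffold a skill such as `My_Skill` that the bundled validator and packager then refuse. A name containing sequences like `$&` or `$1` would also be mangled when substituted into the templates, because `String.prototype.replace` interprets those patterns in a string replacement. Checking the same allow-list up front keeps the two scripts in agreement and makes the separator and `startsWith(basePath)` checks redundant: `if (!/^[a-z0-9-]+$/.test(skillName)) { console.error('❌ Error: Skill name must be hyphen-case (a-z, 0-9, -).'); process.exit(1); }`. A failure part-way through the `writeFileSync` calls also leaves a half-populated directory behind that the next run rejects as already existing; removing `skillDir` in the catch block before exiting would make the script rerunnable.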
@@ -0,0 +1,87 @@ +#!/usr/bin/env node + +/* eslint-env node */ + +/** + * Skill Packager - Creates a distributable .skill file of a skill folder + * + * Usage: + * node package_skill.js [output-directory] + */ + +const path = require('node:path'); +const { spawnSync } = require('node:child_process'); +const { validateSkill } = require('./validate_skill.cjs'); + +async function main() { + const args = process.argv.slice(2); + if (args.length < 1) { + console.log( + 'Usage: node package_skill.js [output-directory]', + ); + process.exit(1); + } + + const skillPathArg = args[0]; + const outputDirArg = args[1]; + + if ( + skillPathArg.includes('..') || + (outputDirArg && outputDirArg.includes('..')) + ) { + console.error('❌ Error: Path traversal detected in arguments.'); + process.exit(1); + } + + const skillPath = path.resolve(skillPathArg); + const outputDir = outputDirArg ? path.resolve(outputDirArg) : process.cwd(); + const skillName = path.basename(skillPath); + + // 1. Validate first + console.log('🔍 Validating skill...'); + const result = validateSkill(skillPath); + if (!result.valid) { + console.error(`❌ Validation failed: ${result.message}`); + process.exit(1); + } + + if (result.warning) { + console.warn(`⚠️ ${result.warning}`); + console.log('Please resolve all TODOs before packaging.'); + process.exit(1); + } + console.log('✅ Skill is valid!'); + + // 2. Package + const outputFilename = path.join(outputDir, `${skillName}.skill`); + + try { + // Zip everything except junk, keeping the folder structure + // We'll use the native 'zip' command for simplicity in a CLI environment + // or we could use a JS library, but zip is ubiquitous on darwin/linux. 
+ + // Command to zip: + // -r: recursive + // -x: exclude patterns + // Run the zip command from within the directory to avoid parent folder nesting + const zipProcess = spawnSync('zip', ['-r', outputFilename, '.'], { + cwd: skillPath, + stdio: 'inherit', + }); + + if (zipProcess.error) { + throw zipProcess.error; + } + + if (zipProcess.status !== 0) { + throw new Error(`zip command failed with exit code ${zipProcess.status}`); + } + + console.log(`✅ Successfully packaged skill to: ${outputFilename}`); + } catch (err) { + console.error(`❌ Error packaging: ${err.message}`); + process.exit(1); + } +} + +main(); diff --git a/packages/core/src/skills/builtin/skill-creator/scripts/validate_skill.cjs b/packages/core/src/skills/builtin/skill-creator/scripts/validate_skill.cjs new file mode 100644 index 0000000000..d51fec96ba --- /dev/null +++ b/packages/core/src/skills/builtin/skill-creator/scripts/validate_skill.cjs 
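Review bot: The comment block above `spawnSync` promises to zip "everything except junk" and documents `-x: exclude patterns`, but the actual argument list `['-r', outputFilename, '.']` passes no `-x`, so `.git/`, `node_modules/` and `__pycache__/` — exactly the directories `getAllFiles` in validate_skill.cjs skips — end up in the archive. Passing the same exclusions keeps validation and packaging in step: `const zipProcess = spawnSync('zip', ['-r', outputFilename, '.', '-x', '.git/*', 'node_modules/*', '__pycache__/*'], { cwd: skillPath, stdio: 'inherit' });`. Note also that `zip -r` updates an existing archive rather than replacing it, so a stale `${skillName}.skill` left from an earlier run keeps entries for files that have since been deleted; removing it first (`fs.rmSync(outputFilename, { force: true })`, with `node:fs` required at the top) gives a clean build. The usage string still names `package_skill.js` although the file is `package_skill.cjs`.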
@@ -0,0 +1,127 @@ +/* eslint-env node */ + +/** + * Quick validation logic for skills. + * Leveraging existing dependencies when possible or providing a zero-dep fallback. + */ + +const fs = require('node:fs'); +const path = require('node:path'); + +function validateSkill(skillPath) { + if (!fs.existsSync(skillPath) || !fs.statSync(skillPath).isDirectory()) { + return { valid: false, message: `Path is not a directory: ${skillPath}` }; + } + + const skillMdPath = path.join(skillPath, 'SKILL.md'); + if (!fs.existsSync(skillMdPath)) { + return { valid: false, message: 'SKILL.md not found' }; + } + + const content = fs.readFileSync(skillMdPath, 'utf8'); + if (!content.startsWith('---')) { + return { valid: false, message: 'No YAML frontmatter found' }; + } + + const parts = content.split('---'); + if (parts.length < 3) { + return { valid: false, message: 'Invalid frontmatter format' }; + } + + const frontmatterText = parts[1]; + + const nameMatch = frontmatterText.match(/^name:\s*(.+)$/m); + // Match description: "text" or description: 'text' or description: text + const descMatch = frontmatterText.match( + /^description:\s*(?:'([^']*)'|"([^"]*)"|(.+))$/m, + ); + + if (!nameMatch) + return { valid: false, message: 'Missing "name" in frontmatter' }; + if (!descMatch) + return { + valid: false, + message: 'Description must be a single-line string: description: ...', + }; + + const name = nameMatch[1].trim(); + const description = ( + descMatch[1] !== undefined + ? descMatch[1] + : descMatch[2] !== undefined + ? 
descMatch[2] + : descMatch[3] || '' + ).trim(); + + if (description.includes('\n')) { + return { + valid: false, + message: 'Description must be a single line (no newlines)', + }; + } + + if (!/^[a-z0-9-]+$/.test(name)) { + return { valid: false, message: `Name "${name}" should be hyphen-case` }; + } + + if (description.length > 1024) { + return { valid: false, message: 'Description is too long (max 1024)' }; + } + + // Check for TODOs + const files = getAllFiles(skillPath); + for (const file of files) { + const fileContent = fs.readFileSync(file, 'utf8'); + if (fileContent.includes('TODO:')) { + return { + valid: true, + message: 'Skill has unresolved TODOs', + warning: `Found unresolved TODO in ${path.relative(skillPath, file)}`, + }; + } + } + + return { valid: true, message: 'Skill is valid!' }; +} + +function getAllFiles(dir, fileList = []) { + const files = fs.readdirSync(dir); + files.forEach((file) => { + const name = path.join(dir, file); + if (fs.statSync(name).isDirectory()) { + if (!['node_modules', '.git', '__pycache__'].includes(file)) { + getAllFiles(name, fileList); + } + } else { + fileList.push(name); + } + }); + return fileList; +} + +if (require.main === module) { + const args = process.argv.slice(2); + if (args.length !== 1) { + console.log('Usage: node validate_skill.js '); + process.exit(1); + } + + const skillDirArg = args[0]; + if (skillDirArg.includes('..')) { + console.error('❌ Error: Path traversal detected in skill directory path.'); + process.exit(1); + } + + const result = validateSkill(path.resolve(skillDirArg)); + if (result.warning) { + console.warn(`⚠️ ${result.warning}`); + } + if (result.valid) { + console.log(`✅ ${result.message}`); + } else { + console.error(`❌ ${result.message}`); + process.exit(1); + } +} + +module.exports = { validateSkill };
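Review bot: The `description.includes('\n')` check after the ternary can never fire: the regex's `(.+)` alternative does not cross a newline and `$` under the `m` flag stops at the line end, so the captured text is always a single line. The multi-line case that matters is a YAML block scalar (`description: >` or `description: |`), which that same alternative captures as the one-character description `>` or `|` and accepts as valid. Replacing the dead check with a test for a lone block-scalar indicator closes that gap: `if (/^[>|][+-]?\d*$/.test(description)) { return { valid: false, message: 'Description must be a single-line string: description: ...' }; }`. Separately, `getAllFiles` uses `fs.statSync`, which follows symbolic links, so a symlinked directory inside the skill can send the TODO scan outside the skill tree or, for a link to an ancestor, recurse until the path-length limit is hit; `fs.lstatSync(name)` (or `readdirSync(dir, { withFileTypes: true })` and skipping `isSymbolicLink()` entries) keeps the walk inside the directory being validated.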