LLM/moltbot
1
0
Fork 0
mirror of https://github.com/moltbot/moltbot.git synced 2026-03-09 15:35:17 +00:00
Code Issues Packages Projects Releases Wiki Activity
17,664 Commits 662 Branches 74 Tags
dependabot/github_actions/actions/setup-python-6
Commit Graph

212 Commits

Author SHA1 Message Date
Farhoud Cheraghi
aedf3ee68f fix(skills): expand skill-creator description to cover edit/audit/review triggers (#39158) 
Merged via squash.

Prepared head SHA: 13997c1ee5
Co-authored-by: haynzz <1236319+haynzz@users.noreply.github.com>
Co-authored-by: altaywtf <9790196+altaywtf@users.noreply.github.com>
Reviewed-by: @altaywtf
 2026-03-08 12:13:00 +03:00
Vincent Koc
bf623a580b Agents: add skill API rate-limit guardrail (#38452) 
* Agents: add rate-limit guardrail for skill API writes

* Changelog: note skill API rate-limit awareness
 2026-03-06 20:20:00 -05:00
Mark Zhang
81f22ae109 openai-image-gen: validate and normalize --output-format (#36648) 
* openai-image-gen: validate and normalize output format

* Skills/openai-image-gen: cover output-format edge cases

* Changelog: note openai image output format validation

---------

Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
 2026-03-06 11:14:30 -05:00
Mark Zhang
20038fb955 openai-image-gen: validate --background and --style options (#36762) 
* openai-image-gen: validate --background and --style inputs

* Skills/openai-image-gen: warn on ignored background and style flags

* Skills/openai-image-gen: cover empty and warning cases

* Changelog: note openai image flag validation

* Skills/openai-image-gen: fix Python import order

---------

Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
 2026-03-06 11:04:25 -05:00
Vincent Koc
05c2cbf0e9 Skills/nano-banana-pro: clarify MEDIA token comment (#38063) 2026-03-06 10:51:11 -05:00
Mark Zhang
37a3fb0f86 nano-banana-pro: respect explicit --resolution when editing images (#36880) 
* nano-banana-pro: respect explicit --resolution when editing images

* Changelog: note nano banana resolution fix

* Update CHANGELOG.md

---------

Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
 2026-03-06 10:44:54 -05:00
ABFS Tech
86a89d96d7 fix(nano-banana-pro): remove space after MEDIA: token in generate_image.py (#18706) 
The MEDIA: output token must appear at line start with no space after
the colon for OpenClaw's splitMediaFromOutput parser to extract the
file path and auto-attach media on outbound chat channels (Discord,
Telegram, WhatsApp, etc.).

The script was printing 'MEDIA: /path' (with space), which while
tolerated by the regex, does not match the canonical 'MEDIA:/path'
format used by all other skills (e.g. openai-image-gen) and tested
in the codebase (pi-embedded-subscribe.tools.media.test.ts,
media/parse.test.ts).

Also updated the comment to clarify the format constraint.
 2026-03-06 10:29:06 -05:00
Brenner Spear
36e2e04a32 feat(nano-banana-pro): add --aspect-ratio flag to generate_image.py (#28159) 
* feat(nano-banana-pro): add --aspect-ratio flag to generate_image.py

* Nano Banana: allow all supported aspect ratios

* Docs: expand nano banana aspect ratio options

---------

Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
 2026-03-06 00:26:55 -05:00
Vincent Koc
4d183af0cf fix: code/cli acpx reliability 20260304 (#34020) 
* agents: switch claude-cli defaults to bypassPermissions

* agents: add claude-cli default args coverage

* agents: emit watchdog stall system event for cli runs

* agents: test cli watchdog stall system event

* acpx: fallback to sessions new when ensure returns no ids

* acpx tests: mock sessions new fallback path

* acpx tests: cover ensure-empty fallback flow

* skills: clarify claude print mode without pty

* docs: update cli-backends claude default args

* docs: refresh cli live test default args

* gateway tests: align live claude args defaults

* changelog: credit claude/acpx reliability fixes

* Agents: normalize legacy Claude permission flag overrides

* Tests: cover legacy Claude permission override normalization

* Changelog: note legacy Claude permission flag auto-normalization

* ACPX: fail fast when ensure/new return no session IDs

* ACPX tests: support empty sessions new fixture output

* ACPX tests: assert ensureSession failure when IDs missing

* CLI runner: scope watchdog heartbeat wake to session

* CLI runner tests: assert session-scoped watchdog wake

* Update CHANGELOG.md
 2026-03-04 01:15:28 -05:00
AaronWander
4c32411bee fix(exec): suggest increasing timeout on timeouts 2026-03-03 02:35:10 +00:00
bmendonca3
738f5d4533 skills: make sherpa-onnx-tts bin ESM-compatible 2026-03-02 18:30:42 +00:00
Onur Solmaz
a7d56e3554 feat: ACP thread-bound agents (#23580) 
* docs: add ACP thread-bound agents plan doc

* docs: expand ACP implementation specification

* feat(acp): route ACP sessions through core dispatch and lifecycle cleanup

* feat(acp): add /acp commands and Discord spawn gate

* ACP: add acpx runtime plugin backend

* fix(subagents): defer transient lifecycle errors before announce

* Agents: harden ACP sessions_spawn and tighten spawn guidance

* Agents: require explicit ACP target for runtime spawns

* docs: expand ACP control-plane implementation plan

* ACP: harden metadata seeding and spawn guidance

* ACP: centralize runtime control-plane manager and fail-closed dispatch

* ACP: harden runtime manager and unify spawn helpers

* Commands: route ACP sessions through ACP runtime in agent command

* ACP: require persisted metadata for runtime spawns

* Sessions: preserve ACP metadata when updating entries

* Plugins: harden ACP backend registry across loaders

* ACPX: make availability probe compatible with adapters

* E2E: add manual Discord ACP plain-language smoke script

* ACPX: preserve streamed spacing across Discord delivery

* Docs: add ACP Discord streaming strategy

* ACP: harden Discord stream buffering for thread replies

* ACP: reuse shared block reply pipeline for projector

* ACP: unify streaming config and adopt coalesceIdleMs

* Docs: add temporary ACP production hardening plan

* Docs: trim temporary ACP hardening plan goals

* Docs: gate ACP thread controls by backend capabilities

* ACP: add capability-gated runtime controls and /acp operator commands

* Docs: remove temporary ACP hardening plan

* ACP: fix spawn target validation and close cache cleanup

* ACP: harden runtime dispatch and recovery paths

* ACP: split ACP command/runtime internals and centralize policy

* ACP: harden runtime lifecycle, validation, and observability

* ACP: surface runtime and backend session IDs in thread bindings

* docs: add temp plan for binding-service migration

* ACP: migrate thread binding flows to SessionBindingService

* ACP: address review feedback and preserve prompt wording

* ACPX plugin: pin runtime dependency and prefer bundled CLI

* Discord: complete binding-service migration cleanup and restore ACP plan

* Docs: add standalone ACP agents guide

* ACP: route harness intents to thread-bound ACP sessions

* ACP: fix spawn thread routing and queue-owner stall

* ACP: harden startup reconciliation and command bypass handling

* ACP: fix dispatch bypass type narrowing

* ACP: align runtime metadata to agentSessionId

* ACP: normalize session identifier handling and labels

* ACP: mark thread banner session ids provisional until first reply

* ACP: stabilize session identity mapping and startup reconciliation

* ACP: add resolved session-id notices and cwd in thread intros

* Discord: prefix thread meta notices consistently

* Discord: unify ACP/thread meta notices with gear prefix

* Discord: split thread persona naming from meta formatting

* Extensions: bump acpx plugin dependency to 0.1.9

* Agents: gate ACP prompt guidance behind acp.enabled

* Docs: remove temp experiment plan docs

* Docs: scope streaming plan to holy grail refactor

* Docs: refactor ACP agents guide for human-first flow

* Docs/Skill: add ACP feature-flag guidance and direct acpx telephone-game flow

* Docs/Skill: add OpenCode and Pi to ACP harness lists

* Docs/Skill: align ACP harness list with current acpx registry

* Dev/Test: move ACP plain-language smoke script and mark as keep

* Docs/Skill: reorder ACP harness lists with Pi first

* ACP: split control-plane manager into core/types/utils modules

* Docs: refresh ACP thread-bound agents plan

* ACP: extract dispatch lane and split manager domains

* ACP: centralize binding context and remove reverse deps

* Infra: unify system message formatting

* ACP: centralize error boundaries and session id rendering

* ACP: enforce init concurrency cap and strict meta clear

* Tests: fix ACP dispatch binding mock typing

* Tests: fix Discord thread-binding mock drift and ACP request id

* ACP: gate slash bypass and persist cleared overrides

* ACPX: await pre-abort cancel before runTurn return

* Extension: pin acpx runtime dependency to 0.1.11

* Docs: add pinned acpx install strategy for ACP extension

* Extensions/acpx: enforce strict local pinned startup

* Extensions/acpx: tighten acp-router install guidance

* ACPX: retry runtime test temp-dir cleanup

* Extensions/acpx: require proactive ACPX repair for thread spawns

* Extensions/acpx: require restart offer after acpx reinstall

* extensions/acpx: remove workspace protocol devDependency

* extensions/acpx: bump pinned acpx to 0.1.13

* extensions/acpx: sync lockfile after dependency bump

* ACPX: make runtime spawn Windows-safe

* fix: align doctor-config-flow repair tests with default-account migration (#23580) (thanks @osolmaz)
 2026-02-26 11:00:09 +01:00
Peter Steinberger
42373b6742 fix(skills): support multiline frontmatter fallback without PyYAML 2026-02-23 18:56:14 +00:00
Brian Mendonca
f18f087c3c fix(skills): make quick_validate work without PyYAML 
(cherry picked from commit 485a55b4ec)
 2026-02-23 18:56:14 +00:00
Gustavo Madeira Santana
c92c3ad224 Tests: isolate quick_validate stub and remove DS_Store 2026-02-23 03:25:37 -05:00
Vincent Koc
07edadfa8a skill-creator: reject unclosed YAML frontmatter (#24289) 2026-02-23 02:51:51 -05:00
Vincent Koc
c8a62e1cea Skills/Python: harden script edge cases and add regression tests (#24277) 
* Skill creator: skip self-including .skill output

* Skill creator tests: cover output-dir-inside-skill case

* Skill validator: parse frontmatter robustly across newlines

* Skill validator tests: add CRLF and malformed frontmatter coverage

* Model usage: require positive --days value

* Model usage tests: cover --days validation and filtering

* Nano banana: close input image handles after loading

* Skill validator: keep type hints compatible with older python

* Changelog: credit @vincentkoc for Python skills hardening
 2026-02-23 02:34:23 -05:00
Vincent Koc
844924cf8d fix(skill-creator): harden skill packaging path handling (#24260) 
* fix(skill-creator): skip symlinks during skill packaging

* test(skill-creator): cover symlink skipping and root-escape guard
 2026-02-23 02:07:36 -05:00
Vincent Koc
76dabd5214 CI/Skills: add Python lint and test harness for skills scripts (#24246) 
* CI: add skills Python checks job

* Chore: add Python lint and test pre-commit hooks

* Tests: fix skill-creator package test import path

* Chore: add Python tooling config for skills scripts

* CI: run all skills Python tests

* Chore: run all skills Python tests in pre-commit

* Chore: enable pytest discovery for all skills tests

* Changelog: note skills Python quality harness
 2026-02-23 01:52:00 -05:00
CornBrother0x
f3adf142c1 fix(security): escape user input in HTML gallery to prevent stored XSS (#16958) 
* Security/openai-image-gen: escape HTML gallery user input

* Tests/openai-image-gen: add gallery XSS regression coverage

* Changelog: add openai-image-gen XSS hardening note

---------

Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
 2026-02-23 01:39:58 -05:00
Sid
3bfe990c33 fix(skill-creator): exclude .git and VCS internals from .skill archives (#23180) 
The packager included .git directory contents in .skill archives,
causing unnecessary bloat, metadata leakage, and poor artifact hygiene.

Hard-exclude .git, .svn, .hg, __pycache__, and node_modules from
packaged archives. These paths are never useful in distributable skills.

Fixes #23149

Co-authored-by: Cursor <cursoragent@cursor.com>
 2026-02-22 15:24:11 -05:00
Peter Steinberger
7abae052f9 chore(skills): remove bundled food-order skill 2026-02-22 15:06:27 +01:00
Henry Loenwind
24d18d0d72 fix: Correct data path in SKILL.md (coding-agent) (#11009) 
Merged via /review-pr -> /prepare-pr -> /merge-pr.

Prepared head SHA: f7e56b80c6
Co-authored-by: HenryLoenwind <1485873+HenryLoenwind@users.noreply.github.com>
Co-authored-by: obviyus <22031114+obviyus@users.noreply.github.com>
Reviewed-by: @obviyus
 2026-02-21 18:09:25 +05:30
Santiago Medina Rolong
11f6bea598 add secret safety 2026-02-21 11:58:14 +01:00
Santiago Medina Rolong
8db5e77ffa skills: fmt 2026-02-21 11:58:14 +01:00
Santiago Medina Rolong
da844d6411 skills: update xurl description 2026-02-21 11:58:14 +01:00
Santiago Medina
ac2ef69454 Update skills/xurl/SKILL.md 
Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>
 2026-02-21 11:58:14 +01:00
Santiago Medina Rolong
635b6298e3 skills: add xurl skill 2026-02-21 11:58:14 +01:00
Harold Hunt
02ac5b59d1 Skills: add SonosCLI troubleshooting guidance (openclaw#21316) thanks @huntharo 
Verified:
- pnpm build
- pnpm check
- pnpm test:macmini

Co-authored-by: huntharo <5617868+huntharo@users.noreply.github.com>
Co-authored-by: Tak Hoffman <781889+Takhoffman@users.noreply.github.com>
 2026-02-20 19:52:42 -06:00
Val Alexander
82a1741336 fix: update formula handling in SKILL.md and frontmatter.ts (#11046) 
- Changed "cask" to "formula" in SKILL.md for consistency.
- Enhanced formula parsing in frontmatter.ts to trim whitespace and fallback to cask if formula is not provided.
 2026-02-19 16:57:08 -06:00
Peter Steinberger
ee1d6427b5 fix(security): enforce symlink-safe skill packaging 2026-02-19 10:56:17 +01:00
aether-ai-agent
c275932aa4 fix(security): OC-22 prevent Zip Slip and symlink following in skill packaging 
This commit implements critical security fixes for vulnerability OC-22
(CVSS 7.7, CWE-426) in the skill packaging system.

## Security Fixes

1. Symlink Detection and Rejection
   - Added check to detect and reject symlinks in skill directories
   - Prevents attackers from including arbitrary system files via symlink following
   - Rejects packaging with error message if any symlink is found

2. Path Traversal (Zip Slip) Prevention
   - Added validation for arcname paths in zip archives
   - Rejects paths containing ".." (directory traversal)
   - Rejects absolute paths that could escape skill directory
   - Prevents attackers from overwriting system files during extraction

## Attack Vectors Mitigated

- Symlink following: Attacker creates symlink to /etc/passwd or other
  sensitive files in skill directory → now rejected
- Zip Slip: Attacker crafts paths with "../../root/.bashrc" to overwrite
  system files during extraction → now rejected

## Changes

- Modified: skills/skill-creator/scripts/package_skill.py
  - Added symlink check (line 73-76)
  - Added path validation check (line 84-87)
  - Enhanced error messages for security violations

- Added: skills/skill-creator/scripts/test_package_skill.py
  - Comprehensive test suite with 11 test cases
  - Tests for symlink rejection
  - Tests for path traversal prevention
  - Tests for normal file packaging
  - Tests for edge cases (nested files, multiple files, large skills)

## Testing

All 11 tests pass:
- test_normal_file_packaging: Normal files packaged correctly
- test_symlink_rejection: Symlinks detected and rejected
- test_symlink_to_sensitive_file: Sensitive file symlinks rejected
- test_zip_slip_prevention: Normal subdirectories work properly
- test_absolute_path_prevention: Path validation logic tested
- test_nested_files_allowed: Properly nested files allowed
- test_multiple_files_with_symlink_mixed: Single symlink fails entire package
- test_large_skill_with_many_files: Large skills handled correctly
- test_missing_skill_directory: Error handling verified
- test_file_instead_of_directory: Error handling verified
- test_missing_skill_md: Error handling verified
 2026-02-19 10:56:17 +01:00
Peter Steinberger
797a47c3ce docs: harden coding-agent skill guidance example 2026-02-18 16:55:50 +01:00
DylanWoodAkers
cfd384ead2 feat(skills): improve descriptions with routing logic (#14577) 
* feat(skills): improve descriptions with routing logic

Apply OpenAI's recommended pattern for skill descriptions:
- Add 'Use when' conditions for clear triggering
- Add 'NOT for' negative examples to reduce misfires
- Make descriptions act as routing logic, not marketing copy

Based on: https://developers.openai.com/blog/skills-shell-tips/

Skills updated:
- coding-agent: clarify when to delegate vs direct edit
- github: add boundaries vs browser/scripting
- weather: add scope limitations

Glean reported 20% drop in skill triggering without negative
examples, recovering after adding them. This change brings
Clawdbot skills in line with that pattern.

* docs(skills): clarify routing boundaries (openclaw#14577) (thanks @DylanWoodAkers)

* docs(changelog): add PR 14577 release note (openclaw#14577) (thanks @DylanWoodAkers)

---------

Co-authored-by: ClawdBotWolf <clawdbotwolf@proton.me>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
 2026-02-18 01:31:28 +01:00
Blakeshannon
9cce40d123 feat(skills): Add 'Use when / Don't use when' routing blocks (#14521) 
* feat(skills): add 'Use when / Don't use when' blocks to skill descriptions

Based on OpenAI's Shell + Skills + Compaction best practices article.

Key changes:
- Added clear routing logic to skill descriptions
- Added negative examples to prevent misfires
- Added templates/examples to github skill
- Included Blake's specific setup notes for openhue

Skills updated:
- apple-reminders: Clarify vs Clawdbot cron
- github: Clarify vs local git operations
- imsg: Clarify vs other messaging channels
- openhue: Add device inventory, room layout
- tmux: Clarify vs exec tool
- weather: Add location defaults, format codes

Reference: https://developers.openai.com/blog/skills-shell-tips

* fix(skills): restore metadata and generic CLI examples

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
 2026-02-18 01:28:20 +01:00
Sebastian
f79cf3a01d revert: remove accidentally merged video-quote-finder skill (#18550) 2026-02-16 21:16:29 -05:00
OpenClaw Bot
767109e7d5 fix(skills): improve git credential handling for gh-issues sub-agents 
- Add explicit GH_TOKEN setup in sub-agent environment
- Disable credential helper before push
- Use GIT_ASKPASS to prevent credential prompts
 2026-02-17 00:00:08 +01:00
zisisp
71dad89193 Revert "skills/video-quote-finder: add markdown PR hygiene checks" 
This reverts commit 38c0d42542.
 2026-02-16 23:50:47 +01:00
zisisp
d0793cbb9b skills/video-quote-finder: add markdown PR hygiene checks 2026-02-16 23:50:47 +01:00
zisisp
e2f28ff4cb skills/video-quote-finder: strip URL fragments before adding timestamp 2026-02-16 23:50:47 +01:00
zisisp
61726a2fbd skills: add video-quote-finder with timestamp links 2026-02-16 23:50:47 +01:00
Peter Steinberger
2363e1b085 fix(security): restrict skill download target paths 2026-02-16 03:47:28 +01:00
Shadow
9203a2fdb1 Discord: CV2! (#16364) 2026-02-15 10:24:53 -06:00
Peter Steinberger
d3428053d9 fix: redact config values in skills status 2026-02-14 17:35:16 +01:00
Peter Steinberger
e50ce897b0 chore(skills): remove duplicate local-places skill 2026-02-13 16:15:47 +01:00
Hudson Rivera
588d7133f5 fix(docs): correct wake command in coding-agent skill (#10516) 
The skill documented `openclaw gateway wake --text ... --mode now` which
is not a valid subcommand. The correct command is
`openclaw system event --text ... --mode now`.

Fixes #10515.
 2026-02-09 12:18:20 -05:00
Peter Steinberger
31a7e4f937 chore(skills): remove bird skill 2026-02-06 22:28:44 -08:00
Gustavo Madeira Santana
6b7d3c3062 Revert "feat(skills): add QR code skill (#8817)" 
This reverts commit ad13c265ba.
 2026-02-05 17:20:27 -05:00
Omar Khaleel
ad13c265ba feat(skills): add QR code skill (#8817) 
feat(skills): add QR code generation and reading skill

Adds qr-code skill with:
- qr_generate.py - Generate QR codes with customizable size/error correction
- qr_read.py - Decode QR codes from images
- SKILL.md documentation

Co-authored-by: Omar-Khaleel
 2026-02-05 13:34:43 -08:00
Wangnov
089d03453d docs(skills): split tmux send-keys for TUI (#7737) 
* docs(skills): split tmux send-keys for TUI

* docs(skills): soften TUI send-keys wording

---------

Co-authored-by: wangnov <1694546283@qq.com>
 2026-02-03 22:03:47 -08:00