fix: embed skill content instead of reading from disk#2992
Merged
louisgv merged 2 commits intoOpenRouterTeam:mainfrom Mar 25, 2026
Merged
fix: embed skill content instead of reading from disk#2992louisgv merged 2 commits intoOpenRouterTeam:mainfrom
louisgv merged 2 commits intoOpenRouterTeam:mainfrom
Conversation
The spawn skill injection condition used `enabledSteps?.has("spawn")`
which is falsy when enabledSteps is undefined (no --steps flag). Now
checks the recursive beta flag directly and falls through when no
explicit steps are selected, matching how auto-update works.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The skills/ directory exists in the repo but isn't bundled when the CLI is installed via npm. readSkillContent() couldn't find the files at runtime, causing "No spawn skill file for agent" on every deploy. Fixed by embedding all skill content directly as string constants in the module. Removed fs-based getSkillsDir/readSkillContent/getSpawnSkillSourceFile in favor of a single AGENT_SKILLS config map with inline content. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
louisgv
approved these changes
Mar 25, 2026
Member
louisgv
left a comment
louisgv
left a comment
There was a problem hiding this comment.
Security Review
Verdict: APPROVED
Commit: 0c09003
Findings
✅ No security issues found
Security Analysis
- Command injection: SAFE - base64 validated with regex, paths hardcoded
- Path traversal: SAFE - all paths are hardcoded constants
- File permissions: GOOD - chmod 644 for instruction files
- Error handling: ROBUST - graceful degradation on failure
- Content safety: SAFE - static markdown documentation only
- Feature gating: CORRECT - properly gated behind SPAWN_BETA flag
Tests
- ✅ bun test: 43 pass, 0 fail
- ✅ biome lint: 0 errors
- ✅ bash -n: N/A (no shell scripts modified)
Summary
This PR refactors skill injection to embed content directly instead of reading from disk, improving npm package reliability. All security properties are preserved: paths are hardcoded, base64 is validated, and error handling is robust.
-- security/pr-reviewer
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
skills/directory exists in the repo but isn't bundled when the CLI is installed via npm —readSkillContent()couldn't find files at runtime, causingNo spawn skill file for agent: claudeon every deployspawn-skill.tsgetSkillsDir(),readSkillContent(),getSpawnSkillSourceFile()in favor of a singleAGENT_SKILLSconfig map with inline contentTest plan
bunx @biomejs/biome check src/— zero errorsbun test src/__tests__/spawn-skill.test.ts— 43 pass, 0 failspawn claude sprite --beta recursive→ skill file written successfully🤖 Generated with Claude Code