Add SafeSkill security badge (50/100 — Use with Caution) #2
Open
OyaAIProd wants to merge 1 commit into
Signed-off-by: SafeSkill Scanner <mk@oya.ai>
amingclawdev added a commit that referenced this pull request May 15, 2026
…plit)
Add an inline mcpServers block to .claude-plugin/plugin.json so Claude Code recognizes the Aming Claw MCP server during plugin install. Use ${CLAUDE_PLUGIN_ROOT} for cwd (per Claude Code plugin docs) instead of pointing at the shared .mcp.json — that file is also consumed by Codex plugin install and Claude Code workspace-open, so it cannot be made plugin-cache-specific without breaking those.
Scope: MANIFEST ONLY. Acceptance #1 (host schema recognition) and part of #3 (test distinguishes skill install from MCP server availability) addressed. Acceptance #2 (fresh Claude install discovers 30 MCP tools and 7 resources) is NOT yet met — requires the cache-runtime fix in the row's merged content (generate runtime-aware .mcp.json in aming-claw plugin install). Split to a follow-on MF for codex's plugin_installer.py stream. Row remains OPEN.
Focused tests: python -m pytest agent/tests/test_package_install.py -q (24 passed)
Validation: claude plugin validate .claude-plugin/plugin.json -> Validation passed; claude plugin validate . -> Validation passed
Chain-Source-Stage: observer-hotfix
Chain-Project: aming-claw
Chain-Bug-Id: BUG-CLAUDE-PLUGIN-MCP-SERVERS-NOT-BUNDLED
amingclawdev added a commit that referenced this pull request May 15, 2026
Remove plugin-time dependencies on root CLAUDE.md from skills/aming-claw-launcher/SKILL.md so the skill is self-sufficient when loaded as a Claude plugin (where CLAUDE.md is not loaded as plugin context).
Three changes in launcher SKILL.md:
- Preview Flow step 2: drop the "(see project rules in CLAUDE.md)" parenthetical; the inline rule "do not let the plugin session spawn executor workers" is the actual operational rule.
- Project-Local Plugin Contract: remove the bullet that listed CLAUDE.md as a plugin asset (CLAUDE.md is workspace context, not part of plugin contract); add inline note clarifying the workspace/plugin boundary.
- References: reframe the CLAUDE.md link as "Workspace project rules (workspace-only context; plugin-time guidance lives in this skill, not in CLAUDE.md)".
Validation: On Claude Code CLI 2.1.116, claude plugin validate . and claude plugin validate .claude-plugin/plugin.json both pass clean — the "CLAUDE.md not loaded as plugin context" warning the row premised was not reproducible (may exist on 2.1.140 install-time path, in which case it remains non-blocking because CLAUDE.md is intentionally workspace-context-only).
Acceptance criteria met: #1 plugin-visible instructions do not rely on root CLAUDE.md, #2 CLAUDE.md preserved for workspace use, #3 validation warning documented as non-reproducible/non-blocking.
Focused tests: python -m pytest agent/tests/test_package_install.py -q (24 passed)
E2E: e2e_not_applicable — skill text-only change, no dashboard/runtime behavior surface
Chain-Source-Stage: observer-hotfix
Chain-Project: aming-claw
Chain-Bug-Id: DOC-CLAUDE-PLUGIN-ROOT-CLAUDEMD-NOT-LOADED
🟠 SafeSkill Security Scan Results
Top Findings
- dbservice/lib/knowledgeStore.js:137
- dbservice/lib/memoryRelations.js:79
- dbservice/lib/memoryRelations.js:185
- agent/governance/dashboard_dist/assets/index-XzC3tyEx.js:44
- agent/governance/dashboard_dist/assets/index-XzC3tyEx.js:44

View full report on SafeSkill
About SafeSkill
SafeSkill is a free, open-source security scanner for AI tools, MCP servers, and Claude Code skills. We scan for code exploits, prompt injection, and data exfiltration risks.
False positive? We take accuracy seriously. If any finding above is incorrect, please open an issue and we will fix it immediately.