Growth: distribution, skill marketplace, external skill pinning + audit, local overlay#85
Conversation
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request introduces several major features to dotagents, including a local configuration overlay (dotagents.local.yaml), external skill pinning with a lockfile (dotagents.lock), a security audit tool for external skills, and validation against the agentskills.io specification. The review feedback highlights critical issues in the lockfile generation and git synchronization: specifically, partial updates can silently unpin un-cloned repositories from the lockfile, and git fetch --unshallow will fail on complete repositories, requiring a fallback to a normal fetch.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
yourconscience
force-pushed
the
claude/dotagents-growth-ideas-xu19yv
branch
from
4cc1097 to
9113b94
Compare
1 participant
Implements the approved growth ideas from the tech-search analysis.
1. Distribution
.goreleaser.yaml+release.ymlworkflow: pushing av*tag builds darwin/linux amd64/arm64 binaries and publishes GitHub Releases.go install) and an honest comparison table vs skillshare, vsync, and agents-cli.2. Skill marketplace (cross-agent)
.claude-plugin/marketplace.jsonexposes the portable skills (tech-search, grill-me, humanizer, repo-eval, spec, pr-triage, tmux) as single-skill plugins:/plugin marketplace add yourconscience/dotagents. Personal skills (jobs, remote-access, gws, tg, ...) are simply not listed.skills:allowlist onexternal_skillssources lets any dotagents user (and by extension Hermes/Amp/Droid/Codex/Pi) consume a subset of this repo's skills. Documented for skillshare consumers too.3. External skill pinning + audit + personal overlay
dotagents.lock: sync records each external source's commit and keeps it pinned;dotagents external listshows pin state,dotagents external update [name ...]moves to latest and rewrites the lock.dotagents doctorgains three checks:external skill lock(unpinned/drifted sources),external skill audit(pipe-to-shell, base64-to-shell, prompt-injection phrasing, hidden-from-user wording, credential paths — warn-only), andskill spec(validates all skills against the agentskills.io Agent Skills spec; all 15 current skills conform).dotagents.local.yaml(gitignored) merges overdotagents.yamlby name, so personal agents/sources/MCP/hooks/plugins can move out of public git.Verification
go build,go vet,gofmt,golangci-lint run(0 issues), fullgo test ./...pass; 20+ new tests for lock, allowlist, audit patterns, overlay merge, and spec validation.dotagents doctorsmoke-run in container: new checks pass; fixed pre-existing warn by listingtgin the README skill list.https://claude.ai/code/session_01URU7SGkj54HYMEs2sZ19y7
Generated by Claude Code