feat: discover skills from Claude plugin manifests#259
feat: discover skills from Claude plugin manifests#259quuu merged 4 commits intovercel-labs:mainfrom
Conversation
Add support for discovering skills declared in `.claude-plugin/marketplace.json` and `.claude-plugin/plugin.json` files. This enables compatibility with the Claude Code plugin marketplace ecosystem. - Add `getPluginSkillPaths()` to extract skill directories from manifests - Integrate manifest discovery into existing `discoverSkills()` flow - Document the feature in README.md → In-collaboration-with: [Claude Code](https://claude.com/claude-code)
|
@galligan is attempting to deploy a commit to the Vercel Team on Vercel. A member of the Team first needs to authorize it. |
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 9cb0c93a92
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
Add containment check to reject manifest paths that escape basePath via `..` segments or absolute paths. This prevents malicious repos from causing skill discovery to read files outside the cloned repository. → In-collaboration-with: [Claude Code](https://claude.com/claude-code)
|
Fixed in c05d3a5 — added |
Add validation that pluginRoot, source, and skill paths must start with './' to match Claude Code plugin manifest conventions. Paths without the prefix are now skipped. → In-collaboration-with: [Claude Code](https://claude.com/claude-code)
![vercel[bot]](https://avatars.githubusercontent.com/in/8329?s=60&v=4){kind=small}
UpdatesAdded two security/compliance fixes based on review feedback and Claude Code documentation: 1. Path traversal prevention (c05d3a5)
2. Enforce
|
Replace hardcoded '/' with path.sep and add normalize() for Windows compatibility where paths use '\' as separator. → In-collaboration-with: [Claude Code](https://claude.com/claude-code)
galligan
changed the title
2 participants
Summary
.claude-plugin/marketplace.jsonand.claude-plugin/plugin.jsonfilesCloses #121
Details
When a repository contains plugin manifest files, this PR extracts skill paths from them and includes those directories in the skill discovery search. This allows plugins that declare their skills explicitly in manifest files to be discovered without requiring skills to live in conventional directories.
New file:
src/plugin-manifest.ts- Parses marketplace.json and plugin.json, returning directories to search for skills.Modified:
src/skills.ts- CallsgetPluginSkillPaths()during priority directory discovery phase.Tests: Comprehensive test coverage for both manifest formats and edge cases.
Test plan
npm test- all tests pass including new plugin-manifest tests→ In-collaboration-with: Claude Code