* fix(xurl): use install kind "node" instead of invalid "npm" [AI]
The xurl skill's second installer declares kind "npm", which is not a
valid install kind. The installer switches on spec.kind with cases for
brew/node/go/uv/download and a default of "unsupported installer", so the
entry is dropped -- `openclaw skills info xurl` only offers the brew
option, leaving no install path on machines without Homebrew.
npm-backed installs use kind "node" (which honors
skills.install.nodeManager, default npm). Only kind is changed;
id/package/bins are left as-is.
Verified against openclaw 2026.6.11 in a container:
before (kind: npm): Install options: → Install xurl (brew)
after (kind: node): Install options: → Install @xdevplatform/xurl (npm)
* fix(github): drop non-functional "apt" install entry [AI]
The github skill's second installer declares kind "apt", which is not a
supported install kind (installer switch handles brew/node/go/uv/download
+ default "unsupported installer"). openclaw silently drops it -- `skills
info github` only ever surfaces the brew option -- so the entry is dead,
misleading metadata rather than a working Linux path.
The remaining brew installer is cross-platform (Homebrew runs on Linux),
so removing the dead entry loses no working path. Improving install paths
for Linux users without Homebrew is tracked separately in #57555
(needs-product-decision).
* docs: tailor imsg skill for OpenClaw agents
* docs(imsg-skill): document that poll send echoes --question as a visible comment
* docs(imsg-skill): note inbound native poll question is backfilled from its caption
* docs(imsg-skill): document only shipped poll behavior
Drop the poll caption echo, --comment override, and inbound question
backfill from the imsg skill: those live in imsg PR openclaw/imsg#155,
not shipped imsg 0.12.2 (poll --help exposes only --question/--option).
Also removes the inaccurate 'reply comment whose reply_to is the poll
guid' framing — #155 sends the caption as a plain message, not a reply.
Keeps shipped poll send/vote usage. Re-add once a release ships #155.
---------
Co-authored-by: Omar Shahine <10343873+omarshahine@users.noreply.github.com>
* fix(session-memory): recover archived reset transcripts
* docs(session-logs): include archived transcripts in skill examples
Plain .jsonl globs miss .jsonl.reset.*Z and .jsonl.deleted.*Z files,
which still contain real transcript content. Add explicit guidance and
a list_session_transcripts helper so searches can opt in to full
history when needed.
Pairs with the session-memory recover-from-archive fix in the same
branch.
* docs(session-logs): scope nullglob and use while-read in helper
Address Greptile review feedback on PR #71537:
* nullglob is now saved and restored inside list_session_transcripts so
the helper does not change the caller shell environment when sourced.
* Replace 'for f in $(list_session_transcripts)' tip with a 'while
IFS= read -r' loop so paths with spaces or other IFS characters are
handled correctly. Include a worked example using the same date+size
listing the surrounding section already documents.
Doc only, no runtime behavior change.
Summary:
- The branch adds bundled skill-creator guidance to route durable OpenClaw skill work through Skill Workshop proposals and removes the direct `init_skill.py` scaffold helper plus its test.
- PR surface: Docs +6, Other -429. Total -423 across 3 files.
- Reproducibility: yes. source-level: current main has `init_skill.py` writing a live `SKILL.md` directly, whi ... `. I did not run the direct helper as a repro because this review was read-only and that path writes files.
Automerge notes:
- No ClawSweeper repair was needed after automerge opt-in.
Validation:
- ClawSweeper review passed for head 8eca1654472e50283ba7deed5f3220cc8213be94.
- Required merge gates passed before the squash merge.
Prepared head SHA: 8eca1654472e50283ba7deed5f3220cc8213be94
Review: https://github.com/openclaw/openclaw/pull/98346#issuecomment-4849855806
Co-authored-by: momothemage <niuzhengnan@163.com>
Approved-by: momothemage
Pass runtime config into CLI ClawHub skill updates so install policy sees configured safety rules, and update the bundled ClawHub skill docs to prefer openclaw skills for normal skill management. Keeps update-all limited to tracked ClawHub installs and intentionally leaves bundled-skill deprecation, legacy bootstrap, and Sherpa packaging for separate follow-up. Proof: focused ClawHub/CLI tests passed, autoreview clean, remote check:changed passed on Blacksmith Testbox tbx_01kvq0ywztsvw9vdc8zz1xktea; wrapper install/build/check passed, with full local pnpm test failing in unrelated baseline areas already reproduced on latest origin/main.
Move Canvas, Discord, Slack, voice-call, and WhatsApp skill docs from the root bundled skill tree into their owning plugin packages, with manifest skills declarations and docs/test path updates.
Validation:
- node --import tsx scripts/sync-plugin-versions.ts --check
- node scripts/run-vitest.mjs src/skills/loading/env-path-guidance.test.ts
- autoreview clean
- Crabbox Azure pnpm check:changed run_59ba76511d57 / lease cbx_cbc6750dad72
- wrapper prepare passed pnpm install --frozen-lockfile, pnpm build, and pnpm check before the oversized full local pnpm test was stopped
Follow-up: #95132 remains as the stacked PR for the rest of the starter-skill/Sherpa/ClawHub work.
Summary:
- The PR adds `curl` to the bundled Trello skill's `metadata.openclaw.requires.bins` entry.
- PR surface: Docs 0. Total 0 across 1 file.
- Reproducibility: yes. at source level. Current main and v2026.6.8 declare only `jq` for Trello while the skill body uses `curl`, and the shared requirement evaluator checks only declared bins.
Automerge notes:
- No ClawSweeper repair was needed after automerge opt-in.
Validation:
- ClawSweeper review passed for head 83ae5e8bef.
- Required merge gates passed before the squash merge.
Prepared head SHA: 83ae5e8bef
Review: https://github.com/openclaw/openclaw/pull/94729#issuecomment-4747397470
Co-authored-by: liuhao1024 <sunsky.lau@gmail.com>
* fix(skills/1password): stop forcing tmux for desktop app auth (#52540)
The bundled skill currently mandates that every `op` invocation run inside
a fresh tmux session. That guidance is wrong on every desktop-app-integration
setup (macOS/Windows/Linux) because the 1Password app exposes the CLI over
a per-user Unix domain socket the gateway exec env can reach but tmux
subshells generally cannot — wrapping in tmux produces "1Password CLI
couldn't connect to the 1Password desktop app" failures.
Rewrite the skill to detect auth mode first and only use tmux for the one
case where it actually helps:
- Service account (`OP_SERVICE_ACCOUNT_TOKEN`): direct exec, no signin.
- Desktop app integration: direct exec, never tmux. Note the macOS socket
location (`~/Library/Group Containers/2BUA8C4S2C.com.1password/t/`) so
agents can recognize the failure mode.
- Standalone interactive signin: tmux is the right tool because it
preserves the per-shell session token written by `op signin`.
Update Guardrails and the get-started reference accordingly. Drop the
blanket 'do not run op outside tmux' rule.
Fixes#52540
* fix(skills/1password): correct desktop-app IPC wording and signin example
Address PR #75090 review:
- Replace the blanket 'per-user Unix domain socket' description with
per-platform wording: XPC via the 1Password Browser Helper on macOS,
a Unix domain socket on Linux, a named pipe on Windows. Keep the macOS
group-container path as a symptom indicator only, not as a transport
claim. Mirror the same correction in the get-started reference and the
changelog entry.
- Fix the standalone-signin tmux example: `op signin` was being sent as
a plain command, so its eval-style export was printed but never applied.
Subsequent `op whoami` and `op vault list` calls would fail because
the OP_SESSION_* env var was never set. Wrap the call in
`eval "$(op signin ...)"` so the session token is exported into the
tmux pane environment as the surrounding text describes.
Same direct-exec direction; tighter and more accurate.
* docs(1password): clarify Windows standalone signin
* Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* fix(skills/1password): repair auth-mode guidance
---------
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Co-authored-by: openclaw-clownfish[bot] <280122609+openclaw-clownfish[bot]@users.noreply.github.com>
The previous `read_text(encoding="utf-8")` call left the UTF-8 byte
order mark (EF BB BF, three bytes) in the content string if the file
was saved by a tool that emits a BOM. The first line check
(`lines[0].strip() != "---"`) then saw "\ufeff---" and rejected the
file as "Invalid frontmatter format", even though the document was
otherwise valid frontmatter.
Co-authored-by: Zo Bot <github-automation@zo.computer>
Fixes#37748.
Sort skill package archive entries by relative POSIX archive name so generated `.skill` bundles are reproducible regardless of filesystem traversal order.
Verification:
- `PYTHONDONTWRITEBYTECODE=1 python3 skills/skill-creator/scripts/test_package_skill.py`
- `git diff --check origin/main...HEAD`
- GitHub CI run 26690938925 on `43a0fdf717`: all checks passed except repeated unrelated no-output timeouts in `checks-node-agentic-commands-doctor` and `checks-node-core-runtime-infra-state` after visible tests passed.
Summary:
- The PR makes skill-creator quick validation reject empty or whitespace-only `name` and `description` fields, adds regression tests, and records the fix in the changelog.
- Reproducibility: yes. Source inspection on current main shows empty or whitespace-only values skip validation after `.strip()`, and the source PR includes before/after terminal output for the same path.
Automerge notes:
- PR branch already contained follow-up commit before automerge: fix(skill-creator): reject empty name and description in skill valida…
Validation:
- ClawSweeper review passed for head 0fb4555cb2.
- Required merge gates passed before the squash merge.
Prepared head SHA: 0fb4555cb2
Review: https://github.com/openclaw/openclaw/pull/83704#issuecomment-4479984760
Co-authored-by: jay <a1@ponys-Mac.local>
Co-authored-by: clawsweeper <274271284+clawsweeper[bot]@users.noreply.github.com>
Co-authored-by: clawsweeper[bot] <274271284+clawsweeper[bot]@users.noreply.github.com>
Approved-by: takhoffman
Co-authored-by: takhoffman <781889+takhoffman@users.noreply.github.com>
When OpenClaw spawns an agent shell with a different HOME than the user
that ran `gh auth login` (per-agent codex homes, systemd User= services,
sudo'd shells), `gh` looks at $XDG_CONFIG_HOME/gh or $HOME/.config/gh and
reports "not logged into any GitHub hosts" even though the operator HOME
has a valid hosts.yml.
Add `detectGhConfigDirMismatch` in src/agents/skills/gh-config-discovery.ts:
a pure helper that takes process env plus a fileExists probe and returns
either "auth-discoverable", "no-known-auth", "explicit-gh-config-dir-set",
or a "mismatch" with the alternate config dir, the host file path, and a
suggested GH_CONFIG_DIR value to set on the gateway service environment.
The helper checks `/root`, `$SUDO_USER`'s home, and `$USER`'s home as
candidate operator homes on Linux/macOS, and uses platform-specific path
joins so the same logic works on Windows test runners.
Wire the helper into the doctor skills health flow: when the github skill
is reported and the gh binary is present, call the discovery helper and,
on a mismatch, print a "GitHub CLI" note with the operator-actionable
fix instructions before any unavailable-skill repair prompt.
Update skills/github/SKILL.md with a troubleshooting subsection that
documents GH_CONFIG_DIR for service/agent environments where HOME differs
from the user that ran `gh auth login`.
Fixes#78063.