skillshare v0.20.16 Release Notes

TL;DR

1. Repository subdir installs are safer — Skillshare now rejects repository subdirectories that try to escape the repo with traversal segments, backslashes, absolute paths, control characters, or encoded traversal.
2. Blob-style SKILL.md URLs are checked before trimming — GitHub, GitLab, and Bitbucket skill-file URLs now keep suspicious path segments visible to validation instead of silently cleaning them.
3. Metadata stays readable after saves — .metadata.json is written with repository-friendly permissions so Git and other tools can read it after install or update operations.

Bug fix: repository subdir installs reject traversal paths

Source parsing now enforces that repository subdirectories stay inside the repository. Inputs that contain traversal segments or encoded traversal are rejected before install and download flows use them:

skillshare install github.com/owner/repo/../../etc/passwd
# rejected: unsafe repository subdir
skillshare install github.com/owner/repo/skills/frontend
# still accepted

This also covers source formats beyond GitHub shorthand, including SSH URLs, file:// repos, Azure DevOps sources, generic HTTPS Git URLs, and blob-style SKILL.md paths from GitHub, GitLab, and Bitbucket.

Refs: #224.

Bug fix: metadata files stay readable

Skillshare now writes .metadata.json with 0644 permissions when saving metadata. This keeps metadata readable by Git and other tooling after install or update operations replace the file atomically.

Changelog

• ab8bc4c Merge branch 'main' of github.com:runkids/skillshare
• 377faa8 chore: release v0.20.16
• c5544c5 fix(install): preserve unsafe blob subdirs for validation
• 087b5ee fix(install): validate repo subdir and source name in ParseSourceWithOptions
• 0519b0b fix: preserve readable metadata permissions
• a897c2c test(backup): select newest backup dir to fix flaky symlink test
• d21d31e test(install): cover unsafe subdirs across source parsers

skillshare v0.20.15 Release Notes

TL;DR

1. Git operations fail visibly — dashboard branch refreshes, checkouts, and source URL edits now stop when remote updates fail instead of continuing with stale state.
2. Target cleanup is safer — target removal preserves config when filesystem cleanup fails, so users can fix the issue and retry.
3. Automation output is cleaner — version checks handle release-tag formats correctly and JSON-mode cleanup warnings no longer pollute parseable output.

Git operations fail visibly

Dashboard branch refreshes and checkouts now surface fetch failures. If a remote cannot be reached or authentication fails, Skillshare reports the problem instead of showing stale branch data or continuing a checkout with outdated information.

Source URL edits for tracked skills and agents are stricter too. Skillshare updates the repository remote before saving metadata, keeping the displayed source and the repository's remote in sync.

Target cleanup is safer

Removing a target from the dashboard now stops when Skillshare cannot inspect the target, remove managed files, or clean up symlinks. The target remains in config so users can fix permissions or filesystem state and try again without recreating it.

Version checks and JSON output are cleaner

Update checks now accept release versions with a leading v, while malformed versions still fail closed. Local metadata builds only advertise release versions when built from a clean exact tag; other builds stay in dev mode.

JSON-mode commands also stay quiet when temporary Git clone cleanup warnings occur, keeping automation-friendly output parseable.

Skill analysis failures are explicit

Skill linting now reports rule load problems instead of crashing or dropping the error after the first run. Analysis commands get a clear failure when lint rules cannot be loaded.

Dashboard polish

Audit finding severity dots are vertically centered next to their badges and messages.

Changelog

• 451785c chore: release v0.20.15
• 6f49546 fix(install): warn when temp repo cleanup fails
• 224607a fix(server): fail source updates when remote update fails
• e5cf18e fix(server): preserve targets when cleanup fails
• 140df6b fix(server): surface git fetch failures
• bf34d80 fix(ui): center audit finding severity dot
• 306bf99 fix(version): handle release version formats
• 7280ec2 fix(version): reject malformed version segments
• 1bcd02a fix: cache lint load error in package state to persist across Once calls
• 11c31ab fix: handle os.Remove and filepath.Rel errors in symlink conversion
• 5d68439 fix: propagate lint rule load errors
• 4439d11 fix: replace panic with error returns in loadLintRules and LintSkill

Notes

• Full changelog: https://github.com/runkids/skillshare/blob/main/CHANGELOG.md
• Security model docs: https://skillshare.runkids.cc/docs/guides/security
• Command reference: https://skillshare.runkids.cc/docs/commands

Contributors

@12britz

Contributors

• @12britz

skillshare v0.20.14 Release Notes

TL;DR

1. Push failure errors now redact token-auth URLs — failed push output is sanitized before it reaches CLI, API, or dashboard callers.
2. Push diagnostics stay useful — Skillshare still preserves Git and pre-push hook messages, including cases where Git only prints a generic "failed to push some refs" summary.

Bug fix: push failures redact tokens without hiding diagnostics

When Skillshare pushes to a Git remote using token-based authentication, a failed push can include the rewritten credential-bearing URL in Git's error output. That output is now sanitized before being shown to users or returned through API/UI callers, so token values are replaced instead of leaked.

The fix also keeps the useful part of the failure. If Git or a pre-push hook explains why the push was rejected, Skillshare preserves that diagnostic text instead of reducing the error to a generic push failure.

Refs: #214.

Changelog

• 5740574 chore: release v0.20.14
• 01d721a fix(git): preserve push stdout diagnostics
• b48d23b fix(git): sanitize push remote error output

skillshare v0.20.13 Release Notes

TL;DR

1. update --all no longer hides missing tracked repos — the batch path and project mode now report tracked repos that are declared in metadata but missing on disk, instead of silently skipping them.
2. Rehydrate from the web dashboard — the Updates page lists missing tracked repos with a one-click Rehydrate button, and Dashboard "Update All" warns about them instead of reporting nothing to update.

Bug fix: update --all reports missing tracked repos everywhere

v0.20.10 added missing tracked repository detection, and v0.20.11 fixed grouped rehydration. But the detection in update --all only fired when the missing repo happened to be the single update target. With more than one item to update — the common case — the batch path skipped missing repos with no message, and project mode (-p) never looked for them at all.

Now both paths surface every missing tracked repo with a warning and a one-step recovery hint:

skillshare update --all
# ! 1 tracked repo(s) declared in metadata but missing on disk:
# ! _team-skills clone directory absent
# → Run 'skillshare install' to rehydrate tracked repositories
skillshare install # rehydrate the clones from metadata

update --all --json now carries an aggregated missing_tracked_repos summary (the names plus a one-shot rehydrate hint), and each missing repo appears as a skipped item with the concise error clone directory absent.

Refs: #212.

New feature: rehydrate missing tracked repos from the web dashboard

The same recovery is now available in the dashboard. When tracked repos are declared in metadata but their clone directories are absent, the Updates page shows a warning banner listing them with a one-click Rehydrate button that re-clones them from metadata. The Update All action on the Dashboard also warns about missing repos and points to rehydrate, instead of reporting that there is nothing to update.

Refs: #212.

Changelog

• 3ad54ab chore: release v0.20.13
• 68639be ci(website): deploy to cloudflare pages
• fee0698 ci(website): split build and deploy jobs
• 80f1e04 fix(ui): surface missing tracked repos on Dashboard "Update All"
• 54dd7d1 fix(update): surface missing tracked repos in update --all across CLI, API, and UI

skillshare v0.20.12 Release Notes

TL;DR

1. Droid syncs custom droids as agents — the droid target now distributes custom droids alongside skills, and accepts factory as an alias.
2. Project-mode agent symlinks are now relative — agent symlinks created in project mode survive moving or re-checking out the repository.
3. Factory alias and web UI agent filters now match CLI behavior — factory resolves Droid's agents path, and dashboard sync respects target-level agent include/exclude filters.

New feature: Droid custom droids sync as agents

The droid target already synced skills to ~/.factory/skills. It now also syncs custom droids — .md files with YAML frontmatter — through the existing agents sync, mapping them to ~/.factory/droids (global) and .factory/droids (project). Project-level droids override personal ones, matching Droid's own resolution.

The target is also reachable by its brand name via the new factory alias:

skillshare target add factory # same as: skillshare target add droid
skillshare sync agents

Refs: #213.

Bug fix: project-mode agent symlinks are now relative

skillshare sync agents created absolute symlinks in project mode, which broke when the repository was moved to a new path or checked out on another machine. Agent symlinks now use relative paths, matching how project skill symlinks already work, so a synced project stays portable.

Bug fix: Factory alias syncs Droid agents correctly

Adding the Droid target by its factory alias now resolves both the skills path and the built-in agents path. skillshare sync agents writes custom droids to ~/.factory/droids in global mode and .factory/droids in project mode instead of skipping factory as an agentless target.

Bug fix: Web UI sync respects agent filters

Dashboard sync now honors target-level agents.include and agents.exclude filters before syncing agents, matching skillshare sync from the CLI. The same filtered agent set is used for pruning, so agents that become excluded are removed from target directories on the next sync.

Refs: #211.

Changelog

• 060886c chore: release v0.20.12
• 9176c86 feat(targets): add agents sync and factory alias to droid target
• 51656e9 fix(sync): keep project agent symlinks stable across syncs on symlinked paths
• 59754ca fix(sync): resolve agent target aliases
• abdee14 fix(ui): respect agent filters during sync
• 2b08bdf fix: use relative project symlinks for agents

skillshare v0.20.11 Release Notes

TL;DR

1. Grouped tracked repository recovery is fixed — skillshare install now rehydrates tracked repos installed with --track --into <group> at their original grouped path.

Bug fix: grouped tracked repositories rehydrate correctly

v0.20.10 added missing tracked repository detection and the skillshare install recovery path for fresh clones. v0.20.11 fixes the grouped tracked repo case: if a repo was installed with --track --into <group>, rehydrate now restores the clone under the original group instead of applying the group twice.

skillshare install https://github.com/team/skills.git --track --into team
# On another machine or after removing the local clone:
skillshare install
skillshare sync

This keeps the cross-machine recovery flow working for both top-level tracked repos and grouped tracked repos.

Changelog

• 78b3fc0 chore: release v0.20.11
• cfe3d90 fix: rehydrate tracked repos under groups

skillshare v0.20.10 Release Notes

TL;DR

1. Missing tracked repositories are now visible — if a fresh clone has tracked repo metadata but the local _repo/ clone is missing, Skillshare reports it instead of silently showing no tracked repos.
2. Recovery is explicit — status, check, update --all, and doctor now point users to skillshare install to rehydrate tracked repos from metadata.

Bug fix: missing tracked repositories after a fresh clone

Tracked repository clone directories are intentionally ignored by git because they preserve their own .git directories. That keeps your Skillshare source repo from accidentally committing nested git repos, but it also means a second machine can have .metadata.json entries for tracked repos while the actual _repo/ clone directories are absent.

Previously, commands such as skillshare status --json, skillshare check --json, and skillshare update --all --json only looked for tracked repos that existed on disk. In that split state they could report an empty tracked repo list or zero updates, making cross-machine setup look successful even though the tracked skills were missing.

Skillshare now detects metadata-backed tracked repos whose clone directory is missing and reports them clearly. The recovery path is the no-argument install command:

skillshare install
skillshare sync

For project mode, use:

skillshare install -p
skillshare sync -p

doctor --json also includes a warning with the same suggestion, and update --all --json counts the missing repo as skipped with an explanatory item so automation can detect the problem.

Changelog

• ecb31a0 chore: release v0.20.10
• 6a0d1b7 ci(release): add proposal for release-please automation
• ef57f03 fix: report missing tracked repositories
• 10d94a3 fix: suggest install for missing tracked repos

Notes

• Full changelog: https://github.com/runkids/skillshare/blob/main/CHANGELOG.md
• Security model docs: https://skillshare.runkids.cc/docs/guides/security
• Command reference: https://skillshare.runkids.cc/docs/commands

Contributors

@rhysmcneill

Contributors

• @rhysmcneill

skillshare v0.20.9 Release Notes

TL;DR

1. Batch enable/disable in the web dashboard — select multiple skills or agents on the Resources page and enable or disable them all at once.
2. enabled: false now works for tier and cross-skill audit rules — disabling one of these rules in audit-rules.yaml actually stops it from firing.

New feature: batch enable/disable in the web dashboard

Until now the dashboard could only enable or disable one resource at a time, through the right-click menu or the detail page. With a large source directory, turning a whole group on or off meant a lot of repeated clicks.

The Resources page now has a selection mode. Click Select in the toolbar, then tick the skills or agents you want — in any view:

• Grid and table views show a checkbox on each item.
• Folder view adds a select-all checkbox on each folder, so you can grab an entire folder (and its subfolders) in one click.

A bottom action bar shows how many items are selected, with Enable and Disable buttons. Enabling applies immediately; disabling asks for confirmation first and lists what will be turned off. It works for both skills (managed via .skillignore) and agents (.agentignore), and the same checkbox style is used across every view.

This is a dashboard-only feature; the CLI's existing skillshare enable / skillshare disable commands are unchanged.

Bug fix: enabled: false for tier and cross-skill audit rules

Tier and cross-skill audit findings are generated by the scanner rather than read straight from the rule list, so setting enabled: false on one of them in audit-rules.yaml showed it as disabled in the rule listing but didn't actually stop the scan — it still fired at full severity.

Disabling a tier or cross-skill rule now suppresses it in both the per-skill scan and the single-file scan, matching how regular rules already behave.

Changelog

• 26ca9f0 chore: release v0.20.9
• 90f9609 feat(resources): add batch enable/disable in web UI
• 6e86537 fix(audit): honor enabled:false for synthetic tier and cross-skill findings

skillshare v0.20.8 Release Notes

TL;DR

1. SSH-only GitHub Enterprise hubs install correctly — same-host domain-prefixed entries from an SSH hub now inherit the hub's SSH login instead of falling back to HTTPS.
2. Private SSH hub previews work better — SSH GitHub/GHE previews fall back to a shallow clone when API access is unavailable, so the dashboard can show full SKILL.md content.
3. Complex .skillignore patterns are faster — repeated ** rules no longer cause slow scans.

Bug fix: SSH-only GitHub Enterprise hub installs

Some teams keep their hub index in a private GitHub Enterprise repository and access it only over SSH:

skillshare hub add acme@acme.ghe.com:Org/skills.git --label team
skillshare search reviewer --hub team

When that hub returned a same-host domain-prefixed source such as acme.ghe.com/Org/skills/skills/reviewer, skillshare treated it as an HTTPS source and the install could fail without a token.

Search results from an SSH GitHub/GHE hub now inherit the hub's SSH username and host for same-host domain-prefixed entries. Explicit HTTPS or SSH entries keep their exact source, cross-host entries are left alone, and local or in-memory indexes keep the previous behavior.

Bug fix: private SSH hub previews

The dashboard preview can now show full skill content for more SSH-only private hub results. For SSH GitHub/GHE sources, skillshare still uses the Contents API when a token is available, but falls back to a shallow clone when no token exists or the API rejects the request.

This keeps preview behavior aligned with install behavior: if your SSH keys can clone the source, the preview can usually read its SKILL.md too.

Performance: faster .skillignore globstar matching

Repeated globstar patterns such as **/**/** could make ignore matching slow during scans. The matcher now avoids that backtracking pattern, so commands that walk skills and apply .skillignore rules stay responsive even with complex ignore files.

Changelog

• e4ba033 chore: release v0.20.8
• 872a6ad fix(skillignore): memoize matchSegments to prevent exponential backtracking
• 4b9d04a optimize skillignore globstar memoization
• 6b8923d replace em dash with colon in test message to avoid Unicode warning

skillshare v0.20.7 Release Notes

TL;DR

1. Disabled skills uninstall cleanly from the dashboard — skills hidden by .skillignore can now be removed from the item menu or detail page without a misleading "skill not found" error.
2. Trash stays responsive with large lists — the Trash page now renders long skill and agent trash folders incrementally instead of loading every card at once.

Bug fix: single-skill uninstall for disabled skills

Disabled skills still appear in the dashboard so you can review, re-enable, or remove them. In some single-resource uninstall flows, removing one of those disabled skills could fail with "skill not found" even though the skill was visible on the Resources page.

Single-skill uninstall now resolves disabled skills the same way the list and batch uninstall flows do. If a skill is hidden by .skillignore, you can still uninstall it from the dashboard and it will move to trash as expected.

Performance: faster Trash page for large trash folders

The Trash page now virtualizes long lists of trashed skills and agents. Instead of rendering every trashed item card at once, the dashboard renders the visible list incrementally as you scroll.

This keeps the page responsive when your trash folder contains many old skills or agents, while preserving the same restore, delete, and empty-trash controls.

Changelog

• e81b042 chore: release v0.20.7
• 419bbaa fix(server): uninstall disabled skills from resource endpoint
• 306d1e3 perf(ui): virtualize trash list