potiuk opened a new pull request, #84: URL: https://github.com/apache/airflow-steward/pull/84
> [!NOTE] > **Stacked on top of [#81](https://github.com/apache/airflow-steward/pull/81)** (security-audit fixes). Once #81 merges, this PR's base auto-rebases to `main`. ## Summary Adapts the upstream `skill-creator` skill from [`JuliusBrussee/awesome-claude-skills`](https://github.com/JuliusBrussee/awesome-claude-skills/tree/5380239b724883543db9e9e2de56c4dd8796090d/skill-creator) (Apache-2.0) into a new framework skill at `.claude/skills/write-skill/`. The upstream flow shape (anatomy of a skill, progressive disclosure, 6-step creation process) is preserved; the framework-specific shape and the prompt-injection-defence patterns from the [2026-05 audit](https://gist.github.com/andrew/0bc8bdaac6902656ccf3b1400ad160f0) are baked in as defaults so future skills authored through this flow inherit those lessons rather than rediscovering them in a future audit. ## Substantial adaptations vs. upstream | Adaptation | Why | |---|---| | Renamed `skill-creator` → `write-skill` | Matches the framework's verb-prefixed naming convention. | | Frontmatter rewritten to framework schema (`license: Apache-2.0` exact string, `when_to_use` alongside `description`, SPDX comment, placeholder-convention comment) | Framework's existing skills follow this shape; the validator enforces it. | | Step 3 uses the adapted `scripts/init_skill.py` | Scaffolds Adopter overrides, Snapshot drift, placeholder convention, SPDX header, plus conditional placeholders for the injection-guard callout (Pattern 4) and Privacy-LLM gate-check (Pattern 6). | | Step 5 (packaging) dropped — `package_skill.py` and `quick_validate.py` not included | The framework distributes skills via the snapshot model documented in `docs/setup/install-recipes.md`, not zip artefacts. Validation is via the existing `tools/skill-validator/`. | | **New Step 5 (security checklist)** — hard walk-through of the 9 prompt-injection-defence patterns | The load-bearing adaptation. Patterns live in `.claude/skills/write-skill/security-checklist.md`. | ## Attribution (per ASF [licensing-howto](https://infra.apache.org/licensing-howto.html)) - **LICENSE.txt** copied verbatim from upstream into `.claude/skills/write-skill/LICENSE.txt`. - **NOTICE** updated with a *"Third-party content"* section crediting Julius Brussee and the upstream repo. - **`SKILL.md` § Provenance** pins the exact upstream commit (`5380239b`) and enumerates the adaptations so a future maintainer can diff against the upstream cleanly. ## What lives in the new skill directory ```text .claude/skills/write-skill/ ├── LICENSE.txt # Apache-2.0, kept from upstream ├── SKILL.md # adapted, ~330 lines ├── security-checklist.md # 9 audit patterns + recipes, ~190 lines └── scripts/ └── init_skill.py # adapted scaffolder, ~210 lines ``` ## Test plan - [x] `prek run --all-files` clean against PR #81's tip. - [x] Smoke-test: `python3 .claude/skills/write-skill/scripts/init_skill.py test-skill --path /tmp/test-skill` scaffolds the expected layout. - [ ] After merge, write a real skill through this flow on a small task and confirm the scaffolded SKILL.md needs only filling in (no structural surgery). The next "I want a skill that does X" request is the natural test case. - [ ] After merge, the `tools/skill-validator/` run against the scaffolded SKILL.md should pass once the TODO markers are filled — confirm on the first real use. ## Out of scope - Wiring the security-checklist patterns into existing skills as automated checks — the patterns are documented expectations met by the skill author, not mechanically enforced. PR #81 already audited the existing skills against these patterns; this PR ensures *new* skills inherit them by default. - Adapting `package_skill.py` from upstream — the framework doesn't distribute via zip, so the script has no place to land. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
