ocas-forge
Facilitates the design, construction, and validation of Agent Skill packages through a structured six-phase pipeline.
Security score: 85/100
The ocas-forge skill was audited on Jun 13, 2026 and we found 3 security issues across 1 threat category. Review the findings below before installing.
Security Issues
medium line 141
Access to home directory dotfiles
Source: SKILL.md
| 139 | ## Cross-platform portability |
| 140 | |
| 141 | Skills that hardcode `~/.hermes/` paths will NOT work on other agent harnesses (OpenClaw, Claude Code, Cursor, etc.). When building a new skill: |
| 142 | |
| 143 | - **Use `{agent_root}`** as the base for all paths inside the skill's storage layout diagrams. This variable resolves to whatever harness the skill runs on. |
medium line 144
Access to home directory dotfiles
Source: SKILL.md
| 142 | |
| 143 | - **Use `{agent_root}`** as the base for all paths inside the skill's storage layout diagrams. This variable resolves to whatever harness the skill runs on. |
| 144 | - **NEVER hardcode `~/.hermes/`** in file paths, storage diagrams, or operational descriptions. Even for Hermes-native skills, use `{agent_root}/sessions/`, `{agent_root}/skills/`, `{agent_root}/references/` instead. |
| 145 | - **Mention the target harness** in the frontmatter with a `requires:` field if the skill depends on Hermes-specific tools (`memory`, `skill_manage`, `session_search`, `cronjob`). Example: `requires: hermes`. This tells other harnesses to skip the skill. |
| 146 | - **Document Hermes-specific tool dependencies** in a "Required tools" section so future porters know what to adapt. |
medium line 175
Access to home directory dotfiles
Source: SKILL.md
| 173 | - **Non-durable fixes**: If a fix or rule is added to a skill, ensure it is in the skill's own git repo or in MEMORY.md — not in hermes core, which gets wiped on updates. |
| 174 | - **Skill library organization**: The target shape is CLASS-LEVEL umbrella skills. Session-specific artifacts should be absorbed into existing umbrellas, not created as standalone skills. |
| 175 | - **Frontend anti-slop reference**: When building any skill that produces or evaluates frontend UI, load the anti-slop rules from the taste-skill reference at `~/.hermes/references/design/taste-skill/anti-slop-rules.md` and the pre-flight checklist at `~/.hermes/references/design/taste-skill/anti-slop-preflight.md`. These are the canonical AI-frontend anti-pattern references. See `~/.hermes/references/design/INDEX.md` §6 for the full taste-skill integration. |
| 176 | - **Runaway repo creation (`forge.sync`)**: The `forge.sync` and `forge.consolidate` workflows call `gh repo create` for any skill they process, and default to `--public`. Before creating any GitHub repo, check whether the skill is a known 3rd-party skill (hermes-agent bundled skills, agentskill.sh skills, hub-installed skills, etc.). If it is, **do NOT create a repo for it**. Creating repos for 3rd-party skills pollutes the user's GitHub and can accidentally publish code that isn't theirs. Keep 3rd-party skills local-only unless the user explicitly asks to publish. |
| 177 | - **Panic reporting**: When checking for the existence of skills or repos, verify the actual state (local directory, git remote, GitHub API) before reporting catastrophic findings like "lost and deleted with no copy." Incorrect panic reports erode trust and waste investigation time. |
Scanned on Jun 13, 2026
Rating: 5.01
Category: product
Updated: June 13, 2026
Tags: claude, claude-code, cursor, hermes, frontend, design, docx, git, api, testing, product-manager, technical-pm, growth-pm, ux-designer, backend-developer, github, product, design, development
indigokarasu/forge