github runkids/skillshare v0.15.3

🛠️ skillshare v0.15.3 Release Notes

Release date: 2026-02-22

TL;DR

v0.15.3 adds batch audit scanning, a new audit rule, hub auth token injection, and changes pull to merge by default:

  1. Multi-name and --group audit — scan specific skills or entire groups in one command
  2. External link detection — new external-link-0 rule catches external URLs in markdown links
  3. Hub auth tokens — search --hub auto-injects tokens for private hub indexes
  4. Pull merges by default — first pull with both local and remote skills now attempts merge instead of failing
  5. Parallel audit refactor — shared audit.ParallelScan() replaces three duplicated worker pools

What's New

1) Multi-name and --group for audit

Scan multiple skills at once, or entire groups:

skillshare audit react-patterns typescript-utils   # Multiple skills
skillshare audit --group frontend                  # All skills in frontend/
skillshare audit my-skill -G backend -G devops     # Mix names and groups

Key details:

  • Names are matched by flat name or basename with short-name fallback
  • --group/-G is repeatable and can be mixed with positional names
  • Unresolved names produce a warning but don't block the scan
  • Results include the same per-skill output, risk scores, and summary as all-skills scan

2) External link audit rule (closes #38)

New external-link-0 rule (LOW severity) detects external URLs in markdown links:

[1/1] ! my-skill    0.1s
      └─ LOW: External URL in markdown link (SKILL.md:5)
         "[docs](https://example.com/guide)"

  • Catches [text](https://...) patterns that may indicate prompt injection vectors or unnecessary token consumption
  • Localhost and loopback links (127.0.0.1, 0.0.0.0, localhost) are excluded
  • Disable via audit-rules.yaml: - id: external-link-0 / enabled: false

This completes #38 — dangling link detection was added in v0.15.1, and external link detection is added in this release. Together they cover both failure modes described in the issue: broken local links that send agents on wild goose chases, and external links that serve as injection vectors.

Note on #39: PR #39 was a community contribution for the same feature. The functionality was implemented natively in v0.15.1 (dangling-link) and v0.15.3 (external-link) with a different approach — structural checks integrated into the existing audit rule engine with disable/override support via audit-rules.yaml. PR #39 is closed as superseded. Thank you for the contribution and the well-articulated issue that drove this work!
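
How a check like external-link-0 can work, as an added Go example that is not skillshare's own implementation: the regex, the Finding type, ScanExternalLinks and the sample SKILL.md text are assumptions made here. The host is parsed out of the URL and compared exactly against the three excluded hosts listed above, so a hostname that merely begins with localhost is still reported.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Finding is one flagged link and the 1-based line it sits on.
type Finding struct {
	Line int
	Link string
}

// mdLink matches inline markdown links whose target starts with http:// or https://.
var mdLink = regexp.MustCompile(`\[[^\]]*\]\(\s*((?i:https?)://[^)\s]+)[^)]*\)`)

// sample is a constructed SKILL.md body (not taken from a real skill).
const sample = "# my-skill\n\nDev server: [local](http://localhost:3000/)\n" +
	"Health: [probe](http://127.0.0.1:8080/healthz)\nSee the [docs](https://example.com/guide) first.\n" +
	"Relative [notes](./notes.md)\nLookalike: [dev](https://localhost.example.com/setup)\n"

// isLocal does an exact, case-insensitive match on the excluded hosts.
func isLocal(host string) bool {
	h := strings.ToLower(host)
	return h == "localhost" || h == "127.0.0.1" || h == "0.0.0.0"
}

// ScanExternalLinks returns every markdown link in doc that points at a
// non-local http(s) URL. A URL that fails to parse is reported, not skipped.
func ScanExternalLinks(doc string) []Finding {
	var out []Finding
	for i, line := range strings.Split(doc, "\n") {
		for _, m := range mdLink.FindAllStringSubmatch(line, -1) {
			if u, err := url.Parse(m[1]); err == nil && isLocal(u.Hostname()) {
				continue
			}
			out = append(out, Finding{Line: i + 1, Link: m[0]})
		}
	}
	return out
}

func main() {
	for _, f := range ScanExternalLinks(sample) {
		fmt.Printf("LOW: External URL in markdown link (SKILL.md:%d)\n  %q\n", f.Line, f.Link)
	}
}
```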

3) Auth tokens for hub search

search --hub now automatically injects authentication tokens when fetching hub indexes over HTTPS:

export GITHUB_TOKEN=ghp_...
skillshare search --hub https://private.corp/hub.json   # Token auto-injected

Supported tokens (same resolution as install/update):

  • GITHUB_TOKEN / GH_TOKEN for GitHub
  • GITLAB_TOKEN for GitLab
  • BITBUCKET_TOKEN for Bitbucket
  • SKILLSHARE_GIT_TOKEN as generic fallback

No configuration needed — if the token env var is set, it's used automatically.

Behavior Changes

pull merges by default

Previously, when both local and remote had skills on first pull, pull refused with a non-zero exit code requiring --force or manual intervention.

Now pull attempts a git merge to combine both sides. If the merge succeeds, both local and remote skills are preserved. On conflict:

$ skillshare pull
Failed to merge remote history
  Or force-pull: skillshare pull --force  (replaces local with remote)

--force behavior is unchanged — it always replaces local with remote.

Bug Fixes

audit resolves nested skill names

skillshare audit nested__skill now correctly finds skills by flat name or basename with short-name fallback. Previously, nested skills could only be audited by exact path.

CodeX SKILL.md description over 1024 chars (fixes #40)

CodeX (OpenAI) enforces a 1024-character limit on skill descriptions. The built-in skills/skillshare/SKILL.md description exceeded this limit, causing a startup error. The description has been trimmed to 803 characters.

Internal

  • Parallel audit refactor — extracted shared audit.ParallelScan() helper, replacing three duplicated worker pools in auditInstalled(), auditFiltered(), and handleAuditAll() (net -46 lines)
  • Devcontainer token loading — .env file tokens and host environment fallback now work correctly

Upgrading

# Homebrew
brew upgrade skillshare

# Go install
go install github.com/runkids/skillshare/cmd/skillshare@v0.15.3

# Self-upgrade
skillshare upgrade

Changelog

  • 8778add feat: add external-link-0 audit rule to detect external URLs in markdown links
  • 0d3799d feat: add multi-name and --group support for audit command
  • 3b8c681 feat: auto-inject auth tokens for hub search and Web UI git operations
  • 13d9b82 fix: devcontainer token loading from .env and host env fallback
  • 52f55c8 fix: pull merges by default when both sides have skills, audit resolves nested skill names
  • 0542e75 fix: trim built-in skill description under 1024 chars and update references
  • d692d14 perf: parallelize audit scanning in CLI and API handlers
  • 97e2a2d refactor: extract shared parallel audit scan helper
