github runkids/skillshare v0.16.4
on GitHub

latest releases: v0.19.5, v0.19.4, v0.19.3...
one month ago

🔒 skillshare v0.16.4 Release Notes

Release date: 2026-02-28

TL;DR

v0.16.4 is a safety, correctness, and performance release focused on duplicate prevention, target path fixes, audit rule expansion, and gitignore batch optimization:

  1. Cross-path duplicate detectioninstall blocks accidental duplicates across different paths with a clear hint
  2. Same-repo skip — reinstalls show friendly ⊘ skipped instead of an error
  3. universal target fix — corrected path to ~/.agents/skills + coexistence docs with npx skills
  4. 5 new audit rulesfetch-with-pipe, ip-address-url, data-uri (31 → 36 total patterns)
  5. Batch gitignore performance.gitignore ops batched to a single read/write; fixes hang on large projects
  6. status/doctor at scale — single discovery pass + cached target checks + async version check + spinner
  7. TUI action safetylist TUI actions now confirm before executing and pass explicit mode flags

What's New

1) Cross-path duplicate detection

install now tracks which repo each skill came from and blocks accidental duplicates across different paths. If you installed runkids/feature-radar --into feature-radar and later try runkids/feature-radar without --into, the CLI detects the conflict: 

✗ this repo is already installed at skills/feature-radar/scan (and 2 more)
  Use 'skillshare update' to refresh, or reinstall with --force to allow duplicates

This check runs in all install paths: CLI direct, CLI discovery, Web UI single, and Web UI batch. Use --force to intentionally allow duplicates. The Web UI returns HTTP 409 when duplicates are found.

2) Same-repo skip

Reinstalling a skill from the same repo now shows a friendly skip indicator () instead of an error. Skipped skills are grouped by directory with a repo label in the summary output.

3) universal target fix + coexistence docs

The universal target now points to the correct path (~/.agents/skills instead of ~/.config/agents/skills). This is a shared agent directory that multiple AI CLIs can read from — also used by the npx skills CLI.

init and init --discover automatically include the universal target whenever any AI CLI is detected, labeled as "shared agent directory" to clarify its purpose.

New FAQ section documents coexistence with npx skills:

  • Both tools can manage ~/.agents/skills/ simultaneously (skillshare uses symlinks, npx skills uses real directories)
  • Prune logic won't delete the other tool's files
  • Name collisions should be avoided; copy mode is more aggressive than merge mode
  • npx skills list won't show skillshare-synced skills (lock file vs directory scan)

4) 5 new audit rules (31 → 36)

Five new rules close detection gaps in the security scanner:

Rule Severity What it catches
fetch-with-pipe (×3) HIGH curl | bash, wget | sh, pipes to python/node/ruby/perl/zsh/fish
ip-address-url MEDIUM https://203.0.113.50/... — raw IP URLs that bypass DNS security (private ranges excluded)
data-uri MEDIUM ](data:text/html,...) — embedded executable content in markdown links

fetch-with-pipe is automatically suppressed inside markdown code fences (same as destructive-commands, suspicious-fetch, etc.), so legitimate install documentation doesn't trigger false positives.

5) Batch gitignore performance

.gitignore updates during install reconciliation and uninstall are now batched into a single file read/write instead of one per skill. This eliminates a hang that occurred when .gitignore grew large (100K+ lines) in projects with many installed skills.

Previously, ReconcileProjectSkills called UpdateGitIgnore per-skill inside a WalkDir loop, re-reading the entire file each time — O(N×M) complexity. Now it collects entries during the walk and calls UpdateGitIgnoreBatch once. The same batch pattern applies to RemoveFromGitIgnoreBatch in uninstall (both global and project modes).

6) status and doctor at scale

Both commands now run a single skill discovery pass instead of repeating it per-section:

  • status: 7× discovery → 1× (tracked repos extracted from existing results; printSourceStatus takes pre-computed count)
  • doctor: 5× discovery → 1× (all check functions receive the shared []DiscoveredSkill)
  • Target status checks (CheckStatusMerge/CheckStatusCopy) are cached so drift detection reuses the first result instead of calling again
  • doctor overlaps its GitHub version check (3s timeout) with local I/O via goroutine
  • A spinner is shown during discovery so the CLI doesn't appear frozen on large skill sets

7) Other fixes

  • --force hint accuracy — force hints now use the actual repo URL (not per-skill subpath) and include --into when applicable
  • update root-level skills — root-level skill repos (SKILL.md at repo root) no longer appear stale during batch update; fixed Subdir normalization mismatch
  • update batch summary — aligned with sync-style single-line stats format with color-coded counts
  • pull project mode leakpull now forces --global for post-pull sync, preventing project-mode auto-detection when run inside a project directory
  • list TUI action safetyaudit, update, and uninstall actions in the skill list TUI now show a confirmation overlay before executing; actions pass explicit --global/--project mode flags to prevent mode mismatch
  • Unified batch summaryinstall, uninstall, and update share a consistent single-line summary format with color-coded counts and elapsed time
  • Command output spacing — trailing blank line after command output for consistent terminal readability

Migration

No breaking changes. Drop-in upgrade from v0.16.3.

Changelog

  • 1f8fbd4 docs(website): add status/doctor perf entry to changelog
  • 1a207e6 feat(audit): add fetch-with-pipe, ip-address-url, and data-uri rules
  • 5d9a773 feat(init): label universal as shared agent directory and add coexistence docs
  • 666091a feat(install): add cross-path duplicate detection and same-repo skip
  • 1099ba4 feat(ui): unified batch summary and output patterns across commands
  • 65402b9 feat(update): add phase headers and scanning spinner for batch mode
  • 429e67a fix(audit): downgrade data-uri severity to MEDIUM
  • 79f26f2 fix(docs): correct broken anchor link in docker-sandbox page
  • 8997196 fix(init): correct universal target path and auto-include in init
  • 13acc75 fix(list): add in-TUI confirmation and explicit mode flags for actions
  • 965f060 fix(pull): force global sync after pull to avoid project mode auto-detection
  • 6ca6f58 fix(test): adapt online audit parity test for skip-unchanged optimisation
  • e14ef99 fix(ui): add trailing blank line after command output
  • d86ee8c fix(ui): align spinner output and skip backup when no skills
  • 41fe18b fix(update): normalize empty Subdir to "." for root-level skill repos
  • 9a7ee1b fix: address code review findings (3 important + 5 suggestions)
  • 6a5d2ea perf(collect): remove eager calculateDirSize from FindLocalSkills
  • 4c70b7d perf(gitignore): batch read/write for install reconcile and uninstall
  • 5017df2 perf(status,doctor): eliminate redundant discovery and CheckStatus calls
  • 0f29dd3 perf(update): remove per-skill delay in batch update loop
  • b4a4969 perf(update): skip unchanged skills in grouped repo updates
  • 51d2e3a perf(update): speed up grouped updates and unstick progress bar
  • 0f2d66e refactor(update): align batch summary with sync-style single-line format
Check out latest releases or
releases around runkids/skillshare v0.16.4

Don't miss a new skillshare release

NewReleases is sending notifications on new releases.

Get notifications