Add Imans CLI skill#15
Conversation
Audacity88
left a comment
There was a problem hiding this comment.
Context: I reviewed current head f75a16f against the live PR state, current master, the submitted skill files, and the skills-repo validation/security workflow rules. There are no prior reviews or comments on this PR, and GitHub currently reports no checks for the branch. I also ran local spot checks in an isolated PR-head worktree: git diff --check origin/master...HEAD, registry JSON parsing, registry/folder sync, SKILL frontmatter validation, file-policy checks, content-scan patterns, and permission-audit shape. Structure and file-policy checks passed, but the content scan fails on the installer command; permission audit also reports the expected elevated-risk warning for shell_exec.
@zamoty thanks for the submission. A read-only CLI skill for Imans data can fit this registry, but the current install instructions cross a security boundary we should not publish as-is.
🟢 What looks good — the skill keeps the runtime scope narrow
The skill is scoped to read-only workspace, catalog, product, variant, sales-order, order-item, and classification queries. It asks for only shell_exec, prefers JSON output, tells the agent not to print raw API tokens, and calls out that order/customer data should be treated as sensitive. That is the right general direction for a business-data CLI skill.
🔴 Blocking — remove the pipe-to-shell installer from the submitted docs
Both README.md and SKILL.md tell the user or agent to install Imans with curl -fsSL https://imans.ai/install | bash. The skills repo security workflow explicitly scans changed Markdown/JSON for this shape with the curl ... | bash dangerous-shell rule, and the local workflow-equivalent content scan fails on both occurrences.
For a community skill that grants shell_exec, we should not teach the agent to fetch a remote script and pipe it straight into a shell. Please remove that command from the skill and README. It is fine to say that imans must already be installed, link or point users to the official installation docs, and keep package-manager examples that do not pipe remote content into a shell. After installation, the skill can still verify with imans version and imans auth test --quiet.
🟡 Warning — tighten user-provided CLI argument handling while editing this
The command list includes placeholders like imans products list --search "<query>" --json and ID/date placeholders. Those are useful examples, but because this skill runs through shell_exec, please add a short rule that the agent must not concatenate raw user text into shell commands. User-provided search terms, profile names, IDs, and dates should be safely quoted/escaped for the shell, and the final command should avoid exposing tokens or sensitive output.
🟡 Warning — the branch still needs reported validation/security checks
GitHub currently reports no checks on this branch. My local spot checks are useful review evidence, but they do not replace the repository's validation and security-scan workflows. Once the installer command is fixed, please make sure the branch gets the normal reported checks before merge.
Adds a Community skill for the official Imans CLI.
The skill helps ZeroClaw agents query read-only Imans workspace, catalog, product, product variant, sales order, order item, and classification data via the
imansCLI.Validation run locally:
git diff --checkRuntime requirement:
imansmust be installed and authenticated where ZeroClaw executes shell commands.