Skip to content

Add Imans CLI skill#15

Open
zamoty wants to merge 1 commit into
zeroclaw-labs:masterfrom
zamoty:add-imans-skill
Open

Add Imans CLI skill#15
zamoty wants to merge 1 commit into
zeroclaw-labs:masterfrom
zamoty:add-imans-skill

Conversation

@zamoty

@zamoty zamoty commented Jun 5, 2026

Copy link
Copy Markdown

Adds a Community skill for the official Imans CLI.

The skill helps ZeroClaw agents query read-only Imans workspace, catalog, product, product variant, sales order, order item, and classification data via the imans CLI.

Validation run locally:

  • git diff --check
  • Registry JSON parse check
  • ZeroClaw frontmatter and registry/folder consistency checks copied from the validation workflow

Runtime requirement:

  • imans must be installed and authenticated where ZeroClaw executes shell commands.

@Audacity88 Audacity88 left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Context: I reviewed current head f75a16f against the live PR state, current master, the submitted skill files, and the skills-repo validation/security workflow rules. There are no prior reviews or comments on this PR, and GitHub currently reports no checks for the branch. I also ran local spot checks in an isolated PR-head worktree: git diff --check origin/master...HEAD, registry JSON parsing, registry/folder sync, SKILL frontmatter validation, file-policy checks, content-scan patterns, and permission-audit shape. Structure and file-policy checks passed, but the content scan fails on the installer command; permission audit also reports the expected elevated-risk warning for shell_exec.

@zamoty thanks for the submission. A read-only CLI skill for Imans data can fit this registry, but the current install instructions cross a security boundary we should not publish as-is.

🟢 What looks good — the skill keeps the runtime scope narrow

The skill is scoped to read-only workspace, catalog, product, variant, sales-order, order-item, and classification queries. It asks for only shell_exec, prefers JSON output, tells the agent not to print raw API tokens, and calls out that order/customer data should be treated as sensitive. That is the right general direction for a business-data CLI skill.

🔴 Blocking — remove the pipe-to-shell installer from the submitted docs

Both README.md and SKILL.md tell the user or agent to install Imans with curl -fsSL https://imans.ai/install | bash. The skills repo security workflow explicitly scans changed Markdown/JSON for this shape with the curl ... | bash dangerous-shell rule, and the local workflow-equivalent content scan fails on both occurrences.

For a community skill that grants shell_exec, we should not teach the agent to fetch a remote script and pipe it straight into a shell. Please remove that command from the skill and README. It is fine to say that imans must already be installed, link or point users to the official installation docs, and keep package-manager examples that do not pipe remote content into a shell. After installation, the skill can still verify with imans version and imans auth test --quiet.

🟡 Warning — tighten user-provided CLI argument handling while editing this

The command list includes placeholders like imans products list --search "<query>" --json and ID/date placeholders. Those are useful examples, but because this skill runs through shell_exec, please add a short rule that the agent must not concatenate raw user text into shell commands. User-provided search terms, profile names, IDs, and dates should be safely quoted/escaped for the shell, and the final command should avoid exposing tokens or sensitive output.

🟡 Warning — the branch still needs reported validation/security checks

GitHub currently reports no checks on this branch. My local spot checks are useful review evidence, but they do not replace the repository's validation and security-scan workflows. Once the installer command is fixed, please make sure the branch gets the normal reported checks before merge.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants