overthinkos/ov
ov-foundation/skills/ov/SKILL.md
Overthink CLI (ov) binary installed into container/VM images for in-container use. Use when working with ov binary deployment inside containers, native D-Bus support, or the ov-full composition.
tools
Updated May 10, 2026
$ install --global
skillsauthnpx skillsauth add overthinkos/overthink-plugins ovInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 10, 2026, 5:30 AM146.1s1 file scanned
SKILL.md
- name:
- ov
- description:
- |
ov -- Overthink CLI binary
Layer Properties
| Property | Value |
|----------|-------|
| Install files | tasks:, bin/ov |
What It Provides
The ov binary inside containers serves two purposes:
-
Native D-Bus agent —
ov eval dbuscommands on the host delegate to the in-container binary viaengine exec container ov eval dbus <cmd> . <args>. The in-container ov connects to the local D-Bus session bus usinggodbus/dbus/v5(pure Go, no external tools needed). This is the primary path forov eval dbus notify,ov eval dbus call,ov eval dbus list, andov eval dbus introspect. -
In-container CLI — full ov functionality available inside the container for scripting, service management, and automation.
Updating the Binary — dual-path gotcha
The ov layer's copy: bin/ov task is resolved relative to the layer directory, so the image build reads layers/ov/bin/ov — NOT the repo-root bin/ov. Two independent paths need to stay in sync:
| Path | Who reads it |
|------|-------------|
| bin/ov (repo root) | Host-side ov invocations; users running /tmp/ov style tests |
| layers/ov/bin/ov | The ov layer's COPY into images during ov image build |
Canonical workflow — task build:ov compiles to repo-root AND syncs to the layer:
task build:ov # Builds + syncs both paths; rebuild images after.
ov image build <image> # Rebuild affected images.
Manual workflow — if you skip task build:ov and build with go build directly, you MUST sync the layer path, or images will bake the previous binary:
cd ov && go build -o ../bin/ov . # Only updates repo-root bin/ov.
cp bin/ov layers/ov/bin/ov # REQUIRED — sync to layer path.
ov image build <image> # Rebuild affected images.
Why this bites: ov image build uses auto-generated intermediate images (e.g., ghcr.io/overthinkos/fedora-ov-2-dbus-nodejs) that cache the ov layer. If you update bin/ov in repo-root but forget the layer copy, the intermediate's cache hit serves stale content. After cleaning up a stale dual-path situation, podman rmi 'ghcr.io/overthinkos/fedora-ov-2*' forces a clean intermediate rebuild.
ov status Probe
The ov probe checks:
- Whether the
ovbinary exists in the container - The CalVer version (
ov version)
Shows as ov:ok (2026.94.1417) in ov status detail view. Returns - for images without the ov layer.
Note: ov version writes to stdout via fmt.Println (the prior
println(version) emitted to stderr; the move to fmt.Println landed
with the MCP server work so the in-process tool-call path — which
captures os.Stdout — returns the CalVer correctly). The layer test at
layers/ov/layer.yml asserts stdout: matches [0-9]{4}\.[0-9]+. The
ov status probe uses CombinedOutput() so it's agnostic to the
stream.
Usage
# image.yml -- now included in all images with supervisord
my-image:
layers:
- ov
Used In Images
- Part of the
ov-fullcomposition layer (githubrunner, fedora-ov, arch-ov) - Now directly added to all images with supervisord (openclaw, jupyter, ollama, sway-browser-vnc, selkies-desktop, immich, etc.)
Related Layers
/ov-coder:ov-full-- composition that includes ov + virtualization + gocryptfs + socat/ov-coder:ov-mcp-- layers: [ov, supervisord] meta-composition that deploysov mcp serve(~192-tool MCP gateway) with a/workspacebind mount (volume NAMEproject) for build-mode tools + auto-fallback to overthinkos/overthink when nothing is bound/ov-foundation:dbus-- D-Bus session bus (ov eval dbus commands need this)/ov-selkies:swaync-- notification daemon (needed for ov eval dbus notify to show popups)
When to Use This Skill
Use when the user asks about:
- Installing the ov binary inside containers
- The ov-full composition layer
- In-container ov CLI usage
- Native D-Bus support (ov eval dbus commands delegate to in-container binary)
- Updating the ov layer binary after code changes
Related
/ov-build:layer— layer authoring reference (layer.ymlschema, task verbs, service declarations)/ov-build:eval— declarative testing (eval:block,ov eval image,ov eval live)
Related Skills
overthinkos/agents
development
VerifiedTrustedCommunity
Claude Code multi-agent support in Overthink — sub-agents, dynamic workflows, and agent teams, and how each drives the existing `ov eval` disposable beds to test and verify. MUST be invoked before authoring or invoking an ov sub-agent / dynamic workflow / agent team, wiring agent-lifecycle hooks, or asking "which primitive should drive the R10 beds?".
SKILL.mdUpdated May 31, 2026
overthinkos/workspace-mount
tools
VerifiedTrustedCommunity
Mounts a virtiofs share tagged `workspace` at /workspace inside a VM guest via a systemd .mount unit. Use when a kind:vm entity shares a host directory into the guest and you need it auto-mounted (and re-mounted at every boot).
SKILL.mdUpdated May 30, 2026
overthinkos/android
development
VerifiedTrustedCommunity
MUST be invoked before any work involving: the `kind: android` schema kind, a `target: android` deploy, the `apk:` layer package format (installing Android apps declaratively), AndroidDeployTarget, an in-pod emulator OR a remote/physical adb-endpoint device, or nested `pod → android` deployment. The first-class Android device + app surface that sits above `ov eval adb`/`appium`.
SKILL.mdUpdated May 26, 2026
overthinkos/git-workflow
tools
VerifiedTrustedCommunity
Use when committing, branching, pushing, merging, tagging, creating PRs, or approving/merging PRs with gh — the feat/-branch, R10-gated, never-force-push landing workflow across the main repo + the plugins submodule + image/<distro> submodules. Covers sync-to-upstream, branch/worktree pruning, the fork+PR path for contributors without write access, and cross-repo @github landing order.
SKILL.mdUpdated May 25, 2026