xixu-me/develop-userscripts
skills/develop-userscripts/SKILL.md
Use when building, debugging, packaging, or publishing browser userscripts for Tampermonkey or ScriptCat, including GM APIs, metadata blocks, permission issues, @match/@grant/@connect setup, ScriptCat background or scheduled scripts, UserConfig blocks, or subscription workflows.
$ install --global
skillsauthnpx skillsauth add xixu-me/skills develop-userscriptsInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 15, 2026, 9:54 PM5.5s3 files scanned
SKILL.md
- name:
- develop-userscripts
- description:
- Use when building, debugging, packaging, or publishing browser userscripts for Tampermonkey or ScriptCat, including GM APIs, metadata blocks, permission issues, @match/@grant/@connect setup, ScriptCat background or scheduled scripts, UserConfig blocks, or subscription workflows.
Userscript work usually breaks at the runtime and metadata boundary, not in the page logic. Choose the runtime first, declare the minimum permissions up front, then debug in the environment where the script actually runs.
When to Use
Use this skill for:
- writing or fixing a Tampermonkey or ScriptCat userscript
- debugging injection timing, missing permissions, CSP workarounds, update checks, or
GM_*behavior - deciding between a portable foreground script and ScriptCat-only
@backgroundor@crontab - adding config UI with
==UserConfig== - packaging a ScriptCat
==UserSubscribe==bundle or preparing a CloudCat-compatible script
Do not use this skill for full browser extension development or general browser automation outside userscript managers.
Runtime Selection
digraph userscript_runtime {
"Need page DOM or page context?" [shape=diamond];
"Need persistent or scheduled work?" [shape=diamond];
"Need to install many scripts as one package?" [shape=diamond];
"Portable foreground script" [shape=box];
"ScriptCat background or crontab script" [shape=box];
"ScriptCat subscription package" [shape=box];
"Need page DOM or page context?" -> "Portable foreground script" [label="yes"];
"Need page DOM or page context?" -> "Need persistent or scheduled work?" [label="no"];
"Need persistent or scheduled work?" -> "ScriptCat background or crontab script" [label="yes"];
"Need persistent or scheduled work?" -> "Need to install many scripts as one package?" [label="no"];
"Need to install many scripts as one package?" -> "ScriptCat subscription package" [label="yes"];
"Need to install many scripts as one package?" -> "Portable foreground script" [label="no"];
}
Preflight
- Confirm the manager and browser. On Manifest V3 browsers, ScriptCat may require
Allow User Scriptsor browser developer mode before scripts run. - Decide page script versus background script before writing code. ScriptCat background scripts cannot touch the DOM.
- Start with metadata, not implementation:
@match,@grant,@connect,@run-at, and any update URLs. - Prefer portable
==UserScript==patterns for ordinary page scripts. Only switch to ScriptCat-only headers when the requested behavior actually needs them.
Workflow
- Choose the runtime and metadata first.
- Declare the smallest permission surface that fits the task.
- Implement against the runtime you chose.
- Debug where the code really runs.
- Foreground scripts: page console plus manager logs.
- ScriptCat background scripts: run log first, then
background.htmlfor real-environment debugging.
- Publish with the right update model.
- Normal scripts: keep
@versionaccurate and add@updateURLor@downloadURLonly when needed. - Subscription bundles: use
==UserSubscribe==, HTTPS URLs, and subscription-level@connect.
- Normal scripts: keep
Quick Reference
| Intent | Default choice | Watch for |
| ------------------------------------ | -------------------------------------------- | ------------------------------------------------------------------------- |
| Page UI, DOM scraping, page patching | Portable ==UserScript== | @match, @grant, @run-at, CSP-sensitive injection |
| Cross-origin API access | GM_xmlhttpRequest with explicit @connect | Missing hosts, cookie behavior differences, user authorization |
| Long-running worker | ScriptCat @background | No DOM, must return Promise for async work |
| Scheduled task | ScriptCat @crontab | Only first @crontab counts, prefer 5-field cron, avoid interval overlap |
| User-editable settings | ==UserConfig== plus GM_getValue | Block placement and group.key naming |
| Silent bundle install and updates | ==UserSubscribe== | HTTPS, user.sub.js, subscription connect overrides child scripts |
Common Mistakes
- Missing
@grantfor APIs the script actually uses. - Missing
@connectfor hosts used byGM_xmlhttpRequestorGM_cookie. - Treating
@includeas a better default than@matchfor ordinary host targeting. - Using DOM APIs inside ScriptCat background or cron scripts.
- Returning from a ScriptCat background script before async GM work is truly finished.
- Mixing
==UserScript==and==UserSubscribe==packaging concepts. - Putting
==UserConfig==in the wrong place or reading config keys without thegroup.keyname. - Assuming Tampermonkey and ScriptCat storage, notification, or request behavior is identical.
References
references/metadata-and-api-map.mdreferences/scriptcat-extensions.md
Related Skills
xixu-me/xget
tools
VerifiedTrustedCommunity
Use when tasks involve Xget URL rewriting, registry/package/container/API acceleration, integrating Xget into Git, download tools, package managers, container builds, AI SDKs, CI/CD, deployment, self-hosting, or adapting commands and config from the live README `Use Cases` section into files, environments, shells, or base URLs.
34SKILL.mdUpdated Apr 15, 2026
xixu-me/xdrop
tools
VerifiedTrustedCommunity
Use this skill when the user wants to send or fetch files through an Xdrop server from the terminal, asks to automate encrypted Xdrop share-link workflows, provides an Xdrop `/t/:transferId#k=...` link to download and decrypt locally, or needs Xdrop CLI flags such as `--quiet`, `--json`, `--expires-in`, `--output`, or `--api-url`, even if they do not explicitly mention the skill name.
34SKILL.mdUpdated Apr 15, 2026
xixu-me/use-my-browser
tools
VerifiedTrustedCommunity
Use when work depends on the user's live browser session or visible rendered state rather than static fetches, especially for browser debugging contexts or DevTools-selected elements or requests, logged-in dashboards or CMS flows, localhost apps, forms, uploads, downloads, media inspection, DOM or iframe inspection, Shadow DOM, or browser failures that look like soft 404s, auth walls, anti-bot checks, or rate limits.
34SKILL.mdUpdated Apr 15, 2026
xixu-me/tzst
tools
VerifiedTrustedCommunity
Use when the user needs to create, extract, flatten, list, test, install, script, or troubleshoot `tzst` CLI workflows for `.tzst` or `.tar.zst` archives, including compression levels, streaming mode, extraction filters, conflict resolution, JSON output, or standalone binary setup, even if they describe the archive task without naming `tzst`.
34SKILL.mdUpdated Apr 15, 2026