Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

yangshu2087/opencli-readonly-probe

Name: opencli-readonly-probe
Author: yangshu2087

.agents/skills/opencli-readonly-probe/SKILL.md

npx skillsauth add yangshu2087/Codex opencli-readonly-probe

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

OpenCLI Read-Only Probe

Overview

Use OpenCLI only through the workspace wrapper. The wrapper keeps OpenCLI out of global PATH, forces an isolated HOME/runtime for OpenCLI-backed commands, restricts commands to a small allowlist, and stops the OpenCLI daemon on exit. The GitHub status checks deliberately use local gh directly to avoid OpenCLI external auto-install behavior.

Wrapper:

/Users/yangshu/Codex/scripts/opencli-readonly.sh

Allowed Commands

| Need | Command | |---|---| | HackerNews public reads | scripts/opencli-readonly.sh hackernews top --limit 5 -f json | | Other HackerNews public reads | scripts/opencli-readonly.sh hackernews new|best|ask|show|jobs|search|user ... | | Local GitHub CLI version | scripts/opencli-readonly.sh gh --version | | Local GitHub auth status | scripts/opencli-readonly.sh gh auth status | | Codex Desktop CDP reachability | scripts/opencli-readonly.sh codex status | | Codex Desktop current model | scripts/opencli-readonly.sh codex model | | Codex Desktop current thread read | scripts/opencli-readonly.sh codex read |

Hard Rules

Do not run opencli directly for Codex work; use the wrapper.
Do not install OpenCLI globally or add shell completion.
Do not install the Browser Bridge extension unless the user explicitly approves it in a separate task.
Do not run write-capable commands: reddit, codex send/new/ask/export, gh repo/pr/issue, browser, plugin, install, or register.
The wrapper forces OpenCLI HOME into /tmp; gh --version and gh auth status use the local gh binary directly and never delegate to OpenCLI external CLI auto-install.
Treat codex read as sensitive: summarize only what is necessary and avoid exposing unrelated private thread content.
If Codex Desktop CDP is not reachable, report the gap; do not restart Codex with --remote-debugging-port unless explicitly asked.

Verification

Before trusting results, run the narrow checks:

bash -n /Users/yangshu/Codex/scripts/opencli-readonly.sh
/Users/yangshu/Codex/scripts/opencli-readonly.sh --help
/Users/yangshu/Codex/scripts/opencli-readonly.sh hackernews top --limit 3 -f json
/Users/yangshu/Codex/scripts/opencli-readonly.sh gh --version
/Users/yangshu/Codex/scripts/opencli-readonly.sh codex status

After use, confirm daemon cleanup:

curl -fsS --max-time 2 -H 'X-OpenCLI: 1' http://127.0.0.1:19825/status || true

yangshu2087/opencli-readonly-probe

.agents/skills/opencli-readonly-probe/SKILL.md

Use when evaluating OpenCLI from Codex with strict read-only constraints, especially for HackerNews, local GitHub CLI status, or Codex Desktop CDP reachability checks.

tools

Updated Apr 16, 2026

$ install --global

skillsauth

npx skillsauth add yangshu2087/Codex opencli-readonly-probe

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: Apr 16, 2026, 3:36 PM36.1s1 file scanned

SKILL.md

name:: opencli-readonly-probe
description:: Use when evaluating OpenCLI from Codex with strict read-only constraints, especially for HackerNews, local GitHub CLI status, or Codex Desktop CDP reachability checks.

OpenCLI Read-Only Probe

Overview

Wrapper:

/Users/yangshu/Codex/scripts/opencli-readonly.sh

Allowed Commands

Hard Rules

Do not run opencli directly for Codex work; use the wrapper.
Do not install OpenCLI globally or add shell completion.
Do not install the Browser Bridge extension unless the user explicitly approves it in a separate task.
Do not run write-capable commands: reddit, codex send/new/ask/export, gh repo/pr/issue, browser, plugin, install, or register.
The wrapper forces OpenCLI HOME into /tmp; gh --version and gh auth status use the local gh binary directly and never delegate to OpenCLI external CLI auto-install.
Treat codex read as sensitive: summarize only what is necessary and avoid exposing unrelated private thread content.
If Codex Desktop CDP is not reachable, report the gap; do not restart Codex with --remote-debugging-port unless explicitly asked.

Verification

Before trusting results, run the narrow checks:

bash -n /Users/yangshu/Codex/scripts/opencli-readonly.sh
/Users/yangshu/Codex/scripts/opencli-readonly.sh --help
/Users/yangshu/Codex/scripts/opencli-readonly.sh hackernews top --limit 3 -f json
/Users/yangshu/Codex/scripts/opencli-readonly.sh gh --version
/Users/yangshu/Codex/scripts/opencli-readonly.sh codex status

After use, confirm daemon cleanup:

curl -fsS --max-time 2 -H 'X-OpenCLI: 1' http://127.0.0.1:19825/status || true

Related Skills

yangshu2087/terrashark

development

VerifiedTrustedCommunity

Use when explicitly reviewing, generating, refactoring, or migrating Terraform/OpenTofu IaC and checking failure modes such as identity churn, secrets, blast radius, CI drift, or compliance gates.

SKILL.mdUpdated Apr 16, 2026

yangshu2087/terrashark

yangshu2087/stitch-ui-prompt-architect

development

VerifiedTrustedCommunity

Use when the user explicitly mentions Google Stitch and wants a structured Stitch-ready UI prompt or prompt refinement from rough product/design ideas.

SKILL.mdUpdated Apr 16, 2026

yangshu2087/stitch-ui-prompt-architect

yangshu2087/stitch-react-components

development

VerifiedTrustedCommunity

Use when the user explicitly mentions Google Stitch and asks to convert Stitch designs into Vite, CRA, or generic React components.

SKILL.mdUpdated Apr 16, 2026

yangshu2087/stitch-react-components

yangshu2087/stitch-nextjs-components

development

VerifiedTrustedCommunity

Use when the user explicitly mentions Google Stitch and asks to convert Stitch designs into Next.js App Router components.

SKILL.mdUpdated Apr 16, 2026

yangshu2087/stitch-nextjs-components

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/yangshu2087/Codex.git

# Copy into Claude Code skills folder (global)
cp -r Codex/.agents/skills/opencli-readonly-probe ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

yangshu2087/Codex

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT