fix(sync): repair leaderboard parser and cap community list to top N #29

Merged: runkids merged 3 commits into main from fix/sync-community-parser-and-cap on Jun 1, 2026

runkids (Owner) commented Jun 1, 2026

No description provided.

gemini-code-assist (bot) left a comment

Code Review

This pull request updates the skills catalog in the README and refactors the sync-community.sh script to rebuild the community list as a snapshot of the leaderboard (handling both additions and removals) rather than an ever-growing log. It also updates the HTML parsing logic in Node.js to handle multiple chunks safely. The review feedback highlights two important issues in scripts/sync-community.sh: a correctness bug where bracket-matching logic can fail if skill descriptions contain brackets, and a robustness issue where an empty community.json file causes jq to crash when iterating over a null value.

Comment thread scripts/sync-community.sh
if (m[1].includes('initialSkills')) { payload = m[1]; break; }
}
if (!payload) { process.exit(1); }
const inner = JSON.parse('\"' + payload + '\"');
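Review bot: the chunk selection at `m[1].includes('initialSkills')` accepts the first push whose text merely contains that word, and the leaderboard text is third-party input, so an earlier chunk that carries the word inside a skill name or description would be parsed instead of the real payload. Consider matching the quoted key rather than the bare substring, and checking after `JSON.parse` that the result has the expected shape before using it. The `process.exit(1)` path would also be easier to diagnose with a message on stderr.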
high

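Correctness issue (High): the current bracket-matching logic (lines 63-66) breaks when a string field in the `initialSkills` array (e.g. `description`, `name`) contains square brackets `[]`. For example, if a skill's description is "Support for [Markdown] formatting", the inner `]` drives `depth` to zero early, which truncates the JSON string and makes the subsequent `JSON.parse` fail.

Suggest changing the bracket-matching logic to a state-aware matcher that ignores brackets inside string literals:

```javascript
  // Scan from the opening '[' of the array to its matching ']'.
  let depth = 0, i = arrStart;
  let inString = false, escape = false;
  for (; i < inner.length; i++) {
    const char = inner[i];
    if (escape) {
      // Character after a backslash: consume it without interpreting it.
      escape = false;
      continue;
    }
    if (char === '\\\\') {
      escape = true;
      continue;
    }
    if (char === '\"') {
      inString = !inString;
      continue;
    }
    if (!inString) {
      // Only brackets outside string literals change the nesting depth.
      if (char === '[') depth++;
      else if (char === ']') { depth--; if (depth === 0) break; }
    }
  }
```

*(Note: because this script sits inside Bash double quotes, backslashes must be double-escaped, e.g. `\\\\`)*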

Reply from the PR author (Owner):

Verified — an unbalanced [ or ] inside a string field does truncate the extracted JSON (a balanced [Markdown] happens to survive, but a lone bracket breaks it). Fixed in 975aa5a with a state-aware scanner that skips brackets inside string literals (tracking inStr/esc). Regression: still parses all 600 leaderboard entries, plus synthetic cases with unbalanced ], unbalanced [, and escaped quotes all pass.

Comment thread scripts/sync-community.sh Outdated
official_names=$(jq -n \
--slurpfile hub "$HUB_FILE" \
--slurpfile comm "$community_file" \
'([$hub[0].skills[].name] - [$comm[0][].name]) | unique')
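Review bot: `$hub[0].skills[]` in this filter can hit the same null iteration as `$comm[0][]`, because with `--slurpfile` an empty `$HUB_FILE`, or one without a `skills` key, makes `$hub[0].skills` null and jq stops with a cannot-iterate error. Guard it the same way, e.g. `($hub[0].skills // [])[].name`, or fail earlier with an explicit message if the hub file is required to be non-empty.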
medium

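Robustness improvement (Medium): if the `community.json` file is empty (0 bytes), jq's `--slurpfile comm` reads in an empty array, so `$comm[0]` is `null`. Iterating over `null` directly (`$comm[0][].name`) makes jq throw a `Cannot iterate over null` error and abort. Suggest using the `// []` operator to provide a safe fallback value.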

Suggested change
'([$hub[0].skills[].name] - [$comm[0][].name]) | unique')
'([$hub[0].skills[].name] - [($comm[0] // [])[].name]) | unique')

Reply from the PR author (Owner):

Confirmed — a 0-byte community.json makes $comm[0] null and jq errors with "Cannot iterate over null". Fixed in 975aa5a using ($comm[0] // []).

The skills.sh RSC payload moved initialSkills into a later
self.__next_f.push chunk. The old lazy regex started at the first push
and spliced across chunks, pulling in unescaped quotes that broke
JSON.parse — the sync job failed with 'Page format may have changed'.
Now match each push's escaped string individually and pick the chunk
containing initialSkills.

Also stop the community list from growing without bound: rebuild
community.json as a snapshot of the current top N instead of appending
forever. Newcomers are added, skills that fell out of the top N are
removed, and reviewed descriptions/tags on still-ranked entries are
preserved. Reapplying the rule shrinks the list 226 -> 113.
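
The per-chunk matching described in this commit message and the state-aware bracket scan adopted in the review thread, combined in one runnable sketch. This is an added example, not the project's script: the sample page is constructed, the `5:[...]` row layout is an assumption, and `buildSamplePage`, `scanArrayEnd` and `extractInitialSkills` are hypothetical names. Passing `false` reproduces the plain depth counter that truncates.

```javascript
// Constructed page: two self.__next_f.push chunks; only the second holds
// initialSkills. Descriptions carry a lone ']', a lone '[' and an escaped quote.
function buildSamplePage() {
  const skills = [
    { name: 'alpha', description: 'lone ] bracket' },
    { name: 'beta', description: 'quote " and lone [' },
  ];
  const rsc = '5:["$","div",null,{"initialSkills":' + JSON.stringify(skills) + ',"total":2}]';
  const push = (s) => '<script>self.__next_f.push([1,' + JSON.stringify(s) + '])</script>';
  return push('1:"layout"') + push(rsc);
}

// Index of the ']' closing the array that opens at `start`, or -1.
// With stringAware=false this is the plain depth counter that truncates.
function scanArrayEnd(text, start, stringAware) {
  let depth = 0, inStr = false, esc = false;
  for (let i = start; i < text.length; i++) {
    const ch = text[i];
    if (stringAware) {
      if (esc) { esc = false; continue; }            // char after a backslash
      if (inStr && ch === '\\') { esc = true; continue; }
      if (ch === '"') { inStr = !inStr; continue; }
      if (inStr) continue;                           // brackets in strings do not count
    }
    if (ch === '[') depth++;
    else if (ch === ']' && --depth === 0) return i;
  }
  return -1;
}

function extractInitialSkills(html, stringAware = true) {
  // Match each push's escaped string on its own so chunks are never spliced.
  const pushRe = /self\.__next_f\.push\(\[1,"((?:[^"\\]|\\.)*)"\]\)/g;
  let payload = null;
  for (const m of html.matchAll(pushRe)) {
    if (m[1].includes('initialSkills')) { payload = m[1]; break; }
  }
  if (payload === null) throw new Error('initialSkills chunk not found');
  const inner = JSON.parse('"' + payload + '"');     // undo the string escaping
  const key = inner.indexOf('"initialSkills":');
  const arrStart = key < 0 ? -1 : inner.indexOf('[', key);
  const end = arrStart < 0 ? -1 : scanArrayEnd(inner, arrStart, stringAware);
  if (end < 0) throw new Error('initialSkills array not terminated');
  return JSON.parse(inner.slice(arrStart, end + 1));
}

const page = buildSamplePage();
console.log(extractInitialSkills(page).map((s) => s.name));
try { extractInitialSkills(page, false); } catch (e) { console.log('naive scan:', e.name); }
```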
runkids force-pushed the fix/sync-community-parser-and-cap branch from c63675e to 612c29f on June 1, 2026 07:21
runkids added 2 commits June 1, 2026 15:28
Address code review on PR #29:
- State-aware bracket matcher in the RSC parser now ignores '[' / ']'
  inside string literals, so a skill description with an unbalanced
  bracket no longer truncates the extracted JSON.
- Guard official_names against a 0-byte community.json: $comm[0] is
  null for an empty file and iterating null crashed jq; fall back to [].

The PR audit job fails the build when a newly synced skill scores
HIGH/CRITICAL in skillshare audit. Add an audit gate to the sync
validation step: each newcomer's cloned directory is audited and any
HIGH/CRITICAL result is skipped, so the community list never collects
skills that would fail the audit job. Falls back to no filtering (with
a warning) when the skillshare CLI is unavailable.

Also drop the 10 existing runcomfy AI-media skills flagged HIGH/CRITICAL
(face-swap CRITICAL, the rest HIGH). They stay on the leaderboard, so a
future sync re-evaluates them through the gate and keeps skipping them —
a self-healing loop.

Verified: local audit.sh against origin/main passes (exit 0), all newly
added sources score MEDIUM or lower.
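
The snapshot rebuild and audit gate from these commit messages, as an added example (not the project's code, which is a shell script). `rebuildSnapshot`, the entry shape and the `audit` callback are hypothetical, the inputs are constructed, and it assumes a skipped newcomer's slot is left unfilled.

```javascript
const BLOCKED = new Set(['HIGH', 'CRITICAL']);

// existing: current community entries; leaderboard: ranked rows, best first;
// audit: name -> risk label, or null when no auditor is available.
function rebuildSnapshot(existing, leaderboard, topN, audit) {
  const byName = new Map(existing.map((e) => [e.name, e]));
  const warnings = audit ? [] : ['audit unavailable: newcomers not filtered'];
  const community = [];
  const skipped = [];
  for (const row of leaderboard.slice(0, topN)) {
    const kept = byName.get(row.name);
    if (kept) { community.push(kept); continue; }   // still ranked: keep reviewed fields
    const risk = audit ? audit(row.name) : null;
    if (risk && BLOCKED.has(risk)) { skipped.push(row.name); continue; }
    community.push({ name: row.name, description: row.description || '', tags: [] });
  }
  // Entries absent from the top N are simply not copied, so the list cannot grow.
  return { community, skipped, warnings };
}

// Constructed inputs (not the project's data).
const existing = [
  { name: 'kept-skill', description: 'reviewed text', tags: ['docs'] },
  { name: 'fallen-skill', description: 'was ranked once', tags: [] },
];
const leaderboard = [
  { name: 'risky-media' }, { name: 'kept-skill' }, { name: 'new-tool' }, { name: 'rank-four' },
];
const risks = { 'risky-media': 'CRITICAL', 'new-tool': 'LOW' };
const audit = (name) => risks[name] || 'CLEAN';

// Two consecutive syncs: the flagged skill stays on the leaderboard, is
// re-evaluated as a newcomer each time, and is skipped each time.
function demo() {
  const first = rebuildSnapshot(existing, leaderboard, 3, audit);
  const second = rebuildSnapshot(first.community, leaderboard, 3, audit);
  return { first, second };
}

const { first, second } = demo();
console.log(first.community.map((e) => e.name), first.skipped, second.skipped);
```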
github-actions (bot, Contributor) commented Jun 1, 2026

Skill Audit Results

Audited 6 sources across 3 repos.

| Source | Status | Risk |
|---|---|---|
| agentspace-so/runcomfy-agent-skills/ace-step | ✅ Passed | MEDIUM (48/100) |
| agentspace-so/runcomfy-agent-skills/elevenlabs-music-generation | ✅ Passed | MEDIUM (36/100) |
| agentspace-so/runcomfy-agent-skills/relight | ✅ Passed | MEDIUM (50/100) |
| microsoft/azure-skills/entra-agent-id | ✅ Passed | LOW (9/100) |
| mattpocock/skills/handoff | ✅ Passed | CLEAN (0/100) |
| mattpocock/skills/prototype | ✅ Passed | CLEAN (0/100) |

All skills passed the security audit.

Audit Details

agentspace-so/runcomfy-agent-skills/ace-step

Risk: MEDIUM (48/100)

  MEDIUM: Auto-execute untrusted npm package without confirmation (SKILL.md:321)
  "- **Install via verified package manager only.** Use `npm i -g @runcomfy/cli` or `npx -y @runcomfy/cli`. **Agents must not pipe an arbitrary remote install script into a shell on the user's behalf** — if the operator wants the curl-pipe path documented at `docs.runcomfy.com/cli/install`, they should review the script first."

  LOW: External URL in markdown link (SKILL.md:28)
  "[runcomfy.com](https://www.runcomfy.com/?utm_source=skills.sh&utm_medium=skill&utm_campaign=ace-step) · [ACE Step base](https://www.runcomfy.com/models/acestep-ai/ace-step/text-to-audio?utm_source=skills.sh&utm_medium=skill&utm_campaign=ace-step) · [ACE Step 1.5](https://www.runcomfy.com/models/acestep-ai/ace-step-1.5/text-to-audio?utm_source=skills.sh&utm_medium=skill&utm_campaign=ace-step) · [CLI docs](https://docs.runcomfy.com/cli/introduction?utm_source=skills.sh&utm_medium=skill&utm_campaign=ace-step)"

  LOW: External URL in markdown link (SKILL.md:59)
  "CLI deep dive: [`runcomfy-cli`](https://www.skills.sh/agentspace-so/runcomfy-agent-skills/runcomfy-cli) skill."

  LOW: External URL in markdown link (SKILL.md:145)
  "**Catalog**: [audio-inpaint](https://www.runcomfy.com/models/acestep-ai/ace-step/audio-inpaint?utm_source=skills.sh&utm_medium=skill&utm_campaign=ace-step)"

  LOW: External URL in markdown link (SKILL.md:204)
  "**Catalog**: [audio-outpaint](https://www.runcomfy.com/models/acestep-ai/ace-step/audio-outpaint?utm_source=skills.sh&utm_medium=skill&utm_campaign=ace-step)"

  LOW: External URL in markdown link (SKILL.md:271)
  "For the routing skill that picks between them automatically based on intent, see [`ai-music`](https://www.skills.sh/agentspace-so/runcomfy-agent-skills/ai-music) once it ships."

  LOW: External URL in markdown link (SKILL.md:296)
  "- [ACE Step on RunComfy](https://www.runcomfy.com/models/acestep-ai/ace-step/text-to-audio?utm_source=skills.sh&utm_medium=skill&utm_campaign=ace-step) — all four endpoints (base t2a, 1.5 t2a, inpaint, outpaint)"

  LOW: External URL in markdown link (SKILL.md:297)
  "- [All RunComfy models](https://www.runcomfy.com/models?utm_source=skills.sh&utm_medium=skill&utm_campaign=ace-step) — image, video, and audio endpoints"

  LOW: External URL in markdown link (SKILL.md:298)
  "- [docs.runcomfy.com/cli](https://docs.runcomfy.com/cli/introduction?utm_source=skills.sh&utm_medium=skill&utm_campaign=ace-step) — CLI install, authentication, troubleshooting"

  LOW: External URL in markdown link (SKILL.md:313)
  "Full reference: [docs.runcomfy.com/cli/troubleshooting](https://docs.runcomfy.com/cli/troubleshooting?utm_source=skills.sh&utm_medium=skill&utm_campaign=ace-step)."

  LOW: External URL in markdown link (SKILL.md:334)
  "- [`runcomfy-cli`](https://www.skills.sh/agentspace-so/runcomfy-agent-skills/runcomfy-cli) — the underlying CLI"

  LOW: External URL in markdown link (SKILL.md:335)
  "- [`elevenlabs-music-generation`](https://www.skills.sh/agentspace-so/runcomfy-agent-skills/elevenlabs-music-generation) — premium-tier music alternative"

  LOW: External URL in markdown link (SKILL.md:336)
  "- [`ai-music`](https://www.skills.sh/agentspace-so/runcomfy-agent-skills/ai-music) — router that picks between ACE Step and ElevenLabs Music based on intent"

  LOW: External URL in markdown link (SKILL.md:337)
  "- [All RunComfy audio models](https://www.runcomfy.com/models?utm_source=skills.sh&utm_medium=skill&utm_campaign=ace-step) — the full audio catalog"

  INFO: interpreter commands found (2 occurrence(s)) — Turing-complete runtime can execute arbitrary operations (.:0)
  ""

agentspace-so/runcomfy-agent-skills/elevenlabs-music-generation

Risk: MEDIUM (36/100)

  MEDIUM: Auto-execute untrusted npm package without confirmation (SKILL.md:174)
  "- **Install via verified package manager only.** Use `npm i -g @runcomfy/cli` or `npx -y @runcomfy/cli`. **Agents must not pipe an arbitrary remote install script into a shell on the user's behalf** — if the operator wants the curl-pipe path documented at `docs.runcomfy.com/cli/install`, they should review the script first."

  LOW: External URL in markdown link (SKILL.md:27)
  "[runcomfy.com](https://www.runcomfy.com/?utm_source=skills.sh&utm_medium=skill&utm_campaign=elevenlabs-music-generation) · [ElevenLabs Music model](https://www.runcomfy.com/models/elevenlabs/elevenlabs/music-generation?utm_source=skills.sh&utm_medium=skill&utm_campaign=elevenlabs-music-generation) · [CLI docs](https://docs.runcomfy.com/cli/introduction?utm_source=skills.sh&utm_medium=skill&utm_campaign=elevenlabs-music-generation)"

  LOW: External URL in markdown link (SKILL.md:51)
  "CLI deep dive: [`runcomfy-cli`](https://www.skills.sh/agentspace-so/runcomfy-agent-skills/runcomfy-cli) skill."

  LOW: External URL in markdown link (SKILL.md:74)
  "| `output_format` | string | no | `mp3_standard` | `mp3_standard` (default), or WAV — see the [model page](https://www.runcomfy.com/models/elevenlabs/elevenlabs/music-generation?utm_source=skills.sh&utm_medium=skill&utm_campaign=elevenlabs-music-generation) API tab for the full format list |"

  LOW: External URL in markdown link (SKILL.md:166)
  "Full reference: [docs.runcomfy.com/cli/troubleshooting](https://docs.runcomfy.com/cli/troubleshooting?utm_source=skills.sh&utm_medium=skill&utm_campaign=elevenlabs-music-generation)."

  LOW: External URL in markdown link (SKILL.md:184)
  "- [`runcomfy-cli`](https://www.skills.sh/agentspace-so/runcomfy-agent-skills/runcomfy-cli) — the underlying CLI, schema discovery, polling modes, scripting"

  LOW: External URL in markdown link (SKILL.md:185)
  "- [ElevenLabs Music model page](https://www.runcomfy.com/models/elevenlabs/elevenlabs/music-generation?utm_source=skills.sh&utm_medium=skill&utm_campaign=elevenlabs-music-generation) — full API tab with the latest schema"

  LOW: External URL in markdown link (SKILL.md:186)
  "- [All RunComfy models](https://www.runcomfy.com/models?utm_source=skills.sh&utm_medium=skill&utm_campaign=elevenlabs-music-generation) — image, video, and audio endpoints"

  LOW: External URL in markdown link (SKILL.md:187)
  "- [`ai-video-generation`](https://www.skills.sh/agentspace-so/runcomfy-agent-skills/ai-video-generation) — pair a generated track with a generated video"

  LOW: External URL in markdown link (SKILL.md:188)
  "- [`ai-avatar-video`](https://www.skills.sh/agentspace-so/runcomfy-agent-skills/ai-avatar-video) — talking-head video (different audio path — speech, not music)"

  INFO: interpreter commands found (2 occurrence(s)) — Turing-complete runtime can execute arbitrary operations (.:0)
  ""

agentspace-so/runcomfy-agent-skills/relight

Risk: MEDIUM (50/100)

  MEDIUM: Auto-execute untrusted npm package without confirmation (SKILL.md:168)
  "- **Install via verified package manager only.** Use `npm i -g @runcomfy/cli` or `npx -y @runcomfy/cli`. **Agents must not pipe an arbitrary remote install script into a shell on the user's behalf**."

  LOW: External URL in markdown link (SKILL.md:26)
  "[runcomfy.com](https://www.runcomfy.com/?utm_source=skills.sh&utm_medium=skill&utm_campaign=relight) · [Qwen Edit relight](https://www.runcomfy.com/models/qwen/qwen-edit-2509/lora/relight?utm_source=skills.sh&utm_medium=skill&utm_campaign=relight) · [CLI docs](https://docs.runcomfy.com/cli/introduction?utm_source=skills.sh&utm_medium=skill&utm_campaign=relight)"

  LOW: External URL in markdown link (SKILL.md:43)
  "CLI deep dive: [`runcomfy-cli`](https://www.skills.sh/agentspace-so/runcomfy-agent-skills/runcomfy-cli) skill."

  LOW: External URL in markdown link (SKILL.md:75)
  "**Catalog**: [Qwen Edit relight](https://www.runcomfy.com/models/qwen/qwen-edit-2509/lora/relight?utm_source=skills.sh&utm_medium=skill&utm_campaign=relight) · [`qwen-image` collection](https://www.runcomfy.com/models/collections/qwen-image?utm_source=skills.sh&utm_medium=skill&utm_campaign=relight)"

  LOW: External URL in markdown link (SKILL.md:114)
  "For broader edit treatment see [`image-edit`](https://www.skills.sh/agentspace-so/runcomfy-agent-skills/image-edit)."

  LOW: External URL in markdown link (SKILL.md:136)
  "- **Generate from scratch** — see [`ai-image-generation`](https://www.skills.sh/agentspace-so/runcomfy-agent-skills/ai-image-generation)."

  LOW: External URL in markdown link (SKILL.md:137)
  "- **Relight a video** — RunComfy has ComfyUI workflows for product / video relighting (IC-Light variants); CLI endpoint is image-only today. See [runcomfy.com/comfyui-workflows](https://www.runcomfy.com/comfyui-workflows?utm_source=skills.sh&utm_medium=skill&utm_campaign=relight) for IC-Light video workflows."

  LOW: External URL in markdown link (SKILL.md:143)
  "- [`qwen-image` collection](https://www.runcomfy.com/models/collections/qwen-image?utm_source=skills.sh&utm_medium=skill&utm_campaign=relight) — Qwen Edit base + LoRA variants (relight, skin, others)"

  LOW: External URL in markdown link (SKILL.md:144)
  "- [`best-image-editing-models` collection](https://www.runcomfy.com/models/collections/best-image-editing-models?utm_source=skills.sh&utm_medium=skill&utm_campaign=relight)"

  LOW: External URL in markdown link (SKILL.md:145)
  "- [Train a custom relight LoRA](https://www.runcomfy.com/trainer?utm_source=skills.sh&utm_medium=skill&utm_campaign=relight) — capture a brand's lighting signature as a LoRA and apply on relight pass"

  LOW: External URL in markdown link (SKILL.md:160)
  "Full reference: [docs.runcomfy.com/cli/troubleshooting](https://docs.runcomfy.com/cli/troubleshooting?utm_source=skills.sh&utm_medium=skill&utm_campaign=relight)."

  LOW: External URL in markdown link (SKILL.md:180)
  "- [`runcomfy-cli`](https://www.skills.sh/agentspace-so/runcomfy-agent-skills/runcomfy-cli) — the underlying CLI"

  LOW: External URL in markdown link (SKILL.md:181)
  "- [`image-edit`](https://www.skills.sh/agentspace-so/runcomfy-agent-skills/image-edit) — full image-edit router"

  LOW: External URL in markdown link (SKILL.md:182)
  "- [`ai-image-generation`](https://www.skills.sh/agentspace-so/runcomfy-agent-skills/ai-image-generation) — text-to-image / image-to-image router"

  LOW: External URL in markdown link (SKILL.md:183)
  "- [`image-inpainting`](https://www.skills.sh/agentspace-so/runcomfy-agent-skills/image-inpainting) — mask-driven region edits"

microsoft/azure-skills/entra-agent-id

Risk: LOW (9/100)

  LOW: External URL in markdown link (references/known-limitations.md:52)
  "28. **MSAL complexity** — Agent ID scenarios require managing Federated Identity Credentials manually. For .NET use [Microsoft.Identity.Web.AgentIdentities](https://github.com/AzureAD/microsoft-identity-web/blob/master/src/Microsoft.Identity.Web.AgentIdentities/README.AgentIdentities.md). For other languages use the [Microsoft Entra SDK for AgentID](https://learn.microsoft.com/en-us/entra/msidweb/agent-id-sdk/overview)."

  LOW: External URL in markdown link (references/known-limitations.md:56)
  "Report unlisted issues via [aka.ms/agentidfeedback](https://aka.ms/agentidfeedback)."

  LOW: External URL in markdown link (references/sdk-sidecar.md:5)
  "Image: `mcr.microsoft.com/entra-sdk/auth-sidecar:1.0.0-azurelinux3.0-distroless`. See [GitHub releases](https://github.com/AzureAD/microsoft-identity-web/releases) for tags."

mattpocock/skills/handoff

Risk: CLEAN (0/100)

mattpocock/skills/prototype

Risk: CLEAN (0/100)

runkids merged commit a4364f6 into main on Jun 1, 2026
3 checks passed
runkids added a commit that referenced this pull request Jun 1, 2026