astra-sh
Organization
quiver (qvr): open-source git-native package manager for agent skills — lockfile-first, registry-agnostic, and built for reproducible AI agent workflows.
Indexed Skills (14)
fork-and-publish-skill
Customizes an installed agent skill and ships it back upstream or as a versioned fork using qvr's edit/publish authoring loop. Use when a user wants to modify, customize, fork, release, or publish a qvr skill — e.g. "edit this skill", "publish my changes", "fork a skill to my own repo", "cut a v1.0.0 release of a skill", or "iterate on a skill and tag new versions". Covers qvr edit, diff, status, and publish (--fork --migrate --tag, --auto-commit, root vs nested layout), including the consume-mode round trip.
onboard-skills
Discovers and installs agent skills into a project (or the user-global lane) with the qvr CLI, treating qvr.lock as the single source of truth. Use when a user wants to find, add, register, or install skills from a skills registry or GitHub repo with qvr — e.g. "register a skill registry", "search for a qvr skill", "qvr add this skill", "install a skill globally", or "why is my skill not loading after I dropped it into the agent's skills directory". Covers registry add, search, the one-step add github.com/org/repo/skill form, --global, and sync.
reproduce-skill-env
Reproduces an exact agent-skill set across machines, teammates, and CI using qvr's portable manifest and lockfile guarantees. Use when a user wants to share, pin, replicate, or CI-gate their qvr skills — e.g. "export my skills", "import this skill manifest", "pin everything to exact commits", "make skills reproducible", "fail CI if skills drift", or "onboard a teammate to the same skills". Covers qvr export/import, --frozen pinning, and the sync --locked / sync --check CI assertions.
trace-skill-activity
Records and queries what agents actually did, attributed to the skill that was active, using qvr's experimental audit subsystem. Use when a user wants observability into agent or skill behavior — e.g. "track what my skills are doing", "audit agent tool calls", "which skill ran during this session", "show recent agent activity", or "export agent traces for analysis". Covers qvr audit enable, install-hooks, status, logs, sessions, and export. Experimental and opt-in; the command surface and storage may change.
verify-skill-supply-chain
Vets and continuously verifies the integrity and provenance of agent skills installed with qvr. Use when a user cares about skill security, trust, signing, tampering, or supply-chain integrity — e.g. "scan this skill for problems", "is this skill safe", "verify the skill hasn't drifted", "who is allowed to author this registry's skills", "check the signature", or "gate CI on skill integrity". Covers qvr scan, lock verify (--fail-on, --repair), trust pin/verify, and provenance.
clean-skill
A baseline skill that the security scanner must report as completely clean. Used as a false-positive gate.
malicious-skill-permissions
Fixture for the permissions check. Declares unrestricted Bash in allowed-tools and ships a dangerous executable script.
malicious-skill-data-exfil
Fixture for the data-exfiltration patterns. Designed to fire E2 (env harvesting), E3 (filesystem credential scan), and E4 (conversation export) in a single skill so the scanner regression test can assert the whole category at once.
malicious-skill-injection
Fixture for the prompt-injection check. Contains several documented injection patterns embedded as instructions, not as docs about injection.
malicious-skill-rogue-agent
Fixture for the rogue-agent rule family (RA1 self-modification, RA2 session persistence via crontab and shell rc). The fixture ships a SKILL.md plus a Python helper that overwrites its own source.
malicious-skill-secrets
Fixture for the secrets check. Contains hardcoded credential-shaped strings that the scanner must flag as critical findings.
malicious-skill-signatures
Fixture for the YARA-lite signature engine. Carries a small bash reverse-shell script (YR1_bash_reverse_shell) and a minimal PHP eval webshell (YR2_php_eval_shell) so the integration test can assert both critical signature matches in a single scan.
malicious-skill-tool-misuse
Fixture exercising the tool-misuse rule family (TM1a shell=True, TM1b rm -rf root, TM1c --no-verify, TM1d chmod 777, TM3 verify=False) and SC2 curl pipe shell. Used by the scanner integration test as the canonical "tool misuse" sample.
malicious-skill-unicode
Fixture for the unicode check. Contains hidden zero-width and bidirectional-override characters that the scanner must flag.