feat: add APIs to list and download public remote skills #10448
| pub async fn list_remote_skills(config: &Config) -> Result<Vec<RemoteSkillSummary>> { | ||
| let base_url = config.chatgpt_base_url.trim_end_matches('/'); | ||
| let base_url = base_url.strip_suffix("/backend-api").unwrap_or(base_url); | ||
| let url = format!("{base_url}/public-api/hazelnuts/"); |
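Review bot: the `strip_suffix("/backend-api").unwrap_or(base_url)` fallback means that when `chatgpt_base_url` does not end in `/backend-api`, `/public-api/hazelnuts/` is appended to whatever path the configured URL already carries, with no error or log. Consider parsing the value as a URL and building the catalog path from its origin, or at least add a comment stating that the fallback is intended.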
Public API has a slightly different format and it doesn't require Auth.
| .await | ||
| .context("Failed to create downloaded skills directory")?; | ||
|
|
||
| let allowed_files = hazelnut.files.keys().cloned().collect::<HashSet<String>>(); |
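Review bot: `allowed_files` is collected directly from `hazelnut.files.keys()`, so the allow-list is only as trustworthy as the `hazelnut` record that supplied those keys. Before it is used to decide what gets written under the downloaded skills directory, check that every key is a relative path made only of normal components (no `..`, no leading `/`) and fail the download otherwise.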
The remote skill will be a zip and needs to be unzipped while downloading.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 5d09d5c438
codex-rs/core/src/skills/remote.rs
Outdated
| hazelnut.name.clone() | ||
| }; | ||
| let output_dir = downloaded_skills_dir(config).join(dir_name); | ||
| tokio::fs::create_dir_all(&output_dir) | ||
| .await |
Sanitize remote skill names before joining output path
The download directory is derived directly from `hazelnut.name` (falling back to `id`) and then joined onto `codex_home/skills/downloaded` without validation. If the public API returns a name containing path separators or `..`, the resulting `output_dir` can escape the intended base directory, and subsequent `create_dir_all` plus file extraction will write outside the skills cache. This is a real risk when downloading from a public catalog; consider normalizing `dir_name` to a safe single path component (e.g., reject components other than `Normal`, or use a slug) before joining.
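The check suggested in the review above, written out as an added Rust example (not code from this pull request). The helper names `single_normal_component` and `skill_output_dir`, the base path and the sample names are assumptions made for illustration.

```rust
use std::path::{Component, Path, PathBuf};

/// Returns `name` only if it is exactly one `Component::Normal` path component.
fn single_normal_component(name: &str) -> Option<&str> {
    // A backslash is an ordinary character on Unix; refuse it (and NUL) so the
    // check behaves the same on every platform.
    if name.is_empty() || name.contains('\\') || name.contains('\0') {
        return None;
    }
    let mut parts = Path::new(name).components();
    match (parts.next(), parts.next()) {
        // Comparing back to `name` also rejects inputs such as "a/" or "a/.",
        // which `components()` would normalize to a single "a".
        (Some(Component::Normal(part)), None) if part.to_str() == Some(name) => Some(name),
        _ => None,
    }
}

/// Hypothetical helper: output directory for a remote skill under `base`.
fn skill_output_dir(base: &Path, remote_name: &str) -> Result<PathBuf, String> {
    let dir = single_normal_component(remote_name)
        .ok_or_else(|| format!("unsafe skill name: {remote_name:?}"))?;
    let out = base.join(dir);
    // Defence in depth: the result must be a direct child of `base`.
    if out.parent() != Some(base) {
        return Err(format!("{} escapes {}", out.display(), base.display()));
    }
    Ok(out)
}

fn main() {
    // Constructed sample names and base path, not from a real catalog response.
    let base = Path::new("/tmp/codex_home/skills/downloaded");
    for name in ["pdf-tools", "..", "../../outside", "/etc/cron.d", "a/b", "a\\b", ""] {
        match skill_output_dir(base, name) {
            Ok(path) => println!("accept {name:?} -> {}", path.display()),
            Err(err) => println!("reject: {err}"),
        }
    }
}
```

Rejecting the name is a deliberate choice here; a slug, as the review also mentions, would instead map unsafe names to safe ones and needs its own collision handling.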
0dc3501 to 9f27df1
| let base_url = config.chatgpt_base_url.trim_end_matches('/'); | ||
| let base_url = base_url.strip_suffix("/backend-api").unwrap_or(base_url); | ||
| let url = format!("{base_url}/public-api/hazelnuts/"); |
Should we have a helper function for constructing the public-api/hazelnuts URL? Then we can utilize it in all the places.
Currently it is only used for skills-remote. We could do so if we need to use it in more places.
9f27df1 to a6851bc
a6851bc to 4b3adf2
Add API to list / download from remote public skills