Skills, contracts and taste
The harness knows how to use skills, not just tools. Contract-forced skills are injected whole and become a gate; the rest appear as a light catalog and are loaded…
Format and selection
Skills follow the agentskills.io format (SKILL.md), installed via skill.sh (okami learn <source>). Two paths: contract/keyword-forced (injected whole, become a gate) and Claude-Code-style progressive disclosure (a light catalog always in the prompt; the relevant one loaded on demand).
Packaged skills
14 custom skills ship in skills/, all passing the scan:
frontend-shadcn·frontend-heroui·claude-design(one-off HTML)humanizer·proactive-agent·tdd·writing-plans·communication-131code-wiki·page-agent·kanban-orchestrator·honcho-memorydelegate-claude·delegate-codex(when to escalate to the strong model)
Project contracts
okami.yaml → contracts.ui declares hard, verifiable rules. The contract is injected into context and becomes exitCriteria — the design system stops being a suggestion.
contracts:
ui:
library: shadcn
component_source: '@/components/ui'
forbid_inline_hex: true
forbid_raw_css: true
require_component_source: trueVerification gates
Before accepting a UI completion, okami gate runs, in order:
- Import AST — do they come from
component_source? require importing the declared lib? - No ad-hoc CSS — no loose
<style>/ inline hex outside the tokens. - Design-token lint.
- Build + typecheck.
- Visual self-check — headless render → screenshot → critic.
Design taste
Approved attracts, rejected repels, “different” explores. Weighted attractors and repulsors live in .okami/taste.json per workspace. Choosing between candidates uses score(c) = w1·sim(attractors) − w2·sim(repulsors) − w3·sim(current). CLI: okami taste like/dislike/different.
Skill security
Skills are code + instructions that enter context directly — a vector for prompt injection, exfiltration and RCE. Nothing enters skills/ without a scan, which detects:
- prompt injection / prompt-leak / stealth
- destructive shell (rm -rf, fork bomb, pipe-to-shell)
- exfiltration (Discord/Slack webhooks, requestbin/ngrok/pastebin)
- secret access (~/.ssh, .aws, .codex/auth) and RCE/obfuscation (eval/exec/base64)
- hidden unicode / Trojan Source (zero-width, bidi) and packed binaries
okami learn owner/repo # download to quarantine, scan, promote if it passes
okami scan ./skills/x # validate a skill on demand
