// concepts · 05

Skills, contracts and taste

The harness knows how to use skills, not just tools. Contract-forced skills are injected whole and become a gate; the rest appear as a light catalog and are loaded…

Format and selection

Skills follow the agentskills.io format (SKILL.md), installed via skill.sh (okami learn <source>). Two paths: contract/keyword-forced (injected whole, become a gate) and Claude-Code-style progressive disclosure (a light catalog always in the prompt; the relevant one loaded on demand).

Packaged skills

14 custom skills ship in skills/, all passing the scan:

  • frontend-shadcn · frontend-heroui · claude-design (one-off HTML)
  • humanizer · proactive-agent · tdd · writing-plans · communication-131
  • code-wiki · page-agent · kanban-orchestrator · honcho-memory
  • delegate-claude · delegate-codex (when to escalate to the strong model)

Project contracts

okami.yaml → contracts.ui declares hard, verifiable rules. The contract is injected into context and becomes exitCriteria — the design system stops being a suggestion.

okami.yaml
contracts:
  ui:
    library: shadcn
    component_source: '@/components/ui'
    forbid_inline_hex: true
    forbid_raw_css: true
    require_component_source: true

Verification gates

Before accepting a UI completion, okami gate runs, in order:

  1. Import AST — do they come from component_source? require importing the declared lib?
  2. No ad-hoc CSS — no loose <style> / inline hex outside the tokens.
  3. Design-token lint.
  4. Build + typecheck.
  5. Visual self-check — headless render → screenshot → critic.

Design taste

Approved attracts, rejected repels, “different” explores. Weighted attractors and repulsors live in .okami/taste.json per workspace. Choosing between candidates uses score(c) = w1·sim(attractors) − w2·sim(repulsors) − w3·sim(current). CLI: okami taste like/dislike/different.

Skill security

Skills are code + instructions that enter context directly — a vector for prompt injection, exfiltration and RCE. Nothing enters skills/ without a scan, which detects:

  • prompt injection / prompt-leak / stealth
  • destructive shell (rm -rf, fork bomb, pipe-to-shell)
  • exfiltration (Discord/Slack webhooks, requestbin/ngrok/pastebin)
  • secret access (~/.ssh, .aws, .codex/auth) and RCE/obfuscation (eval/exec/base64)
  • hidden unicode / Trojan Source (zero-width, bidi) and packed binaries
okami learn owner/repo     # download to quarantine, scan, promote if it passes
okami scan ./skills/x      # validate a skill on demand

Open this page in the interactive docs