Skip to content

fix(xurl): use install kind "node" instead of invalid "npm"#27

Open
not-stbenjam wants to merge 1 commit into
steipete:mainfrom
not-stbenjam:fix/xurl-install-kind-node
Open

fix(xurl): use install kind "node" instead of invalid "npm"#27
not-stbenjam wants to merge 1 commit into
steipete:mainfrom
not-stbenjam:fix/xurl-install-kind-node

Conversation

@not-stbenjam

@not-stbenjam not-stbenjam commented Jul 8, 2026

Copy link
Copy Markdown

Trivial fix that skillsaw caught. It triggered the
openclaw-metadata rule:

⚠ WARNING (openclaw-metadata) [skills/xurl/SKILL.md:21]:
'metadata.openclaw.install[1].kind' is 'npm', expected one of:
['brew', 'download', 'go', 'node', 'uv']

npm isn't a valid install kind — it's a value of the
skills.install.nodeManager setting (npm/pnpm/yarn/bun), which the
node kind honors. npm-based installs use kind: "node" with a package
field, so this changes only kind (id/package/bins are left as-is).

             {
               "id": "npm",
-              "kind": "npm",
+              "kind": "node",
               "package": "@xdevplatform/xurl",
               "bins": ["xurl"],
               "label": "Install xurl (npm)",
             },

Real-behavior proof (openclaw 2026.6.11, throwaway container)

Ran openclaw's own skills info against the bundled xurl skill, toggling
only the second installer's kind. Notably the published package already
ships kind: "npm", so this reproduces against the shipped metadata.

Before — kind: "npm" (as shipped): openclaw drops the installer as an
unsupported kind. The npm option never appears — only brew is offered, so
xurl is uninstallable via openclaw on any machine without Homebrew:

$ openclaw skills info xurl
Install options:
  → Install xurl (brew)
"install": [
  { "id": "brew", "kind": "brew", "label": "Install xurl (brew)", "bins": ["xurl"] }
]

After — kind: "node" (this PR): openclaw resolves the installer and
surfaces the npm option:

$ openclaw skills info xurl
Install options:
  → Install @xdevplatform/xurl (npm)
"install": [
  { "id": "npm", "kind": "node", "label": "Install @xdevplatform/xurl (npm)", "bins": ["xurl"] }
]

The id: "npm" selector is preserved (kept from the original), so this
isn't a compatibility change — only the invalid kind is corrected.

Refs: https://docs.openclaw.ai/tools/skills

@clawsweeper

clawsweeper Bot commented Jul 8, 2026

Copy link
Copy Markdown

Codex review: needs maintainer review before merge. Reviewed July 8, 2026, 7:24 AM ET / 11:24 UTC.

Summary
The PR changes the xurl skill's npm install entry from invalid kind: "npm" to OpenClaw's node install kind while preserving the npm install id.

Reproducibility: yes. source inspection shows current main uses unsupported kind: "npm" for the xurl npm installer, and the PR body provides a before/after openclaw skills info xurl transcript. I did not rerun OpenClaw locally in this read-only review.

Review metrics: 2 noteworthy metrics.

  • Skill metadata diff: 1 file changed, 1 insertion, 1 deletion. The entire patch is a single installer metadata correction for one bundled skill.
  • Prior findings: 1 rechecked, 0 remain. The current head preserved the npm install id and added runtime proof, resolving the previous review blocker.

Merge readiness
Overall: 🐚 platinum hermit
Proof: 🐚 platinum hermit
Patch quality: 🦞 diamond lobster
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

  • none.

Next step before merge

  • [P2] No repair lane is needed; the contributor force-push resolved the prior blocker, and the remaining action is ordinary maintainer review or merge.

Security
Cleared: No concrete security or supply-chain concern found; the patch activates the existing declared npm package through OpenClaw's documented node installer kind and adds no new dependency source.

Review details

Best possible solution:

Merge the narrow metadata fix after normal maintainer checks, preserving id: "npm" while using kind: "node".

Do we have a high-confidence way to reproduce the issue?

Yes, source inspection shows current main uses unsupported kind: "npm" for the xurl npm installer, and the PR body provides a before/after openclaw skills info xurl transcript. I did not rerun OpenClaw locally in this read-only review.

Is this the best way to solve the issue?

Yes, changing only the install kind to node while preserving the existing npm id/package/bins is the narrowest maintainable fix for the metadata contract.

AGENTS.md: found and applied where relevant.

Codex review notes: model internal, reasoning high; reviewed against 0b3e10b735ad.

Label changes

Label changes:

  • add proof: sufficient: Contributor real behavior proof is sufficient. The PR body now includes after-fix terminal proof showing the corrected xurl npm install option appears in openclaw skills info xurl.
  • add rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🐚 platinum hermit and patch quality is 🦞 diamond lobster.
  • add status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (terminal): The PR body now includes after-fix terminal proof showing the corrected xurl npm install option appears in openclaw skills info xurl.
  • remove rating: 🧂 unranked krab: Current PR rating is rating: 🐚 platinum hermit, so this older rating label is no longer current.
  • remove status: 📣 needs proof: Current PR status label is status: 👀 ready for maintainer look.
  • remove merge-risk: 🚨 compatibility: Current PR review selected no merge-risk labels.

Label justifications:

  • P2: This is a normal-priority skill install metadata bug with limited blast radius to the xurl install option.
  • rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🐚 platinum hermit and patch quality is 🦞 diamond lobster.
  • status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (terminal): The PR body now includes after-fix terminal proof showing the corrected xurl npm install option appears in openclaw skills info xurl.
  • proof: sufficient: Contributor real behavior proof is sufficient. The PR body now includes after-fix terminal proof showing the corrected xurl npm install option appears in openclaw skills info xurl.
Evidence reviewed

What I checked:

  • Current main has the invalid installer kind: Current main declares the xurl npm installer with id: "npm" and kind: "npm", matching the reported metadata bug. (skills/xurl/SKILL.md:20, 0b3e10b735ad)
  • Current PR head makes the narrow metadata change: At PR head, the same install entry keeps id: "npm" and changes only kind to node, while leaving package, bins, and label intact. (skills/xurl/SKILL.md:20, fc04b99d5087)
  • Prior ClawSweeper blocker was fixed: The diff from the earlier reviewed SHA to current head changes the install id back from node to npm, so the prior compatibility finding no longer applies. (skills/xurl/SKILL.md:20, fc04b99d5087)
  • Installer-kind contract matches the patch: The public OpenClaw macOS skill docs describe metadata.openclaw.install options as brew, node, go, uv, and download, and mention node-manager preference for node-backed installs. (docs.openclaw.ai)
  • Real behavior proof is now present: The PR body includes a before/after terminal transcript for openclaw skills info xurl, showing the npm option absent with kind: "npm" and present after changing it to kind: "node". (fc04b99d5087)
  • Feature history: Git blame and log show the xurl skill metadata, including the original invalid npm kind, was introduced in commit 789e05a by Peter Steinberger. (skills/xurl/SKILL.md:20, 789e05a7c434)

Likely related people:

  • steipete: Git blame and git log --follow show Peter Steinberger introduced the xurl skill metadata and is the only local history contributor across skills/xurl/SKILL.md and the skills tree sample inspected. (role: feature history owner; confidence: high; commits: 789e05a7c434, 0b3e10b735ad; files: skills/xurl/SKILL.md, skills)
What the crustacean ranks mean
  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works
  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.
Review history (1 earlier review cycle)
  • reviewed 2026-07-08T11:10:28.707Z sha 070bff9 :: needs real behavior proof before merge. :: [P2] Preserve the existing npm install id

@clawsweeper clawsweeper Bot added rating: 🧂 unranked krab Not merge-ready due to missing proof or serious correctness/safety concerns. status: 📣 needs proof The PR needs real behavior proof before ClawSweeper can clear the contributor ask. P2 Normal priority bug or improvement with limited blast radius. merge-risk: 🚨 compatibility 🚨 Merging this PR could break existing users, config, migrations, defaults, or upgrades. labels Jul 8, 2026
skillsaw caught this via the openclaw-metadata rule:

  WARNING (openclaw-metadata) [skills/xurl/SKILL.md:21]:
  'metadata.openclaw.install[1].kind' is 'npm', expected one of:
  ['brew', 'download', 'go', 'node', 'uv']

npm is not a valid install kind -- it's a value of the
skills.install.nodeManager setting (npm/pnpm/yarn/bun), which the "node"
kind honors. npm-based installs use kind: node with a "package" field.

openclaw's installer switches on spec.kind with cases for
brew/node/go/uv/download and a default of "unsupported installer", so a
kind: npm entry is dropped. Only kind is changed; id/package/bins are
left as-is.

Refs: https://docs.openclaw.ai/tools/skills
@not-stbenjam not-stbenjam force-pushed the fix/xurl-install-kind-node branch from 070bff9 to fc04b99 Compare July 8, 2026 11:20
@clawsweeper clawsweeper Bot added proof: sufficient Contributor real behavior proof is sufficient. rating: 🐚 platinum hermit Good normal PR readiness with ordinary maintainer review expected. status: 👀 ready for maintainer look ClawSweeper has no concrete contributor-facing blocker left for this PR. and removed rating: 🧂 unranked krab Not merge-ready due to missing proof or serious correctness/safety concerns. status: 📣 needs proof The PR needs real behavior proof before ClawSweeper can clear the contributor ask. merge-risk: 🚨 compatibility 🚨 Merging this PR could break existing users, config, migrations, defaults, or upgrades. labels Jul 8, 2026
@not-stbenjam

Copy link
Copy Markdown
Author

Companion fix upstream in openclaw/openclaw#102158 — same xurl kind: "npm""node" change against openclaw's bundled copy of this skill (the copy users actually execute), plus removal of a separate dead kind: "apt" entry in the github skill. The two xurl copies are byte-identical, so both need the change.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

P2 Normal priority bug or improvement with limited blast radius. proof: sufficient Contributor real behavior proof is sufficient. rating: 🐚 platinum hermit Good normal PR readiness with ordinary maintainer review expected. status: 👀 ready for maintainer look ClawSweeper has no concrete contributor-facing blocker left for this PR.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant