From ef45cd83494e2b835dd66f56baa4de70f8647b76 Mon Sep 17 00:00:00 2001
From: Shashank Sharma
Date: Tue, 31 Mar 2026 13:09:58 -0700
Subject: [PATCH] security review plugins
---
 action.yml | 62 ++-----------------
 security/action.yml | 34 ++--------
 .../templates/security-report-prompt.ts | 2 +-
 .../templates/security-review-prompt.ts | 2 +-
 4 files changed, 14 insertions(+), 86 deletions(-)
diff --git a/action.yml b/action.yml
index 9de9cb1..7918846 100644
--- a/action.yml
+++ b/action.yml
@@ -252,66 +252,16 @@ runs:
 env:
 EXPERIMENTAL_ALLOWED_DOMAINS: ${{ inputs.experimental_allowed_domains }}
- - name: Install Security Skills
+ - name: Install Security Plugin
 if: steps.prepare.outputs.contains_trigger == 'true' && steps.prepare.outputs.install_security_skills == 'true'
 shell: bash
 run: |
- echo "Installing security skills from Factory-AI/skills..."
- SKILLS_DIR="$HOME/.factory/skills"
- mkdir -p "$SKILLS_DIR"
-
- # Clone public skills repo (sparse checkout for efficiency)
- TEMP_DIR=$(mktemp -d)
- git clone --filter=blob:none --sparse \
- "https://github.com/Factory-AI/skills.git" \
- "$TEMP_DIR" 2>/dev/null || {
- echo "Warning: Could not clone skills repo. Security skills will not be available."
- exit 0
+ echo "Installing security-engineer plugin from factory-plugins marketplace..."
+ droid plugin marketplace add https://github.com/Factory-AI/factory-plugins 2>/dev/null || true
+ droid plugin install security-engineer@factory-plugins --scope user 2>/dev/null || {
+ echo "Warning: Could not install security-engineer plugin. Security review may have limited functionality."
 }
-
- cd "$TEMP_DIR"
- git sparse-checkout set \
- skills/threat-model-generation \
- skills/commit-security-scan \
- skills/vulnerability-validation \
- skills/security-review 2>/dev/null || true
-
- # Copy skills to ~/.factory/skills/ and track installed count
- INSTALLED_COUNT=0
- for skill in threat-model-generation commit-security-scan vulnerability-validation security-review; do
- if [ -d "skills/$skill" ]; then
- cp -r "skills/$skill" "$SKILLS_DIR/"
- echo " Installed skill: $skill"
- INSTALLED_COUNT=$((INSTALLED_COUNT + 1))
- else
- echo " Warning: Skill not found in repo: $skill"
- fi
- done
-
- # Cleanup
- rm -rf "$TEMP_DIR"
-
- # Verify at least one skill was installed
- if [ "$INSTALLED_COUNT" -eq 0 ]; then
- echo "Warning: No security skills were installed. The skills may not exist in the Factory-AI/skills repository."
- echo "Security review will proceed but may have limited functionality."
- else
- echo "Security skills installation complete ($INSTALLED_COUNT skills installed)"
- fi
-
- # Verify skills exist in the target directory
- echo "Verifying installed skills in $SKILLS_DIR..."
- VERIFIED_COUNT=0
- for skill in threat-model-generation commit-security-scan vulnerability-validation security-review; do
- if [ -d "$SKILLS_DIR/$skill" ]; then
- echo " Verified: $skill"
- VERIFIED_COUNT=$((VERIFIED_COUNT + 1))
- fi
- done
-
- if [ "$VERIFIED_COUNT" -ne "$INSTALLED_COUNT" ]; then
- echo "Warning: Skill verification mismatch. Expected $INSTALLED_COUNT, found $VERIFIED_COUNT in $SKILLS_DIR"
- fi
+ echo "Security plugin installation complete"
 - name: Run Droid Exec
 id: droid
diff --git a/security/action.yml b/security/action.yml
index 45e1c4e..8427049 100644
--- a/security/action.yml
+++ b/security/action.yml
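Review bot: The unconditional `echo "Security plugin installation complete"` at the end of the new `run:` block prints even when `droid plugin install` fails, because the `|| { echo "Warning: …"; }` branch neither exits nor records the failure, so the Actions log reports success and the later Run Droid Exec step proceeds against a prompt that, per the template hunks below, still states the skills are available. Both `2>/dev/null` redirects also discard the only diagnostic output the CLI produces, which makes a marketplace outage or an authentication problem indistinguishable from a typo in the plugin name. Restructure the install as `if droid plugin install security-engineer@factory-plugins --scope user; then echo "Security plugin installation complete"; else echo "Warning: Could not install security-engineer plugin. Security review may have limited functionality."; fi` and drop the stderr redirects, or at least route them into the step log. The same pattern appears in the security/action.yml hunk. Separately, the plugin is resolved from the marketplace repository's current head on every run; if the marketplace supports pinning to a tagged release or commit, doing so would give the review job a reproducible, auditable dependency instead of whatever is on the default branch at run time.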
@@ -70,37 +70,15 @@ runs:
 FACTORY_API_KEY: ${{ inputs.factory_api_key }}
 OVERRIDE_GITHUB_TOKEN: ${{ inputs.github_token }}
- - name: Install Security Skills
+ - name: Install Security Plugin
 shell: bash
 run: |
- echo "Installing security skills from Factory-AI/skills..."
- SKILLS_DIR="$HOME/.factory/skills"
- mkdir -p "$SKILLS_DIR"
-
- TEMP_DIR=$(mktemp -d)
- git clone --filter=blob:none --sparse \
- "https://github.com/Factory-AI/skills.git" \
- "$TEMP_DIR" 2>/dev/null || {
- echo "Warning: Could not clone skills repo."
- exit 0
+ echo "Installing security-engineer plugin from factory-plugins marketplace..."
+ droid plugin marketplace add https://github.com/Factory-AI/factory-plugins 2>/dev/null || true
+ droid plugin install security-engineer@factory-plugins --scope user 2>/dev/null || {
+ echo "Warning: Could not install security-engineer plugin. Security review may have limited functionality."
 }
-
- cd "$TEMP_DIR"
- git sparse-checkout set \
- skills/threat-model-generation \
- skills/commit-security-scan \
- skills/vulnerability-validation \
- skills/security-review 2>/dev/null || true
-
- for skill in threat-model-generation commit-security-scan vulnerability-validation security-review; do
- if [ -d "skills/$skill" ]; then
- cp -r "skills/$skill" "$SKILLS_DIR/"
- echo " Installed skill: $skill"
- fi
- done
-
- rm -rf "$TEMP_DIR"
- echo "Security skills installation complete"
+ echo "Security plugin installation complete"
 - name: Generate Security Prompt
 id: prompt
diff --git a/src/create-prompt/templates/security-report-prompt.ts b/src/create-prompt/templates/security-report-prompt.ts
index 7a1a0be..636760f 100644
--- a/src/create-prompt/templates/security-report-prompt.ts
+++ b/src/create-prompt/templates/security-report-prompt.ts
@@ -43,7 +43,7 @@ The gh CLI is installed and authenticated via GH_TOKEN.
 ## Security Skills Available
-You have access to these Factory security skills (installed in ~/.factory/skills/):
+You have access to security skills from the security-engineer plugin (security-engineer@factory-plugins):
 1. **threat-model-generation** - Generate STRIDE-based threat model for the repository
 2. **commit-security-scan** - Scan code for security vulnerabilities
diff --git a/src/create-prompt/templates/security-review-prompt.ts b/src/create-prompt/templates/security-review-prompt.ts
index 7e4425f..b375099 100644
--- a/src/create-prompt/templates/security-review-prompt.ts
+++ b/src/create-prompt/templates/security-review-prompt.ts
@@ -38,7 +38,7 @@ ${notifyTeam ? `- Notify Team: ${notifyTeam} (mention on critical findings)` : "
 ## Security Skills Available
-You have access to these Factory security skills (installed in ~/.factory/skills/):
+You have access to security skills from the security-engineer plugin (security-engineer@factory-plugins):
 1. **threat-model-generation** - Generate STRIDE-based threat model for the repository
 2. **commit-security-scan** - Scan code changes for security vulnerabilities