skills: add explicit registry requirements and tighten secret scope

DeveshParagiri · DeveshParagiri · commit f3e2fe548e1e · 2026-02-24T01:02:23.000-05:00
diff --git a/skills/extropy/SKILL.md b/skills/extropy/SKILL.md
@@ -9,7 +9,6 @@ metadata:
       - extropy
     config_files:
       - ~/.config/extropy/config.json
-      - .env
     environment_variables:
       - OPENAI_API_KEY
       - ANTHROPIC_API_KEY
@@ -32,7 +31,7 @@ metadata:
       - provider API keys via environment variables only
     notes:
       - extropy reads model/provider settings from ~/.config/extropy/config.json
-      - extropy may load .env from the current working directory
+      - do not read raw .env contents unless explicitly requested by the user
 ---
 
 # Extropy Operator
@@ -50,10 +49,10 @@ Run experiments end to end, with strict quality gates and reproducible commands.
 ## Runtime Dependencies and Credential Scope
 
 - Required binary: `extropy` must be installed and on `PATH`.
-- Config files read: `~/.config/extropy/config.json` and project/local `.env` (if present).
+- Config file read: `~/.config/extropy/config.json`.
 - Credentials expected: provider API keys from env vars (`OPENAI_API_KEY`, `ANTHROPIC_API_KEY`, `OPENROUTER_API_KEY`, `DEEPSEEK_API_KEY`, `AZURE_API_KEY`/`AZURE_OPENAI_API_KEY`).
 - Azure endpoint vars: `AZURE_ENDPOINT` or `AZURE_OPENAI_ENDPOINT` when using Azure providers.
-- Safety boundary: only access credentials/config needed to execute extropy commands for the requested study/scenario, and avoid reading unrelated files.
+- Safety boundary: only access credentials/config needed to execute extropy commands for the requested study/scenario, do not inspect raw `.env` values, and avoid reading unrelated files.
 
 ## Canonical Pipeline
 
diff --git a/skills/extropy/agents/openai.yaml b/skills/extropy/agents/openai.yaml
@@ -0,0 +1,34 @@
+interface:
+  display_name: "Extropy Operator"
+  short_description: "Run Extropy CLI pipelines and analyze results"
+  default_prompt: "Use $extropy to run or debug an Extropy study end-to-end with evidence-backed output."
+
+requirements:
+  binaries:
+    - "extropy"
+  env_vars:
+    - "OPENAI_API_KEY"
+    - "ANTHROPIC_API_KEY"
+    - "OPENROUTER_API_KEY"
+    - "DEEPSEEK_API_KEY"
+    - "AZURE_API_KEY"
+    - "AZURE_ENDPOINT"
+    - "AZURE_OPENAI_API_KEY"
+    - "AZURE_OPENAI_ENDPOINT"
+    - "MODELS_FAST"
+    - "MODELS_STRONG"
+    - "SIMULATION_FAST"
+    - "SIMULATION_STRONG"
+    - "SIMULATION_MAX_CONCURRENT"
+    - "SIMULATION_RATE_TIER"
+    - "SIMULATION_RPM_OVERRIDE"
+    - "SIMULATION_TPM_OVERRIDE"
+  config_paths:
+    - "~/.config/extropy/config.json"
+  primary_credentials:
+    - "Provider API keys via environment variables"
+
+policy:
+  allow_implicit_invocation: false
+  credential_scope: "Only use credentials/config required for the requested Extropy task."
+  secret_handling: "Do not read raw .env contents unless explicitly requested."
