Changelog

Public release notes for the SkillOx stack. Source of truth is the git log on git.skillox.io; this page is the readable, curated version. RSS feed of catalog updates lives at /feed/index.xml; a vulnerability-focused feed at /feed/critical.xml.

Entries

feature

Catalog hits 19,707 skills · GitHub Action · bulk API · badges · OG images · RSS

The launch-week push. Three crawler adapters (GitHub Code Search, ClawHub REST, Skills.sh sitemap) running in parallel pushed the catalog past 19k entries — 65 F-grade, 109 D-grade, browseable + filterable + paginated.

Shipped:

  • GitHub Action — two-line YAML, scans every SKILL.md changed in a PR
  • POST /scan/bulk — synchronous bulk endpoint backing the Action + any CI integration
  • README badges — shields.io-style SVG endpoints (grade + score)
  • RSS feeds — critical (D+F) push channel for security researchers + a catalog firehose
  • Per-skill OG images at /c/[name]/opengraph-image so shared links land as branded report cards
  • Catalog search + source / verified / min-stars filters + pagination (60/page)
  • Admin panel — 10 surfaces incl. /admin/pricing tier editor, /admin/database health view
  • Central pricing config + DB-backed tier override + per-tier show/hide + master visibility toggle
  • Feature gating end-to-end: requireFeature(), <FeatureGate> UI, /premium/* API with 401/402/501 envelope
  • Renamed-repo cleanup — GitHub 301-redirect handling so e.g. steipete/clawdis correctly re-attributes to openclaw/openclaw

security

DB pool leak fix — connections stop saturating on dev HMR

The per-process pool singleton was being recreated every time Turbopack hot-reloaded the module, leaking a fresh 5-connection pool per save. After ~20 saves we'd exhaust Postgres max_connections and Auth.js would surface every DB call as AdapterError. Fix: stash the registry on globalThis so HMR re-evaluations reuse it. Also added idle_timeout: 30 so any future leak self-heals.
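
The leak and both mitigations from this entry, as an added simulation that is not SkillOx's own code. The pool stand-in, the registry key name and the 100-connection limit (the Postgres default for max_connections) are assumptions, and each "save" is modelled as one re-evaluation of the module body.

```javascript
// Constructed simulation: no real database, bundler or SkillOx code is involved.
const MAX_CONNECTIONS = 100; // assumption: Postgres default max_connections
const POOL_SIZE = 5;         // pool size given in the changelog entry

// Hypothetical stand-in for a client pool that eagerly opens `max` connections.
function createPool(server, now, { max, idle_timeout = 0 }) {
  if (server.open + max > MAX_CONNECTIONS) throw new Error("too many clients");
  server.open += max;
  const pool = { max, idle_timeout, lastUsed: now };
  server.pools.push(pool);
  return pool;
}

// Model of idle_timeout: a pool unused for longer than idle_timeout seconds
// closes its connections. A timeout of 0 means the pool never closes them.
function reapIdle(server, now) {
  server.pools = server.pools.filter((p) => {
    const expired = p.idle_timeout > 0 && now - p.lastUsed > p.idle_timeout;
    if (expired) server.open -= p.max;
    return !expired;
  });
}

// "Before": module-scope singleton, rebuilt on every hot re-evaluation.
const leakyModule = (opts) => (server, now) => createPool(server, now, opts);

// "After": the registry lives on globalThis, so re-evaluation finds the same pool.
const REGISTRY = Symbol.for("example.poolRegistry"); // hypothetical key name
const fixedModule = (opts) => (server, now) => {
  const registry = (globalThis[REGISTRY] ??= new WeakMap());
  if (!registry.has(server)) registry.set(server, createPool(server, now, opts));
  const pool = registry.get(server);
  pool.lastUsed = now; // reuse counts as activity
  return pool;
};

// One module evaluation per save, `gap` seconds apart; report the first refusal.
function simulateSaves(evaluate, saves, gap) {
  const server = { open: 0, pools: [] };
  for (let i = 1; i <= saves; i++) {
    try { evaluate(server, i * gap); }
    catch { return { failedAtSave: i, open: server.open }; }
    reapIdle(server, i * gap);
  }
  return { failedAtSave: null, open: server.open };
}

console.log(simulateSaves(leakyModule({ max: POOL_SIZE }), 25, 60));
console.log(simulateSaves(fixedModule({ max: POOL_SIZE, idle_timeout: 30 }), 25, 60));
console.log(simulateSaves(leakyModule({ max: POOL_SIZE, idle_timeout: 30 }), 25, 60));
```

The third run keeps the leaky module but sets idle_timeout, which is the self-healing case: abandoned pools still get created, but each one releases its connections before the next can pile on.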

feature

Multi-source crawler — GitHub + ClawHub + Skills.sh

Catalog acquisition pipeline. Each adapter documented under /docs/sources with mechanism + permission story. ClawHub via cursor-paginated REST; Skills.sh via the public sitemap + per-repo GitHub Trees-API resolution; GitHub via size-band-partitioned Code Search to bypass the 1000-results-per-query cap.

Discovered ~13k skills inside 90 minutes of pipeline runtime. The crawler is workspace-scoped; rerun with pnpm --filter @skillox/api crawl -- --source skillssh --limit 5000.

feature

Creator portal v1 + GitHub OAuth

Auth.js v5 with the Drizzle adapter, GitHub OAuth as the first provider. Sign-in auto-creates a creator profile keyed off the GitHub username; crawler-discovered creators with the same username get auto-claimed at L1 (verified human via GitHub) on first sign-in. Public creator pages at /creators/[slug]; dashboard at /creators/[slug]/dashboard.

feature

Stripe scaffold — Checkout + Customer Portal + Connect

Full Stripe integration shipped behind the STRIPE_SECRET_KEY flag (soft-fails 503 when absent). Pro tier checkout, Customer Portal for self-service management, Connect Express for creator payouts (80/20 split). Test mode works end-to-end; live mode needs the Stripe Business activation + product + price + webhook endpoint configured. See /docs/pro.

feature

Semantic prompt-injection probes

LLM-based adversarial probes alongside the existing regex instruction-injection rule. 10 probes across 4 categories (env-var-exfil, attacker-egress, instruction-override, capability-bypass), expanding over time. Three swappable backends behind one client: Ollama (local), Anthropic, Gemini, with an auto-selector that picks based on which API key is present.

feature

OSS CLI — skillox audit + skillox policy

npm i -g skillox works today. Audit + policy check run the same scanner engine as the hosted demo, locally, with zero network traffic. Apache-2.0. install, inventory, update, sign, and login are coming soon. See /docs/cli.

launch

v0 — paste a URL, get a grade

Initial stack-verified release. skillox.io landing page, /r/[id] result page with rich findings excerpts, /pricing teaser, Hono API with POST /scan + Turnstile + 10-scan/24h rate limit, BullMQ worker, 12-rule scanner (Apache-2.0), Postgres + Redis on a single Hetzner box. End-to-end scan in 30 seconds, anonymous + free.

Looking for something older? Run git log --pretty=oneline against the public mirror at git.skillox.io/skillox/skillox.