
Research
/Security News
11 Malicious NuGet Tools Pose as Game Cheats to Drop a Windows Host-Surveillance Payload
11 malicious NuGet tools pose as game cheats to deploy Windows payloads, track hosts, and use Google Sheets for telemetry and control.
@glapsfun/tflow
Advanced tools
A factory for authoring Agent Skills to the agentskills.io open standard.
A factory for authoring Agent Skills to the agentskills.io open standard (spec v1).
tflow produces portable Agent Skills — Markdown SKILL.md files paired with POSIX sh
scripts. There is no compiled application: the deliverables are the skills themselves and
the scripts that author and validate them. The keystone is validate.sh, the linter every
artifact is gated through (spec compliance, tflow conventions, and portability).
tflow-skill-idea — interactive idea shaping: Five Whys and a human-chosen
direction turn a raw prompt into a research-ready eight-field idea brief.tflow-research — bounded web research synthesized into a sourced decision brief
across brainstorm, find-idea, and improve-idea modes.tflow-skill-test — TDD for skills: a define mode that writes the test plan
before the skill exists, and a run mode that executes the three-layer pass
(structural gate, script checks, judged eval scenarios).tflow-skill-creator — the disciplined factory loop that takes a skill from intent to
distributable evidence: the init / validate / improve / package scripts plus the
run-tests.sh self-test suite.tflow-skill-factory — the loop controller: idea → research → validate →
test-plan → create → test-run → check → doc, with bounded re-research and
improvement loops, artifact gates between every phase, and a final run summary.tflow-prompt — prompt enhancement: rewrites a raw or first-draft prompt
using established prompt-engineering techniques and returns the stronger
prompt plus an auditable change log.tflow-gateway — the family front door: sharpens a raw request with
tflow-prompt, discovers the installed tflow skills, routes to the best
fit, and accepts the result against acceptance checks fixed before
delegation, with a bounded re-delegation loop.# Validate a single skill directory (exit 0 = pass, 1 = fail, 2 = usage error)
sh skills/tflow-skill-creator/scripts/validate.sh <skill-dir>
sh skills/tflow-skill-creator/scripts/validate.sh --quiet <skill-dir> # suppress PASS lines
# Run the full self-test suite (runs validate.sh against every fixture)
sh skills/tflow-skill-creator/scripts/run-tests.sh
# Lint the real skill scripts (POSIX sh). The non-recursive glob skips the
# scripts/fixtures/ tree on purpose — some fixtures are intentionally broken.
# The excludes mirror the pre-commit gate: SC2115/SC2016/SC2329 are intentional
# and guarded. No shellcheck on PATH? `pre-commit run shellcheck` vendors one.
shellcheck --shell=sh --exclude=SC2115,SC2016,SC2329 skills/*/scripts/*.sh
skills/<name>/
SKILL.md # frontmatter + body, must pass validate.sh
scripts/ # POSIX sh scripts (validate, init, improve, package, run-tests)
references/ # supporting reference material
assets/ # templates and other static assets
Skills install portably under both .claude/skills/ and .codex/skills/ — the same
SKILL.md must validate in either location.
npx install, every flag with real CLI output, and troubleshooting.1.0.0 graduation criterion.npm version → git push --follow-tags flow.The three docs/ guides are linked as absolute GitHub URLs because docs/ is not shipped
in the npm tarball; the CHANGELOG.md link is relative because it does ship.
pip install pre-commit
pre-commit install
Contributions run through a three-check gate, enforced identically by the local
pre-commit hook and by GitHub Actions CI (.github/workflows/ci.yml) on every push to
main and every pull request:
--shell=sh) on the skill scripts, with scripts/fixtures/
excluded so intentionally-broken fixtures don't fail the lint.run-tests.sh).Skill scripts stay POSIX sh (#!/bin/sh, set -eu, no bashisms, no hardcoded runtime
paths). The pre-commit / CI tooling is a separate Python-based dev layer and does not relax
that rule. Any change to a validate.sh rule needs a matching pass-* / fail-* fixture so
the self-test suite keeps the gate honest.
Released under the MIT License (© 2026 glapsfun). See LICENSE.
FAQs
A factory for authoring Agent Skills to the agentskills.io open standard.
The npm package @glapsfun/tflow receives a total of 167 weekly downloads. As such, @glapsfun/tflow popularity was classified as not popular.
We found that @glapsfun/tflow demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Research
/Security News
11 malicious NuGet tools pose as game cheats to deploy Windows payloads, track hosts, and use Google Sheets for telemetry and control.

Research
/Security News
4 compromised asyncapi packages deliver miasma botnet loader on macOS, Linux and Windows.

Research
/Security News
A compromised jscrambler npm release added a malicious preinstall hook that runs hidden native binaries on Linux, macOS, and Windows.