Title: [BUG] Root marketplace.json skill source paths missing skills/` prefix — all 7 plugins load 0 skills
Body:
Summary
The repo-root marketplace manifest .claude-plugin/marketplace.json declares every skill source path relative to the repo root (e.g. ./appsec/sast-semgrep), but the skills actually live under skills/ (e.g. skills/appsec/sast-semgrep). As a result Claude Code resolves all 31 source paths to non-existent directories, every one of the 7 plugins loads 0 skills, and /doctor reports setup errors (14 in my install).
Environment
- Claude Code
2.1.165
- Marketplace commit
6e25a4b (feat(tooling): add validate_skill.py, pre-commit hook, fix offsec docs)
- Repo:
AgentSecOps/SecOpsAgentKit
Evidence
.claude-plugin/marketplace.json (repo root) declares:
{
"name": "appsec-skills",
"skills": [
"./appsec/sast-semgrep",
"./appsec/sast-bandit",
"./appsec/dast-zap"
]
}But the actual directory layout is:
SecOpsAgentKit/
├── .claude-plugin/marketplace.json <-- broken paths (./appsec/...)
├── skills/
│ ├── .claude-plugin/marketplace.json <-- correct paths (resolve OK)
│ └── appsec/
│ ├── sast-semgrep/ <-- skills really here
│ ├── sast-bandit/
│ └── ...
Programmatic check across the root manifest:
paths missing skills/ prefix (broken): 31
paths OK: 0
plugins total: 7
Notably, the second manifest at skills/.claude-plugin/marketplace.json has paths that DO resolve (relative to skills/). The root copy appears to be a stale/incorrect duplicate.
Impact
All 5 enabled plugins (devsecops, secsdlc, compliance, incident-response, threatmodel) plus appsec and offsec load no skills and surface errors in /doctor. Users must disable the plugins as a workaround.
Suggested fix
Either:
- Prefix every
source/skills path in .claude-plugin/marketplace.json with skills/ (e.g. ./skills/appsec/sast-semgrep), or
- Remove the duplicate root
.claude-plugin/marketplace.json and make skills/.claude-plugin/marketplace.json the canonical manifest.
The existing validate_skill.py / pre-commit hook (added in 6e25a4b) could be extended to assert that every declared source path resolves to an existing directory, which would have caught this.
Workaround
Disable the affected plugins in ~/.claude/settings.json enabledPlugins until fixed.
Title:
[BUG] Root marketplace.json skill source paths missingskills/` prefix — all 7 plugins load 0 skillsBody:
Summary
The repo-root marketplace manifest
.claude-plugin/marketplace.jsondeclares every skillsourcepath relative to the repo root (e.g../appsec/sast-semgrep), but the skills actually live underskills/(e.g.skills/appsec/sast-semgrep). As a result Claude Code resolves all 31 source paths to non-existent directories, every one of the 7 plugins loads 0 skills, and/doctorreports setup errors (14 in my install).Environment
2.1.1656e25a4b(feat(tooling): add validate_skill.py, pre-commit hook, fix offsec docs)AgentSecOps/SecOpsAgentKitEvidence
.claude-plugin/marketplace.json(repo root) declares:{ "name": "appsec-skills", "skills": [ "./appsec/sast-semgrep", "./appsec/sast-bandit", "./appsec/dast-zap" ] }But the actual directory layout is:
Programmatic check across the root manifest:
Notably, the second manifest at
skills/.claude-plugin/marketplace.jsonhas paths that DO resolve (relative toskills/). The root copy appears to be a stale/incorrect duplicate.Impact
All 5 enabled plugins (
devsecops,secsdlc,compliance,incident-response,threatmodel) plusappsecandoffsecload no skills and surface errors in/doctor. Users must disable the plugins as a workaround.Suggested fix
Either:
source/skillspath in.claude-plugin/marketplace.jsonwithskills/(e.g../skills/appsec/sast-semgrep), or.claude-plugin/marketplace.jsonand makeskills/.claude-plugin/marketplace.jsonthe canonical manifest.The existing
validate_skill.py/ pre-commit hook (added in6e25a4b) could be extended to assert that every declaredsourcepath resolves to an existing directory, which would have caught this.Workaround
Disable the affected plugins in
~/.claude/settings.jsonenabledPluginsuntil fixed.