fix(desktop): resolve skill install failure in packaged app #240

Merged
Siri-Ray merged 7 commits into main from fix/skillhub-install-logging
Mar 18, 2026

@alchemistklk
Contributor

Summary

  • Root cause: npx clawhub install fails with spawn npx ENOENT in the packaged Electron app because the API sidecar runs with a restricted env that has no shell PATH
  • Fix: Replace npx with direct bin resolution — process.execPath + require.resolve("clawhub/package.json") to find the bundled clawhub CLI
  • Sidecar copier fix: copyRuntimeDependencyClosure silently skipped bin-only packages (no main/exports). Added fallback to resolve via package.json
  • Security: Added slug validation and path traversal protection to desktop CatalogManager.uninstallSkill(), matching the existing API route validation
  • Logging: Added structured logging to both API skillhub routes and desktop CatalogManager for install/uninstall operations
  • Hard rule: Added "never use npx/npm/pnpm in packaged desktop code" to AGENTS.md

Test plan

  • pnpm vitest run tests/desktop/ — 14 tests pass (slug validation, path traversal, bin-only package resolution)
  • pnpm typecheck — all packages pass
  • Built unsigned macOS package and verified skill install works in packaged app
  • Verified API logs show skillhub install events at ~/Library/Application Support/@nexu/logs/runtime-units/api.log
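
The slug validation and path traversal protection described for `CatalogManager.uninstallSkill()`, sketched as an added example. This is not the project's code: the slug grammar, the 64-character limit, the function names and the directory layout are all assumptions.

```javascript
// Added example: slug grammar, length limit, names and layout are assumptions.
const fs = require("node:fs");
const os = require("node:os");
const path = require("node:path");

// Assumed slug grammar: lowercase alphanumerics separated by single hyphens.
const SLUG_RE = /^[a-z0-9]+(?:-[a-z0-9]+)*$/;

// Returns the absolute directory for `slug` under `skillsRoot`, or throws.
function resolveSkillDir(skillsRoot, slug) {
  if (typeof slug !== "string" || slug.length > 64 || !SLUG_RE.test(slug)) {
    throw new Error("invalid skill slug");
  }
  const root = path.resolve(skillsRoot);
  const target = path.resolve(root, slug);
  // Defense in depth: the resolved path must be a strict child of the root.
  const rel = path.relative(root, target);
  if (rel === "" || rel === ".." || rel.startsWith(".." + path.sep) || path.isAbsolute(rel)) {
    throw new Error("skill path escapes skills root");
  }
  return target;
}

// Removes an installed skill. Only real directories are removed; a symlink
// or a plain file at that path is treated as an error.
function uninstallSkill(skillsRoot, slug) {
  const dir = resolveSkillDir(skillsRoot, slug);
  const st = fs.lstatSync(dir, { throwIfNoEntry: false });
  if (!st) return false;
  if (st.isSymbolicLink() || !st.isDirectory()) throw new Error("not a skill directory");
  fs.rmSync(dir, { recursive: true });
  return true;
}

// Constructed demo: a temp skills root with one skill and a sibling directory.
function demo() {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), "skills-demo-"));
  const root = path.join(base, "skills");
  fs.mkdirSync(path.join(root, "web-search"), { recursive: true });
  fs.mkdirSync(path.join(base, "user-data"));
  const results = {};
  for (const slug of ["web-search", "../user-data", "..", "a/b", "", "Web_Search"]) {
    try { results[slug] = uninstallSkill(root, slug); }
    catch (e) { results[slug] = e.message; }
  }
  results.siblingSurvived = fs.existsSync(path.join(base, "user-data"));
  fs.rmSync(base, { recursive: true, force: true });
  return results;
}
```

Validating the slug before any path is built keeps the recursive delete from ever seeing a separator or `..`; the containment check stays in place in case the grammar is loosened later.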

npx is not available on PATH inside the packaged Electron environment,
causing community skill installs to fail with "spawn npx ENOENT". Replace
npx with direct bin resolution via process.execPath + require.resolve().

Also fixes the sidecar dependency copier silently skipping bin-only packages
(no main/exports), adds path traversal protection to desktop uninstall,
and adds structured logging to the skillhub install/uninstall flow.

When a BYOK provider uses a non-default baseUrl (e.g. LiteLLM proxy),
OpenClaw strips the provider prefix from model IDs. Use a byok_ prefixed
provider key so the full model ID (e.g. anthropic/claude-sonnet-4) is
preserved for the proxy.
@cloudflare-workers-and-pages

cloudflare-workers-and-pages Bot commented Mar 18, 2026

Deploying nexu-docs with Cloudflare Pages

Latest commit: 6395420
Status: ✅  Deploy successful!
Preview URL: https://a2431a86.nexu-docs.pages.dev
Branch Preview URL: https://fix-skillhub-install-logging.nexu-docs.pages.dev

…logging

# Conflicts:
#	AGENTS.md
#	apps/api/src/lib/config-generator.ts
#	apps/desktop/main/runtime/manifests.ts
@alchemistklk
Contributor Author

/cr

@slack-code-review-channel

✅ CR topic created in Feishu topic group Refly CR.

@Siri-Ray Siri-Ray merged commit 5f740f1 into main Mar 18, 2026
8 checks passed