Skip to content

feat(engineering): add desktop-manager skill for Windows desktop automation#687

Open
FreyaFujo wants to merge 1 commit into
alirezarezvani:devfrom
FreyaFujo:feature/engineering-desktop-manager
Open

feat(engineering): add desktop-manager skill for Windows desktop automation#687
FreyaFujo wants to merge 1 commit into
alirezarezvani:devfrom
FreyaFujo:feature/engineering-desktop-manager

Conversation

@FreyaFujo

Copy link
Copy Markdown
Contributor

Summary

  • Adds engineering/desktop-manager/ — a new Windows-only skill for full desktop control from Claude Code via PowerShell + Win32 API, requiring no third-party tools or admin elevation
  • Three Python CLI scripts (stdlib-only): window_manager.py (list/snap/tile/move/focus), process_manager.py (list/launch/kill), desktop_snapshot.py (save/restore named layouts)
  • Win32 API reference in references/powershell-window-api.md covering GetWindowRect, SetWindowPos, ShowWindow, multi-monitor, DPI, virtual desktops

Test plan

  • skill_validator.py score: 100/100 (EXCELLENT)
  • skill_security_auditor.py --strict: PASS — 0 CRITICAL, 0 HIGH
  • script_tester.py: 3/3 PASS — syntax, argparse, stdlib-only, help, JSON output
  • python -m compileall engineering/desktop-manager/scripts/: clean
  • SKILL.md: 180 lines (under 500-line cap)
  • Manual: run python scripts/window_manager.py list on Windows 10/11 to verify window enumeration
  • Manual: run python scripts/window_manager.py tile --layout 2col to verify tiling

🤖 Generated with Claude Code

…mation

Adds a new Windows-only skill that enables full desktop control from Claude
Code via PowerShell and Win32 API — no third-party tools or admin rights needed.

- window_manager.py: list, snap (12 positions), tile (2col/3col/grid4), move, show/focus
- process_manager.py: list (windowed/all), launch by name or path, kill by name or PID
- desktop_snapshot.py: save/restore named layouts to ~/.desktop-snapshots/ with title fallback
- references/powershell-window-api.md: Win32 function reference, multi-monitor, DPI, virtual desktops

All scripts: stdlib-only, argparse CLI, --json flag, exit codes 0/1/2
Validation: skill_validator 100/100, security audit PASS (0 CRITICAL/HIGH), 180-line SKILL.md

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

@alirezarezvani alirezarezvani left a comment

Copy link
Copy Markdown
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for this — the skill is genuinely useful and the SKILL.md is well-structured: clear slash-command table, a good "When this activates" trigger list, a thorough Win32 API reference, and stdlib-only scripts with sensible subcommand design. A few items need to be addressed before it can merge.

Blocking

1. Missing .claude-plugin/plugin.json + no marketplace.json entry.
Every skill package needs its own engineering/desktop-manager/.claude-plugin/plugin.json (name, description, version, author, homepage, repository, license, skills) and a registration entry in the root .claude-plugin/marketplace.json. This is enforced by scripts/check_plugin_json.py --all in CI, so the build will fail without it. Use the canonical ./-prefixed skills form — for a single-skill plugin with SKILL.md at the plugin root: "skills": ["./"].

2. PowerShell injection in process_manager.pylaunch_app().
--path and --args are escaped with .replace("'", "\\'"), but PowerShell single-quoted strings do not use backslash escaping — a literal single quote is escaped by doubling it (''). As written, an input containing ' breaks out of the quoted string and the remainder is interpreted as PowerShell. Unlike list/kill (which run names through _sanitize_name), launch --path and --args are passed through with only this broken escape, so this is a real injection vector.

Minimum fix:

target = path.replace("'", "''")     # PowerShell single-quote escaping
safe_args = args.replace("'", "''")

Better: pass arguments as a PowerShell array rather than interpolating a single string, and/or invoke via subprocess arg lists where possible. Please also add a one-line note in the SKILL.md "Requirements"/security section that --path/--args accept arbitrary executables by design (the caller is trusted), so the trust boundary is explicit.

3. Test plan is unverified.
The PR checklist lists skill_validator.py 100/100, skill_security_auditor.py --strict PASS, and script_tester.py 3/3 — but all boxes are unchecked. Please run them and paste the output (the security auditor in particular should be re-run after the escaping fix above). python -m compileall engineering/desktop-manager/scripts/ should be clean too.

Non-blocking (nice to have)

4. Slash commands aren't wired up. SKILL.md documents /desktop:windows, /desktop:tile, etc., but no commands/ files are included. The repo convention is a cs-* agent + /cs:* command per skill (see engineering/caveman, engineering/write-a-skill). Either add them or drop the slash-command table to match what ships.

5. Rebase onto current dev. This branch is based on the ~220-skill era; dev is now well ahead. Please rebase so the marketplace counts and surrounding structure line up and the diff stays clean.

The Windows-only scope is fine (metadata.platform: windows is honest about it). Once items 1–3 are in I'm happy to re-review. Targeting dev is correct 👍


Reviewed via Claude Code.


Generated by Claude Code

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

2 participants