Run any Skill in Manus with one click

readme-demo-injector

Stars1

Forks0

UpdatedJune 17, 2026 at 14:12

Save a live third-party page (GitHub repo page, npmx/npm package page, docs site) as a local static copy and inject an element into it (badge, banner, widget) for demos without shipping to prod. Use when user wants to "demo X on the GitHub README", "inject the badge into a real page", "make this page work locally", "mock up how it looks on npmjs/github", or "download and serve this page with my change". Output is a directory servable with `npx serve`.

Installation

Install with Codex or Claude Copy this prompt, paste it into Codex, Claude, or another assistant, and let it review the skill page and install it for you.

Run Skill in Manus

Source

jaysoo

jaysoo/dot-ai-config

View GitHub Repository View Creator Repositories

Download

Run Skill in Manus

SKILL.md

readonly

name

readme-demo-injector

description

README Demo Injector

Capture a real page, inject a local element (badge/banner/widget), serve statically. Lets Jack demo a feature on github.com/nrwl/nx or a package page without deploying.

Process

1. Capture the page

Pick capture method by host + rendering model:

curl (only if host is in the sandbox network allowlist, e.g. github.com): curl -sL <url> -o <dir>/index.html. CHECK the target element exists in static HTML before trusting this (see gotcha 1).
Playwright hydrated-DOM capture (default for SPA/blocked hosts):
1. Start a save-server (POST body -> file) on 127.0.0.1:
```
# save-server.py: BaseHTTPRequestHandler, do_POST writes body to /tmp/<name>.html,
# respond 200 with Access-Control-Allow-Origin: *
```
2. Navigate with playwright MCP, wait for hydration.
3. Capture, choosing transport by page CSP:
  - Page CSP allows connect-src 127.0.0.1 (npmx.dev does): browser_evaluate -> fetch('http://127.0.0.1:PORT/name', {method:'POST', body: '<!doctype html>\n' + document.documentElement.outerHTML})
  - Page CSP blocks localhost (github.com does): browser_run_code_unsafe -> get outerHTML via page.evaluate, then page.request.post(...) — Playwright's request context bypasses page CSP. (require/import('fs') are NOT available in that VM; POST is the only file transport.)
- NEVER return the full HTML as the tool result (hundreds of KB floods context). Always POST to the save-server.

2. Sanitize (python script written to a FILE — fish mangles `!=` in heredocs/inline)

In order:

Insert <base href="https://<origin>/"> right after <head> so relative assets/links resolve to the real origin.
Strip CSP meta tags: re.sub(r'<meta[^>]*Content-Security-Policy[^>]*>', '', s) — saved-page CSP blocks cross-origin styles AND the injected element (upgrade-insecure-requests also rewrites http localhost img URLs to https).
Strip ALL scripts: re.sub(r'<script\b[^>]*>.*?</script>', '', s, flags=re.S) + modulepreload/preload links. React/Nuxt hydration re-renders and DROPS injected nodes (timing-dependent — may look fine once then vanish). CSS <link>s stay; page remains styled.
STRIP SCRIPTS BEFORE INJECTING — otherwise the injection can land inside a script JSON payload and get stripped with it.

3. Inject

Find anchor point in the static markup (e.g. README badge row: locate alt="License" img, insert after its closing </a>).
Assert the injected marker survives in the final file (assert 'alt="..."' in s).
For GitHub README rows match shields style: ?style=for-the-badge (28px uppercase); npm-ish pages use flat/flat-square (20px).

4. Serve + verify

npx serve <dir> (or python3 -m http.server).
Screenshot via playwright; check the injected <img> has naturalWidth > 0 (0 = blocked/broken, e.g. CORP).
If the injected resource comes from another local app: that app must send Cross-Origin-Resource-Policy: cross-origin (helmet defaults to same-origin -> ERR_BLOCKED_BY_RESPONSE.NotSameOrigin).

Gotchas recap

Static curl of github.com keeps the README only in script payloads; the rendered <article> needs hydrated-DOM capture.
Multiple inline SVGs on one preview page collide on duplicate ids (clipPath) — embed via <img> tags instead.
file:// is blocked for playwright MCP — always serve over http.
Playwright MCP screenshots only write inside its allowed roots (cwd / .playwright-mcp) — clean up artifacts from the repo afterwards.

More from this repository

same repository

cnw-templates-dep-audit

jaysoo/dot-ai-config

Daily dependency-staleness audit for the CNW (Create Nx Workspace) template repos under ~/projects/cnw-templates/. Detects out-of-date deps (nx, @nx/*, AND third-party), applies safe upgrades within known compatibility constraints, verifies each repo (build/test/lint/typecheck/e2e), and opens one PR per repo that has updates. Use when "audit template deps", "check template dependencies", "update template deps", "template dep audit", or for a scheduled/daily run. Distinct from `cnw-update-templates` (which only nx-migrates the 4 base templates at the old flat paths).

2026-06-231

cnw-update-templates

jaysoo/dot-ai-config

Update all CNW (Create Nx Workspace) template repos to a target Nx version using nx migrate. Handles angular-template, react-template, typescript-template, and empty-template. Runs migrations, commits changes, but does NOT push without user confirmation. Use when "update templates", "cnw templates", "template update", "migrate templates", or specifying a version like "update templates to 22.7.0".

2026-06-231

pre-pr-review

jaysoo/dot-ai-config

Adversarial multi-dimension review of a branch's uncommitted/committed diff before opening or updating a PR. Fans out review dimensions (correctness, design conformance, copy/voice, hygiene/tests), adversarially verifies each finding, and drafts a terse PR description. Use for a pre-PR review, "review my branch before I open the PR", adversarial PR review, or a conformance gate before push. For deep maintainability/abstraction audits use thermo-nuclear-code-quality-review instead (complementary, not a substitute).

2026-06-181

nx-docs-iterate

jaysoo/dot-ai-config

Validate-and-ship loop for nx astro-docs changes. Runs prettier, vale, the STYLE_GUIDE structural pass, an anchor sweep, then amends the squashed commit and force-pushes with 1Password op-request logging. Use after every docs edit round in the nx repo. Triggers on "docs iterate", "amend and push the docs", "ship the docs change", "docs validate and push".

2026-06-171

nx-deprecate-config-helper

jaysoo/dot-ai-config

Warn-only deprecation of a first-party Nx bundler config helper (composePlugins/withNx/withWeb/withReact and friends) for removal in the next major. Use when asked to "deprecate <helper>", for a "config helpers deprecated" milestone NXC ticket, or any of the @nx/{vite,webpack,rspack,next,expo,rollup}/react config-composition helpers. Triggers on "deprecate config helper", "deprecate withNx/withWeb/withReact/composePlugins", "warn-only deprecate <helper>".

2026-06-091

nx-scorecard

jaysoo/dot-ai-config

Compute Nx CLI scorecard metrics for a month: GitHub issues/PRs (nrwl/nx), Linear high-priority misc issues, and npm download counts with YoY growth. Outputs a Notion-ready markdown table. Use when user says "scorecard", "nx scorecard", "cli scorecard", "monthly scorecard", or asks for the Nx CLI team's monthly issue/PR/download metrics.

2026-06-091

name

readme-demo-injector

description

README Demo Injector

Capture a real page, inject a local element (badge/banner/widget), serve statically. Lets Jack demo a feature on github.com/nrwl/nx or a package page without deploying.

Process

1. Capture the page

Pick capture method by host + rendering model:

curl (only if host is in the sandbox network allowlist, e.g. github.com): curl -sL <url> -o <dir>/index.html. CHECK the target element exists in static HTML before trusting this (see gotcha 1).
Playwright hydrated-DOM capture (default for SPA/blocked hosts):
1. Start a save-server (POST body -> file) on 127.0.0.1:
```
# save-server.py: BaseHTTPRequestHandler, do_POST writes body to /tmp/<name>.html,
# respond 200 with Access-Control-Allow-Origin: *
```
2. Navigate with playwright MCP, wait for hydration.
3. Capture, choosing transport by page CSP:
  - Page CSP allows connect-src 127.0.0.1 (npmx.dev does): browser_evaluate -> fetch('http://127.0.0.1:PORT/name', {method:'POST', body: '<!doctype html>\n' + document.documentElement.outerHTML})
  - Page CSP blocks localhost (github.com does): browser_run_code_unsafe -> get outerHTML via page.evaluate, then page.request.post(...) — Playwright's request context bypasses page CSP. (require/import('fs') are NOT available in that VM; POST is the only file transport.)
- NEVER return the full HTML as the tool result (hundreds of KB floods context). Always POST to the save-server.

2. Sanitize (python script written to a FILE — fish mangles `!=` in heredocs/inline)

In order:

Insert <base href="https://<origin>/"> right after <head> so relative assets/links resolve to the real origin.
Strip CSP meta tags: re.sub(r'<meta[^>]*Content-Security-Policy[^>]*>', '', s) — saved-page CSP blocks cross-origin styles AND the injected element (upgrade-insecure-requests also rewrites http localhost img URLs to https).
Strip ALL scripts: re.sub(r'<script\b[^>]*>.*?</script>', '', s, flags=re.S) + modulepreload/preload links. React/Nuxt hydration re-renders and DROPS injected nodes (timing-dependent — may look fine once then vanish). CSS <link>s stay; page remains styled.
STRIP SCRIPTS BEFORE INJECTING — otherwise the injection can land inside a script JSON payload and get stripped with it.

3. Inject

Find anchor point in the static markup (e.g. README badge row: locate alt="License" img, insert after its closing </a>).
Assert the injected marker survives in the final file (assert 'alt="..."' in s).
For GitHub README rows match shields style: ?style=for-the-badge (28px uppercase); npm-ish pages use flat/flat-square (20px).

4. Serve + verify

npx serve <dir> (or python3 -m http.server).
Screenshot via playwright; check the injected <img> has naturalWidth > 0 (0 = blocked/broken, e.g. CORP).
If the injected resource comes from another local app: that app must send Cross-Origin-Resource-Policy: cross-origin (helmet defaults to same-origin -> ERR_BLOCKED_BY_RESPONSE.NotSameOrigin).

Gotchas recap

Static curl of github.com keeps the README only in script payloads; the rendered <article> needs hydrated-DOM capture.
Multiple inline SVGs on one preview page collide on duplicate ids (clipPath) — embed via <img> tags instead.
file:// is blocked for playwright MCP — always serve over http.
Playwright MCP screenshots only write inside its allowed roots (cwd / .playwright-mcp) — clean up artifacts from the repo afterwards.

readme-demo-injector

README Demo Injector

Process

1. Capture the page

2. Sanitize (python script written to a FILE — fish mangles != in heredocs/inline)

3. Inject

4. Serve + verify

Gotchas recap

More from this repository

README Demo Injector

Process

1. Capture the page

2. Sanitize (python script written to a FILE — fish mangles != in heredocs/inline)

3. Inject

4. Serve + verify

Gotchas recap

More from this repository

2. Sanitize (python script written to a FILE — fish mangles `!=` in heredocs/inline)

2. Sanitize (python script written to a FILE — fish mangles `!=` in heredocs/inline)