Files

DATA 6de0bf9f5b Initial commit: hardened DeerFlow factory

Vendored deer-flow upstream (bytedance/deer-flow) plus prompt-injection
hardening:

- New deerflow.security package: content_delimiter, html_cleaner,
  sanitizer (8 layers — invisible chars, control chars, symbols, NFC,
  PUA, tag chars, horizontal whitespace collapse with newline/tab
  preservation, length cap)
- New deerflow.community.searx package: web_search, web_fetch,
  image_search backed by a private SearX instance, every external
  string sanitized and wrapped in <<<EXTERNAL_UNTRUSTED_CONTENT>>>
  delimiters
- All native community web providers (ddg_search, tavily, exa,
  firecrawl, jina_ai, infoquest, image_search) replaced with hard-fail
  stubs that raise NativeWebToolDisabledError at import time, so a
  misconfigured tool.use path fails loud rather than silently falling
  back to unsanitized output
- Native client back-doors (jina_client.py, infoquest_client.py)
  stubbed too
- Native-tool tests quarantined under tests/_disabled_native/
  (collect_ignore_glob via local conftest.py)
- Sanitizer Layer 7 fix: only collapse horizontal whitespace, preserve
  newlines and tabs so list/table structure survives
- Hardened runtime config.yaml references only the searx-backed tools
- Factory overlay (backend/) kept in sync with deer-flow tree as a
  reference / source

See HARDENING.md for the full audit trail and verification steps.

2026-04-12 14:23:57 +02:00

2.6 KiB

Raw Permalink Blame History

name, description

name	description
surprise-me	Create a delightful, unexpected "wow" experience for the user by dynamically discovering and creatively combining other enabled skills. Triggers when the user says "surprise me" or any request expressing a desire for an unexpected creative showcase. Also triggers when the user is bored, wants inspiration, or asks for "something interesting".

Surprise Me

Deliver an unexpected, delightful experience by dynamically discovering available skills and combining them creatively.

Workflow

Step 1: Discover Available Skills

Read all the skills listed in the <available_skills>.

Step 2: Plan the Surprise

Select 1 to 3 skills and design a creative mashup. The goal is a single cohesive deliverable, not separate demos.

Creative combination principles:

Juxtapose skills in unexpected ways (e.g., a presentation about algorithmic art, a research report turned into a slide deck, a styled doc with canvas-designed illustrations)
Incorporate the user's known interests/context from memory if available
Prioritize visual impact and emotional delight over information density
The output should feel like a gift — polished, surprising, and fun

Theme ideas (pick or remix):

Something tied to today's date, season, or trending news
A mini creative project the user never asked for but would love
A playful "what if" concept
An aesthetic artifact combining data + design
A fun interactive HTML/React experience

Step 3: Fallback — No Other Skills Available

If no other skills are discovered (only surprise-me exists), use one of these fallbacks:

News-based surprise: Search today's news for a fascinating story, then create a beautifully designed HTML artifact presenting it in a visually striking way
Interactive HTML experience: Build a creative single-page web experience — generative art, a mini-game, a visual poem, an animated infographic, or an interactive story
Personalized artifact: Use known user context to create something personal and delightful

Step 4: Execute

Read the full SKILL.md body of each selected skill
Follow each skill's instructions for technical execution
Combine outputs into one cohesive deliverable
Present the result with minimal preamble — let the work speak for itself

Step 5: Reveal

Present the surprise with minimal spoilers. A short teaser line, then the artifact.

Good reveal: "I made you something ✨" + [the artifact]
Bad reveal: "I decided to combine the pptx skill with the canvas-design skill to create a presentation about..." (kills the surprise)

2.6 KiB Raw Permalink Blame History