feat(skills): add dependency declaration and auto-install for skills

[mvanhorn]

Summary

Add a dependencies field to SKILL.md frontmatter so skills can declare pip packages they need. The skill loader checks for missing packages on first load and installs them automatically.

Why this matters

Skills that need Python packages (pandas for data-analysis, matplotlib for chart-visualization) fail silently at runtime with ImportError. There is no way to declare what a skill needs.

Source	Evidence
CrewAI	Agents declare pip requirements per task
skill-creator template	Has TODO items for dependency management

Changes

• types.py: SkillDependencies dataclass with pip and npm fields, added to Skill
• parser.py: Secondary pass using yaml.safe_load() to extract nested dependencies from frontmatter
• loader.py: ensure_skill_dependencies() checks missing pip packages via importlib.util.find_spec(), installs via uv pip install with fallback to pip. Caches per skill to avoid redundant installs.
• skill-creator template: Commented example of dependencies field

SKILL.md format

dependencies:
  pip:
    - pandas>=2.0
    - matplotlib

Testing

3 new tests + all 19 existing skill tests pass.

• test_parse_skill_with_dependencies - parses pip and npm deps from frontmatter
• test_parse_skill_without_dependencies_is_backward_compatible - no deps = None
• test_ensure_skill_dependencies_installs_missing_pip_packages - mocked install with caching

This contribution was developed with AI assistance (Codex).

[Copilot]

Pull request overview

Adds first-class dependency declarations to skills so SKILL.md frontmatter can specify required packages, and the loader will attempt to auto-install missing pip dependencies when enabled skills are loaded.

Changes:

• Introduces SkillDependencies and adds optional dependencies to the Skill model.
• Extends SKILL.md parsing to read nested dependencies from frontmatter (via yaml.safe_load).
• Adds runtime dependency enforcement in load_skills() (pip install via uv/pip) plus new tests and a template example.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 6 comments.

Show a summary per file

File	Description
skills/public/skill-creator/scripts/init_skill.py	Documents the new dependencies frontmatter field via commented example.
backend/tests/test_skill_dependencies.py	Adds tests for dependency parsing and auto-install behavior with caching.
backend/packages/harness/deerflow/skills/types.py	Adds SkillDependencies and attaches it to the Skill dataclass.
backend/packages/harness/deerflow/skills/parser.py	Parses dependencies from SKILL.md frontmatter using a YAML pass.
backend/packages/harness/deerflow/skills/loader.py	Implements ensure_skill_dependencies() and invokes it for enabled skills during load.

[Copilot]

ensure_skill_dependencies() adds skill_key to _CHECKED_SKILL_DEPENDENCIES before it has verified dependencies are present and before any install attempt succeeds. If the dependency list changes later (or an install fails transiently), the skill will be permanently skipped for the lifetime of the process. Consider only caching after a successful check/install, or include a hash of the declared dependencies in the cache key and avoid marking as checked on failures.

[Copilot]

The missing-package detection uses importlib.util.find_spec() on the raw requirement string (e.g. the documented example pandas>=2.0). find_spec('pandas>=2.0') will always fail, causing unnecessary reinstalls/forced upgrades on every process start. Parse PEP 508 requirement strings (extras/version markers) to extract the distribution name, and check installation via importlib.metadata (or packaging.requirements.Requirement) rather than module specs.

[Copilot]

subprocess.run(command) is invoked without check=True, timeout, or logging; if the install fails, the loader will continue and the skill will still fail later with ImportError (and is currently cached as “checked”). Also, calling pip as a bare executable can install into the wrong environment (or be missing entirely). Consider running installs via the current interpreter (sys.executable -m pip) and for uv explicitly targeting the same Python, and treat non-zero exit codes as errors with a helpful message.

[Copilot]

load_skills() now auto-installs declared dependencies for every enabled skill. Because ExtensionsConfig.is_skill_enabled() defaults to enabled for custom skills too, a newly installed custom skill can trigger arbitrary pip install execution as soon as skills are listed/loaded (e.g. via /api/skills or prompt generation). This is a significant security risk; consider gating auto-install behind an explicit config flag (default false) and/or restricting installs to trusted admins/allowlisted packages.

[Copilot]

parse_skill_file() now accepts a dependencies key in SKILL.md frontmatter, but deerflow.skills.validation.ALLOWED_FRONTMATTER_PROPERTIES currently does not include dependencies (and install_skill_from_archive() validates frontmatter). This means skills that declare dependencies will likely be rejected during installation/validation. Update the validation allowlist and validation rules to include the new field so the feature works end-to-end.

[Copilot]

The PR description documents version-pinned requirements (e.g. pandas>=2.0), but the current tests only cover bare names. Add coverage for specifiers/extras/markers (e.g. requests>=2, pydantic-core>=2; python_version>='3.12') to ensure ensure_skill_dependencies() correctly detects “already installed” without attempting installs due to find_spec() failing on non-module strings.