feat(flow): log each flow method execution at INFO

Flows emit a Rich console message when they start ('Flow started with
ID: …') but produce no further log line until the next significant
event. When a flow appears to hang, this makes it hard to tell which
@start/@listen method is currently running.

Add a single INFO log at the entry of _execute_method that surfaces
the active method name. This works for both @start methods and
listeners since both paths funnel through _execute_method.

.github/workflows/build-uv-cache.yml

@@ -26,7 +26,7 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Install uv
-        uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6
+        uses: astral-sh/setup-uv@v6
         with:
           version: "0.11.3"
           python-version: ${{ matrix.python-version }}

.github/workflows/generate-tool-specs.yml

@@ -22,10 +22,10 @@ jobs:
     steps:
       - name: Generate GitHub App token
         id: app-token
-        uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
+        uses: tibdex/github-app-token@v2
         with:
-          app-id: ${{ secrets.CREWAI_TOOL_SPECS_APP_ID }}
-          private-key: ${{ secrets.CREWAI_TOOL_SPECS_PRIVATE_KEY }}
+          app_id: ${{ secrets.CREWAI_TOOL_SPECS_APP_ID }}
+          private_key: ${{ secrets.CREWAI_TOOL_SPECS_PRIVATE_KEY }}
 
       - name: Checkout code
         uses: actions/checkout@v4
@@ -34,7 +34,7 @@ jobs:
           token: ${{ steps.app-token.outputs.token }}
 
       - name: Install uv
-        uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6
+        uses: astral-sh/setup-uv@v6
         with:
           version: "0.11.3"
           python-version: "3.12"

.github/workflows/linter.yml

@@ -13,7 +13,7 @@ jobs:
       code: ${{ steps.filter.outputs.code }}
     steps:
       - uses: actions/checkout@v4
-      - uses: dorny/paths-filter@d1c1ffe0248fe513906c8e24db8ea791d46f8590 # v3
+      - uses: dorny/paths-filter@v3
         id: filter
         with:
           filters: |
@@ -41,7 +41,7 @@ jobs:
             uv-main-py3.11-
 
       - name: Install uv
-        uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6
+        uses: astral-sh/setup-uv@v6
         with:
           version: "0.11.3"
           python-version: "3.11"

.github/workflows/nightly.yml

@@ -44,7 +44,7 @@ jobs:
       - uses: actions/checkout@v4
 
       - name: Install uv
-        uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6
+        uses: astral-sh/setup-uv@v6
         with:
           version: "0.11.3"
           python-version: "3.12"
@@ -103,7 +103,7 @@ jobs:
       contents: read
     steps:
       - name: Install uv
-        uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6
+        uses: astral-sh/setup-uv@v6
         with:
           version: "0.11.3"
           python-version: "3.12"

.github/workflows/pr-size.yml

@@ -10,7 +10,7 @@ jobs:
     permissions:
       pull-requests: write
     steps:
-      - uses: codelytv/pr-size-labeler@095a41fca88b8764fd9e008ad269bcdb82bb38b9 # v1
+      - uses: codelytv/pr-size-labeler@v1
         with:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           xs_label: "size/XS"

.github/workflows/pr-title.yml

@@ -12,7 +12,7 @@ jobs:
   pr-title:
     runs-on: ubuntu-latest
     steps:
-      - uses: amannn/action-semantic-pull-request@e32d7e603df1aa1ba07e981f2a23455dee596825 # v5
+      - uses: amannn/action-semantic-pull-request@v5
         continue-on-error: true
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/publish.yml

@@ -34,7 +34,7 @@ jobs:
           python-version: "3.12"
 
       - name: Install uv
-        uses: astral-sh/setup-uv@38f3f104447c67c051c4a08e39b64a148898af3a # v4
+        uses: astral-sh/setup-uv@v4
 
       - name: Build packages
         run: |
@@ -63,7 +63,7 @@ jobs:
           ref: ${{ inputs.release_tag || github.ref }}
 
       - name: Install uv
-        uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6
+        uses: astral-sh/setup-uv@v6
         with:
           version: "0.11.3"
           python-version: "3.12"
@@ -159,7 +159,7 @@ jobs:
 
       - name: Notify Slack
         if: success()
-        uses: slackapi/slack-github-action@b0fa283ad8fea605de13dc3f449259339835fc52 # v2.1.0
+        uses: slackapi/slack-github-action@v2.1.0
         with:
           webhook: ${{ secrets.SLACK_WEBHOOK_URL }}
           webhook-type: incoming-webhook

.github/workflows/tests.yml

@@ -13,7 +13,7 @@ jobs:
       code: ${{ steps.filter.outputs.code }}
     steps:
       - uses: actions/checkout@v4
-      - uses: dorny/paths-filter@d1c1ffe0248fe513906c8e24db8ea791d46f8590 # v3
+      - uses: dorny/paths-filter@v3
         id: filter
         with:
           filters: |
@@ -51,7 +51,7 @@ jobs:
             uv-main-py${{ matrix.python-version }}-
 
       - name: Install uv
-        uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6
+        uses: astral-sh/setup-uv@v6
         with:
           version: "0.11.3"
           python-version: ${{ matrix.python-version }}

.github/workflows/type-checker.yml

@@ -13,7 +13,7 @@ jobs:
       code: ${{ steps.filter.outputs.code }}
     steps:
       - uses: actions/checkout@v4
-      - uses: dorny/paths-filter@d1c1ffe0248fe513906c8e24db8ea791d46f8590 # v3
+      - uses: dorny/paths-filter@v3
         id: filter
         with:
           filters: |
@@ -48,7 +48,7 @@ jobs:
             uv-main-py${{ matrix.python-version }}-
 
       - name: Install uv
-        uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6
+        uses: astral-sh/setup-uv@v6
         with:
           version: "0.11.3"
           python-version: ${{ matrix.python-version }}

.github/workflows/update-test-durations.yml

@@ -38,7 +38,7 @@ jobs:
             uv-main-py${{ matrix.python-version }}-
 
       - name: Install uv
-        uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6
+        uses: astral-sh/setup-uv@v6
         with:
           version: "0.11.3"
           python-version: ${{ matrix.python-version }}

.github/workflows/vulnerability-scan.yml

@@ -31,7 +31,7 @@ jobs:
             uv-main-py3.11-
 
       - name: Install uv
-        uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6
+        uses: astral-sh/setup-uv@v6
         with:
           version: "0.11.3"
           python-version: "3.11"
@@ -46,39 +46,11 @@ jobs:
       - name: Run pip-audit
         run: |
           uv run pip-audit --desc --aliases --skip-editable --format json --output pip-audit-report.json \
-            --ignore-vuln PYSEC-2024-277 \
-            --ignore-vuln PYSEC-2026-89 \
-            --ignore-vuln PYSEC-2026-97 \
-            --ignore-vuln PYSEC-2025-148 \
-            --ignore-vuln PYSEC-2025-183 \
-            --ignore-vuln PYSEC-2025-189 \
-            --ignore-vuln PYSEC-2025-190 \
-            --ignore-vuln PYSEC-2025-191 \
-            --ignore-vuln PYSEC-2025-192 \
-            --ignore-vuln PYSEC-2025-193 \
-            --ignore-vuln PYSEC-2025-194 \
-            --ignore-vuln PYSEC-2025-195 \
-            --ignore-vuln PYSEC-2025-196 \
-            --ignore-vuln PYSEC-2025-197 \
-            --ignore-vuln PYSEC-2025-210 \
-            --ignore-vuln PYSEC-2026-139 \
-            --ignore-vuln PYSEC-2025-211 \
-            --ignore-vuln PYSEC-2025-212 \
-            --ignore-vuln PYSEC-2025-213 \
-            --ignore-vuln PYSEC-2025-214 \
-            --ignore-vuln PYSEC-2025-215 \
-            --ignore-vuln PYSEC-2025-216 \
-            --ignore-vuln PYSEC-2025-217 \
-            --ignore-vuln PYSEC-2025-218
+            --ignore-vuln CVE-2026-3219 \
+            --ignore-vuln GHSA-r374-rxx8-8654
         # Ignored CVEs:
-        #   PYSEC-2024-277      - joblib 1.5.3: disputed; NumpyArrayWrapper only used with trusted caches
-        #   PYSEC-2026-89       - markdown 3.10.2: DoS via malformed HTML; fix 3.8.1 — already past, advisory range is stale
-        #   PYSEC-2026-97       - nltk 3.9.4: arbitrary file read in filestring(); no fix available
-        #   PYSEC-2025-148      - onnx 1.21.0: path traversal in save_external_data; no fix available
-        #   PYSEC-2025-183      - pyjwt 2.12.1: disputed weak-encryption claim; key length is application-chosen
-        #   PYSEC-2025-189..197 - torch 2.11.0: memory-corruption/DoS in functions only reachable via untrusted models; no fix available
-        #   PYSEC-2025-210, PYSEC-2026-139 - torch 2.11.0: profiler/deserialization issues; no fix available
-        #   PYSEC-2025-211..218 - transformers 5.5.4: deserialization/code injection via malicious model checkpoints; no fix available
+        #   CVE-2026-3219      - pip 26.0.1 (GHSA-58qw-9mgm-455v): no fix available, archive handling issue
+        #   GHSA-r374-rxx8-8654 - paramiko 4.0.0 (SHA-1 in rsakey.py): no fix available; transitive via composio-core
         continue-on-error: true
 
       - name: Display results

lib/cli/src/crewai_cli/cli.py

@@ -26,7 +26,6 @@ from crewai_cli.replay_from_task import replay_task_command
 from crewai_cli.reset_memories_command import reset_memories_command
 from crewai_cli.run_crew import run_crew
 from crewai_cli.settings.main import SettingsCommand
-from crewai_cli.skills.main import SkillCommand
 from crewai_cli.task_outputs import load_task_outputs
 from crewai_cli.tools.main import ToolCommand
 from crewai_cli.train_crew import train_crew
@@ -547,56 +546,6 @@ def tool_publish(is_public: bool, force: bool) -> None:
     tool_cmd.publish(is_public, force)
 
 
-@crewai.group()
-def skill() -> None:
-    """Skill Repository related commands."""
-
-
-@skill.command(name="create")
-@click.argument("name")
-@click.option(
-    "--no-project",
-    "in_project",
-    is_flag=True,
-    default=True,
-    flag_value=False,
-    help="Create skill in current dir instead of ./skills/",
-)
-def skill_create(name: str, in_project: bool) -> None:
-    skill_cmd = SkillCommand()
-    skill_cmd.create(name, in_project=in_project)
-
-
-@skill.command(name="install")
-@click.argument("ref")
-def skill_install(ref: str) -> None:
-    skill_cmd = SkillCommand()
-    skill_cmd.install(ref)
-
-
-@skill.command(name="publish")
-@click.option(
-    "--force",
-    is_flag=True,
-    default=False,
-    show_default=True,
-    help="Skip git-state validation.",
-)
-@click.option("--public", "is_public", flag_value=True, default=False)
-@click.option("--private", "is_public", flag_value=False)
-@click.option("--org", default=None, help="Organisation slug (overrides settings).")
-def skill_publish(is_public: bool, org: str | None, force: bool) -> None:
-    skill_cmd = SkillCommand()
-    skill_cmd.publish(is_public, org=org, force=force)
-
-
-@skill.command(name="list")
-def skill_list() -> None:
-    """List locally installed skills."""
-    skill_cmd = SkillCommand()
-    skill_cmd.list_cached()
-
-
 @crewai.group()
 def template() -> None:
     """Browse and install project templates."""

lib/cli/src/crewai_cli/git.py

@@ -40,7 +40,7 @@ class Repository:
             encoding="utf-8",
         ).strip()
 
-    @cached_property
+    @cached_property  # noqa: B019
     def is_git_repo(self) -> bool:
         """Check if the current directory is a git repository."""
         try:

lib/cli/src/crewai_cli/skills/main.py

@@ -1,415 +0,0 @@
-"""Skill Repository CLI commands for CrewAI."""
-
-from __future__ import annotations
-
-import base64
-import io
-import json
-import os
-from pathlib import Path
-import tarfile
-import zipfile
-
-from rich.console import Console
-from rich.table import Table
-
-from crewai_cli.command import BaseCommand, PlusAPIMixin
-from crewai_cli.config import Settings
-from crewai_cli.constants import DEFAULT_CREWAI_ENTERPRISE_URL
-
-
-console = Console()
-
-_SKILL_MD_TEMPLATE = """\
----
-name: {name}
-version: 0.1.0
-description: |
-  A short description of what this skill does.
----
-
-## Instructions
-
-Describe the skill behaviour here. This section is shown to the agent at activation time.
-"""
-
-
-class SkillCommand(BaseCommand, PlusAPIMixin):
-    """Skill Repository related operations for CrewAI projects."""
-
-    def __init__(self) -> None:
-        BaseCommand.__init__(self)
-        PlusAPIMixin.__init__(self, telemetry=self._telemetry)
-
-    # ------------------------------------------------------------------
-    # create
-    # ------------------------------------------------------------------
-
-    def create(self, name: str, in_project: bool = True) -> None:
-        """Scaffold a new skill directory.
-
-        If pyproject.toml is present (crew project), creates ./skills/{name}/.
-        Otherwise creates ./{name}/.
-        """
-        if in_project and os.path.isfile("pyproject.toml"):
-            skill_dir = Path("skills") / name
-        else:
-            skill_dir = Path(name)
-
-        if skill_dir.exists():
-            console.print(f"[red]Directory {skill_dir} already exists.[/red]")
-            raise SystemExit(1)
-
-        skill_dir.mkdir(parents=True)
-        (skill_dir / "scripts").mkdir()
-        (skill_dir / "references").mkdir()
-        (skill_dir / "assets").mkdir()
-
-        skill_md = skill_dir / "SKILL.md"
-        skill_md.write_text(_SKILL_MD_TEMPLATE.format(name=name))
-
-        console.print(
-            f"[green]Created skill [bold]{name}[/bold] at [bold]{skill_dir}[/bold].[/green]"
-        )
-        console.print(f"Edit [bold]{skill_md}[/bold] to define the skill instructions.")
-
-    # ------------------------------------------------------------------
-    # install
-    # ------------------------------------------------------------------
-
-    def install(self, ref: str) -> None:
-        """Download and install a registry skill.
-
-        Format: @org/name
-
-        Inside a crew project (pyproject.toml present): installs to ./skills/{name}/
-        Outside a project: installs to ~/.crewai/skills/{org}/{name}/
-        """
-        if not ref.startswith("@"):
-            console.print(
-                "[red]Invalid skill reference. Use the format @org/name.[/red]"
-            )
-            raise SystemExit(1)
-
-        without_at = ref[1:]
-        if without_at.count("/") != 1:
-            console.print(
-                "[red]Invalid skill reference. Use the format @org/name.[/red]"
-            )
-            raise SystemExit(1)
-
-        org, name = without_at.split("/", 1)
-        if (
-            not org
-            or not name
-            or org.startswith(".")
-            or name.startswith(".")
-            or len(Path(org).parts) != 1
-            or len(Path(name).parts) != 1
-        ):
-            console.print(
-                "[red]Invalid skill reference: org and name must be single, "
-                "non-empty path segments (no slashes, no '..').[/red]"
-            )
-            raise SystemExit(1)
-
-        self._print_current_organization()
-        console.print(f"[bold blue]Downloading skill {ref}...[/bold blue]")
-
-        get_response = self.plus_api_client.get_skill(org, name)
-
-        if get_response.status_code == 404:
-            console.print(
-                f"[red]Skill {ref} not found. Ensure it has been published and you have access.[/red]"
-            )
-            raise SystemExit(1)
-        if get_response.status_code != 200:
-            console.print(
-                f"[red]Failed to download skill {ref}: {get_response.status_code}[/red]"
-            )
-            raise SystemExit(1)
-
-        data = get_response.json()
-        version = data.get("latest_version") or data.get("version")
-
-        download_url = data.get("download_url")
-        if download_url:
-            import httpx
-
-            dl_response = httpx.get(download_url, follow_redirects=True)
-            dl_response.raise_for_status()
-            archive_bytes = dl_response.content
-        else:
-            encoded = data.get("file", "")
-            if "," in encoded:
-                encoded = encoded.split(",", 1)[1]
-            archive_bytes = base64.b64decode(encoded)
-
-        in_project = os.path.isfile("pyproject.toml")
-        if in_project:
-            dest = Path("skills") / name
-            dest.mkdir(parents=True, exist_ok=True)
-            self._unpack_archive(archive_bytes, dest)
-            console.print(
-                f"[green]Installed [bold]{ref}[/bold]{' (' + version + ')' if version else ''} to [bold]{dest}[/bold].[/green]"
-            )
-        else:
-            try:
-                from crewai.skills.cache import SkillCacheManager
-
-                cache = SkillCacheManager()
-                cache.store(org, name, version, archive_bytes)
-            except ImportError:
-                # Fallback if SDK not installed — write directly
-                cache_dir = Path.home() / ".crewai" / "skills" / org / name
-                if cache_dir.exists():
-                    import shutil
-
-                    shutil.rmtree(cache_dir)
-                cache_dir.mkdir(parents=True, exist_ok=True)
-                self._unpack_archive(archive_bytes, cache_dir)
-                # Write metadata so `crewai skill list` can discover it
-                from datetime import datetime, timezone
-
-                meta = {
-                    "org": org,
-                    "name": name,
-                    "version": version,
-                    "installed_at": datetime.now(tz=timezone.utc).isoformat(),
-                }
-                (cache_dir / ".crewai_meta.json").write_text(json.dumps(meta, indent=2))
-            console.print(
-                f"[green]Installed [bold]{ref}[/bold]{' (' + version + ')' if version else ''} to global cache.[/green]"
-            )
-
-    # ------------------------------------------------------------------
-    # publish
-    # ------------------------------------------------------------------
-
-    def publish(self, is_public: bool, org: str | None, force: bool = False) -> None:
-        """Publish the skill in the current directory to the registry."""
-        skill_md = Path("SKILL.md")
-        if not skill_md.exists():
-            console.print(
-                "[red]No SKILL.md found in current directory. "
-                "Run this command from inside a skill directory.[/red]"
-            )
-            raise SystemExit(1)
-
-        # Parse frontmatter to extract name + version
-        try:
-            frontmatter = self._parse_frontmatter(skill_md.read_text())
-        except ValueError as exc:
-            console.print(f"[red]Failed to parse SKILL.md frontmatter: {exc}[/red]")
-            raise SystemExit(1) from exc
-
-        name = frontmatter.get("name")
-        version = frontmatter.get("version")
-        description = frontmatter.get("description")
-
-        if not name:
-            console.print(
-                "[red]SKILL.md frontmatter must include a 'name' field.[/red]"
-            )
-            raise SystemExit(1)
-
-        if not version:
-            console.print(
-                "[red]SKILL.md frontmatter must include a 'version' field before publishing.[/red]"
-            )
-            raise SystemExit(1)
-
-        settings = Settings()
-        effective_org = org or settings.org_name
-        if not effective_org:
-            console.print(
-                "[red]No organisation set. Run `crewai org switch <org_id>` first, "
-                "or pass --org.[/red]"
-            )
-            raise SystemExit(1)
-
-        self._print_current_organization()
-        console.print(
-            f"[bold blue]Publishing skill [bold]{name}[/bold] v{version} to {effective_org}...[/bold blue]"
-        )
-
-        archive_bytes = self._build_skill_tarball()
-        encoded_file = "data:application/x-gzip;base64," + base64.b64encode(
-            archive_bytes
-        ).decode("utf-8")
-
-        response = self.plus_api_client.publish_skill(
-            org=effective_org,
-            name=name,
-            version=version,
-            is_public=is_public,
-            description=description,
-            encoded_file=encoded_file,
-        )
-
-        self._validate_response(response)
-
-        base_url = settings.enterprise_base_url or DEFAULT_CREWAI_ENTERPRISE_URL
-        console.print(
-            f"[green]Published [bold]{effective_org}/{name}[/bold] v{version}.\n\n"
-            "Security checks are running in the background. "
-            "Your skill will be available once checks complete.\n"
-            f"Monitor status at: {base_url}/crewai_plus/skills/{effective_org}/{name}[/green]"
-        )
-
-    # ------------------------------------------------------------------
-    # list_cached
-    # ------------------------------------------------------------------
-
-    def list_cached(self) -> None:
-        """Show locally installed skills."""
-        table = Table(title="Installed Skills", show_lines=True)
-        table.add_column("Source", style="dim")
-        table.add_column("Ref")
-        table.add_column("Version")
-        table.add_column("Path")
-
-        # Project-local ./skills/
-        local_skills_dir = Path("skills")
-        if local_skills_dir.is_dir():
-            for skill_dir in sorted(local_skills_dir.iterdir()):
-                if skill_dir.is_dir() and (skill_dir / "SKILL.md").exists():
-                    version = self._read_version(skill_dir / "SKILL.md")
-                    table.add_row(
-                        "project",
-                        skill_dir.name,
-                        version or "-",
-                        str(skill_dir),
-                    )
-
-        # Global cache
-        cache_root = Path.home() / ".crewai" / "skills"
-        if cache_root.exists():
-            for org_dir in sorted(cache_root.iterdir()):
-                if not org_dir.is_dir():
-                    continue
-                for skill_dir in sorted(org_dir.iterdir()):
-                    meta_file = skill_dir / ".crewai_meta.json"
-                    if meta_file.exists():
-                        try:
-                            meta = json.loads(meta_file.read_text())
-                            table.add_row(
-                                "cache",
-                                f"@{meta['org']}/{meta['name']}",
-                                meta.get("version") or "-",
-                                str(skill_dir),
-                            )
-                        except (json.JSONDecodeError, KeyError):
-                            console.print(
-                                f"[yellow]Warning: skipping malformed cache entry at {meta_file}[/yellow]"
-                            )
-
-        console.print(table)
-
-    # ------------------------------------------------------------------
-    # internal helpers
-    # ------------------------------------------------------------------
-
-    def _print_current_organization(self) -> None:
-        settings = Settings()
-        if settings.org_uuid:
-            console.print(
-                f"Current organization: {settings.org_name} ({settings.org_uuid})",
-                style="bold blue",
-            )
-        else:
-            console.print(
-                "No organization currently set. We recommend setting one before using: "
-                "`crewai org switch <org_id>` command.",
-                style="yellow",
-            )
-
-    def _unpack_archive(self, archive_bytes: bytes, dest: Path) -> None:
-        """Unpack a .tar.gz or .zip archive into dest."""
-        # Try tar first, then zip
-        try:
-            with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tf:
-                try:
-                    tf.extractall(dest, filter="data")
-                except TypeError:
-                    _safe_extractall(tf, dest)
-            return
-        except tarfile.TarError:
-            pass
-
-        # Fallback: zip
-        with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
-            _safe_extract_zip(zf, dest)
-
-    def _build_skill_tarball(self) -> bytes:
-        """Build an in-memory .tar.gz of SKILL.md + scripts/ + references/ + assets/."""
-        buf = io.BytesIO()
-        with tarfile.open(fileobj=buf, mode="w:gz") as tf:
-            tf.add("SKILL.md")
-            for folder in ("scripts", "references", "assets"):
-                folder_path = Path(folder)
-                if folder_path.is_dir():
-                    for fpath in sorted(folder_path.rglob("*")):
-                        if fpath.is_file():
-                            tf.add(str(fpath))
-        return buf.getvalue()
-
-    def _parse_frontmatter(self, content: str) -> dict[str, str]:
-        """Extract YAML frontmatter fields from a SKILL.md string.
-
-        Reuses crewai.skills.parser when available, with a minimal
-        fallback for environments where the full SDK isn't installed.
-        """
-        try:
-            from crewai.skills.parser import parse_frontmatter
-
-            fm_dict, _ = parse_frontmatter(content)
-            return fm_dict
-        except ImportError:
-            pass
-
-        # Fallback: minimal YAML parsing without SDK dependency
-        import re
-
-        match = re.match(r"^---\n(.*?)\n---", content, re.DOTALL)
-        if not match:
-            raise ValueError("No YAML frontmatter block found")
-        try:
-            import yaml
-
-            return yaml.safe_load(match.group(1)) or {}
-        except ImportError:
-            result: dict[str, str] = {}
-            for line in match.group(1).splitlines():
-                if ":" in line:
-                    key, _, value = line.partition(":")
-                    result[key.strip()] = value.strip()
-            return result
-
-    def _read_version(self, skill_md: Path) -> str | None:
-        """Read the version field from a SKILL.md file, or None."""
-        try:
-            fm = self._parse_frontmatter(skill_md.read_text())
-            return fm.get("version")
-        except Exception:
-            return None
-
-
-def _safe_extractall(tf: tarfile.TarFile, dest: Path) -> None:
-    """Path-traversal-safe extraction for Python < 3.12."""
-    dest_resolved = dest.resolve()
-    for member in tf.getmembers():
-        member_path = (dest / member.name).resolve()
-        if not member_path.is_relative_to(dest_resolved):
-            raise ValueError(f"Blocked path traversal attempt: {member.name!r}")
-    tf.extractall(dest)  # noqa: S202
-
-
-def _safe_extract_zip(zf: zipfile.ZipFile, dest: Path) -> None:
-    """Path-traversal-safe ZIP extraction."""
-    dest_resolved = dest.resolve()
-    for member in zf.namelist():
-        member_path = (dest / member).resolve()
-        if not member_path.is_relative_to(dest_resolved):
-            raise ValueError(f"Blocked path traversal attempt: {member!r}")
-    zf.extractall(dest)  # noqa: S202

lib/cli/tests/skills/test_main.py

@@ -1,205 +0,0 @@
-"""Tests for SkillCommand CLI."""
-
-from __future__ import annotations
-
-import io
-import os
-import tempfile
-import zipfile
-from contextlib import contextmanager
-from datetime import datetime, timedelta
-from pathlib import Path
-from unittest.mock import MagicMock, patch
-
-import pytest
-
-from crewai_cli.shared.token_manager import TokenManager
-
-
-@contextmanager
-def in_temp_dir():
-    original = os.getcwd()
-    with tempfile.TemporaryDirectory() as td:
-        os.chdir(td)
-        try:
-            yield td
-        finally:
-            os.chdir(original)
-
-
-@pytest.fixture
-def skill_command():
-    with tempfile.TemporaryDirectory() as temp_dir:
-        with patch.object(
-            TokenManager, "_get_secure_storage_path", return_value=Path(temp_dir)
-        ):
-            TokenManager().save_tokens(
-                "test-token", (datetime.now() + timedelta(seconds=36000)).timestamp()
-            )
-            from crewai_cli.skills.main import SkillCommand
-            cmd = SkillCommand()
-            yield cmd
-
-
-# ---------------------------------------------------------------------------
-# create
-# ---------------------------------------------------------------------------
-
-class TestSkillCreate:
-    def test_create_in_project(self, skill_command, tmp_path):
-        with in_temp_dir():
-            # Simulate being inside a project
-            Path("pyproject.toml").write_text("[tool.poetry]\nname = 'test'\n")
-            skill_command.create("my-skill")
-            assert Path("skills/my-skill/SKILL.md").exists()
-            assert Path("skills/my-skill/scripts").is_dir()
-            assert Path("skills/my-skill/references").is_dir()
-            assert Path("skills/my-skill/assets").is_dir()
-
-    def test_create_outside_project(self, skill_command, tmp_path):
-        with in_temp_dir():
-            skill_command.create("standalone-skill", in_project=False)
-            assert Path("standalone-skill/SKILL.md").exists()
-
-    def test_create_adds_name_to_skill_md(self, skill_command):
-        with in_temp_dir():
-            skill_command.create("hello-world", in_project=False)
-            content = Path("hello-world/SKILL.md").read_text()
-            assert "name: hello-world" in content
-            assert "version: 0.1.0" in content
-
-    def test_create_fails_if_dir_exists(self, skill_command):
-        with in_temp_dir():
-            Path("existing-skill").mkdir()
-            with pytest.raises(SystemExit):
-                skill_command.create("existing-skill", in_project=False)
-
-
-# ---------------------------------------------------------------------------
-# install
-# ---------------------------------------------------------------------------
-
-class TestSkillInstall:
-    def _zip_skill(self, name: str) -> bytes:
-        buf = io.BytesIO()
-        with zipfile.ZipFile(buf, "w") as zf:
-            zf.writestr("SKILL.md", f"---\nname: {name}\ndescription: Test.\n---\nInstructions.")
-        return buf.getvalue()
-
-    def test_install_invalid_ref_no_at(self, skill_command):
-        with pytest.raises(SystemExit):
-            skill_command.install("acme/my-skill")
-
-    def test_install_invalid_ref_no_slash(self, skill_command):
-        with pytest.raises(SystemExit):
-            skill_command.install("@acmeskill")
-
-    def test_install_404(self, skill_command):
-        mock_resp = MagicMock()
-        mock_resp.status_code = 404
-        skill_command.plus_api_client.get_skill = MagicMock(return_value=mock_resp)
-
-        with pytest.raises(SystemExit):
-            skill_command.install("@acme/ghost")
-
-    def test_install_in_project(self, skill_command):
-        import base64
-        archive = self._zip_skill("my-skill")
-        encoded = "data:application/zip;base64," + base64.b64encode(archive).decode()
-
-        mock_resp = MagicMock()
-        mock_resp.status_code = 200
-        mock_resp.json.return_value = {"file": encoded, "version": "1.0.0"}
-        skill_command.plus_api_client.get_skill = MagicMock(return_value=mock_resp)
-
-        with in_temp_dir():
-            Path("pyproject.toml").write_text("[tool]\n")
-            skill_command.install("@acme/my-skill")
-            assert Path("skills/my-skill/SKILL.md").exists()
-
-
-# ---------------------------------------------------------------------------
-# publish
-# ---------------------------------------------------------------------------
-
-class TestSkillPublish:
-    def test_publish_no_skill_md(self, skill_command):
-        with in_temp_dir():
-            with pytest.raises(SystemExit):
-                skill_command.publish(is_public=True, org="acme")
-
-    def test_publish_missing_version(self, skill_command):
-        with in_temp_dir():
-            Path("SKILL.md").write_text(
-                "---\nname: my-skill\ndescription: Test.\n---\nInstructions."
-            )
-            with pytest.raises(SystemExit):
-                skill_command.publish(is_public=True, org="acme")
-
-    def test_publish_missing_name(self, skill_command):
-        with in_temp_dir():
-            Path("SKILL.md").write_text(
-                "---\ndescription: Test.\nversion: 1.0.0\n---\nInstructions."
-            )
-            with pytest.raises(SystemExit):
-                skill_command.publish(is_public=True, org="acme")
-
-    def test_publish_no_org(self, skill_command):
-        with in_temp_dir():
-            Path("SKILL.md").write_text(
-                "---\nname: my-skill\nversion: 1.0.0\ndescription: Test.\n---\nInstructions."
-            )
-            with patch.object(skill_command, "plus_api_client") as mock_client:
-                mock_resp = MagicMock()
-                mock_resp.is_success = True
-                mock_resp.status_code = 200
-                mock_resp.json.return_value = {}
-                mock_client.publish_skill.return_value = mock_resp
-                # No org set → should SystemExit (no org_name in settings)
-                with patch("crewai_cli.skills.main.Settings") as mock_settings_cls:
-                    mock_settings_cls.return_value.org_name = None
-                    mock_settings_cls.return_value.enterprise_base_url = None
-                    with pytest.raises(SystemExit):
-                        skill_command.publish(is_public=True, org=None)
-
-    def test_publish_calls_api(self, skill_command):
-        with in_temp_dir():
-            Path("SKILL.md").write_text(
-                "---\nname: my-skill\nversion: 1.0.0\ndescription: A test skill.\n---\nInstructions."
-            )
-            mock_resp = MagicMock()
-            mock_resp.is_success = True
-            mock_resp.status_code = 200
-            mock_resp.json.return_value = {}
-            skill_command.plus_api_client.publish_skill = MagicMock(return_value=mock_resp)
-            with patch("crewai_cli.skills.main.Settings") as mock_settings_cls:
-                mock_settings_cls.return_value.org_name = "acme"
-                mock_settings_cls.return_value.enterprise_base_url = None
-
-                skill_command.publish(is_public=False, org="acme")
-
-            skill_command.plus_api_client.publish_skill.assert_called_once()
-            call_kwargs = skill_command.plus_api_client.publish_skill.call_args
-            assert call_kwargs.kwargs["name"] == "my-skill"
-            assert call_kwargs.kwargs["version"] == "1.0.0"
-
-
-# ---------------------------------------------------------------------------
-# list_cached
-# ---------------------------------------------------------------------------
-
-class TestSkillListCached:
-    def test_list_cached_empty(self, skill_command, capsys):
-        with in_temp_dir():
-            skill_command.list_cached()
-            # Should not raise
-
-    def test_list_cached_shows_project_skills(self, skill_command, capsys):
-        with in_temp_dir():
-            skill_dir = Path("skills/my-skill")
-            skill_dir.mkdir(parents=True)
-            (skill_dir / "SKILL.md").write_text(
-                "---\nname: my-skill\nversion: 0.5.0\ndescription: A skill.\n---\nBody."
-            )
-            skill_command.list_cached()
-            # Should complete without error

lib/crewai-core/src/crewai_core/plus_api.py

@@ -140,7 +140,6 @@ class PlusAPI:
     """Client for working with the CrewAI+ API."""
 
     TOOLS_RESOURCE: Final = "/crewai_plus/api/v1/tools"
-    SKILLS_RESOURCE: Final = "/crewai_plus/api/v1/skills"
     ORGANIZATIONS_RESOURCE: Final = "/crewai_plus/api/v1/me/organizations"
     CREWS_RESOURCE: Final = "/crewai_plus/api/v1/crews"
     AGENTS_RESOURCE: Final = "/crewai_plus/api/v1/agents"
@@ -229,47 +228,6 @@ class PlusAPI:
         }
         return self._make_request("POST", f"{self.TOOLS_RESOURCE}", json=params)
 
-    def get_skill(
-        self, org: str, name: str, version: str | None = None
-    ) -> httpx.Response:
-        params: dict[str, str] = {}
-        if version is not None:
-            params["version"] = version
-        return self._make_request(
-            "GET",
-            f"{self.SKILLS_RESOURCE}/{org}/{name}",
-            params=params or None,
-        )
-
-    def publish_skill(
-        self,
-        org: str,
-        name: str,
-        version: str,
-        is_public: bool,
-        description: str | None,
-        encoded_file: str,
-    ) -> httpx.Response:
-        payload = {
-            "org": org,
-            "name": name,
-            "version": version,
-            "public": is_public,
-            "description": description,
-            "file": encoded_file,
-        }
-        return self._make_request("POST", self.SKILLS_RESOURCE, json=payload)
-
-    def list_skills(self, org: str | None = None) -> httpx.Response:
-        params: dict[str, str] = {}
-        if org is not None:
-            params["org"] = org
-        return self._make_request(
-            "GET",
-            self.SKILLS_RESOURCE,
-            params=params or None,
-        )
-
     def deploy_by_name(self, project_name: str) -> httpx.Response:
         return self._make_request(
             "POST", f"{self.CREWS_RESOURCE}/by-name/{project_name}/deploy"

lib/crewai/src/crewai/agent/core.py

@@ -434,7 +434,7 @@ class Agent(BaseAgent):
         from crewai.crew import Crew
 
         if resolved_crew_skills is None:
-            crew_skills: list[Path | SkillModel | str] | None = (
+            crew_skills: list[Path | SkillModel] | None = (
                 self.crew.skills
                 if isinstance(self.crew, Crew) and isinstance(self.crew.skills, list)
                 else None
@@ -446,7 +446,7 @@ class Agent(BaseAgent):
             return
 
         needs_work = self.skills and any(
-            isinstance(s, (Path, str))
+            isinstance(s, Path)
             or (isinstance(s, SkillModel) and s.disclosure_level < INSTRUCTIONS)
             for s in self.skills
         )
@@ -454,28 +454,14 @@ class Agent(BaseAgent):
             return
 
         seen: set[str] = set()
-        resolved: list[Path | SkillModel | str] = []
-        items: list[Path | SkillModel | str] = list(self.skills) if self.skills else []
+        resolved: list[Path | SkillModel] = []
+        items: list[Path | SkillModel] = list(self.skills) if self.skills else []
 
         if crew_skills:
             items.extend(crew_skills)
 
         for item in items:
-            if isinstance(item, str):
-                from crewai.skills.registry import (
-                    is_registry_ref,
-                    parse_registry_ref,
-                    resolve_registry_ref,
-                )
-
-                if is_registry_ref(item):
-                    skill = resolve_registry_ref(item, source=self)
-                    org, _ = parse_registry_ref(item)
-                    dedup_key = f"{org}/{skill.name}"
-                    if dedup_key not in seen:
-                        seen.add(dedup_key)
-                        resolved.append(skill)
-            elif isinstance(item, Path):
+            if isinstance(item, Path):
                 discovered = discover_skills(item, source=self)
                 for skill in discovered:
                     if skill.name not in seen:

lib/crewai/src/crewai/agents/agent_builder/base_agent.py

@@ -334,9 +334,9 @@ class BaseAgent(BaseModel, ABC, metaclass=AgentMeta):
             "If not set, falls back to crew memory."
         ),
     )
-    skills: list[Path | Skill | str] | None = Field(
+    skills: list[Path | Skill] | None = Field(
         default=None,
-        description="Agent Skills. Accepts paths for discovery, pre-loaded Skill objects, or '@org/name' registry refs.",
+        description="Agent Skills. Accepts paths for discovery or pre-loaded Skill objects.",
         min_length=1,
     )
     execution_context: ExecutionContext | None = Field(default=None)
@@ -429,20 +429,6 @@ class BaseAgent(BaseModel, ABC, metaclass=AgentMeta):
     def process_model_config(cls, values: Any) -> dict[str, Any]:
         return process_config(values, cls)
 
-    @field_validator("skills", mode="before")
-    @classmethod
-    def coerce_skill_strings(cls, skills: Any) -> Any:
-        """Coerce plain path strings to Path objects; keep @-prefixed refs as str."""
-        if not isinstance(skills, list):
-            return skills
-        result = []
-        for item in skills:
-            if isinstance(item, str) and not item.startswith("@"):
-                result.append(Path(item))
-            else:
-                result.append(item)
-        return result
-
     @field_validator("tools")
     @classmethod
     def validate_tools(cls, tools: list[Any]) -> list[BaseTool]:

lib/crewai/src/crewai/crew.py

@@ -341,9 +341,9 @@ class Crew(FlowTrackable, BaseModel):
         default=None,
         description="Knowledge for the crew.",
     )
-    skills: list[Path | Skill | str] | None = Field(
+    skills: list[Path | Skill] | None = Field(
         default=None,
-        description="Skill search paths, pre-loaded Skill objects, or '@org/name' registry refs applied to all agents in the crew.",
+        description="Skill search paths or pre-loaded Skill objects applied to all agents in the crew.",
     )
 
     security_config: SecurityConfig = Field(
@@ -526,20 +526,6 @@ class Crew(FlowTrackable, BaseModel):
         if max_seq > 0:
             set_emission_counter(max_seq)
 
-    @field_validator("skills", mode="before")
-    @classmethod
-    def coerce_skill_strings(cls, skills: Any) -> Any:
-        """Coerce plain path strings to Path objects; keep @-prefixed refs as str."""
-        if not isinstance(skills, list):
-            return skills
-        result = []
-        for item in skills:
-            if isinstance(item, str) and not item.startswith("@"):
-                result.append(Path(item))
-            else:
-                result.append(item)
-        return result
-
     @field_validator("id", mode="before")
     @classmethod
     def _deny_user_set_id(cls, v: UUID4 | None, info: Any) -> UUID4 | None:

lib/crewai/src/crewai/events/types/skill_events.py

@@ -60,20 +60,3 @@ class SkillLoadFailedEvent(SkillEvent):
 
     type: Literal["skill_load_failed"] = "skill_load_failed"
     error: str
-
-
-class SkillDownloadStartedEvent(SkillEvent):
-    """Event emitted when a registry skill download begins."""
-
-    type: Literal["skill_download_started"] = "skill_download_started"
-    registry_ref: str
-    version: str | None = None
-
-
-class SkillDownloadCompletedEvent(SkillEvent):
-    """Event emitted when a registry skill download completes."""
-
-    type: Literal["skill_download_completed"] = "skill_download_completed"
-    registry_ref: str
-    version: str | None = None
-    cache_path: Path | None = None

lib/crewai/src/crewai/flow/flow.py

@@ -2633,6 +2633,7 @@ class Flow(BaseModel, Generic[T], metaclass=FlowMeta):
             the event_id of the MethodExecutionFinishedEvent, or None if events
             are suppressed.
         """
+        logger.info("Executing flow method: %s", method_name)
         try:
             dumped_params = {f"_{i}": arg for i, arg in enumerate(args)} | (
                 kwargs or {}

lib/crewai/src/crewai/skills/__init__.py

@@ -3,20 +3,15 @@
 Provides filesystem-based skill packaging with progressive disclosure.
 """
 
-from crewai.skills.cache import SkillCacheManager
 from crewai.skills.loader import activate_skill, discover_skills
 from crewai.skills.models import Skill, SkillFrontmatter
 from crewai.skills.parser import SkillParseError
-from crewai.skills.registry import is_registry_ref, resolve_registry_ref
 
 
 __all__ = [
     "Skill",
-    "SkillCacheManager",
     "SkillFrontmatter",
     "SkillParseError",
     "activate_skill",
     "discover_skills",
-    "is_registry_ref",
-    "resolve_registry_ref",
 ]

lib/crewai/src/crewai/skills/cache.py

@@ -1,148 +0,0 @@
-"""Cache manager for registry-downloaded skills.
-
-Manages ~/.crewai/skills/{org}/{name}/ as the global skill cache.
-One version is stored per skill (last install wins).
-"""
-
-from __future__ import annotations
-
-from datetime import datetime, timezone
-import json
-import logging
-from pathlib import Path
-import tarfile
-from typing import TypedDict
-import zipfile
-
-
-_logger = logging.getLogger(__name__)
-
-
-_CACHE_ROOT = Path.home() / ".crewai" / "skills"
-_META_FILENAME = ".crewai_meta.json"
-
-
-class SkillMetadata(TypedDict):
-    org: str
-    name: str
-    version: str | None
-    installed_at: str
-
-
-class SkillCacheManager:
-    """Manages the global skill cache at ~/.crewai/skills/."""
-
-    def __init__(self, cache_root: Path | None = None) -> None:
-        self._root = cache_root or _CACHE_ROOT
-
-    def _skill_dir(self, org: str, name: str) -> Path:
-        return self._root / org / name
-
-    def get_cached_path(self, org: str, name: str) -> Path | None:
-        """Return the cached skill directory path if it exists, else None."""
-        skill_dir = self._skill_dir(org, name)
-        meta_file = skill_dir / _META_FILENAME
-        if skill_dir.is_dir() and meta_file.exists():
-            return skill_dir
-        return None
-
-    def store(
-        self, org: str, name: str, version: str | None, archive_bytes: bytes
-    ) -> Path:
-        """Unpack an archive into the cache and write metadata.
-
-        Uses tarfile with filter='data' for path-traversal protection.
-
-        Args:
-            org: Organisation slug.
-            name: Skill name.
-            version: Semantic version string, or None if unknown.
-            archive_bytes: Raw bytes of a .tar.gz archive.
-
-        Returns:
-            Path to the stored skill directory.
-        """
-        skill_dir = self._skill_dir(org, name)
-        # Wipe any previous version
-        if skill_dir.exists():
-            import shutil
-
-            shutil.rmtree(skill_dir)
-        skill_dir.mkdir(parents=True, exist_ok=True)
-
-        import io
-
-        # Try tar.gz first, fall back to zip
-        try:
-            with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tf:
-                try:
-                    tf.extractall(skill_dir, filter="data")
-                except TypeError:
-                    _safe_extractall(tf, skill_dir)
-        except tarfile.TarError:
-            with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
-                _safe_extract_zip(zf, skill_dir)
-
-        meta: SkillMetadata = {
-            "org": org,
-            "name": name,
-            "version": version,
-            "installed_at": datetime.now(tz=timezone.utc).isoformat(),
-        }
-        (skill_dir / _META_FILENAME).write_text(json.dumps(meta, indent=2))
-        return skill_dir
-
-    def list_cached(self) -> list[SkillMetadata]:
-        """Return metadata for every cached skill."""
-        results: list[SkillMetadata] = []
-        if not self._root.exists():
-            return results
-        for org_dir in sorted(self._root.iterdir()):
-            if not org_dir.is_dir():
-                continue
-            for skill_dir in sorted(org_dir.iterdir()):
-                meta_file = skill_dir / _META_FILENAME
-                if meta_file.exists():
-                    try:
-                        results.append(json.loads(meta_file.read_text()))
-                    except (json.JSONDecodeError, KeyError):
-                        _logger.debug(
-                            "Skipping malformed cache entry: %s",
-                            meta_file,
-                            exc_info=True,
-                        )
-        return results
-
-    def invalidate(self, org: str, name: str) -> bool:
-        """Remove a cached skill.
-
-        Returns:
-            True if the cache entry existed and was removed, False otherwise.
-        """
-        skill_dir = self._skill_dir(org, name)
-        if skill_dir.exists():
-            import shutil
-
-            shutil.rmtree(skill_dir)
-            return True
-        return False
-
-
-def _safe_extractall(tf: tarfile.TarFile, dest: Path) -> None:
-    """Path-traversal-safe extraction for Python < 3.12."""
-    dest_resolved = dest.resolve()
-    for member in tf.getmembers():
-        member_path = (dest / member.name).resolve()
-        if not member_path.is_relative_to(dest_resolved):
-            raise ValueError(f"Blocked path traversal attempt: {member.name!r}")
-    tf.extractall(dest)  # noqa: S202
-
-
-def _safe_extract_zip(zf: zipfile.ZipFile, dest: Path) -> None:
-    """Path-traversal-safe ZIP extraction."""
-    dest_resolved = dest.resolve()
-    for member in zf.namelist():
-        member_path = (dest / member).resolve()
-        if not member_path.is_relative_to(dest_resolved):
-            raise ValueError(f"Blocked path traversal attempt: {member!r}")
-    zf.extractall(dest)  # noqa: S202

lib/crewai/src/crewai/skills/models.py

@@ -78,10 +78,6 @@ class SkillFrontmatter(BaseModel):
         alias="allowed-tools",
         description="Pre-approved tool names the skill may use, parsed from a space-delimited string in frontmatter.",
     )
-    version: str | None = Field(
-        default=None,
-        description="Semantic version of the skill, e.g. '1.0.0'. Optional for local skills.",
-    )
 
     @model_validator(mode="before")
     @classmethod

lib/crewai/src/crewai/skills/registry.py

@@ -1,223 +0,0 @@
-"""Registry reference resolution for the Agent Skills standard.
-
-Handles @org/skill-name references, local-first resolution, and downloads
-via the CrewAI+ API with a global cache at ~/.crewai/skills/.
-"""
-
-from __future__ import annotations
-
-import logging
-from pathlib import Path
-import sys
-from typing import Any
-
-from crewai.skills.cache import SkillCacheManager
-
-
-_logger = logging.getLogger(__name__)
-
-
-class SkillNotCachedError(Exception):
-    """Raised when a registry skill is not cached and the environment is non-interactive."""
-
-    def __init__(self, ref: str) -> None:
-        super().__init__(
-            f"Skill {ref!r} is not cached locally. "
-            f"Run `crewai skill install {ref}` to install it first."
-        )
-        self.ref = ref
-
-
-def is_registry_ref(value: Any) -> bool:
-    """Return True if *value* looks like a registry reference (@org/name)."""
-    return isinstance(value, str) and value.startswith("@")
-
-
-def parse_registry_ref(ref: str) -> tuple[str, str]:
-    """Parse '@org/skill-name' into (org, name).
-
-    Args:
-        ref: A registry reference, e.g. '@acme/my-skill'.
-
-    Returns:
-        A (org, name) tuple.
-
-    Raises:
-        ValueError: If the reference format is invalid.
-    """
-    if not ref.startswith("@"):
-        raise ValueError(f"Registry reference must start with '@', got: {ref!r}")
-    without_at = ref[1:]
-    if without_at.count("/") != 1:
-        raise ValueError(
-            f"Registry reference must be in '@org/name' format, got: {ref!r}"
-        )
-    org, name = without_at.split("/", 1)
-    if (
-        not org
-        or not name
-        or org.startswith(".")
-        or name.startswith(".")
-        or "/" in org
-        or "/" in name
-    ):
-        raise ValueError(
-            f"Registry reference org and name must be single, non-empty path "
-            f"segments (no '..' or leading dots), got: {ref!r}"
-        )
-    return org, name
-
-
-def _is_noninteractive() -> bool:
-    """Return True in CI or explicitly non-interactive environments."""
-    import os
-
-    return (
-        os.environ.get("CI") == "1"
-        or os.environ.get("CREWAI_NONINTERACTIVE") == "1"
-        or not sys.stdin.isatty()
-    )
-
-
-def resolve_registry_ref(
-    ref: str,
-    source: Any = None,
-) -> Skill:  # type: ignore[name-defined]  # noqa: F821
-    """Resolve a registry reference to a Skill object.
-
-    Resolution order:
-    1. ./skills/{name}/ in the current working directory (project-local)
-    2. ~/.crewai/skills/{org}/{name}/ (global cache)
-    3. Download from registry (interactive only; raises SkillNotCachedError in CI)
-
-    Args:
-        ref: A registry reference, e.g. '@acme/my-skill'.
-        source: Optional source object passed through to skill loaders (for events).
-
-    Returns:
-        A Skill loaded at INSTRUCTIONS disclosure level.
-
-    Raises:
-        SkillNotCachedError: When not cached and running in non-interactive mode.
-    """
-    from crewai.skills.loader import activate_skill
-    from crewai.skills.parser import load_skill_metadata
-
-    org, name = parse_registry_ref(ref)
-
-    # 1. Project-local: ./skills/{name}/
-    local_path = Path.cwd() / "skills" / name
-    if local_path.is_dir() and (local_path / "SKILL.md").exists():
-        try:
-            skill = load_skill_metadata(local_path)
-            return activate_skill(skill, source=source)
-        except Exception:
-            _logger.debug("Failed to load local skill at %s", local_path, exc_info=True)
-
-    # 2. Global cache
-    cache = SkillCacheManager()
-    cached_path = cache.get_cached_path(org, name)
-    if cached_path is not None and (cached_path / "SKILL.md").exists():
-        try:
-            skill = load_skill_metadata(cached_path)
-            return activate_skill(skill, source=source)
-        except Exception:
-            _logger.debug(
-                "Failed to load cached skill at %s", cached_path, exc_info=True
-            )
-
-    # 3. Download
-    if _is_noninteractive():
-        raise SkillNotCachedError(ref)
-
-    return download_skill(org, name, source=source)
-
-
-def download_skill(
-    org: str,
-    name: str,
-    source: Any = None,
-) -> Skill:  # type: ignore[name-defined]  # noqa: F821
-    """Download a skill from the registry and store it in the cache.
-
-    Args:
-        org: Organisation slug.
-        name: Skill name.
-        source: Optional source for event emission.
-
-    Returns:
-        The downloaded Skill at INSTRUCTIONS level.
-    """
-    from crewai.skills.loader import activate_skill
-    from crewai.skills.parser import load_skill_metadata
-
-    ref = f"@{org}/{name}"
-
-    try:
-        from crewai.events.event_bus import crewai_event_bus
-        from crewai.events.types.skill_events import (
-            SkillDownloadCompletedEvent,
-            SkillDownloadStartedEvent,
-        )
-
-        _has_events = True
-    except ImportError:
-        _has_events = False
-
-    if _has_events:
-        crewai_event_bus.emit(
-            source,
-            event=SkillDownloadStartedEvent(
-                registry_ref=ref,
-            ),
-        )
-
-    try:
-        from crewai_core.plus_api import PlusAPI
-
-        api = PlusAPI()
-        response = api.get_skill(org, name)
-        response.raise_for_status()
-        data = response.json()
-    except Exception as exc:
-        raise RuntimeError(
-            f"Failed to download skill {ref!r} from registry: {exc}"
-        ) from exc
-
-    import base64
-
-    import httpx
-
-    version = data.get("latest_version") or data.get("version")
-
-    download_url = data.get("download_url")
-    if download_url:
-        dl_response = httpx.get(download_url, follow_redirects=True)
-        dl_response.raise_for_status()
-        archive_bytes = dl_response.content
-    else:
-        encoded = data.get("file", "")
-        # Strip data URI prefix if present
-        if "," in encoded:
-            encoded = encoded.split(",", 1)[1]
-        archive_bytes = base64.b64decode(encoded)
-
-    cache = SkillCacheManager()
-    skill_dir = cache.store(org, name, version, archive_bytes)
-
-    if _has_events:
-        crewai_event_bus.emit(
-            source,
-            event=SkillDownloadCompletedEvent(
-                registry_ref=ref,
-                version=version,
-                cache_path=skill_dir,
-            ),
-        )
-
-    if not (skill_dir / "SKILL.md").exists():
-        raise RuntimeError(
-            f"Skill archive for {ref!r} downloaded but no SKILL.md found in {skill_dir}"
-        )
-    skill = load_skill_metadata(skill_dir)
-    return activate_skill(skill, source=source)

lib/crewai/tests/skills/test_cache.py

@@ -1,116 +0,0 @@
-"""Tests for SkillCacheManager."""
-
-from __future__ import annotations
-
-import gzip
-import io
-import json
-import tarfile
-from pathlib import Path
-
-from crewai.skills.cache import SkillCacheManager
-
-
-def _make_tar_gz(files: dict[str, str]) -> bytes:
-    """Build an in-memory .tar.gz containing the given filename → content mapping."""
-    buf = io.BytesIO()
-    with gzip.GzipFile(fileobj=buf, mode="wb") as gz:
-        gz_buf = io.BytesIO()
-        with tarfile.open(fileobj=gz_buf, mode="w") as tf:
-            for name, content in files.items():
-                data = content.encode()
-                info = tarfile.TarInfo(name=name)
-                info.size = len(data)
-                tf.addfile(info, io.BytesIO(data))
-        gz.write(gz_buf.getvalue())
-    buf.seek(0)
-    # Re-create properly: gzip wrapping a tar stream
-    out = io.BytesIO()
-    with tarfile.open(fileobj=out, mode="w:gz") as tf:
-        for name, content in files.items():
-            data = content.encode()
-            info = tarfile.TarInfo(name=name)
-            info.size = len(data)
-            tf.addfile(info, io.BytesIO(data))
-    return out.getvalue()
-
-
-class TestSkillCacheManager:
-    def test_get_cached_path_missing(self, tmp_path: Path) -> None:
-        cache = SkillCacheManager(cache_root=tmp_path)
-        assert cache.get_cached_path("acme", "my-skill") is None
-
-    def test_store_and_retrieve(self, tmp_path: Path) -> None:
-        cache = SkillCacheManager(cache_root=tmp_path)
-        archive = _make_tar_gz({"SKILL.md": "---\nname: my-skill\n---\nHello"})
-        dest = cache.store("acme", "my-skill", "1.0.0", archive)
-
-        assert dest.is_dir()
-        assert (dest / "SKILL.md").exists()
-
-        retrieved = cache.get_cached_path("acme", "my-skill")
-        assert retrieved == dest
-
-    def test_store_writes_metadata(self, tmp_path: Path) -> None:
-        cache = SkillCacheManager(cache_root=tmp_path)
-        archive = _make_tar_gz({"SKILL.md": "content"})
-        dest = cache.store("acme", "my-skill", "2.3.4", archive)
-
-        meta_file = dest / ".crewai_meta.json"
-        assert meta_file.exists()
-        meta = json.loads(meta_file.read_text())
-        assert meta["org"] == "acme"
-        assert meta["name"] == "my-skill"
-        assert meta["version"] == "2.3.4"
-        assert "installed_at" in meta
-
-    def test_store_overwrites_previous_version(self, tmp_path: Path) -> None:
-        cache = SkillCacheManager(cache_root=tmp_path)
-        archive_v1 = _make_tar_gz({"SKILL.md": "v1", "extra.txt": "old"})
-        cache.store("acme", "my-skill", "1.0.0", archive_v1)
-
-        archive_v2 = _make_tar_gz({"SKILL.md": "v2"})
-        dest = cache.store("acme", "my-skill", "2.0.0", archive_v2)
-
-        # Old file should be gone
-        assert not (dest / "extra.txt").exists()
-        assert (dest / "SKILL.md").read_text() == "v2"
-
-        meta = json.loads((dest / ".crewai_meta.json").read_text())
-        assert meta["version"] == "2.0.0"
-
-    def test_list_cached_empty(self, tmp_path: Path) -> None:
-        cache = SkillCacheManager(cache_root=tmp_path)
-        assert cache.list_cached() == []
-
-    def test_list_cached(self, tmp_path: Path) -> None:
-        cache = SkillCacheManager(cache_root=tmp_path)
-        archive = _make_tar_gz({"SKILL.md": "x"})
-        cache.store("acme", "skill-a", "1.0.0", archive)
-        cache.store("acme", "skill-b", "0.1.0", archive)
-        cache.store("other-org", "skill-c", None, archive)
-
-        entries = cache.list_cached()
-        names = {e["name"] for e in entries}
-        assert names == {"skill-a", "skill-b", "skill-c"}
-
-    def test_invalidate_existing(self, tmp_path: Path) -> None:
-        cache = SkillCacheManager(cache_root=tmp_path)
-        archive = _make_tar_gz({"SKILL.md": "x"})
-        cache.store("acme", "my-skill", "1.0.0", archive)
-
-        removed = cache.invalidate("acme", "my-skill")
-        assert removed is True
-        assert cache.get_cached_path("acme", "my-skill") is None
-
-    def test_invalidate_missing(self, tmp_path: Path) -> None:
-        cache = SkillCacheManager(cache_root=tmp_path)
-        removed = cache.invalidate("acme", "ghost-skill")
-        assert removed is False
-
-    def test_store_version_none(self, tmp_path: Path) -> None:
-        cache = SkillCacheManager(cache_root=tmp_path)
-        archive = _make_tar_gz({"SKILL.md": "x"})
-        dest = cache.store("acme", "my-skill", None, archive)
-        meta = json.loads((dest / ".crewai_meta.json").read_text())
-        assert meta["version"] is None

lib/crewai/tests/skills/test_models_version.py

@@ -1,32 +0,0 @@
-"""Tests for the version field added to SkillFrontmatter."""
-
-from __future__ import annotations
-
-import pytest
-from pydantic import ValidationError
-
-from crewai.skills.models import SkillFrontmatter
-
-
-class TestSkillFrontmatterVersion:
-    def test_version_defaults_to_none(self) -> None:
-        fm = SkillFrontmatter(name="my-skill", description="A skill.")
-        assert fm.version is None
-
-    def test_version_can_be_set(self) -> None:
-        fm = SkillFrontmatter(name="my-skill", description="A skill.", version="1.2.3")
-        assert fm.version == "1.2.3"
-
-    def test_existing_frontmatter_without_version_still_valid(self) -> None:
-        """Backward compat: existing SKILL.md files without version must still parse."""
-        fm = SkillFrontmatter(name="old-skill", description="Old skill without version.")
-        assert fm.version is None
-
-    def test_version_is_optional_string(self) -> None:
-        fm = SkillFrontmatter(name="my-skill", description="Desc.", version=None)
-        assert fm.version is None
-
-    def test_frontmatter_is_frozen(self) -> None:
-        fm = SkillFrontmatter(name="my-skill", description="A skill.", version="1.0.0")
-        with pytest.raises(ValidationError):
-            fm.version = "2.0.0"  # type: ignore[misc]

lib/crewai/tests/skills/test_registry.py

@@ -1,129 +0,0 @@
-"""Tests for SkillRegistry."""
-
-from __future__ import annotations
-
-from pathlib import Path
-from unittest.mock import MagicMock, patch
-
-import pytest
-
-from crewai.skills.registry import (
-    SkillNotCachedError,
-    is_registry_ref,
-    parse_registry_ref,
-)
-
-
-class TestIsRegistryRef:
-    def test_at_prefixed(self) -> None:
-        assert is_registry_ref("@acme/my-skill") is True
-
-    def test_plain_string(self) -> None:
-        assert is_registry_ref("my-skill") is False
-
-    def test_path_like_string(self) -> None:
-        assert is_registry_ref("./skills/my-skill") is False
-
-    def test_non_string(self) -> None:
-        assert is_registry_ref(None) is False
-        assert is_registry_ref(42) is False
-        assert is_registry_ref(Path("something")) is False
-
-
-class TestParseRegistryRef:
-    def test_valid(self) -> None:
-        assert parse_registry_ref("@acme/my-skill") == ("acme", "my-skill")
-
-    def test_valid_with_dashes(self) -> None:
-        assert parse_registry_ref("@my-org/cool-skill") == ("my-org", "cool-skill")
-
-    def test_missing_at(self) -> None:
-        with pytest.raises(ValueError, match="must start with '@'"):
-            parse_registry_ref("acme/my-skill")
-
-    def test_missing_slash(self) -> None:
-        with pytest.raises(ValueError, match="'@org/name' format"):
-            parse_registry_ref("@acme-skill")
-
-    def test_empty_org(self) -> None:
-        with pytest.raises(ValueError, match="non-empty"):
-            parse_registry_ref("@/my-skill")
-
-    def test_empty_name(self) -> None:
-        with pytest.raises(ValueError, match="non-empty"):
-            parse_registry_ref("@acme/")
-
-
-class TestResolveRegistryRef:
-    """Test resolution order and CI mode behaviour."""
-
-    def _make_skill_dir(self, base: Path, name: str) -> Path:
-        """Write a minimal SKILL.md into base/name/."""
-        skill_dir = base / name
-        skill_dir.mkdir(parents=True)
-        (skill_dir / "SKILL.md").write_text(
-            f"---\nname: {name}\ndescription: Test skill.\n---\n\nInstructions."
-        )
-        return skill_dir
-
-    def test_resolves_project_local(self, tmp_path: Path) -> None:
-        """Local ./skills/{name}/ takes priority over cache."""
-        skills_dir = tmp_path / "skills"
-        skills_dir.mkdir()
-        self._make_skill_dir(skills_dir, "my-skill")
-
-        # Mock SkillCacheManager to return None (not cached) so only local is hit
-        mock_cache = MagicMock()
-        mock_cache.get_cached_path.return_value = None
-
-        with (
-            patch("crewai.skills.registry._is_noninteractive", return_value=False),
-            patch.object(Path, "cwd", return_value=tmp_path),
-            patch("crewai.skills.registry.SkillCacheManager", return_value=mock_cache),
-        ):
-            from crewai.skills.registry import resolve_registry_ref
-            skill = resolve_registry_ref("@acme/my-skill")
-
-        assert skill.name == "my-skill"
-
-    def test_raises_in_ci_when_not_cached(self, tmp_path: Path) -> None:
-        """In CI mode, raise SkillNotCachedError if no local or cached copy."""
-        mock_cache = MagicMock()
-        mock_cache.get_cached_path.return_value = None
-
-        with (
-            patch("crewai.skills.registry._is_noninteractive", return_value=True),
-            patch.object(Path, "cwd", return_value=tmp_path),
-            patch("crewai.skills.registry.SkillCacheManager", return_value=mock_cache),
-        ):
-            from crewai.skills.registry import resolve_registry_ref
-            with pytest.raises(SkillNotCachedError) as exc_info:
-                resolve_registry_ref("@acme/ghost-skill")
-            assert "@acme/ghost-skill" in str(exc_info.value)
-
-    def test_resolves_from_cache(self, tmp_path: Path) -> None:
-        """Falls back to global cache when no project-local skill exists."""
-        cache_dir = tmp_path / "acme" / "cached-skill"
-        cache_dir.mkdir(parents=True)
-        (cache_dir / "SKILL.md").write_text(
-            "---\nname: cached-skill\ndescription: Cached.\n---\n\nCached instructions."
-        )
-
-        mock_cache = MagicMock()
-        mock_cache.get_cached_path.return_value = cache_dir
-
-        # tmp_path has no ./skills/ directory
-        with (
-            patch("crewai.skills.registry._is_noninteractive", return_value=False),
-            patch.object(Path, "cwd", return_value=tmp_path),
-            patch("crewai.skills.registry.SkillCacheManager", return_value=mock_cache),
-        ):
-            from crewai.skills.registry import resolve_registry_ref
-            skill = resolve_registry_ref("@acme/cached-skill")
-
-        assert skill.name == "cached-skill"
-
-    def test_skill_not_cached_error_contains_ref(self) -> None:
-        err = SkillNotCachedError("@foo/bar")
-        assert "@foo/bar" in str(err)
-        assert err.ref == "@foo/bar"

pyproject.toml

@@ -187,8 +187,6 @@ exclude-newer = "3 days"
 # urllib3 <2.7.0 has GHSA-qccp-gfcp-xxvc (ProxyManager cross-origin redirect leaks Authorization/Cookie) and GHSA-mf9v-mfxr-j63j (streaming decompression-bomb bypass); force 2.7.0+.
 # langsmith <0.8.0 has GHSA-3644-q5cj-c5c7 (public prompt manifest deserialization, SSRF/secret disclosure); force 0.8.0+.
 # authlib <1.6.11 has GHSA-jj8c-mmj3-mmgv (CSRF bypass in cache-based state storage).
-# pip <26.1.1 has GHSA-58qw-9mgm-455v (archive handling); OSV considers 26.1.1 unaffected.
-# paramiko <5.0.0 has GHSA-r374-rxx8-8654 (SHA-1 in rsakey.py); OSV considers 5.0.0 unaffected. Transitive via composio-core.
 # litellm 1.83.8+ hard-pins openai==2.24.0, missing openai.types.responses used by crewai;
 # override to >=2.30.0 (the version litellm 1.83.7 used) until upstream relaxes the pin.
 override-dependencies = [
@@ -207,8 +205,6 @@ override-dependencies = [
     "gitpython>=3.1.50,<4",
     "langsmith>=0.8.0,<1",
     "authlib>=1.6.11",
-    "pip>=26.1.1",
-    "paramiko>=5.0.0",
 ]
 
 [tool.uv.workspace]

uv.lock

@@ -13,7 +13,7 @@ resolution-markers = [
 ]
 
 [options]
-exclude-newer = "2026-05-17T14:20:01.778505Z"
+exclude-newer = "2026-05-16T15:32:24.373474Z"
 exclude-newer-span = "P3D"
 
 [manifest]
@@ -34,9 +34,7 @@ overrides = [
     { name = "langsmith", specifier = ">=0.8.0,<1" },
     { name = "onnxruntime", marker = "python_full_version < '3.11'", specifier = "<1.24" },
     { name = "openai", specifier = ">=2.30.0,<3" },
-    { name = "paramiko", specifier = ">=5.0.0" },
     { name = "pillow", specifier = ">=12.1.1" },
-    { name = "pip", specifier = ">=26.1.1" },
     { name = "pypdf", specifier = ">=6.10.2,<7" },
     { name = "python-multipart", specifier = ">=0.0.27,<1" },
     { name = "rich", specifier = ">=13.7.1" },
@@ -5790,7 +5788,7 @@ wheels = [
 
 [[package]]
 name = "paramiko"
-version = "5.0.0"
+version = "4.0.0"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
     { name = "bcrypt" },
@@ -5798,9 +5796,9 @@ dependencies = [
     { name = "invoke" },
     { name = "pynacl" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/62/93/dcc25d52f49022ae6175d15e6bd751f1acc99b98bc61fc55e5155a7be2e7/paramiko-5.0.0.tar.gz", hash = "sha256:36763b5b95c2a0dcfdf1abc48e48156ee425b21efe2f0e787c2dd5a95c0e5e79", size = 1548586, upload-time = "2026-05-09T18:28:52.256Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/1f/e7/81fdcbc7f190cdb058cffc9431587eb289833bdd633e2002455ca9bb13d4/paramiko-4.0.0.tar.gz", hash = "sha256:6a25f07b380cc9c9a88d2b920ad37167ac4667f8d9886ccebd8f90f654b5d69f", size = 1630743, upload-time = "2025-08-04T01:02:03.711Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/82/5b/eadf6d45de38d30ab603f49393b6cd2cbe7e233af8cf90197e32782b68a9/paramiko-5.0.0-py3-none-any.whl", hash = "sha256:b7044611c30140d9a75261653210e2002977b71a0497ff3ba0d98d7edbf62f7c", size = 208919, upload-time = "2026-05-09T18:28:50.295Z" },
+    { url = "https://files.pythonhosted.org/packages/a9/90/a744336f5af32c433bd09af7854599682a383b37cfd78f7de263de6ad6cb/paramiko-4.0.0-py3-none-any.whl", hash = "sha256:0e20e00ac666503bf0b4eda3b6d833465a2b7aff2e2b3d79a8bba5ef144ee3b9", size = 223932, upload-time = "2025-08-04T01:02:02.029Z" },
 ]
 
 [[package]]
@@ -6062,11 +6060,11 @@ wheels = [
 
 [[package]]
 name = "pip"
-version = "26.1.1"
+version = "26.1"
 source = { registry = "https://pypi.org/simple" }
-sdist = { url = "https://files.pythonhosted.org/packages/b6/48/cb9b7a682f6fe01a4221e1728941dd4ac3cd9090a17db3779d6ff490b602/pip-26.1.1.tar.gz", hash = "sha256:d36762751d156a4ee895de8af39aa0abeeeb577f93a2eca6ab62467bbf0f8a78", size = 1840400, upload-time = "2026-05-04T19:02:21.248Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/73/7e/d2b04004e1068ad4fdfa2f227b839b5d03e602e47cdbbf49de71137c9546/pip-26.1.tar.gz", hash = "sha256:81e13ebcca3ffa8cc85e4deff5c27e1ee26dea0aa7fc2f294a073ac208806ff3", size = 1840316, upload-time = "2026-04-26T21:00:05.406Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/3a/eb/fea4d1d51c49832120f7f285d07306db3960f423a2612c6057caf3e8196f/pip-26.1.1-py3-none-any.whl", hash = "sha256:99cb1c2899893b075ff56e4ed0af55669a955b49ad7fb8d8603ecdaf4ed653fb", size = 1812777, upload-time = "2026-05-04T19:02:18.9Z" },
+    { url = "https://files.pythonhosted.org/packages/70/7a/be4bd8bcbb24ea475856dd68159d78b03b2bb53dae369f69c9606b8888f5/pip-26.1-py3-none-any.whl", hash = "sha256:4e8486d821d814b77319acb7b9e8bf5a4ee7590a643e7cb21029f209be8573c1", size = 1812804, upload-time = "2026-04-26T21:00:03.194Z" },
 ]
 
 [[package]]