Merged
2 changes: 1 addition & 1 deletion .cursor-plugin/marketplace.json
Expand Up @@ -6,7 +6,7 @@
},
"metadata": {
"description": "JFrog Platform plugins for Cursor",
"version": "0.4.0",
"version": "0.5.0",
"pluginRoot": "plugins"
},
"plugins": [
19 changes: 9 additions & 10 deletions README.md
Expand Up @@ -2,6 +2,12 @@

JFrog plugin for [Cursor](https://cursor.com): artifact management, security scanning, supply-chain best practices, and Agent Guard.

## What's new in v0.5.0

- **Official skills.** The plugin now uses the official [jfrog-skills](https://github.com/jfrog/jfrog-skills) v0.11.0, replacing the previously bundled skill content. This brings structured reference files, automation scripts, and a three-tier tool selection strategy (MCP, CLI, REST/GraphQL).
- **Package safety skill.** New `jfrog-package-safety-and-download` skill for checking whether packages are safe, curated, or allowed before downloading them through Artifactory.
---

## Features

The JFrog plugin provides the following capabilities, grouped by component:
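Review bot: The "Official skills" bullet hard-codes `v0.11.0`, the same release that `plugins/jfrog/skills/VENDOR.md` records, so the two will drift the next time the vendored trees are refreshed. Suggest linking to `VENDOR.md` for the exact release and commit instead of repeating the number here. Separately, the `---` rule sits directly under the last bullet with no blank line; adding one before it keeps the rule from being read as part of the list by stricter Markdown renderers.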
Expand All @@ -21,7 +27,7 @@ Before installing, make sure you have:
- **JFrog host URL and access token** — Your JFrog platform URL and a valid access token.
- **Cursor** — Installed with AI features enabled.
- **Node.js** (≥ 14) — with `npx` on your `PATH`.
- **JFrog CLI** (≥ 2.x, optional) — Recommended for `jf config add` authentication (see [Authentication](#authentication)).
- **JFrog CLI** (≥ 2.x, optional) — If missing, the agent will attempt to install it. Recommended for CLI-based operations (see [Authentication](#authentication)).
- **JFrog Platform access** (optional) — If you want to use the Agent Guard feature, your JFrog subscription needs to include the AI Catalog entitlement. Contact your JFrog account team if you're unsure whether it's enabled.
- **JFrog project** (optional) — If you want to use the Agent Guard feature.
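Review bot: The new JFrog CLI bullet says "If missing, the agent will attempt to install it" without stating where the binary comes from, whether the user is asked to confirm, or how the download is verified. Because this is an unattended install of an executable by an agent, suggest naming the install source (the official install script linked in `plugins/jfrog/README.md`, or a package manager) and documenting how to decline or pre-install `jf` so the agent skips this step.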

Expand All @@ -46,19 +52,12 @@ Use either the marketplace link from the [Configure Cursor](https://docs.jfrog.c

| Variable | Description |
| --- | --- |
| `JFROG_URL` | Your JFrog platform URL, e.g. `https://mycompany.jfrog.io` |
| `JFROG_PLATFORM_URL` | Your JFrog platform URL, e.g. `mycompany.jfrog.io` |
| `JFROG_ACCESS_TOKEN` | Your JFrog access token |

### 2. Configure the JFrog CLI

If you have never configured the JFrog CLI on this machine:

1. Open your terminal.
2. Run:
```bash
jf config add
```
3. Follow the interactive prompts to enter the same JFrog platform URL and access token.
Run `jf login` for browser-based setup, or set the `JFROG_ACCESS_TOKEN` environment variable. MCP-based workflows authenticate via OAuth and require no additional configuration.

---
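Review bot: The variable table renames `JFROG_URL` to `JFROG_PLATFORM_URL` and the example value loses its `https://` scheme, but nothing in this README tells existing users that the old name is no longer read or whether a scheme is still accepted. Suggest listing the rename under "What's new in v0.5.0" and stating the expected format explicitly (bare host versus full URL). In the rewritten step 2, "set the `JFROG_ACCESS_TOKEN` environment variable" repeats what step 1's table already asks for; a sentence saying that `jf login` is the alternative to exporting a token would make the two steps read as a choice rather than a duplicate.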

8 changes: 5 additions & 3 deletions plugins/jfrog/.cursor-plugin/plugin.json
@@ -1,7 +1,7 @@
{
"name": "jfrog",
"displayName": "JFrog Platform",
"version": "0.4.0",
"version": "0.5.0",
"description": "JFrog Platform integration with MCP, security skills, supply-chain best practices, and JFrog Agent Guard governance for adding, removing, and listing MCP servers.",
"author": {
"name": "JFrog",
Expand All @@ -18,10 +18,12 @@
"supply-chain",
"devops",
"artifacts",
"mcp",
"ai-catalog"
],
"logo": "assets/logo.svg",
"skills": ["skills/jfrog/SKILL.md"],
"skills": [
"skills/jfrog/SKILL.md",
"skills/jfrog-package-safety-and-download/SKILL.md"
],
"hooks": "hooks/hooks.json"
}
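Review bot: The `skills` array is now a hand-maintained list of paths into the vendored tree, and it has to stay in step with the "Included directories" line in `skills/VENDOR.md`. Suggest a CI check that every entry in `skills` resolves to an existing `SKILL.md`, so a refresh that renames or drops a skill directory fails the build instead of shipping a dangling path.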
14 changes: 9 additions & 5 deletions plugins/jfrog/README.md
@@ -1,6 +1,6 @@
# jfrog

JFrog Platform integration for Cursor — artifact management, security scanning, and supply-chain best practices.
JFrog Platform integration for Cursor — artifact management, security scanning, supply-chain best practices, and Agent Guard.

## Prerequisites

Expand All @@ -9,9 +9,9 @@ JFrog Platform integration for Cursor — artifact management, security scanning
- Navigate to **Administration > General > Settings** in the JFrog UI.
- Toggle the **MCP Server** option ON and save.
3. Set the `JFROG_PLATFORM_URL` environment variable to your JFrog instance (e.g., `mycompany.jfrog.io`).
4. **JFrog CLI** (`jf`) is used by several skills for authentication and REST API operations. It will be installed automatically if missing. Install manually via `brew install jfrog-cli` or the [official install script](https://jfrog.com/help/r/jfrog-cli/install-the-jfrog-cli).
4. **JFrog CLI** (`jf`) is used by the skills for authentication and REST/GraphQL API operations. If missing, the agent will attempt to install it. You can also install manually via `brew install jfrog-cli` or the [official install script](https://jfrog.com/help/r/jfrog-cli/install-the-jfrog-cli).

Authentication is handled automatically — **OAuth** for MCP-based workflows, **browser-based login** (`jf config`) for CLI/REST-based skills. No manual API keys or tokens required.
CLI authentication options: run `jf login` for browser-based setup, or set the `JFROG_ACCESS_TOKEN` environment variable. MCP-based workflows authenticate via **OAuth** and require no additional configuration.

## Included
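Review bot: The replacement authentication line removes the earlier statement "No manual API keys or tokens required" and introduces `JFROG_ACCESS_TOKEN` as an option, but does not say which credential is used when both a `jf login` session and the environment variable are present, or what scope the token needs. Suggest adding one sentence on precedence and recommending a scoped, expiring token, since this variable will be visible to every process the agent starts.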

Expand All @@ -20,14 +20,18 @@ Authentication is handled automatically — **OAuth** for MCP-based workflows, *
| **MCP** | `mcp.json` | Remote JFrog MCP server (OAuth, no API keys) |
| **Rule** | `rules/jfrog-security.mdc` | Supply-chain security practices for dependency files |
| **Agent** | `agents/supply-chain-security.md` | Dependency audit for CVEs, licenses, and curation |
| **Hook** | `hooks/hooks.json` | Agent Guard — MCP server governance via JFrog AI Catalog |

### Skills

| Skill | Triggers when you mention... |
|-------|------------------------------|
| **jfrog** | any JFrog product, artifactory, xray, security, access token, curation, distribution, release bundle, apptrust, runtime, mission control, worker, jf command, pattern, best practice |
| **jfrog** | any JFrog product, artifactory, xray, security, access token, curation, distribution, release bundle, apptrust, runtime, mission control, worker, jf command, or best practice |
| **jfrog-package-safety-and-download** | package safety, curation, allowed/blocked packages, downloading packages via JFrog |

Single unified skill (`skills/jfrog/`) with a router (`SKILL.md`) and 22 supporting reference and pattern files covering Artifactory, Security/Xray, Access, Distribution, Curation, AppTrust, Runtime, Mission Control, Workers, CLI, and architectural patterns.
The **jfrog** skill (`skills/jfrog/`) provides platform-wide coverage via MCP tools, JFrog CLI commands, and `jf api` REST/GraphQL. It includes 24 reference files under `references/` and 3 automation scripts under `scripts/` covering Artifactory, Security/Xray, Access, Distribution, Curation, AppTrust, Mission Control, Workers, and architectural patterns.

The **jfrog-package-safety-and-download** skill (`skills/jfrog-package-safety-and-download/`) handles package safety checks — querying the JFrog Public Catalog, interpreting security signals, checking curation policies, and downloading packages through Artifactory remote caches.

## MCP Capabilities
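Review bot: The new **jfrog** skill description drops "Runtime" and "CLI" from the coverage list, while the trigger column a few lines above still lists "runtime" and "jf command"; one of the two should change so the README does not advertise a trigger with no matching coverage. The literal counts "24 reference files" and "3 automation scripts" will also go stale on the next vendor refresh. Suggest either dropping the numbers or adding them to the refresh checklist in `skills/VENDOR.md`.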

13 changes: 13 additions & 0 deletions plugins/jfrog/skills/VENDOR.md
@@ -0,0 +1,13 @@
# Vendored skills

The skill packages in this directory are vendored from **[jfrog/jfrog-skills](https://github.com/jfrog/jfrog-skills)**.

| | |
| --- | --- |
| **Repository** | https://github.com/jfrog/jfrog-skills |
| **Release** | [v0.11.0](https://github.com/jfrog/jfrog-skills/releases/tag/v0.11.0) |
| **Source commit** | `66e7d1d1e7b762bbf9e356d680511c4fb4ce231c` |

Included directories: `jfrog/`, `jfrog-package-safety-and-download/`.

To refresh: take the [latest release tarball](https://github.com/jfrog/jfrog-skills/releases/latest), replace those skill trees under `skills/`, and update this file with the new tag and commit SHA.
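Review bot: The refresh instruction on the last line points at the `releases/latest` tarball and has no verification step, so a refresh pulls whatever is tagged at that moment and nothing ties the copied trees back to the recorded **Source commit**. Suggest having the procedure name an explicit tag, confirm that the tag resolves to the SHA written in the table before copying, and record the tarball checksum next to it. The two-column table also has empty header cells; `| Field | Value |` would render more predictably.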