Summary

Describe the problem and fix in 2–5 bullets:

• Problem: Skills onboarding can list a keyless local dependency, such as openai-whisper, and then immediately ask for API keys required by separate API-backed skills.
• Why it matters: The flow makes the later credential prompts look like they contradict the keyless local install hint.
• What changed: Added a short Skill API credentials note before env-gated skill prompts and covered the mixed openai-whisper / openai-whisper-api / sag scenario.
• What did NOT change (scope boundary): No installer behavior, credential storage semantics, skill metadata, or dependency detection changed.

AI-assisted: yes.

Change Type (select all)

• Bug fix
• Feature
• Refactor required for the fix
• Docs
• Security hardening
• Chore/infra

Scope (select all touched areas)

• Gateway / orchestration
• Skills / tool execution
• Auth / tokens
• Memory / storage
• Integrations
• API / contracts
• UI / DX
• CI/CD / infra

Linked Issue/PR

• Closes [Bug]: Asks for OpenAI Whisper/ElevenLabs API key even though initial list says KEY not needed #74382
• Related #
• This PR fixes a bug or regression

Root Cause (if applicable)

• Root cause: Dependency installs and credential prompts were separate code paths, but the credential phase had no framing to distinguish API-backed skills from the earlier keyless local dependency list.
• Missing detection / guardrail: No test covered mixed keyless local and API-backed missing skills in one onboarding run.
• Contributing context (if known): The local openai-whisper skill has no primaryEnv, while openai-whisper-api and sag require API key env vars.

Regression Test Plan (if applicable)

• Coverage level that should have caught this:
  • Unit test
  • Seam / integration test
  • End-to-end test
  • Existing coverage already sufficient
• Target test or file: src/commands/onboard-skills.test.ts
• Scenario the test should lock in: a keyless local install option is shown separately from API credential prompts for openai-whisper-api and sag.
• Why this is the smallest reliable guardrail: setupSkills owns both the install selection prompt and the credential prompt loop.
• Existing test that already covers this (if any): none for the mixed keyless/keyed prompt sequence.
• If no new test is added, why not: N/A

User-visible / Behavior Changes

Onboarding now shows a short note before skill API credential prompts, clarifying that those prompts are separate from local dependency installation.

Diagram (if applicable)

Before:
[missing local dependency list] -> [API key prompt with no framing]

After:
[missing local dependency list] -> [Skill API credentials note] -> [API key prompt for env-gated skill]

Security Impact (required)

• New permissions/capabilities? (Yes/No) No
• Secrets/tokens handling changed? (Yes/No) No
• New/changed network calls? (Yes/No) No
• Command/tool execution surface changed? (Yes/No) No
• Data access scope changed? (Yes/No) No
• If any Yes, explain risk + mitigation: N/A

Repro + Verification

Environment

• OS: macOS
• Runtime/container: Node 24.14.0, pnpm 10.33.0
• Model/provider: N/A
• Integration/channel (if any): N/A
• Relevant config (redacted): N/A

Steps

1. Run skill onboarding with missing openai-whisper, openai-whisper-api, and sag requirements.
2. Observe the missing dependency prompt for the keyless local skill.
3. Continue to the credential prompt phase.

Expected

• API key prompts are framed as credential setup for API-backed skills only.

Actual

• Previously, API key prompts followed the keyless dependency list without a separating explanation.

Evidence

• Failing test/log before + passing after
• Trace/log snippets
• Screenshot/recording
• Perf numbers (if relevant)

Human Verification (required)

What you personally verified (not just CI), and how:

• Verified scenarios: mixed keyless local and API-backed skills through setupSkills unit coverage.
• Edge cases checked: credential prompts remain limited to skills with primaryEnv and missing env requirements; install prompt still shows the keyless local skill hint.
• What you did not verify: manual interactive onboarding in a terminal.

Review Conversations

• I replied to or resolved every bot review conversation I addressed in this PR.
• I left unresolved only the conversations that still need reviewer or maintainer judgment.

If a bot review conversation is addressed by this PR, resolve that conversation yourself. Do not leave bot review conversation cleanup for maintainers.

Compatibility / Migration

• Backward compatible? (Yes/No) Yes
• Config/env changes? (Yes/No) No
• Migration needed? (Yes/No) No
• If yes, exact upgrade steps: N/A

Risks and Mitigations

• Risk: The extra note adds one more onboarding text block for users with missing skill credentials.
  • Mitigation: It appears only when credential prompts are actually needed and lists only the affected skills.

Validation

pnpm test src/commands/onboard-skills.test.ts
pnpm test src/agents/skills.buildworkspaceskillstatus.test.ts
pnpm exec oxfmt --check --threads=1 src/commands/onboard-skills.ts src/commands/onboard-skills.test.ts CHANGELOG.md
pnpm check:changed
git diff --check
codex review --base origin/main