Commit 5901143

Address PR review feedback
- Align documented slash-command names with plugin manifest: /acreadiness-assess, /acreadiness-generate-instructions, /acreadiness-policy (was /assess, /generate-instructions, /policy inside SKILL bodies and argument-hints).
- Move the literal % from the report template into the substituted values for {{passRate}} and {{threshold}} so an N/A value of '—' no longer renders as '—%'. Updated the agent placeholder contract accordingly.
- Point the report footer at the canonical plugin folder under github/awesome-copilot instead of the personal source fork.
- Add explicit HTML-escaping rules to the agent: HTML-escape every {{placeholder}} substitution, and replace </script with <\/script inside the embedded JSON block so untrusted repo content cannot break the markup or inject scripts.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
1 parent a4c2807 commit 5901143
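The two substitution rules the commit describes (HTML-escape body/attribute placeholders; neutralise `</script` inside the JSON block without HTML-escaping it), as an added example that is not code from the commit or the acreadiness-cockpit project. Function names, the minimal template and the hostile sample values are assumptions; the placeholder names come from the commit.

```javascript
// Added example (not the project's code): one way an agent could implement the
// two escaping rules. Names and the tiny template are assumptions.

// Rule 1: HTML-escape &, <, >, ", ' for values that land in HTML body text or attributes.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Rule 2: inside <script type="application/json"> the JSON must stay valid, so it is NOT
// HTML-escaped; instead any "</script" becomes "<\/script". "\/" is a legal JSON escape
// for "/", so JSON.parse returns the original text. Matching is case-insensitive (an
// assumption beyond the commit text) because the HTML parser also closes on </SCRIPT.
function escapeJsonForScript(json) {
  return json.replace(/<\/script/gi, (m) => "<\\/" + m.slice(2));
}

// Constructed minimal template: one body placeholder plus the embedded raw-data block.
const TEMPLATE =
  "<h1>{{repoName}}</h1>\n" +
  '<script type="application/json" id="raw-data">{{rawJsonCompact}}</script>';

// Substitute every {{placeholder}}, choosing the escaping rule by where the value lands.
function renderReport(template, values) {
  return template.replace(/\{\{(\w+)\}\}/g, (_, key) => {
    if (!(key in values)) throw new Error(`missing value for placeholder ${key}`);
    return key === "rawJsonCompact"
      ? escapeJsonForScript(JSON.stringify(values[key]))
      : escapeHtml(values[key]);
  });
}

// Read the envelope back the way a consumer of the report would.
function readEmbeddedJson(html) {
  const m = html.match(/<script type="application\/json" id="raw-data">([\s\S]*?)<\/script>/);
  return m ? JSON.parse(m[1]) : null;
}

// Constructed hostile repo content: markup in a name, a closing tag inside a recommendation.
const HOSTILE = {
  repoName: "<img src=x onerror=alert(1)>",
  rawJsonCompact: { repo: "demo", recommendation: "drop the stray </script><script>alert(1)</script>" },
};

console.log(renderReport(TEMPLATE, HOSTILE));
```

The rendered output contains exactly one real `</script>`, and the embedded JSON still parses back to the original recommendation text.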

5 files changed

Lines changed: 14 additions & 10 deletions

agents/ai-readiness-reporter.agent.md

Lines changed: 5 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -173,6 +173,10 @@ Hard rules — do **not** deviate:
173173
- Do not add tabs, toggles, theme switches, dark/light variants, or extra navigation. The report is a single, unified view.
174174
- Do not add external CSS, fonts, JS frameworks, or analytics. The file must open with `file://` and have zero network dependencies.
175175
- Preserve the embedded `<script type="application/json" id="raw-data">…</script>` block so the report is self-describing.
176+
- **Escape every substituted value** before inserting it into the template:
177+
- HTML-escape `&`, `<`, `>`, `"`, and `'` in all `{{placeholder}}` substitutions destined for HTML body content or attribute values (e.g. `{{repoName}}`, `{{pillarCurrent}}`, `{{pillarRecommendation}}`, `{{policySummary}}`, `{{rawJsonPretty}}`).
178+
- For `{{rawJsonCompact}}` (which lives inside the `<script type="application/json">` block), replace any `</script` substring with `<\/script` to prevent the script tag from being closed early. Do NOT HTML-escape inside this block — the JSON must remain valid.
179+
- Never substitute raw user-controlled strings (filenames, commit messages, recommendations) without escaping. A repo with `<img onerror=…>` in a filename must NOT produce executable HTML in the report.
176180

177181
Placeholders the template uses (all required unless marked optional):
178182
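Review bot: the `</script` rule on new line 178 should state that the match is case-insensitive; the HTML parser also ends script data on `</SCRIPT` or `</Script`, so a literal-substring replacement leaves those variants able to close the tag early. Suggest wording it as "replace any `</script` (case-insensitive) with `<\/script`" so an agent's implementation matches. The `\/` escape is valid JSON, so the block still parses to the same string, which is the property line 178 relies on.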

@@ -182,7 +186,7 @@ Placeholders the template uses (all required unless marked optional):
182186
| `{{date}}` | ISO date the report was generated |
183187
| `{{level}}` / `{{levelName}}` | AgentRC maturity level number + name |
184188
| `{{overallPct}}` / `{{grade}}` | overall score as integer percent + letter grade |
185-
| `{{passRatePct}}` / `{{thresholdPct}}` | pass rate vs policy threshold (use `` if N/A) |
189+
| `{{passRate}}` / `{{threshold}}` | pass rate vs policy threshold, fully-formatted (e.g. `85%` or `` if N/A). The literal `%` is part of the substituted value, not the template. |
186190
| `{{policyName}}` / `{{policySummary}}` | only if a policy is active; otherwise omit the policy section |
187191
| `{{rawJsonCompact}}` / `{{rawJsonPretty}}` | embed the AgentRC JSON envelope |
188192
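Review bot: the N/A sentinel on the new `{{passRate}}` / `{{threshold}}` row (line 189) renders here as an empty code span, so the documented fallback value is not visible in the table; spell it out in words as well, e.g. "or an em dash (—) if N/A", matching the commit message. Otherwise an agent reading this row has to guess what to substitute and may emit an empty `<div class="num"></div>`.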

skills/acreadiness-assess/SKILL.md

Lines changed: 4 additions & 4 deletions
@@ -1,10 +1,10 @@
11
---
22
name: acreadiness-assess
33
description: 'Run the AgentRC readiness assessment on the current repository and produce a static HTML dashboard at reports/index.html. Wraps `npx github:microsoft/agentrc readiness` and hands off rendering to the @ai-readiness-reporter custom agent. Supports policies (--policy) for org-specific scoring. Use when asked to assess, audit, or score the AI readiness of a repo.'
4-
argument-hint: "[--policy <path-or-pkg>] [--per-area] — e.g. /assess, /assess --policy ./policies/strict.json"
4+
argument-hint: "[--policy <path-or-pkg>] [--per-area] — e.g. /acreadiness-assess, /acreadiness-assess --policy ./policies/strict.json"
55
---
66

7-
# /assess — AI-readiness assessment
7+
# /acreadiness-assess — AI-readiness assessment
88

99
Use this skill whenever the user asks for an **AI-readiness assessment**, a **readiness check**, an **audit**, or wants to **see how AI-ready** their repository is.
1010

@@ -18,7 +18,7 @@ This skill is the *Measure* step in AgentRC's **Measure → Generate → Maintai
1818
- If the user provided `--policy <source>`, capture it.
1919
- Otherwise check `agentrc.config.json` for a `policies` array.
2020
- If neither, run with no policy (built-in defaults).
21-
- For a primer on policies, suggest the `policy` skill.
21+
- For a primer on policies, suggest the `acreadiness-policy` skill.
2222

2323
3. **Run the readiness scan** in the repo root with structured output:
2424
```bash
@@ -37,7 +37,7 @@ This skill is the *Measure* step in AgentRC's **Measure → Generate → Maintai
3737
- Produces a **Prioritised Remediation Plan** (🔴 Fix First / 🟡 Fix Next / 🔵 Plan).
3838
- Embeds the raw AgentRC JSON for reuse.
3939

40-
5. **Tell the user where the report lives** (`reports/index.html`) and how to open it. Summarise in chat: maturity level, overall score, top three lowest pillars, and the single highest-leverage next action (almost always: run the `generate-instructions` skill).
40+
5. **Tell the user where the report lives** (`reports/index.html`) and how to open it. Summarise in chat: maturity level, overall score, top three lowest pillars, and the single highest-leverage next action (almost always: run the `acreadiness-generate-instructions` skill).
4141

4242
## Notes
4343

skills/acreadiness-assess/report-template.html

Lines changed: 2 additions & 2 deletions
@@ -123,7 +123,7 @@ <h2>What is AI Readiness?</h2>
123123
<section class="grid cols-3">
124124
<div class="panel kpi"><span class="lbl">Maturity</span><div class="num"><span class="badge lvl-{{level}}">L{{level}} — {{levelName}}</span></div></div>
125125
<div class="panel kpi"><span class="lbl">Overall Score</span><div class="num">{{overallPct}}%</div><div style="color:var(--muted);font-size:12px">Grade {{grade}}</div></div>
126-
<div class="panel kpi"><span class="lbl">Pass rate</span><div class="num">{{passRatePct}}%</div><div style="color:var(--muted);font-size:12px">Threshold {{thresholdPct}}%</div></div>
126+
<div class="panel kpi"><span class="lbl">Pass rate</span><div class="num">{{passRate}}</div><div style="color:var(--muted);font-size:12px">Threshold {{threshold}}</div></div>
127127
</section>
128128

129129
<!-- 3. Maturity progression -->
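Review bot: the `{{passRate}}` and `{{threshold}}` substitutions on line 126 now carry their own `%`, but nothing in the template records that contract; an agent that substitutes a bare number renders `85` with no unit and the template still looks correct. Suggest an HTML comment beside the panel, e.g. `<!-- passRate/threshold are fully formatted values, e.g. 85% or — -->`, so the rule documented in the agent file is visible where the value is used.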
@@ -220,7 +220,7 @@ <h2>Next Steps</h2>
220220
</main>
221221

222222
<footer>
223-
Generated by <a href="https://github.com/mvanderbend-msoft/acreadiness-cockpit">acreadiness-cockpit</a>
223+
Generated by <a href="https://github.com/github/awesome-copilot/tree/main/plugins/acreadiness-cockpit">acreadiness-cockpit</a>
224224
· powered by <a href="https://github.com/microsoft/agentrc">microsoft/agentrc</a>.
225225
</footer>
226226
</body>

skills/acreadiness-generate-instructions/SKILL.md

Lines changed: 1 addition & 1 deletion
@@ -4,7 +4,7 @@ description: 'Generate tailored AI agent instruction files via AgentRC instructi
44
argument-hint: "[--output .github/copilot-instructions.md|AGENTS.md] [--strategy flat|nested] [--areas | --area <name>] [--apply-to <glob>] [--claude-md] [--dry-run]"
55
---
66

7-
# /generate-instructions — write AI agent instructions
7+
# /acreadiness-generate-instructions — write AI agent instructions
88

99
Use this skill whenever the user wants to **create**, **regenerate**, or **refresh** their custom instructions for AI coding agents (Copilot, Claude, etc.). This is the *Generate* step in AgentRC's **Measure → Generate → Maintain** loop and the single highest-leverage action for the **AI Tooling** pillar.
1010
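Review bot: the argument-hint on line 4 (unchanged context) is the only one of the three skills touched by this commit that gives no worked example of the renamed command; the assess and policy hints both end with "— e.g. /acreadiness-…". For consistency, append something like `— e.g. /acreadiness-generate-instructions --dry-run`.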

skills/acreadiness-policy/SKILL.md

Lines changed: 2 additions & 2 deletions
@@ -1,10 +1,10 @@
11
---
22
name: acreadiness-policy
33
description: 'Help the user pick, write, or apply an AgentRC policy. Policies customise readiness scoring by disabling irrelevant checks, overriding impact/level, setting pass-rate thresholds, or chaining org baselines with team overrides. Use when the user asks about strict mode, AI-only scoring, custom weights, CI gating, or wants org-wide standardisation.'
4-
argument-hint: "[show | new <name> | apply <path-or-pkg>] — e.g. /policy show, /policy new strict-frontend"
4+
argument-hint: "[show | new <name> | apply <path-or-pkg>] — e.g. /acreadiness-policy show, /acreadiness-policy new strict-frontend"
55
---
66

7-
# /policy — AgentRC policies
7+
# /acreadiness-policy — AgentRC policies
88

99
Use this skill when the user asks about **policies**, **strict mode**, **custom scoring**, **disabling checks**, **org standards**, or **CI gating** of readiness.
1010
