diff --git a/.claude/skills/recipe-upgrade/SKILL.md b/.claude/skills/recipe-upgrade/SKILL.md
index be9fed9..1af482b 100644
--- a/.claude/skills/recipe-upgrade/SKILL.md
+++ b/.claude/skills/recipe-upgrade/SKILL.md
@@ -82,7 +82,24 @@ the real current recipe, not a stale mirror.
   ```
   Skip a recipe as `SKIPPED — dirty-worktree` **only if it is still dirty with TRACKED changes after the
   stash** (real local edits), not for the untracked overlay.
-- **No upgrades available → stop** (status `SKIPPED — up-to-date`) — after the reconcile above.
+- **abra says no upgrades → do NOT conclude `up-to-date` yet; cross-check upstream directly first.**
+  `abra recipe upgrade` is the **first** approach, but it is **blind to images abra can't evaluate** —
+  most importantly **tag+digest pins** (`image:tag@sha256:…`), where abra FATAs `Docker references with
+  both a tag and digest are currently not supported` and silently contributes **no** candidate (this is
+  exactly how **immich** kept getting skipped). A digest-only pin or a non-semver tag can likewise yield
+  nothing. So **before** writing `SKIPPED — up-to-date`, do a **direct upstream check** for every service
+  whose image abra did **not** produce a clean upgrade decision for (any tag+digest / digest-only /
+  abra-FATA / abra-returned-nothing image):
+  1. Read `cc-ci-plan/upstream/<recipe>.md` (per-image releases/changelog URLs; discover + write it per
+     the registry bullet below if missing).
+  2. For each such image, list the **upstream registry tags** and pick the newest tag the app version
+     supports (the §2 "list the registry tags, pick the newest one the app supports — don't blindly take
+     the max" method), and compare it to the **currently pinned** tag.
+  3. If any service has a newer supported upstream tag than what's pinned → there **is** an upgrade:
+     proceed to plan/implement it (per §2, preserving any digest pin).
+  - **Only conclude `SKIPPED — up-to-date` when BOTH agree** there is nothing newer: abra found no bump
+    **and** the direct upstream check finds no newer supported tag for any abra-blind image. A
+    `tag and digest … not supported` FATA is a **trigger for the upstream check, never a skip on its own.**
 - Check `git log HEAD..origin/main` and upstream PRs (`git.coopcloud.tech/coop-cloud/<recipe>/pulls`)
   — if someone already started the bump, **re-plan from the tip of `origin/main`**, not from scratch.
 - **Release-notes registry (discover once, reuse — parity with recipe-maintainer's `upstream.md`).**