{"id":46148353,"url":"https://github.com/nklisch/skilltap","last_synced_at":"2026-05-08T03:24:15.562Z","repository":{"id":341449066,"uuid":"1170141372","full_name":"nklisch/skilltap","owner":"nklisch","description":"Homebrew taps for AI agent skills. Agent-agnostic. Install from any git host or npm registry, search across taps and searchable registries like skill.sh, find, static and semantic security scanning before anything touches disk.","archived":false,"fork":false,"pushed_at":"2026-03-17T02:52:02.000Z","size":1666,"stargazers_count":2,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-03-17T14:58:07.150Z","etag":null,"topics":["agent-skills","ai-agents","bun","claude","cli","codex","cursor","devtools","homebrew-tap","npm","package-manager","security","skill-md","typescript"],"latest_commit_sha":null,"homepage":"https://skilltap.dev/","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/nklisch.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"docs/SECURITY-EVAL.md","support":null,"governance":null,"roadmap":"docs/ROADMAP.md","authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":"AGENTS.md","dco":null,"cla":null}},"created_at":"2026-03-01T19:01:28.000Z","updated_at":"2026-03-17T02:52:04.000Z","dependencies_parsed_at":"2026-03-08T01:02:28.598Z","dependency_job_id":null,"html_url":"https://github.com/nklisch/skilltap","commit_stats":null,"previous_names":["nklisch/skilltap"],"tags_count":65,"template":false,"template_full_name":null,"purl":"pkg:github/nklisch/skilltap","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nklisch%2Fskilltap","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nklisch%2Fskilltap/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nklisch%2Fskilltap/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nklisch%2Fskilltap/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/nklisch","download_url":"https://codeload.github.com/nklisch/skilltap/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nklisch%2Fskilltap/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31292642,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-01T21:15:39.731Z","status":"ssl_error","status_checked_at":"2026-04-01T21:15:34.046Z","response_time":53,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["agent-skills","ai-agents","bun","claude","cli","codex","cursor","devtools","homebrew-tap","npm","package-manager","security","skill-md","typescript"],"created_at":"2026-03-02T08:12:12.447Z","updated_at":"2026-05-08T03:24:15.555Z","avatar_url":"https://github.com/nklisch.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# skilltap\n\n**Homebrew taps for agent skills.** Install, manage, and share AI agent skills from any git host — agent-agnostic, multi-source, secure.\n\n**[skilltap.dev](https://skilltap.dev)** — docs, guides, and skill discovery.\n\n```bash\ncurl -fsSL https://skilltap.dev/install.sh | sh\n```\n\n## Why skilltap?\n\nThe [SKILL.md format](https://agentskills.io/specification) is supported by 40+ agents — Claude Code, Cursor, Codex CLI, Gemini CLI, and more. Writing skills is easy. Distributing them is not.\n\nskilltap fills that gap:\n\n- **Host your own tap.** A tap is just a git repo with a JSON index — like a Homebrew formula tap. Stand one up in minutes for your team, your friends, or yourself. No registry account, no upload portal.\n- **Any git host.** Install from GitHub, GitLab, Gitea, Bitbucket, or a private server. Your SSH keys and credential helpers just work.\n- **Agent-agnostic.** One install lands in `~/.agents/skills/`. Opt in to symlinking to Claude Code, Cursor, Codex, Gemini, or Windsurf with `--also`.\n- **Source-tracked updates.** skilltap remembers where every skill came from. `skilltap update` fetches upstream changes, shows a diff, re-scans changed lines, and asks before applying.\n- **Security scanning.** Every install runs a static scan (invisible Unicode, hidden HTML, obfuscated code, suspicious URLs, tag injection) before anything lands on disk.\n- **Standalone binary.** One file, no runtime dependencies.\n\n## Install\n\n**curl (recommended):**\n\n```bash\ncurl -fsSL https://skilltap.dev/install.sh | sh\n```\n\nInstalls to `~/.local/bin/skilltap`. Override the install directory:\n\n```bash\ncurl -fsSL https://skilltap.dev/install.sh | SKILLTAP_INSTALL=/usr/local/bin sh\n```\n\n**Homebrew:**\n\n```bash\nbrew install nklisch/skilltap/skilltap\n```\n\n**Without installing:**\n\n```bash\nbunx skilltap --help   # requires Bun\nnpx skilltap --help    # requires Bun on PATH\n```\n\nOr download a binary directly from [GitHub Releases](https://github.com/nklisch/skilltap/releases).\n\n## Quickstart\n\n```bash\n# See what's installed (skills, plugins, taps, drift)\nskilltap\n\n# Browse skills from the built-in community tap\nskilltap find\n\n# Install a skill into the current project (auto-defaults to project scope inside a git repo)\nskilltap install commit-helper --also claude-code\n\n# Install from any git URL\nskilltap install https://github.com/you/my-skill --global\n\n# Preview a source without installing\nskilltap try someone/their-skill\n\n# View all skills (managed + unmanaged)\nskilltap list\n\n# Update all skills\nskilltap update\n```\n\n## Project manifests (v2.0)\n\nDeclare your project's skill + plugin dependencies in `skilltap.toml`, commit it,\nand have teammates run `skilltap sync` to bring their machines to parity. Like\n`Cargo.toml` for AI agent skills.\n\n```toml\n# skilltap.toml — at your project root\n[targets]\nalso  = [\"claude-code\", \"cursor\"]\nscope = \"project\"\n\n[skills]\n\"github:nathan/commit-helper\" = \"*\"\n\"npm:@corp/code-review\"       = \"*\"\n\n[plugins]\n\"github:corp/dev-toolkit\"     = \"*\"\n\n[taps]\nhome = \"https://gitea.example.com/nathan/my-tap\"\n```\n\nWhen `skilltap.toml` is present, `skilltap install` and `skilltap remove` keep\nthe manifest and `skilltap.lock` in sync automatically. Run `skilltap sync`\nto see drift and `skilltap sync --apply` to bring installed state in line.\n\n```bash\nskilltap install nathan/commit-helper   # adds to skilltap.toml + skilltap.lock\nskilltap remove commit-helper            # drops from manifest + lockfile\nskilltap sync                            # show drift between manifest, lockfile, state\nskilltap sync --apply                    # execute the plan\nskilltap status                          # rich snapshot: skills, plugins, MCPs, drift\n```\n\nTo publish a repo as a plugin (skills + MCP servers + agent definitions),\nadd `.skilltap/\u003cplugin-name\u003e.toml` with `publish = true`. See\n[the v2.0 spec](docs/SPEC.md#v20--tooling-surface-redesign) for the full\nmanifest format.\n\nIf you've been on v0.x, run `skilltap migrate` to upgrade your global state\n(`installed.json` + `plugins.json` → `state.json`) without losing anything.\n\n## Taps\n\nA **tap** is a git repo containing a `tap.json` index of skills. Taps make discovery and curation easy — and anyone can create one.\n\n```bash\n# Create your own tap (a git repo + tap.json index)\nskilltap tap init my-skills\n# push to any git host, then share the URL\n\n# Subscribe to any tap\nskilltap tap add acme https://gitea.acme.com/eng/acme-skills\n\n# Search across all your taps\nskilltap find review\n\n# Install by name from a tap\nskilltap install code-reviewer\n\n# Update all taps\nskilltap tap update\n```\n\nThe built-in `skilltap-skills` tap is always available — no setup required.\n\n## Host Your Own Tap\n\nWhether you're managing skills for a company, a group of friends, or just yourself, a tap is all you need. It's a git repo — host it anywhere you already have git.\n\n```bash\n# Create the tap once (engineering lead, project owner, whoever)\nskilltap tap init acme-skills\n# add skills to tap.json, push to your git host\n\n# Everyone else adds it once\nskilltap tap add acme https://gitea.acme.com/eng/acme-skills\n\n# Install and update by name from then on — no URLs to copy-paste\nskilltap install code-reviewer --global --also claude-code\nskilltap update --all\n```\n\nWhen you update a skill in the tap, every subscriber sees the diff and confirms before it applies. Your existing SSH keys and credential helpers handle authentication. See [Host Your Own Tap](https://skilltap.dev/guide/teams) for the full setup guide and config options.\n\n## Commands\n\n| Command | Description |\n|---|---|\n| `(no args)` | Status dashboard — installed skills, plugins, MCPs, drift |\n| `status` | Same as bare invocation, with `--json` for scripting |\n| `install \u003csource\u003e` | Install a skill from a URL, GitHub shorthand, npm package, or tap name |\n| `remove \u003cname\u003e` | Remove an installed skill |\n| `update [name]` | Update one or all installed skills |\n| `list` | List installed skills |\n| `info \u003cname\u003e` | Show details about a skill (installed or available in taps) |\n| `find [query]` | Search skills across configured taps |\n| `try \u003csource\u003e` | Preview a source (clone, parse, scan) without installing |\n| `sync` | Show drift between `skilltap.toml`, `skilltap.lock`, and installed state |\n| `sync --apply` | Execute the sync plan via install/remove |\n| `migrate` | One-shot upgrade from v0.x state to v2.0 |\n| `link \u003cpath\u003e` | Link a local skill directory |\n| `unlink \u003cname\u003e` | Remove a linked skill |\n| `toggle \u003cplugin\u003e[:component]` | Toggle a plugin component (or open picker) |\n| `enable \u003cplugin\u003e[:component]` | Activate a plugin component (or all inactive) |\n| `disable \u003cplugin\u003e[:component]` | Deactivate a plugin component (or all active) |\n| `create [name]` | Scaffold a new skill from a template |\n| `verify [path]` | Validate a skill before sharing (CI-friendly) |\n| `doctor` | Check environment, config, manifest/lockfile drift, MCP consistency |\n| `completions \u003cshell\u003e` | Generate shell tab-completion script |\n| `tap add \u003cname\u003e \u003curl\u003e` | Add a git tap |\n| `tap remove \u003cname\u003e` | Remove a tap |\n| `tap update [name]` | Update one or all taps |\n| `tap list` | List configured taps |\n| `tap init \u003cname\u003e` | Initialize a new tap directory |\n| `config` | Interactive configuration wizard |\n| `config agent-mode` | Enable/disable agent mode (legacy; see Agent flag below) |\n\nMost commands accept `--global` / `--project` for scope, `--yes` to skip prompts,\nand `--agent` for non-interactive use. **Smart scope default**: inside a git repo,\n`install` defaults to `--project`; outside, `--global`. Override explicitly with\n`--global` / `--project` whenever you need to.\n\n## How it works\n\nSkills are directories containing a `SKILL.md` file. skilltap installs them to `~/.agents/skills/\u003cname\u003e/` (global) or `.agents/skills/\u003cname\u003e/` (project), then creates symlinks at each agent's expected location (`.claude/skills/`, `.cursor/skills/`, etc.) so every agent picks them up automatically.\n\n## Security\n\nEvery install and update runs a two-layer security scan before anything lands on disk.\n\n**Static scan** (always on by default): checks for invisible Unicode, hidden HTML/CSS, markdown injection, obfuscated code, suspicious URLs, dangerous shell patterns, and tag injection.\n\n**Semantic scan** (optional, `--semantic`): sends skill content to your local AI agent in bounded 2000-char chunks. The agent is invoked with tools disabled (`--no-tools`), so even a skill that tricks the reviewer can't cause it to take actions. Content is wrapped in a randomly-suffixed untrusted block so the agent can't be hijacked by the skill it's reviewing. Closing tags that could escape the wrapper are detected and escaped before the chunk is sent. Up to 4 chunks are evaluated in parallel; agent failures are fail-open (scan continues).\n\n```bash\nskilltap install my-skill --semantic   # enable semantic scan\nskilltap install my-skill --strict     # block on any warning\nskilltap install my-skill --skip-scan  # bypass scanning (trusted sources)\n```\n\nSee [docs/SECURITY.md](docs/SECURITY.md) for the full threat model, detector reference, and configuration options.\n\n## Agent mode\n\nFor non-interactive use (AI agents, CI, scripts), three options that compose:\n\n```bash\nskilltap install foo --agent             # one-off flag (v2.0)\nSKILLTAP_AGENT=1 skilltap install foo    # env var (v2.0)\nskilltap config agent-mode               # interactive wizard, sticky (v0.x; still works)\n```\n\n`--agent` (or `SKILLTAP_AGENT=1`) suppresses all prompts, implies `--yes`,\nturns security warnings into hard failures, and emits plain text output. Agents\nshould set the flag or env var on every invocation.\n\n## Configuration\n\nConfig is stored at `~/.config/skilltap/config.toml`. Run the interactive wizard:\n\n```bash\nskilltap config\n```\n\nKey settings: default scope (`global`/`project`), additional agent symlinks (`--also`), security scan mode (`static`/`semantic`/`off`), and `on_warn` behavior (`prompt`/`fail`).\n\n## Authoring Skills\n\n```bash\n# Scaffold a new skill interactively\nskilltap create my-skill\n\n# Edit SKILL.md, then test locally\nskilltap link ./my-skill --also claude-code\n\n# Validate before sharing\nskilltap verify my-skill/\n\n# Push to git and share\ngit push -u origin main\n```\n\nOthers can install with: `skilltap install you/my-skill`\n\nTo publish to npm (with provenance), use `--template npm`. The generated GitHub Actions workflow handles publishing automatically on release.\n\n## Trust Signals\n\nSkills from npm show provenance status when installed:\n\n```\n$ skilltap skills\n\nGlobal (.agents/skills/) — 2 skills\n  Name           Status   Agents       Source\n  my-npm-skill   managed  claude-code  npm:@user/my-npm-skill\n  git-skill      managed  claude-code  home\n```\n\nTrust tiers: `provenance` (Sigstore/SLSA verified), `publisher` (npm identity verified), `curated` (tap-verified), `unverified`.\n\n## Shell Completions\n\n```bash\nskilltap completions bash --install\nskilltap completions zsh --install    # then: fpath=(~/.zfunc $fpath) \u0026\u0026 autoload -Uz compinit \u0026\u0026 compinit\nskilltap completions fish --install\n```\n\n## Troubleshooting\n\n```bash\nskilltap doctor        # check environment, config, and installed state\nskilltap doctor --fix  # auto-repair common issues (broken symlinks, orphan records)\nskilltap doctor --json # machine-readable output for CI\n```\n\n## Gotchas\n\n- **`--yes` does not skip the scope prompt.** Pass `--global` or `--project` explicitly for a fully non-interactive install.\n- **`--yes` does not bypass security warnings.** Use `--strict` to turn warnings into hard failures, or `--skip-scan` to bypass entirely (blocked if `require_scan = true`).\n- **Agent mode must be enabled before invoking from an AI agent.** Run `skilltap config agent-mode` interactively once. Without it, skilltap will prompt and hang in non-TTY environments.\n- **Agent symlinks are not automatic.** Pass `--also \u003cagent\u003e` or set defaults in config. The skill always lands in `.agents/skills/` — symlinks are opt-in.\n- **Multi-skill repos require selection.** If a repo contains multiple `SKILL.md` files, skilltap prompts you to choose. With `--yes`, all are auto-selected.\n- **npm installs require the `npm:` prefix.** `skilltap install vibe-rules` searches your taps. `skilltap install npm:vibe-rules` hits the npm registry.\n\n## License\n\nMIT\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnklisch%2Fskilltap","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnklisch%2Fskilltap","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnklisch%2Fskilltap/lists"}