https://github.com/anton-abyzov/vskill
Secure multi-platform AI skill installer — scan before you install. 49 agents, 12 plugins, 41 expert skills.
ai ai-agents claude-code cli copilot cursor developer-tools npm-package plugin-marketplace security skills windsurf
Last synced: 18 days ago
- Host: GitHub
- URL: https://github.com/anton-abyzov/vskill
- Owner: anton-abyzov
- License: mit
- Created: 2026-02-16T01:37:46.000Z (4 months ago)
- Default Branch: main
- Last Pushed: 2026-05-25T06:17:55.000Z (24 days ago)
- Last Synced: 2026-05-25T07:27:00.428Z (24 days ago)
- Topics: ai, ai-agents, claude-code, cli, copilot, cursor, developer-tools, npm-package, plugin-marketplace, security, skills, windsurf
- Language: TypeScript
- Homepage: https://verified-skill.com
- Size: 7.31 MB
- Stars: 35
- Watchers: 0
- Forks: 6
- Open Issues: 0
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- License: LICENSE
- Codeowners: .github/CODEOWNERS
README
vskill
The package manager for AI skills.
Author. Eval. Publish. Install — across 53 agent platforms.
All releases: github.com/anton-abyzov/vskill/releases
```bash
# Browser studio — zero install
npx vskill@latest studio # open the local IDE for AI skills
npx vskill@latest install remotion-best-practices
```
Native Mac, Windows, and Linux desktop apps available at
**[GitHub Releases](https://github.com/anton-abyzov/vskill/releases/latest)** — 1.5 s cold launch,
no telemetry. macOS Apple Silicon is signed by `Developer ID Application: EasyChamp, Inc.`
and notarized + stapled by Apple — no Gatekeeper warning.
The desktop app wraps the same studio runtime as `npx vskill studio` in a Tauri 2 shell:
native menu bar, global `⌘K` find-skill palette, `⌘,` Preferences with General / Updates /
Privacy / Advanced tabs, settings persisted to `~/.vskill/settings.json` (atomic, 0600 perms),
and signed auto-update via `tauri-plugin-updater` against minisign-signed manifests.
## Why vskill
**36.82% of AI skills have security flaws** ([Snyk ToxicSkills](https://snyk.io/blog/toxicskills-malicious-ai-agent-skills-clawhub/)).
And the ones that aren't malicious often *don't even improve the model* — they just feel like they should.
vskill is built around three problems:
- **Trust** — every install runs a 3-tier scan (52 patterns → blocklist → LLM intent). No `--skip-scan`.
- **Proof** — Skill Studio runs A/B evals so you can *show* a skill makes a model better, not assume it.
- **Reach** — one skill, 53 agents (Claude Code, Cursor, Copilot, Codex, Windsurf, Zed, Gemini CLI, Ollama, …).
## Skill Studio — the local IDE for skills
```bash
npx vskill@latest studio
```
A localhost workbench opens at a deterministic per-project port. You can:
- **Author** new skills with an AI-assisted generator (Anthropic skill-creator engine *or* vskill native — first-class peers, you pick).
- **Edit** SKILL.md live with a Linear/Raycast-grade UI.
- **Run benchmarks** with SSE-streamed pass/fail across Claude, GPT, Llama, Gemini, local Ollama / LM Studio.
- **A/B compare** with vs. without your skill — blind LLM judge ranks outputs as EFFECTIVE / MARGINAL / INEFFECTIVE / DEGRADING.
- **Cross-model sweep** the same skill across providers (Anthropic Batch API supported — 50% cheaper).
- **Find skills** from the verified-skill.com registry with a `⌘⇧K` palette, install with consent + provenance.
- **Publish** with one click — `git push` from the UI, then opens the submit form on verified-skill.com pre-filled.
CORS-free by design: the browser only ever talks to localhost. The server proxies to verified-skill.com and to provider APIs. Every mutation is logged to `~/.vskill/studio-ops.jsonl` for audit.
## How install works
```
┌──────────┐ ┌──────────┐ ┌──────────┐ ┌──────────┐
│ Source │────>│ Scan │────>│ Verify │────>│ Install │
│ │ │ │ │ │ │ │
│ GitHub │ │ 52 rules │ │ LLM │ │ Pin SHA │
│ Registry │ │ Blocklist│ │ intent │ │ Lock ver │
│ Local │ │ Patterns │ │ analysis │ │ Symlink │
└──────────┘ └──────────┘ └──────────┘ └──────────┘
```
Every install runs the full pipeline. SARIF v2.1.0 output is available for CI (`vskill audit --ci`).
## Quick Start
```bash
# Install one skill
npx vskill@latest install remotion-dev/skills/remotion-best-practices
# Browse a repo, pick interactively
npx vskill@latest install remotion-dev/skills
# Install a Claude Code plugin (full domain bundle)
npx vskill@latest install --repo anton-abyzov/vskill --plugin frontend
```
Install globally for repeat use: `npm i -g vskill`
Behind a private npm registry? See Getting Started for the E401 workaround.
## What ships today
| Surface | Count | Notes |
|---|---|---|
| **Agent platforms** | **53** | Claude Code, Cursor, Copilot, Windsurf, Codex, Gemini CLI, Zed, Ollama, LM Studio, … |
| **Plugins** | **8** | Multi-skill bundles for Claude Code |
| **Skills** | **14** | Individual SKILL.md files inside plugins |
| **Top-level CLI commands** | **22** | `install`, `studio`, `eval`, `find`, `scan`, `audit`, `submit`, `skill`, `keys`, … |
| **Tests** | **307 test files** | More tests than source files |
### Plugins (Claude Code)
| Plugin | Skills |
|---|---|
| **frontend** | figma-connect, frontend-design, task-skill-announcer |
| **personal** | obsidian-brain, greet-anton, tax-filing |
| **marketing** | slack-messaging, social-media-posting |
| **skills** | skill-builder, scout |
| **mobile** | appstore |
| **google-workspace** | gws |
| **easychamp** | tournament-manager |
| **productivity** | survey-passing |
Install all eight: `npx vskill@latest install --repo anton-abyzov/vskill --all`
Browse the full catalog → [verified-skill.com/docs/plugins](https://verified-skill.com/docs/plugins)
## Commands you'll actually use
```bash
npx vskill@latest studio # open local IDE
npx vskill@latest install # install with full security scan
npx vskill@latest find # search verified-skill.com registry
npx vskill@latest list --installed # what's installed where
npx vskill@latest diff v1 v2 # compare versions before upgrading
npx vskill@latest skill new # create a new skill (AI-assisted)
npx vskill@latest eval sweep # benchmark across models
npx vskill@latest audit --ci # SARIF v2.1.0 for CI
npx vskill@latest keys set anthropic # store API keys in ~/.vskill/keys.env
npx vskill@latest auth login # sign in to GitHub for private skills
```
Full reference → [verified-skill.com/docs/cli-reference](https://verified-skill.com/docs/cli-reference)
## Authentication (GitHub, for private skills)
`vskill auth` signs you in to GitHub using the official Device Flow so the CLI
can install skills from private repos and the local Studio can list your org's
private catalog.
```bash
npx vskill@latest auth login # interactive Device Flow — copy code, visit URL
npx vskill@latest auth status # show the current GitHub identity
npx vskill@latest auth logout # forget the GitHub token
```
How it works:
1. `vskill auth login` requests a device + user code from `github.com/login/device/code`.
2. You visit `https://github.com/login/device` and enter the 8-character code (rendered as `XXXX-XXXX`).
3. The CLI polls `github.com/login/oauth/access_token` until you authorize, then validates against `api.github.com/user`.
4. The resulting token is stored in your **OS keychain** (macOS Keychain / Windows DPAPI / libsecret).
On systems without a keyring daemon, the token falls back to `~/.vskill/keys.env` with mode `0600` and a startup warning.
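The response handling behind step 3, as an added example that is not vskill's own code: it shows how a Device Flow client should react to each token-endpoint reply so that it backs off on `slow_down`, stops on a terminal error, and never polls past the device code's lifetime. The names `nextInterval` and `runPoll` are hypothetical, the error codes are those defined by RFC 8628, and the responses are constructed and replayed with simulated time.

```typescript
// Added example (not vskill source): response handling for a Device Flow poll loop.
type PollResponse = { access_token?: string; error?: string; interval?: number };
type PollResult = { token: string | null; error: string | null; waits: number[] };

// Decide the next wait (seconds) from one token-endpoint response, or null to stop.
function nextInterval(current: number, res: PollResponse): number | null {
  if (res.error === "authorization_pending") return current;
  // slow_down: add 5 s (RFC 8628 section 3.5), or honour a larger server-sent interval.
  if (res.error === "slow_down") return Math.max(current + 5, res.interval ?? 0);
  return null; // success, terminal error, or unrecognised response
}

// Drive the loop over a scripted list of responses; time is simulated, nothing sleeps.
function runPoll(intervalSec: number, expiresInSec: number, script: PollResponse[]): PollResult {
  const waits: number[] = [];
  let elapsed = 0;
  for (const res of script) {
    if (typeof res.access_token === "string" && res.access_token.length > 0) {
      return { token: res.access_token, error: null, waits };
    }
    const next = nextInterval(intervalSec, res);
    if (next === null) {
      // access_denied, expired_token, or a body with neither token nor known error.
      return { token: null, error: res.error ?? "malformed_response", waits };
    }
    elapsed += next;
    // Stop locally once the device code lifetime is spent instead of polling forever.
    if (elapsed >= expiresInSec) return { token: null, error: "expired_token", waits };
    intervalSec = next;
    waits.push(next);
  }
  return { token: null, error: "script_exhausted", waits };
}

// Constructed responses, shaped like the token endpoint's JSON bodies.
const approved: PollResponse[] = [
  { error: "authorization_pending" },
  { error: "slow_down", interval: 10 },
  { error: "authorization_pending" },
  { access_token: "CONSTRUCTED_TOKEN_VALUE" },
];
const denied: PollResponse[] = [{ error: "authorization_pending" }, { error: "access_denied" }];

console.log(runPoll(5, 900, approved)); // token returned after waits of 5, 10, 10
console.log(runPoll(5, 900, denied)); // error: access_denied
console.log(runPoll(5, 12, approved)); // error: expired_token (lifetime spent)
```
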
Where the token is used:
- **`vskill install `** — added as `Authorization: Bearer …` on every fetch to `api.github.com` and `raw.githubusercontent.com`. Public skills still install anonymously.
- **`vskill studio`** — the local eval-server proxies private routes (`/api/v1/private/*`, `/api/v1/tenants/*`) to verified-skill.com with the bearer header injected at the proxy boundary. Your browser never holds the token.
Configuration:
- `VSKILL_GITHUB_CLIENT_ID` — the OAuth/App `client_id` used during Device Flow. Defaults are baked in for the public Skill Studio App; set this only if you are running a self-hosted variant.
Inspect status of all credentials in one place:
```bash
npx vskill@latest keys list # shows AI provider keys + the github slot
```
### Private skill workflow
Once authenticated, installing a private org skill is identical to a public one — the CLI silently attaches the keychain token to every `api.github.com` and `raw.githubusercontent.com` request:
```bash
npx vskill@latest auth login # one-time setup
npx vskill@latest add https://github.com// # private skill installs same as public
```
The local skill bundle on disk **never contains** your GitHub token — the token is used only at fetch time. Your project's `vskill.lock` records `source: "private"` and the org name so future updates re-authenticate correctly.
Customer-facing setup walkthrough → [`.specweave/docs/external/private-repos-quickstart.md`](../../../.specweave/docs/external/private-repos-quickstart.md) (in the umbrella repo).
## Security & Compliance
Skill Studio private-repo support (increment 0826) ships with a documented threat model, a verification checklist, a SOC 2 evidence map, and operational runbooks, all in the umbrella repo under `.specweave/docs/`:
- **Customer quickstart** — `.specweave/docs/external/private-repos-quickstart.md`
- **Vendor security questionnaire** — `.specweave/docs/external/security-questionnaire-template.md`
- **Threat model & verification checklist** — `.specweave/docs/internal/security/0826-*.md`
- **SOC 2 evidence map** — `.specweave/docs/internal/compliance/0826-soc2-evidence-map.md`
- **Operations + rotation runbooks** — `.specweave/docs/internal/runbooks/0826-*.md`
## Recent highlights (0.5.x)
- **0.5.129** — Studio Publish: one-click `git push` + open verified-skill.com submit pre-filled
- **0.5.12x** — Studio Find palette (`⌘⇧K`): search the registry from inside Studio
- **0.5.11x** — Engine selector in Create flow: choose Anthropic skill-creator *or* vskill native
- **0.5.10x** — Multi-project tabs, deterministic per-project port (3077–3177), bookmarkable URLs
- **0.5.0x** — A/B comparison with blind LLM judge, cross-model sweep, MCP-skill simulation mode
Full changelog → [github.com/anton-abyzov/vskill/releases](https://github.com/anton-abyzov/vskill/releases)
## Learn more
| Topic | Where |
|---|---|
| Quick start & first install | [verified-skill.com/docs/getting-started](https://verified-skill.com/docs/getting-started) |
| Full CLI reference | [verified-skill.com/docs/cli-reference](https://verified-skill.com/docs/cli-reference) |
| Security model & 3-tier verification | [verified-skill.com/docs/security-guidelines](https://verified-skill.com/docs/security-guidelines) |
| Plugin marketplace | [verified-skill.com/docs/plugins](https://verified-skill.com/docs/plugins) |
| Submit a skill for verification | [verified-skill.com/docs/submitting](https://verified-skill.com/docs/submitting) |
| FAQ | [verified-skill.com/docs/faq](https://verified-skill.com/docs/faq) |
| Browse the registry | [verified-skill.com](https://verified-skill.com) |
## Contributing
Issues and PRs welcome at [github.com/anton-abyzov/vskill](https://github.com/anton-abyzov/vskill). To submit a skill to the registry, see [verified-skill.com/docs/submitting](https://verified-skill.com/docs/submitting).
## License
MIT