https://github.com/tankpkg/tank

Security-first package manager for AI agent skills
https://github.com/tankpkg/tank

ai-agents ai-coding-agent claude-code cli cursor developer-tools npm-alternative package-manager registry security semver skills static-analysis supply-chain-security

Last synced: 26 days ago
JSON representation

Security-first package manager for AI agent skills

• Host: GitHub
• URL: https://github.com/tankpkg/tank
• Owner: tankpkg
• License: mit
• Created: 2026-02-13T22:42:27.000Z (4 months ago)
• Default Branch: main
• Last Pushed: 2026-05-20T13:06:33.000Z (27 days ago)
• Last Synced: 2026-05-20T16:58:17.297Z (26 days ago)
• Topics: ai-agents, ai-coding-agent, claude-code, cli, cursor, developer-tools, npm-alternative, package-manager, registry, security, semver, skills, static-analysis, supply-chain-security
• Language: TypeScript
• Homepage: https://tankpkg.dev
• Size: 65.6 MB
• Stars: 28
• Watchers: 0
• Forks: 4
• Open Issues: 14
• Metadata Files:
  • Readme: README.md
  • Changelog: CHANGELOG.md
  • Contributing: CONTRIBUTING.md
  • License: LICENSE
  • Code of conduct: CODE_OF_CONDUCT.md
  • Security: docs/security.md
  • Roadmap: docs/roadmap-ranking.md
  • Agents: AGENTS.md

Awesome Lists containing this project

README

          


  





  



Tank




  Security-first package manager for AI agent skills.

  


  "I know Kung Fu." — but verified, locked, and scanned.





  

  

  

  



---

## The Problem

AI coding agents (Claude Code, Codex, Cursor) can be extended with **skills** — reusable packages that teach agents how to perform tasks. The ecosystem is growing fast: 110,000+ installs in 4 days on one registry alone.

But today's skill registries have **no versioning, no lockfiles, no permissions, and no security scanning**. In February 2026, the ClawHavoc incident revealed that 341 malicious skills (12% of a major marketplace) were distributing credential-stealing malware.

Agent skills are more dangerous than npm packages because they execute with the **agent's full authority** — reading files, making API calls, running shell commands. The attack surface is fundamentally larger.

## What Tank Does

Tank is the **npm for agent skills**, with security built into the foundation:

| Feature         | npm (2012)              | Current Registries | Tank                                 |

| --------------- | ----------------------- | ------------------ | ------------------------------------ |

| Versioning      | Social contract         | Git tags / none    | **Semver with escalation detection** |

| Lockfile        | `package-lock.json`     | None               | **`skills.lock` with SHA-512**       |

| Permissions     | None                    | None               | **Declared + enforced at install**   |

| Static analysis | None built-in           | Basic / none       | **6-stage security pipeline**        |

| Audit score     | `npm audit` (deps only) | None               | **Transparent 0-10 score**           |

| Code signing    | npm provenance (2023)   | None               | Planned (Sigstore)                   |

| Sandbox         | None                    | None               | Planned (Phase 3)                    |

## Quick Look

### All CLI Commands

```bash

# Authentication

tank login                          # Authenticate via GitHub OAuth

tank whoami                         # Show current user info

tank logout                         # Clear credentials

# Project setup

tank init                           # Create skills.json interactively

# Publishing

tank publish                        # Pack and publish a skill

tank publish --dry-run              # Validate without uploading

# Installation & management

tank install @org/skill             # Install a specific skill

tank install                        # Install all from lockfile (like npm ci)

tank install --yes                  # Auto-accept permission budget expansions

tank update @org/skill              # Update within semver range

tank update                         # Update all skills

tank remove @org/skill              # Remove a skill

# Verification & security

tank verify                         # Verify lockfile integrity

tank permissions                    # Display resolved permission summary

tank audit                          # Show security analysis results

tank audit @org/skill               # Audit a specific skill

# Discovery

tank search "query"                 # Search the registry

tank info @org/skill                # Show skill metadata

```

**`skills.json`** — declare what your agent is allowed to do:

```json

{

  "skills": {

    "@vercel/next-skill": "^2.1.0",

    "@community/seo-audit": "3.0.0"

  },

  "permissions": {

    "network": { "outbound": ["*.anthropic.com"] },

    "filesystem": { "read": ["./src/**"], "write": ["./output/**"] },

    "subprocess": false

  }

}

```

If any skill exceeds the permission budget, Tank prompts you to review and approve the expansion — or auto-accept with `--yes` in CI. No silent escalation. This single feature would have prevented ClawHavoc.

## Development

### Prerequisites

- Node.js 24+

- Bun 1.x+

- Python 3.14+ (for security analysis functions)

### Setup

```bash

git clone https://github.com/tankpkg/tank.git

cd tank

bun install

cp .env.example .env  # fill in credentials

just db admin                # promotes FIRST_ADMIN_EMAIL to admin

```

### Commands

```bash

just dev                    # Start all workspaces in dev mode

just build                  # Build all packages

just test                   # Run all unit tests

just test scanner           # Run Python scanner tests

just test perf              # Run performance tests

just check                  # Biome lint + format validation

just fmt                    # Auto-format code

just verify                 # Validation-only pipeline

just --list                 # See all available commands

```

## Project Structure

```

tank/

├── apps/

│   ├── registry/        # TanStack Start registry app

│   └── python-api/   # Python security scanner (FastAPI)

├── packages/

│   ├── cli/          # Tank CLI (TypeScript)

│   ├── internals-helpers/ # Shared pure helpers

│   ├── internals-schemas/ # Shared schemas, types, constants

│   ├── mcp-server/   # MCP server for editor integration

│   └── ...

├── infra/            # Docker Compose, Helm charts

├── docs/             # Reference, process, product, ops

├── idd/              # Intent-driven development artifacts

├── bdd/              # Executable behavior specs

└── e2e/              # Full-stack regression tests

```

## Project Status

> **Tank MVP is code-complete.** We're building in the open from day one.

## Documentation

| Document                                   | Description                                          |

| ------------------------------------------ | ---------------------------------------------------- |

| [Docs Index](docs/README.md)               | Start here for architecture, process, and references |

| [Architecture](docs/core/architecture.md)  | Technical design and current app state               |

| [Methodology](docs/process/methodology.md) | IDD → BDD → TDD → E2E workflow                       |

| [Contributing](CONTRIBUTING.md)            | How to get involved                                  |

## Why "Tank"?



In The Matrix, **Tank is the operator** — the person who loads skills into people's minds. He's the one who makes "I know Kung Fu" possible. But he doesn't just load anything blindly. He verifies, he monitors, he's the last line of defense.

That's what this project does for AI agent skills.

## Contributing

Tank is open source under the [MIT License](LICENSE). We welcome contributions of all kinds — see [CONTRIBUTING.md](CONTRIBUTING.md) to get started.

## License

[MIT](LICENSE) — do what you want, just include the license.