Self-contained recipes for common skillpm workflows. Each recipe includes concrete commands you can copy and adapt.
Share a curated set of skills across your team using a project manifest committed to version control.
```bash
cd ~/myproject
skillpm init
skillpm install clawhub/steipete/code-review
skillpm install clawhub/testingshop/auto-test-gen
skillpm install community/secops/secret-scanner

# Commit the manifest and lockfile
git add .skillpm/skills.toml .skillpm/skills.lock
git commit -m "add skillpm project config"
```

Add to `.gitignore`:

```
.skillpm/installed/
.skillpm/state.toml
.skillpm/staging/
.skillpm/snapshots/
```
```bash
git clone <repo> && cd <repo>
skillpm sync
skillpm inject --all
```

`sync` reads the manifest and lockfile, installs the exact pinned versions, and re-injects into all configured agents.
```bash
skillpm upgrade
git add .skillpm/skills.toml .skillpm/skills.lock
git commit -m "upgrade skills to latest"
```

Teammates pull the commit and run `skillpm sync` to get the updated versions.
Use skillpm as a gate in your CI pipeline to enforce skill policies and verify reproducible installs.
```bash
# Install skillpm in CI
go build -o ./bin/skillpm ./cmd/skillpm

# Bootstrap environment
./bin/skillpm doctor --json

# Sync and verify — strict mode exits 2 on policy violations
./bin/skillpm sync --strict --json > sync-result.json
```

| Exit Code | Meaning | CI Action |
|---|---|---|
| 0 | Success, acceptable risk posture | Pass |
| 2 | Strict policy failure | Fail the build |
| other non-zero | Runtime/validation error | Fail the build |
```yaml
- name: Sync skills (strict)
  run: |
    skillpm doctor --json
    skillpm sync --strict --json > sync-result.json
- name: Upload sync report
  if: always()
  uses: actions/upload-artifact@v4
  with:
    name: sync-result
    path: sync-result.json
```

Run a non-mutating dry-run on PRs to preview what would change:
```bash
skillpm sync --dry-run --strict --json > sync-plan.json
```

If the exit code is 2, the PR introduces a policy violation. The JSON output includes `recommendedCommand` fields for resolution.
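The exit-code contract in the table above, written as a reusable CI gate. This is an added example, not code from the skillpm project; the `SKILLPM` override variable and the function names are assumptions of the example, and the `recommendedCommand` lookup is a plain text match because the report schema is not shown on this page.

```bash
#!/bin/sh
# Added example: gate a CI job on skillpm's documented exit codes.
# SKILLPM is an assumed override so the gate can be pointed at a stub.
SKILLPM="${SKILLPM:-skillpm}"

# classify_exit CODE -> pass | policy-violation | error (per the table above)
classify_exit() {
  case "$1" in
    0) echo "pass" ;;
    2) echo "policy-violation" ;;
    *) echo "error" ;;
  esac
}

# run_gate REPORT [extra sync flags, e.g. --dry-run]
# Runs a strict sync, keeps the JSON report, returns skillpm's own exit code.
run_gate() {
  report="$1"; shift
  gate_rc=0
  # "|| gate_rc=$?" records the code even under `set -e`, where a bare failing
  # command would abort the script before a following `echo $?` ran.
  "$SKILLPM" sync --strict --json "$@" > "$report" || gate_rc=$?
  verdict=$(classify_exit "$gate_rc")
  echo "skillpm sync: exit=$gate_rc verdict=$verdict report=$report" >&2
  case "$verdict" in
    policy-violation)
      # Plain text match, not a schema-aware parse of the report.
      grep '"recommendedCommand' "$report" >&2 || true ;;
    error)
      [ -s "$report" ] || echo "no JSON report was written" >&2 ;;
  esac
  return "$gate_rc"
}
```

Call `run_gate sync-result.json` on the main branch and `run_gate sync-plan.json --dry-run` on pull requests, then exit the job with the function's return value so codes 2 and other non-zero values both fail the build.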
Inject skills into every AI agent you use with a single command.
```bash
# Doctor auto-detects installed agents
skillpm doctor

# Inject all installed skills into every enabled agent
skillpm inject --all
```

```bash
# Code-review skill to Claude, linter to Codex
skillpm inject --agent claude my-repo/code-review
skillpm inject --agent codex my-repo/linter
```

```bash
# Check which agents are detected and enabled
skillpm doctor --json | grep -A2 '"name": "config"'

# List skills with scope info
skillpm list
```

| Agent | Global Injection Path |
|---|---|
| Claude Code | ~/.claude/skills/{name}/ |
| Codex | ~/.agents/skills/{name}/ |
| Gemini CLI | ~/.gemini/skills/{name}/ |
| Copilot | ~/.copilot/skills/{name}/ |
| Cursor | ~/.cursor/skills/{name}/ |
See Supported Agents for the full list including IDE agents and project-scoped paths.
Discover skills through registered sources, direct Git URLs, and the bundled official examples in this repository.
```bash
# Search all registered sources
skillpm search "code-review"

# Search a specific source
skillpm search "testing" --source hub
```

```bash
skillpm install https://github.com/anthropics/skills/tree/main/skills/skill-creator --force
```

The first install auto-registers a reusable source name for the backing repository. After that, you can treat it like any other source.
```bash
ls skills
find skills -maxdepth 2 -name SKILL.md | sort
```

Use `sync --dry-run` and `sync --strict` to preview changes before mutating the workspace or CI environment.
```bash
skillpm sync --dry-run --json > sync-plan.json
```

The JSON output includes:

- `recommendedCommand`
- `recommendedCommands`
- `riskStatus`
- `nextStepHint`
```bash
skillpm sync --strict --json > sync-result.json
echo $?
```

Exit code 2 means sync completed or planned with risk items that strict mode does not allow through.
Audit your skills for security issues and enforce scan policies.
Security scanning is automatic. Every install, upgrade, and sync operation scans skill content:
```bash
# This will be blocked if the skill contains dangerous patterns
skillpm install my-repo/untrusted-skill
```

When an install is blocked:

```
SEC_SCAN_BLOCKED: [HIGH] SCAN_DANGEROUS_PATTERN (SKILL.md: Code execution via subprocess.run); use --force to proceed
```

- Read the error to identify the rule and pattern.
- Inspect the skill content manually.
- If you trust the content, bypass with `--force`:

```bash
skillpm install my-repo/admin-tool --force
```

Critical findings cannot be bypassed, even with `--force`.
In `~/.skillpm/config.toml`:

```toml
[security.scan]
enabled = true
block_severity = "high"   # block high and critical (default)
disabled_rules = []       # e.g. ["SCAN_PROMPT_INJECTION"]
```

Use `--strict` in CI pipelines to fail on any risk items:

```bash
skillpm sync --strict --json > audit.json
echo "Exit code: $?"
```

Exit code 2 means the strict policy was violated. Parse the JSON output for details.
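A check a team can run beside the strict sync to catch a weakened scan policy before it reaches CI. This is an added example, not part of skillpm; the function names are hypothetical, and it treats any `block_severity` other than the documented default `"high"` as a deviation to review, since other accepted values are not listed on this page.

```bash
#!/bin/sh
# Added example: flag settings that weaken skillpm's scan gate.
# Function names are this example's own; the keys come from the config above.

# audit_scan_config FILE -> one finding per line; returns 1 if any finding.
audit_scan_config() {
  awk '
    # Track whether we are inside the [security.scan] table.
    /^[ \t]*\[/ { in_scan = ($0 ~ /^[ \t]*\[security\.scan\][ \t]*(#.*)?$/); next }
    !in_scan    { next }
    { sub(/#.*/, "") }   # drop trailing comments such as "# e.g. [...]"
    /^[ \t]*enabled[ \t]*=/ && /=[ \t]*false/ {
      print "scanning is disabled (enabled = false)"; bad = 1
    }
    /^[ \t]*block_severity[ \t]*=/ && !/=[ \t]*"high"[ \t]*$/ {
      print "block_severity differs from the documented default \"high\""; bad = 1
    }
    /^[ \t]*disabled_rules[ \t]*=/ && !/=[ \t]*\[[ \t]*\][ \t]*$/ {
      print "disabled_rules is not empty"; bad = 1
    }
    END { exit (bad ? 1 : 0) }
  ' "$1"
}

# find_force_usage DIR -> lists script/workflow lines that pass --force to
# skillpm (a bypass of medium/high findings); returns 1 if any are found.
find_force_usage() {
  if grep -rnE 'skillpm[^#]*--force' "$1"; then
    return 1
  fi
  return 0
}
```

Run `audit_scan_config ~/.skillpm/config.toml` and `find_force_usage .github/workflows` (the workflow path is an assumption) and fail the job when either returns non-zero.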
v4.x removed the built-in scheduler. The supported workflow is to run sync
manually or wrap it in your own cron, CI, or task runner.
```bash
# Preview what would change
skillpm sync --dry-run

# Apply changes
skillpm sync
```

```bash
# Cron, CI, or task runner command
skillpm sync --strict --json > sync-result.json
```

```bash
# Step 1: Verify the skill is installed
skillpm list

# Step 2: Check that the agent adapter is enabled
skillpm doctor

# Step 3: Re-inject
skillpm inject --agent claude
```

```bash
# Doctor detects and auto-fixes most issues
skillpm doctor
```

Doctor runs 7 checks in dependency order: config, state, installed-dirs, injections, adapter-state, agent-skills, and lockfile. It is idempotent -- safe to run repeatedly.
```bash
# Read the error message for the specific rule
skillpm install my-repo/suspicious-skill

# If you trust it, bypass medium/high findings
skillpm install my-repo/suspicious-skill --force
```

Critical findings (destructive commands, reverse shells, crypto mining) cannot be bypassed.
```bash
# Ensure you're inside a directory with .skillpm/skills.toml
ls .skillpm/skills.toml

# If not found, initialize the project
skillpm init
```

```bash
export CLAWHUB_TOKEN="your-token"
skillpm publish ./my-skill --version 1.0.0
```

```bash
# CLI help
skillpm --help
skillpm <command> --help

# JSON output for debugging
skillpm list --json
skillpm doctor --json
skillpm sync --dry-run --json
```

Group related skills into bundles for easy batch installation.
```bash
# Create a bundle in the project manifest
skillpm bundle create web-dev clawhub/react clawhub/typescript clawhub/eslint

# Create a security bundle
skillpm bundle create security community/secops/secret-scanner community/secops/api-fuzzer
```

```bash
# See all defined bundles
skillpm bundle list

# Install all skills in a bundle
skillpm bundle install web-dev

# Force-install if scan blocks
skillpm bundle install security --force
```

Bundles are stored in `.skillpm/skills.toml`. Commit and share:

```bash
git add .skillpm/skills.toml
git commit -m "add web-dev and security bundles"
```

Teammates run `skillpm bundle install web-dev` after pulling.
Build a skill from scratch and publish it to the ClawHub registry.
```bash
skillpm create my-linter --template default
cd my-linter
```

Open `SKILL.md` and customize the frontmatter and instructions:

```markdown
---
name: my-linter
version: 1.0.0
deps: [clawhub/eslint-config]
---
# My Linter
Instructions for the AI agent...
```

```bash
# Install from local directory
skillpm install ./my-linter

# Inject and verify
skillpm inject --agent claude
```

```bash
export CLAWHUB_TOKEN="your-token"
skillpm publish ./my-linter --version 1.0.0
```

Others can now install it:

```bash
skillpm install clawhub/my-linter
```

- CLI Reference -- full command documentation
- Security Scanning -- scan rules and enforcement details
- Project-Scoped Skills -- team manifest workflow
- Sync Contract v1 -- JSON output schema for automation
- Troubleshooting -- extended error reference