Package Exports
- vskill
- vskill/dist/index.js
This package does not declare an exports field, so the exports above have been automatically detected and optimized by JSPM instead. If any package subpath is missing, it is recommended to post an issue to the original package (vskill) to support the "exports" field. If that is not possible, create a JSPM override to customize the exports field for this package.
Readme
vskill
The package manager for AI skills.
Scan. Verify. Install. Across 49 agent platforms.
npx vskill install remotion-best-practicesThe Problem
36.82% of AI skills have security flaws (Snyk ToxicSkills).
When you install a skill today, you're trusting blindly:
- No scanning — malicious prompts execute with full system access
- No versioning — silent updates can inject anything, anytime
- No deduplication — the same skill lives in 3 repos, all diverging
- No blocklist — known-bad skills install just fine
vskill fixes all of this.
How It Works
┌──────────┐ ┌──────────┐ ┌──────────┐ ┌──────────┐
│ Source │────>│ Scan │────>│ Verify │────>│ Install │
│ │ │ │ │ │ │ │
│ GitHub │ │ 38 rules │ │ LLM │ │ Pin SHA │
│ Registry │ │ Blocklist│ │ analysis │ │ Lock ver │
│ Local │ │ Patterns │ │ Intent │ │ Symlink │
└──────────┘ └──────────┘ └──────────┘ └──────────┘Every install goes through the security pipeline. No exceptions. No --skip-scan.
Quick Start
# Install from any GitHub repo
npx vskill install remotion-dev/skills/remotion-best-practices
# Install by name (registry lookup)
npx vskill install remotion-best-practices
# Browse a repo and pick interactively
npx vskill install remotion-dev/skills
# Install a plugin (Claude Code)
npx vskill install --repo anton-abyzov/vskill --plugin frontendOr install globally: npm install -g vskill
Three-Tier Verification
| Tier | How | Trust Level |
|---|---|---|
| Scanned | 38 deterministic pattern checks against known attack vectors | Baseline |
| Verified | Pattern scan + LLM-based intent analysis for subtle threats | Recommended |
| Certified | Full manual security review by the vskill team | Highest |
Every install is at minimum Scanned. The vskill.lock file tracks the SHA-256 hash, scan date, and tier for every installed skill. Running vskill update diffs against the locked version and re-scans before applying.
49 Agent Platforms
vskill auto-detects your installed agents and installs skills to all of them at once.
CLI & Terminal — Claude Code, Cursor, GitHub Copilot, Windsurf, Codex, Gemini CLI, Amp, Cline, Roo Code, Goose, Aider, Kilo, Devin, OpenHands, Qwen Code, Trae, and more
IDE Extensions — VS Code, JetBrains, Zed, Neovim, Emacs, Sublime Text, Xcode
Cloud & Hosted — Replit, Bolt, v0, GPT Pilot, Plandex, Sweep
Plugin Marketplace
vskill ships 41 expert skills organized into 12 domain plugins. Each plugin has its own namespace — install only what you need.
npx vskill install --repo anton-abyzov/vskill --plugin frontend
npx vskill install --repo anton-abyzov/vskill --plugin infraThen invoke as /plugin:skill in your agent:
/frontend:nextjs /infra:aws /mobile:flutter
/ml:rag /testing:mutation /security:patternsAvailable Plugins
|
frontend — React 19, Next.js, Figma, i18n, design systems
backend — Java Spring Boot, Rust
infra — AWS, Azure, GCP, CI/CD, secrets, observability
mobile — React Native, Flutter, SwiftUI, Jetpack, app store
ml — RAG, LangChain, Hugging Face, fine-tuning, edge ML
testing — Performance, accessibility, mutation testing
|
kafka — Kafka Streams, n8n workflows
confluent — Kafka Connect, ksqlDB, Schema Registry
payments — Billing, subscriptions, PCI compliance
security — Vulnerability pattern detection
blockchain — Solidity, Foundry, smart contracts
skills — Skill discovery and recommendations
|
Commands
vskill install <source> Install skill after security scan
vskill find <query> Search the verified-skill.com registry
vskill scan <path> Run security scan without installing
vskill list Show installed skills with status
vskill remove <skill> Remove an installed skill
vskill update [skill] Update with diff scanning (--all for everything)
vskill audit [path] Full project security audit with LLM analysis
vskill info <skill> Show detailed skill information
vskill submit <source> Submit a skill for verification
vskill blocklist Manage blocked malicious skills
vskill init Initialize vskill in a projectInstall flags
| Flag | Description |
|---|---|
--yes -y |
Accept defaults, no prompts |
--global -g |
Install to global scope |
--copy |
Copy files instead of symlinking |
--skill <name> |
Pick a specific skill from a multi-skill repo |
--plugin <name> |
Pick a plugin from a marketplace repo |
--plugin-dir <path> |
Local directory as plugin source |
--repo <owner/repo> |
Remote GitHub repo as plugin source |
--agent <id> |
Target a specific agent (e.g., cursor) |
--force |
Install even if blocklisted |
--cwd <path> |
Override project root |
--all |
Install all skills from a repo |
Security Audit
Scan entire projects for security issues — not just skills:
vskill audit # scan current directory
vskill audit --ci --report sarif # CI-friendly SARIF output
vskill audit --severity high,critical # filter by severitySkills vs Plugins
Skills are single SKILL.md files that work with any of the 49 supported agents. They follow the Agent Skills Standard — drop a SKILL.md into the agent's commands directory.
Plugins are multi-component containers for Claude Code. They bundle skills, hooks, commands, and agents under a single namespace with enable/disable support and marketplace integration.
Why Deduplication Matters
Even Anthropic ships the same skill in two places:
anthropics/skills/frontend-design(standalone)anthropics/claude-code/.../frontend-design(plugin)
Install both? Duplicates. They diverge? Inconsistencies. vskill gives you one install path with version pinning and dedup, regardless of source.
Skill Evals
Every skill can include evaluations — standardized test cases that verify the skill actually improves LLM output. Skills with evals get quality scores on verified-skill.com and regression tracking across versions.
Directory structure
your-skill/
├── SKILL.md # The skill definition
└── evals/
└── evals.json # Test cases + assertionsevals.json format
{
"skill_name": "your-skill",
"evals": [
{
"id": 1,
"name": "Descriptive test name",
"prompt": "Realistic user prompt that tests the skill",
"expected_output": "Reference output (not graded, for human context)",
"files": [],
"assertions": [
{ "id": "a1", "text": "Output includes specific technique X", "type": "boolean" },
{ "id": "a2", "text": "Code example compiles without errors", "type": "boolean" }
]
}
]
}Writing good evals
- Prompts should be realistic user requests, not synthetic test inputs
- Assertions must be objectively verifiable — avoid subjective criteria like "well-written"
- Each eval case should test a distinct capability of the skill
- 3-5 eval cases with 2-4 assertions each is a good starting point
CLI commands
npx vskill eval init <skill-dir> # Scaffold evals.json from SKILL.md via LLM
npx vskill eval run <skill-dir> # Run evals and grade assertions
npx vskill eval coverage # Show eval status for all skills
npx vskill eval generate-all # Batch-generate for all skillsPlatform integration
Skills with evals/evals.json get:
- Quality evaluation results displayed at
/skills/[name]/evals - Admin editing at
/admin/evals(admin-only) - Regression tracking across eval runs
Registry
Browse and search verified skills at verified-skill.com.
vskill find "react native" # search from CLI
vskill info remotion-best-practices # skill detailsContributing
Submit your skill for verification:
vskill submit your-org/your-repo/your-skill