npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@thirdchimp/skills-manager

v1.0.3

Published

Dynamic skill discovery, install, evaluate and cleanup from skills.sh for AI agent orchestrators

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

thirdchimpthirdchimp

Keywords

skillsskills.shclaudeaiorchestrationagents

Readme

skills-manager

Dynamic skill discovery, install, evaluate and cleanup from skills.sh for AI agent orchestrators.

Designed to be used inside orchestration workflows (e.g. Claude Code /orchestrate) to automatically find and install relevant skills per task, collect feedback via Skills Reports, and remove unused skills after the run.

Install

# Add to your project
bun add -d @thirdchimp/skills-manager

# Or run without installing
npx @thirdchimp/skills-manager --help

Commands

skills-manager <command> [args]

Commands:
  search <query>                    Search skills (local registry → skills.sh)
  install <owner/repo> <name>       Install a skill with security scanning
  evaluate <response-file> <id>     Parse Skills Report from subagent response
  cleanup                           Remove unused skills
  list                              Show local registry
  help, --help, -h                  Show this help

search

Searches the local registry first. Falls back to skills.sh if no useful results are cached.

skills-manager search vitest
skills-manager search security

Output includes a ---JSON--- separator followed by machine-readable JSON — useful for orchestrators that need to parse results.

install

Installs a skill from a GitHub repo with a three-tier security check:

  1. Trusted owners (anthropics, vercel-labs, github, firebase, trailofbits) — installed without scanning
  2. Content scan — checks SKILL.md for prompt injection, dangerous shell commands, secret access patterns
  3. Quarantine — removes the skill and reports if flags are found
skills-manager install bobmatnyc/claude-mpm-skills vitest

Returns JSON: { installed, skillName, reason }.

evaluate

Parses a ### Skills Report section from a subagent response file and updates the local registry.

skills-manager evaluate /tmp/worker-response.txt orch-2026-03-28

Expected format in subagent response:

### Skills Report
- used: vitest, supabase-nextjs
- ignored: owasp-security (not relevant for this UI task)

cleanup

Removes skills marked as useful: false or never evaluated (useful: null). Project skills in .claude/skills/ are never removed.

skills-manager cleanup

list

Shows all skills in the local registry with their status.

skills-manager list
# ✅ vitest (bobmatnyc/claude-mpm-skills) — last used: 2026-03-28
# ❌ owasp-security (hoodini/ai-agents-skills) — last used: never
# ❓ unknown-skill (x/y) — last used: never

Registry

Skills usage history is stored in .claude/skills-registry.json in your project root:

{
  "skills": {
    "vitest": {
      "repo": "bobmatnyc/claude-mpm-skills",
      "skill": "vitest",
      "usedIn": ["orch-001", "orch-002"],
      "useful": true,
      "lastUsed": "2026-03-28",
      "installedAt": "2026-03-25",
      "trusted": false
    }
  },
  "lastSearched": null
}

Orchestrator Integration

Phase 1.5 — Skills Discovery (after planning, before task loop)

const keywords = ["testing", "security", "database"]
let installed = 0

for (const keyword of keywords) {
  if (installed >= 2) break  // max 2 external skills per orchestration

  const output = execSync(`skills-manager search "${keyword}"`).toString()
  const json = JSON.parse(output.split("---JSON---")[1])

  // Already have a useful skill in registry — skip
  if (json.fromRegistry.some(s => s.useful === true)) continue

  // Top result from skills.sh — install it
  if (json.fromWeb.length > 0) {
    const top = json.fromWeb[0]
    execSync(`skills-manager install "${top.repo}" "${top.skill}"`)
    installed++
  }
}

Step 1 — Tell the subagent which skills to use

Add to worker/reviewer prompt:

Available skills for this task:
- [project] supabase-nextjs — Skill("supabase-nextjs")
- [external] vitest — Skill("vitest")

Use relevant skills before implementing.

At the end of your response, add:
### Skills Report
- used: [list of skills you used]
- ignored: [list of skills you skipped, with reason]

Step 1.5 — Evaluate Skills Report after subagent response

const tmpFile = `${workspaceDir}/tmp-response.txt`
writeFileSync(tmpFile, workerResponse)
execSync(`skills-manager evaluate "${tmpFile}" "${orchestrationId}"`)
unlinkSync(tmpFile)

Phase 4.5 — Cleanup after all tasks complete

execSync("skills-manager cleanup")

Security

Scanned patterns include:

| Category | Examples | |----------|----------| | Prompt injection | ignore previous instructions, you are now, do not follow | | Dangerous shell | curl ... \| sh, wget ... \| bash, rm -rf / | | Secret access | process.env.*SECRET, process.env.*TOKEN, process.env.*KEY | | Exfiltration | send it to the API, reads .env.local |

License

MIT