npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

octoflow-skill-runner

v1.0.0

Published

Framework-agnostic SKILL.md and agentskills.io runner for agent runtimes.

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Maintainers

bgauryybgauryy

Keywords

agent-skillsagentskills.ioai-agentsskill-mdskillsoctoflow

Readme

octoflow-skill-runner

agentskills.io compatible LLM agnostic

Framework-agnostic SKILL.md loader, validator, catalog renderer, and activation runner for agent runtimes.

octoflow-skill-runner implements the agentskills.io open standard for portable agent skills — without requiring octoflow-core. Use it directly in your own runtime, or let octoflow-core adapt it into Bridge actions and prompt context.

Install

npm install octoflow-skill-runner

Node.js >=20 is required.

Use It When

  • You are integrating SKILL.md bundles into a custom runtime that does not use octoflow-core.
  • You want to load, validate, and catalog skills from disk or parent directories.
  • You need the read_skill / activate_skill tool definitions as plain objects you can map into any tool API.
  • You are building a standalone CLI or script that reads and renders skill catalogs without a full agent runtime.

Most octoflow-core users do not need this package directly — skills are activated through createAgent({ skills: [...] }) in that runtime.

What Is Supported

  • SKILL.md bundle loading from direct directories or parent directories.
  • Full YAML frontmatter parsing for the core protocol fields: name, description, license, compatibility, metadata, and allowed-tools.
  • Supported extension fields: disable-model-invocation, user-invocable, and argument-hint.
  • Validation, progressive disclosure catalogs that expose each skill's name, description, folder path, and SKILL.md location.
  • read_skill / activate_skill tool definitions, resource manifests, and safe resource reads.

Standalone Usage

import { createSkillRunner, loadSkillPaths } from 'octoflow-skill-runner';

const skills = await loadSkillPaths(['./skills', './vendor/skills']);
const runner = createSkillRunner({ skills });

const catalog = runner.buildCatalog();
const tools = runner.createTools();

console.log(catalog?.content);
const overview = await tools[0]!.execute({ name: 'code-review' });

Runnable Example

octoflow-skill-runner does not ship its own CLI binary; the CLI smoke path lives in the examples workspace and imports the package API directly:

yarn workspace octoflow-examples run skill-runner-standalone

That example creates a temporary skill bundle, loads it from a parent directory, renders the catalog, executes the framework-agnostic read_skill tool, and reads an adjacent resource with readSkill().

Runtime Adapter Shape

createSkillRunner() returns plain tool definitions. Any runtime can map them into its own tool API:

const runtimeTools = runner.createTools().map((tool) => ({
  name: tool.name,
  description: tool.description,
  inputSchema: tool.parameters,
  call: tool.execute,
}));

The agent prompt should include runner.buildCatalog()?.content. That catalog lists each skill by name, description, folder path, and SKILL.md location, then instructs the agent to choose a matching skill and call read_skill before acting.

Security Model

Resource reads are resolved inside the selected skill directory. ../ traversal and absolute-path escapes are rejected before the file is read.

Learn More

agentskills.io Compatibility

This package implements the agentskills.io specification and is LLM-agnostic — the same SKILL.md bundle works on any backend. Live-tested on Anthropic API, OpenAI API, and Ollama.

| Spec rule | Status | |---|---| | name — required, max 64 chars, [a-z0-9-], matches parent dir | ✅ enforced (error) | | description — required, max 1024 chars | ✅ enforced (error) | | license — optional string | ✅ loaded | | compatibility — max 500 chars if provided | ✅ reported (warning) | | metadata — key/value mapping | ✅ loaded (non-string values warned) | | allowed-tools — space-separated string | ✅ loaded (YAML arrays also accepted) | | Progressive disclosure — catalog = name + description only | ✅ | | Activation — full SKILL.md body loaded on demand | ✅ | | Resources — loaded individually via readSkill({ resource }) | ✅ | | Path traversal protection | ✅ PathTraversalError | | Prototype-pollution-safe YAML parsing | ✅ blocks __proto__, constructor |

Note on compatibility severity: the agentskills.io spec table marks > 500 chars as a hard constraint. This package currently reports it as a warning (not error) so skills are still loadable. Use strict: true in loadSkillBundle options if you want to reject such skills.

Validate

npm run -w octoflow-skill-runner lint
npm run -w octoflow-skill-runner typecheck
npm run -w octoflow-skill-runner test

Status

Preview. Pin versions and read ../../CHANGELOG.md before depending on it in production.