npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

pi-autoskills

v0.2.0

Published

Audited autoskills-style installer for pi. Detect stack, discover vetted skills, audit upstream bundles, cache locally, install safely.

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

denismrvoljakdenismrvoljak

Keywords

pi-packagepiskillsautoskillssecuritycli

Readme

pi-autoskills

Audited autoskills-style skill installer for pi.

pi-autoskills detects stack from project files, matches skills from Claude/Codex/pi registries, prefers bundled audited local copies, and when needed fetches upstream bundles, audits + rewrites them into local cache, then installs only audited copies into .pi/skills/.

Why

  • detect stack fast
  • install useful pi skills with near-zero setup
  • never install live upstream skill content without local audit + rewrite first
  • keep bundled and cached registries hash-pinned and reproducible
  • support both CLI usage and /autoskills inside pi

Features

  • pi-autoskills CLI
  • /autoskills pi command
  • bundled audited registry under registry/
  • dynamic cache registry under .pi/autoskills-registry/
  • dynamic fetch + audit fallback for missing upstream skills
  • autoskills catalog adapter with GitHub-tree fallback discovery
  • policy file for allow/deny repos and discovery thresholds
  • per-skill audit artifacts under .pi/autoskills-registry/.audit/
  • manifest verification with file sha256 + bundle hash
  • strict install of manifest-listed files only
  • static security scan for prompt-injection and risky shell patterns
  • pi reviewer mode for model-based audits
  • install target: .pi/skills/
  • lockfile: .pi/autoskills-lock.json

Requirements

  • Node.js >= 22
  • pnpm >= 10 for development
  • pi installed for /autoskills command and pi-based review mode

Install

Use CLI from source

pnpm install
node --experimental-strip-types ./bin/pi-autoskills.ts --dry-run

Install into pi from local checkout

pi install /absolute/path/to/pi-autoskills

Project-local install:

pi install -l /absolute/path/to/pi-autoskills

Then inside pi:

/autoskills

After npm publish

Global CLI:

npm install -g pi-autoskills
pi-autoskills --dry-run

Or one-shot:

npx pi-autoskills --dry-run

Install package into pi from npm:

pi install pi-autoskills

Project-local package install into pi:

pi install -l pi-autoskills

Quick start

1. Preview matches in project

pi-autoskills --project /path/to/project --dry-run

2. Install skills

pi-autoskills --project /path/to/project

3. Use inside pi

/autoskills detect
/autoskills
/autoskills install

CLI usage

pi-autoskills --dry-run
pi-autoskills --project /path/to/project
pi-autoskills --registry-dir /path/to/registry
pi-autoskills --cache-registry-dir /path/to/cache-registry
pi-autoskills --reviewer auto|static|pi|none

Reviewer modes

  • static — static checks only. Default for plain CLI.
  • pi — static checks + model audit through pi harness.
  • auto — try pi review, fall back to static.
  • none — skip model review and keep static checks only.

Examples:

pi-autoskills --reviewer static
pi-autoskills --reviewer pi
pi-autoskills --reviewer auto

What gets written

Bundled registry lives in registry/.

Dynamic cache registry lives in .pi/autoskills-registry/ inside target project by default.

Policy file lives at .pi/autoskills-policy.json inside target project by default.

Installed skills go to:

.pi/skills/

Lockfile:

.pi/autoskills-lock.json

Audit artifacts:

.pi/autoskills-registry/.audit/

Install flow

  1. detect stack
  2. match mapped skills
  3. discover extra candidates from autoskills catalog adapter, with GitHub-tree fallback
  4. apply policy filters and ranking
  5. check bundled registry + local cache registry
  6. if skill missing locally, fetch upstream bundle by pinned source repo/path
  7. normalize markdown bundle for pi
  8. run static review and optional pi-based model review
  9. write audited result into local cache registry with hashes + provenance
  10. write audit artifact JSON
  11. reject blocked skills
  12. copy verified bundle into .pi/skills/<skill-id>/
  13. write .pi/autoskills-lock.json

Policy config

Default path:

.pi/autoskills-policy.json

Example:

{
  "allowRepos": ["clerk/*", "vercel-labs/*", "supabase/*"],
  "denyRepos": ["random/*"],
  "minDiscoveryScore": 9,
  "maxDiscoveredSkills": 6
}

Environment override:

export PI_AUTOSKILLS_POLICY=/absolute/path/to/policy.json

Catalog config

Default catalog path in this project points at local autoskills registry clone.

Override with:

export PI_AUTOSKILLS_CATALOG_INDEX=/absolute/path/to/index.json

If catalog missing, discovery falls back to GitHub repo tree scans.

Development

pnpm install
pnpm check
node --experimental-strip-types ./src/commands/validate-registry.ts

Maintainer workflow

Refresh local mirrored bundles

pnpm sync
pnpm validate-registry

Sync upstream bundles into bundled registry

pnpm sync:upstream
pnpm validate-registry

Useful flags:

node --experimental-strip-types ./src/commands/sync.ts --only react-best-practices --no-review
node --experimental-strip-types ./src/commands/sync.ts --only vue --verbose --keep-temp

Release checklist

Before npm publish

pnpm check
node --experimental-strip-types ./src/commands/validate-registry.ts

Then:

  • bump package.json version
  • review README.md
  • verify files list in package.json
  • publish package
  • test:
    • npx pi-autoskills --dry-run
    • pi install pi-autoskills
    • /autoskills detect

Layout

pi-autoskills/
├── bin/
│   └── pi-autoskills.ts
├── extensions/
│   └── autoskills.ts
├── registry/
│   ├── index.json
│   ├── next-playwright-testing/
│   └── react-tailwind-ui-patterns/
├── src/
│   ├── commands/
│   ├── detect.ts
│   ├── discovery.ts
│   ├── install.ts
│   ├── maps.ts
│   ├── match.ts
│   ├── policy.ts
│   ├── registry.ts
│   ├── security.ts
│   ├── sync.ts
│   └── types.ts
└── test/

Next steps

Still worth improving:

  • stronger source-specific adapters for Claude and Codex registry quirks
  • richer normalization for linked references and multi-file source bundles
  • native pi SDK reviewer instead of subprocess reviewer
  • explicit update command for refreshing installed skills
  • optional shared .agents/skills/ mode

License

MIT