vskill

v1.0.15

Secure multi-platform AI skill installer — scan before you install

Readme

npx vskill@latest studio        # open the local IDE for AI skills
npx vskill@latest install remotion-best-practices

Why vskill

36.82% of AI skills have security flaws (Snyk ToxicSkills). And the ones that aren't malicious often don't even improve the model — they just feel like they should.

vskill is built around three problems:

  • Trust — every install runs a 3-tier scan (52 patterns → blocklist → LLM intent). No --skip-scan.
  • Proof — Skill Studio runs A/B evals so you can show a skill makes a model better, not assume it.
  • Reach — one skill, 53 agents (Claude Code, Cursor, Copilot, Codex, Windsurf, Zed, Gemini CLI, Ollama, …).

Skill Studio — the local IDE for skills

npx vskill@latest studio

A localhost workbench opens at a deterministic per-project port. You can:

  • Author new skills with an AI-assisted generator (Anthropic skill-creator engine or vskill native — first-class peers, you pick).
  • Edit SKILL.md live with a Linear/Raycast-grade UI.
  • Run benchmarks with SSE-streamed pass/fail across Claude, GPT, Llama, Gemini, local Ollama / LM Studio.
  • A/B compare with vs. without your skill — blind LLM judge ranks outputs as EFFECTIVE / MARGINAL / INEFFECTIVE / DEGRADING.
  • Cross-model sweep the same skill across providers (Anthropic Batch API supported — 50% cheaper).
  • Find skills from the verified-skill.com registry with a ⌘⇧K palette, install with consent + provenance.
  • Publish with one click — git push from the UI, then opens the submit form on verified-skill.com pre-filled.

CORS-free by design: the browser only ever talks to localhost. The server proxies to verified-skill.com and to provider APIs. Every mutation is logged to ~/.vskill/studio-ops.jsonl for audit.

How install works

  ┌──────────┐     ┌──────────┐     ┌──────────┐     ┌──────────┐
  │  Source  │────>│   Scan   │────>│  Verify  │────>│ Install  │
  │          │     │          │     │          │     │          │
  │ GitHub   │     │ 52 rules │     │ LLM      │     │ Pin SHA  │
  │ Registry │     │ Blocklist│     │ intent   │     │ Lock ver │
  │ Local    │     │ Patterns │     │ analysis │     │ Symlink  │
  └──────────┘     └──────────┘     └──────────┘     └──────────┘

Every install runs the full pipeline. SARIF v2.1.0 output is available for CI (vskill audit --ci).
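A CI job can consume that SARIF output with a small gate. The following is an added example, not vskill code: it relies only on the SARIF v2.1.0 standard fields, and the tool name, rule ids and paths in the sample log are constructed placeholders.

```javascript
// Added example (not vskill source): fail a CI job on findings in a SARIF v2.1.0 log.
const RANK = { none: 0, note: 1, warning: 2, error: 3 };
// An unrecognised level is treated as "error" so the gate fails closed.
const rank = (level) => (typeof RANK[level] === "number" ? RANK[level] : RANK.error);

// Flatten all runs into { ruleId, level, message, uri, line } records.
function sarifFindings(log) {
  if (!log || log.version !== "2.1.0") throw new Error("not a SARIF 2.1.0 log");
  const out = [];
  for (const run of log.runs || []) {
    const rules = (run.tool && run.tool.driver && run.tool.driver.rules) || [];
    const ruleLevel = new Map(
      rules.map((r) => [r.id, r.defaultConfiguration && r.defaultConfiguration.level]));
    for (const res of run.results || []) {
      const phys = ((res.locations || [])[0] || {}).physicalLocation || {};
      // SARIF level resolution: a kind other than "fail" means "none"; otherwise the
      // result's own level, then the rule's default level, then "warning".
      const level = res.kind && res.kind !== "fail" ? "none"
        : res.level || ruleLevel.get(res.ruleId) || "warning";
      out.push({
        ruleId: res.ruleId || "(none)", level,
        message: (res.message && res.message.text) || "",
        uri: (phys.artifactLocation && phys.artifactLocation.uri) || "(unknown)",
        line: (phys.region && phys.region.startLine) || 0,
      });
    }
  }
  return out;
}

// ok is false when any finding is at or above failAt.
function gate(log, failAt = "warning") {
  const findings = sarifFindings(log);
  const blocking = findings.filter((f) => rank(f.level) >= rank(failAt));
  return { ok: blocking.length === 0, blocking, total: findings.length };
}

// Constructed sample log; tool name, rule ids and paths are placeholders.
const CONSTRUCTED_SARIF = {
  version: "2.1.0",
  runs: [{
    tool: { driver: { name: "example-scanner", rules: [
      { id: "EXAMPLE-002", defaultConfiguration: { level: "error" } }] } },
    results: [
      { ruleId: "EXAMPLE-001", level: "note", message: { text: "constructed note" },
        locations: [{ physicalLocation: { artifactLocation: { uri: "skills/demo/SKILL.md" },
                                          region: { startLine: 12 } } }] },
      { ruleId: "EXAMPLE-002", message: { text: "constructed finding without a level" } },
    ],
  }],
};
```

The second sample result carries no `level` of its own, so it inherits `error` from its rule; a gate that reads only `result.level` would let it through.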

Quick Start

# Install one skill
npx vskill@latest install remotion-dev/skills/remotion-best-practices

# Browse a repo, pick interactively
npx vskill@latest install remotion-dev/skills

# Install a Claude Code plugin (full domain bundle)
npx vskill@latest install --repo anton-abyzov/vskill --plugin frontend

Install globally for repeat use: npm i -g vskill

Behind a private npm registry? See Getting Started for the E401 workaround.

What ships today

| Surface | Count | Notes |
|---|---|---|
| Agent platforms | 53 | Claude Code, Cursor, Copilot, Windsurf, Codex, Gemini CLI, Zed, Ollama, LM Studio, … |
| Plugins | 8 | Multi-skill bundles for Claude Code |
| Skills | 14 | Individual SKILL.md files inside plugins |
| Top-level CLI commands | 22 | install, studio, eval, find, scan, audit, submit, skill, keys, … |
| Tests | 307 test files | More tests than source files |

Plugins (Claude Code)

| Plugin | Skills |
|---|---|
| frontend | figma-connect, frontend-design, task-skill-announcer |
| personal | obsidian-brain, greet-anton, tax-filing |
| marketing | slack-messaging, social-media-posting |
| skills | skill-builder, scout |
| mobile | appstore |
| google-workspace | gws |
| easychamp | tournament-manager |
| productivity | survey-passing |

Install all eight: npx vskill@latest install --repo anton-abyzov/vskill --all

Browse the full catalog → verified-skill.com/docs/plugins

Commands you'll actually use

npx vskill@latest studio               # open local IDE
npx vskill@latest install <skill>      # install with full security scan
npx vskill@latest find <query>         # search verified-skill.com registry
npx vskill@latest list --installed     # what's installed where
npx vskill@latest diff <skill> v1 v2   # compare versions before upgrading
npx vskill@latest skill new            # create a new skill (AI-assisted)
npx vskill@latest eval sweep <skill>   # benchmark across models
npx vskill@latest audit --ci           # SARIF v2.1.0 for CI
npx vskill@latest keys set anthropic   # store API keys in ~/.vskill/keys.env
npx vskill@latest auth login           # sign in to GitHub for private skills

Full reference → verified-skill.com/docs/cli-reference

Authentication (GitHub, for private skills)

vskill auth signs you in to GitHub using the official Device Flow so the CLI can install skills from private repos and the local Studio can list your org's private catalog.

npx vskill@latest auth login    # interactive Device Flow — copy code, visit URL
npx vskill@latest auth status   # show the current GitHub identity
npx vskill@latest auth logout   # forget the GitHub token

How it works:

  1. vskill auth login requests a device + user code from github.com/login/device/code.
  2. You visit https://github.com/login/device and enter the 8-character code (rendered as XXXX-XXXX).
  3. The CLI polls github.com/login/oauth/access_token until you authorize, then validates against api.github.com/user.
  4. The resulting token is stored in your OS keychain (macOS Keychain / Windows DPAPI / libsecret). On systems without a keyring daemon, the token falls back to ~/.vskill/keys.env with mode 0600 and a startup warning.
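Steps 3 and 4 are where a Device Flow client usually goes wrong, so here they are as an added example; this is not vskill's source. The function names are hypothetical, the error codes are the ones GitHub documents for the Device Flow, and the replies and token value are constructed.

```javascript
const fs = require("node:fs");

// Build the poll state from the device-code reply (device_code, expires_in, interval).
function startPolling(reply, nowMs) {
  return { deviceCode: reply.device_code, intervalSec: reply.interval || 5,
           expiresAtMs: nowMs + reply.expires_in * 1000, done: false, token: null, error: null };
}

// Fold one token-endpoint reply into the state. Pure, so it can be exercised offline.
function onPollReply(state, reply, nowMs) {
  if (nowMs >= state.expiresAtMs) return { ...state, done: true, error: "expired_token" };
  if (typeof reply.access_token === "string" && reply.access_token !== "")
    return { ...state, done: true, token: reply.access_token };
  switch (reply.error) {
    case "authorization_pending": // code not entered yet: poll again at the same interval
      return state;
    case "slow_down": // polled too fast: use the new interval, or add 5 seconds
      return { ...state, intervalSec: reply.interval || state.intervalSec + 5 };
    default: // access_denied, expired_token, or anything unrecognised: stop
      return { ...state, done: true, error: reply.error || "malformed_reply" };
  }
}

// Replay a list of replies, waiting the current interval before each poll.
function replay(deviceReply, replies) {
  let state = startPolling(deviceReply, 0), now = 0;
  for (const r of replies) {
    if (state.done) break;
    now += state.intervalSec * 1000;
    state = onPollReply(state, r, now);
  }
  return state;
}

// Write a secret owner-only. The mode passed to open applies only on creation,
// so fchmod tightens a pre-existing file before the secret is written to it.
function writePrivateFile(path, contents) {
  const fd = fs.openSync(path, "w", 0o600);
  try { fs.fchmodSync(fd, 0o600); fs.writeSync(fd, contents); }
  finally { fs.closeSync(fd); }
  return fs.statSync(path).mode & 0o777;
}

// True when group and others have no access bits on the file.
const isOwnerOnly = (path) => (fs.statSync(path).mode & 0o077) === 0;

// Constructed exchange: pending, back-off, then success (token value is a placeholder).
const CONSTRUCTED_REPLIES = [{ error: "authorization_pending" }, { error: "slow_down" },
                             { access_token: "constructed-token" }];
```

`isOwnerOnly` is also usable on its own as an audit check against an existing `~/.vskill/keys.env` on hosts where the keychain fallback is in effect.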

Where the token is used:

  • vskill install <github-url> — added as Authorization: Bearer … on every fetch to api.github.com and raw.githubusercontent.com. Public skills still install anonymously.
  • vskill studio — the local eval-server proxies private routes (/api/v1/private/*, /api/v1/tenants/*) to verified-skill.com with the bearer header injected at the proxy boundary. Your browser never holds the token.
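Both bullets come down to one decision: does this request get the bearer header or not. The sketch below is an added example, not vskill's implementation; the function names are hypothetical, the hosts and route prefixes are the ones listed above, and the sample URLs are constructed.

```javascript
// Added example (not vskill source): decide per request whether the GitHub token goes out.
const TOKEN_HOSTS = new Set(["api.github.com", "raw.githubusercontent.com"]);
const PRIVATE_PREFIXES = ["/api/v1/private/", "/api/v1/tenants/"];

// CLI side: attach the bearer header only to https requests for an exact listed host.
// The URL parser lower-cases the host and drops a default :443, so compare its output,
// never a substring of the raw string.
function githubHeaders(rawUrl, token) {
  let u;
  try { u = new URL(rawUrl); } catch { return {}; }
  const ok = u.protocol === "https:" && u.port === "" &&
             u.username === "" && u.password === "" && TOKEN_HOSTS.has(u.hostname);
  return ok && token ? { Authorization: `Bearer ${token}` } : {};
}

// Re-evaluate on every hop so a redirect to another host never inherits the header.
function headersPerHop(hops, token) {
  return hops.map((h) => ({ url: h, sendsToken: "Authorization" in githubHeaders(h, token) }));
}

// Studio side: inject the header only for private routes, judged after dot segments
// (including %2e%2e) are resolved. Paths that could be read as a host are refused.
function proxyInjectsToken(requestPath) {
  if (!/^\/[^/\\]/.test(requestPath)) return false;
  const path = new URL(requestPath, "http://localhost").pathname;
  return PRIVATE_PREFIXES.some((p) => path.startsWith(p));
}

// Constructed sample: a raw-content fetch that redirects to a host outside the list.
const CONSTRUCTED_HOPS = [
  "https://raw.githubusercontent.com/example-org/example-repo/main/SKILL.md",
  "https://cdn.example.test/blob/constructed",
];
```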

Configuration:

  • VSKILL_GITHUB_CLIENT_ID — the OAuth/App client_id used during Device Flow. Defaults are baked in for the public Skill Studio App; set this only if you are running a self-hosted variant.

Inspect status of all credentials in one place:

npx vskill@latest keys list      # shows AI provider keys + the github slot

Private skill workflow

Once authenticated, installing a private org skill is identical to a public one — the CLI silently attaches the keychain token to every api.github.com and raw.githubusercontent.com request:

npx vskill@latest auth login                                # one-time setup
npx vskill@latest add https://github.com/<org>/<repo>       # private skill installs same as public

The local skill bundle on disk never contains your GitHub token — the token is used only at fetch time. Your project's vskill.lock records source: "private" and the org name so future updates re-authenticate correctly.

Customer-facing setup walkthrough → .specweave/docs/external/private-repos-quickstart.md (in the umbrella repo).

Security & Compliance

Skill Studio private-repo support (increment 0826) ships with a documented threat model, verification checklist, SOC 2 evidence map, and operational runbooks — all in the umbrella repo under .specweave/docs/:

  • Customer quickstart → .specweave/docs/external/private-repos-quickstart.md
  • Vendor security questionnaire → .specweave/docs/external/security-questionnaire-template.md
  • Threat model & verification checklist → .specweave/docs/internal/security/0826-*.md
  • SOC 2 evidence map → .specweave/docs/internal/compliance/0826-soc2-evidence-map.md
  • Operations + rotation runbooks → .specweave/docs/internal/runbooks/0826-*.md

Recent highlights (0.5.x)

  • 0.5.129 — Studio Publish: one-click git push + open verified-skill.com submit pre-filled
  • 0.5.12x — Studio Find palette (⌘⇧K): search the registry from inside Studio
  • 0.5.11x — Engine selector in Create flow: choose Anthropic skill-creator or vskill native
  • 0.5.10x — Multi-project tabs, deterministic per-project port (3077–3177), bookmarkable URLs
  • 0.5.0x — A/B comparison with blind LLM judge, cross-model sweep, MCP-skill simulation mode

Full changelog → github.com/anton-abyzov/vskill/releases

Learn more

| Topic | Where |
|---|---|
| Quick start & first install | verified-skill.com/docs/getting-started |
| Full CLI reference | verified-skill.com/docs/cli-reference |
| Security model & 3-tier verification | verified-skill.com/docs/security-guidelines |
| Plugin marketplace | verified-skill.com/docs/plugins |
| Submit a skill for verification | verified-skill.com/docs/submitting |
| FAQ | verified-skill.com/docs/faq |
| Browse the registry | verified-skill.com |

Contributing

Issues and PRs welcome at github.com/anton-abyzov/vskill. To submit a skill to the registry, see verified-skill.com/docs/submitting.

License

MIT