vskill
v0.2.21
Secure multi-platform AI skill installer — scan before you install
npx vskill install remotion-best-practices
The Problem
36.82% of AI skills have security flaws (Snyk ToxicSkills).
When you install a skill today, you're trusting blindly:
- No scanning — malicious prompts execute with full system access
- No versioning — silent updates can inject anything, anytime
- No deduplication — the same skill lives in 3 repos, all diverging
- No blocklist — known-bad skills install just fine
vskill fixes all of this.
How It Works
┌──────────┐     ┌──────────┐     ┌──────────┐     ┌──────────┐
│  Source  │────>│   Scan   │────>│  Verify  │────>│ Install  │
│          │     │          │     │          │     │          │
│ GitHub   │     │ 38 rules │     │ LLM      │     │ Pin SHA  │
│ Registry │     │ Blocklist│     │ analysis │     │ Lock ver │
│ Local    │     │ Patterns │     │ Intent   │     │ Symlink  │
└──────────┘     └──────────┘     └──────────┘     └──────────┘
Every install goes through the security pipeline. No exceptions. No --skip-scan.
Quick Start
# Install from any GitHub repo
npx vskill install remotion-dev/skills/remotion-best-practices
# Install by name (registry lookup)
npx vskill install remotion-best-practices
# Browse a repo and pick interactively
npx vskill install remotion-dev/skills
# Install a plugin (Claude Code)
npx vskill install --repo anton-abyzov/vskill --plugin frontend
Or install globally: npm install -g vskill
Three-Tier Verification
| Tier | How | Trust Level |
|:-----|:----|:------------|
| Scanned | 38 deterministic pattern checks against known attack vectors | Baseline |
| Verified | Pattern scan + LLM-based intent analysis for subtle threats | Recommended |
| Certified | Full manual security review by the vskill team | Highest |
Every install is at minimum Scanned. The vskill.lock file tracks the SHA-256 hash, scan date, and tier for every installed skill. Running vskill update diffs against the locked version and re-scans before applying.
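The pin-and-compare check that a lockfile of this kind enables, as an added example (not vskill's own code). The lock layout, the `pin` and `checkDrift` helpers, and the sample skill contents are assumptions made for illustration, since this page does not show the vskill.lock schema.

```javascript
// Added example: the lock layout below is hypothetical, not the real
// vskill.lock schema. It records the three fields the README names.
const { createHash } = require("node:crypto");

// SHA-256 of the exact bytes that were scanned, as lowercase hex.
function sha256Hex(content) {
  return createHash("sha256").update(content).digest("hex");
}

// Record what was scanned: content hash, verification tier, scan date.
function pin(lock, name, content, tier, scannedAt) {
  lock.skills[name] = { sha256: sha256Hex(content), tier, scannedAt };
  return lock;
}

// Compare on-disk content with the lock and classify each skill:
//   ok       -> bytes match the pinned hash
//   drift    -> bytes changed since the last scan; re-scan before use
//   unpinned -> present on disk but never scanned or locked
//   missing  -> locked but no longer on disk
function checkDrift(lock, installed) {
  const report = {};
  for (const [name, content] of Object.entries(installed)) {
    if (!Object.hasOwn(lock.skills, name)) report[name] = "unpinned";
    else report[name] = sha256Hex(content) === lock.skills[name].sha256 ? "ok" : "drift";
  }
  for (const name of Object.keys(lock.skills)) {
    if (!Object.hasOwn(installed, name)) report[name] = "missing";
  }
  return report;
}

// Constructed sample data (skill bodies and dates are made up).
const lock = { skills: {} };
pin(lock, "remotion-best-practices", "# Remotion\nUse <Sequence>.\n", "scanned", "2025-01-01");
pin(lock, "nextjs", "# Next.js\nPrefer server components.\n", "verified", "2025-01-01");

const onDisk = {
  "remotion-best-practices": "# Remotion\nUse <Sequence>.\n",
  // A single appended line is enough to change the hash.
  nextjs: "# Next.js\nPrefer server components.\nExtra line added after the scan.\n",
  "local-notes": "# Notes\n",
};

const driftReport = checkDrift(lock, onDisk);
console.log(driftReport);
```

A `drift` or `unpinned` result is the point at which a re-scan belongs, before the changed file is trusted by any agent.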
49 Agent Platforms
vskill auto-detects your installed agents and installs skills to all of them at once.
CLI & Terminal — Claude Code, Cursor, GitHub Copilot, Windsurf, Codex, Gemini CLI, Amp, Cline, Roo Code, Goose, Aider, Kilo, Devin, OpenHands, Qwen Code, Trae, and more
IDE Extensions — VS Code, JetBrains, Zed, Neovim, Emacs, Sublime Text, Xcode
Cloud & Hosted — Replit, Bolt, v0, GPT Pilot, Plandex, Sweep
Plugin Marketplace
vskill ships 41 expert skills organized into 12 domain plugins. Each plugin has its own namespace — install only what you need.
npx vskill install --repo anton-abyzov/vskill --plugin frontend
npx vskill install --repo anton-abyzov/vskill --plugin infra
Then invoke as /plugin:skill in your agent:
/frontend:nextjs /infra:aws /mobile:flutter
/ml:rag /testing:mutation /security:patterns
Available Plugins
frontend — React 19, Next.js, Figma, i18n, design systems
frontend-core, design, figma, i18n, nextjs
backend — Java Spring Boot, Rust
java-spring, rust
infra — AWS, Azure, GCP, CI/CD, secrets, observability
aws, azure, gcp, github-actions, devsecops, opentelemetry, secrets
mobile — React Native, Flutter, SwiftUI, Jetpack, app store
react-native, expo, flutter, swiftui, jetpack, capacitor, deep-linking, testing, appstore
ml — RAG, LangChain, Hugging Face, fine-tuning, edge ML
rag, langchain, huggingface, fine-tuning, edge
testing — Performance, accessibility, mutation testing
performance, accessibility, mutation
kafka — Kafka Streams, n8n workflows
streams-topology, n8n
confluent — Kafka Connect, ksqlDB, Schema Registry
kafka-connect, ksqldb, schema-registry
payments — Billing, subscriptions, PCI compliance
billing, pci
security — Vulnerability pattern detection
patterns
blockchain — Solidity, Foundry, smart contracts
blockchain-core
skills — Skill discovery and recommendations
scout
Commands
vskill install <source> Install skill after security scan
vskill find <query> Search the verified-skill.com registry
vskill scan <path> Run security scan without installing
vskill list Show installed skills with status
vskill remove <skill> Remove an installed skill
vskill update [skill] Update with diff scanning (--all for everything)
vskill audit [path] Full project security audit with LLM analysis
vskill info <skill> Show detailed skill information
vskill submit <source> Submit a skill for verification
vskill blocklist Manage blocked malicious skills
vskill init Initialize vskill in a project
| Flag | Description |
|:-----|:------------|
| --yes -y | Accept defaults, no prompts |
| --global -g | Install to global scope |
| --copy | Copy files instead of symlinking |
| --skill <name> | Pick a specific skill from a multi-skill repo |
| --plugin <name> | Pick a plugin from a marketplace repo |
| --plugin-dir <path> | Local directory as plugin source |
| --repo <owner/repo> | Remote GitHub repo as plugin source |
| --agent <id> | Target a specific agent (e.g., cursor) |
| --force | Install even if blocklisted |
| --cwd <path> | Override project root |
| --all | Install all skills from a repo |
Security Audit
Scan entire projects for security issues — not just skills:
vskill audit # scan current directory
vskill audit --ci --report sarif # CI-friendly SARIF output
vskill audit --severity high,critical # filter by severity
Skills vs Plugins
Skills are single SKILL.md files that work with any of the 49 supported agents. They follow the Agent Skills Standard — drop a SKILL.md into the agent's commands directory.
Plugins are multi-component containers for Claude Code. They bundle skills, hooks, commands, and agents under a single namespace with enable/disable support and marketplace integration.
Why Deduplication Matters
Even Anthropic ships the same skill in two places:
anthropics/skills/frontend-design (standalone)
anthropics/claude-code/.../frontend-design (plugin)
Install both? Duplicates. They diverge? Inconsistencies. vskill gives you one install path with version pinning and dedup, regardless of source.
Registry
Browse and search verified skills at verified-skill.com.
vskill find "react native" # search from CLI
vskill info remotion-best-practices # skill details
Contributing
Submit your skill for verification:
vskill submit your-org/your-repo/your-skill