Agent skills, on tap.
Homebrew for AI agent skills. Host your own skill tap, install from any git source, and stay in sync as skills update — for yourself, your team, or your friends.
A git repo is all it takes. Create a tap for your team, your friends, or just yourself. No registry account, no vendor lock-in — just a JSON index on any git host you already use.
skilltap tap init my-skillsGitHub, GitLab, Gitea, Forgejo, your own server. Your existing SSH keys and credential helpers just work — no new accounts, no tokens to manage.
skilltap install user/skill-nameskilltap tracks every skill back to its source. Fetch, diff, re-scan changed lines, then apply — you see exactly what changed before it touches your system.
skilltap update --allcurl -fsSL https://skilltap.dev/install.sh | shClone from Gitea, GitLab, GitHub, Forgejo — any git host. Your SSH keys and credential helpers just work.
Installs to .agents/skills/. Symlinks to Claude, Cursor, Codex, Gemini, Windsurf automatically.
A tap is a git repo with a JSON index — like a Homebrew formula tap. Stand up your own in minutes, share the URL, and anyone can subscribe. Search across all your taps at once.
Static analysis on every install. Optional LLM-powered semantic scan using your own agent. Nothing hidden.
skilltap tracks every installed skill back to its source. Run `skilltap update` to fetch upstream changes, diff what changed, re-scan, and confirm — before anything touches your system.
View all skills — managed and unmanaged — with `skilltap skills`. Adopt orphaned skills into management with `skills adopt`. Move between global and project scopes with `skills move`. Update, health-check with `doctor`, and remove with one command.
Safe headless operation from inside AI agents. All prompts suppressed, security issues block with machine-readable stop directives, output is plain text.
Scaffold a new skill with `skilltap create`, link it locally for testing, validate with `skilltap verify`, then push to git. Others install with one command.
A tap is just a git repo with a JSON index. Stand one up in minutes — for a group of friends, your whole engineering org, or anything in between. No hosted service required.
Create a tap.json index, push to any git host, and share the URL. Anyone can add it with one command. No account approval, no upload portal — just git.
When you update a skill in your tap, every subscriber gets the diff on their next `skilltap update`. They see what changed, re-scan, and confirm before applying.
Pin to your tap only by disabling public registries with one config line — useful for orgs who want a curated-only catalog. Or leave it open so anyone can pull from anywhere. It's just config.
Skills flow from any source through security scanning to your agent's skill directory.
# Add a tap (registry of skills)
$ skilltap tap add community https://github.com/example/skills-tap
# Search for skills
$ skilltap find review
community/code-reviewer Review code for bugs and style issues
community/pr-review Generate PR review comments
# Install with agent symlink
$ skilltap install code-reviewer --global --also claude-code
◆ Installed code-reviewer
# See everything installed — managed and unmanaged
$ skilltap skills
code-reviewer managed claude-code https://github.com/example/skills-tap
commit-helper managed claude-code https://github.com/user/commit-helper
# Pull updates from the source and review what changed
$ skilltap update --all
◆ Updated code-reviewer (2 files changed)Static patterns catch hidden Unicode, obfuscated URLs, and injection attempts. Semantic scan sends each chunk to your local agent for a second opinion.
With --strict, any warning aborts immediately. In agent mode, security issues emit a machine-readable stop directive. Learn more →