skill-manager

中文说明

Why it exists

AI extensions are scattered across harness-specific folders, MCP config files, slash command locations, and marketplace sources. Skill Manager gives those pieces one local control surface:

What you can do

• See what is in use, what needs review, and where extensions are active.
• Adopt local Skills into one shared inventory, then enable or disable them per harness.
• Scan Skills with a saved LLM provider configuration and review findings before use.
• Install or adopt MCP server configs, resolve differences, and enable them where supported.
• Manage reusable slash commands once, then sync them to supported harnesses.
• Discover Skills, MCP servers, and preview-only CLI tools from marketplace sources.

Product tour

Overview

Start with the whole extension portfolio: what is in use, what needs review, what can be discovered, and where extensions are active.

Skills

Use Skills as shared local packages instead of maintaining separate copies per harness.

Typical flow:

1. Review a Skill found in a harness or install one from the marketplace.
2. Adopt it into the Skill Manager inventory.
3. Enable it only where it should be available.
4. Update, remove, or delete it from one place.

Skill scanning

Scan Skills with an LLM-backed security review before you rely on them.

Typical flow:

1. Add and validate an LLM scan configuration.
2. Switch Skills in use to the Scan view.
3. Run a scan for one Skill, selected Skills, or the full visible list.
4. Review severity, findings, snippets, and remediation guidance.

Scan configurations are managed separately so you can save multiple providers, choose one active configuration, and keep API keys masked in list views.

MCP servers

Use MCP servers as one normalized config that can be written into each harness shape.

Typical flow:

1. Review an MCP server found in a harness or install one from the marketplace.
2. Adopt it into the Skill Manager inventory.
3. Enable it where the server should be available.
4. Resolve config differences, disable harness bindings, or uninstall it from one place.

Slash commands

Use slash commands as one shared prompt library instead of rewriting the same command in each harness-specific format.

Typical flow:

1. Create a slash command with a name, description, and prompt.
2. Use $ARGUMENTS where runtime input should be inserted.
3. Sync it to supported harnesses.
4. Review existing harness command files and adopt them into the shared library when needed.

Marketplace

Marketplace is the discovery surface:

• Skills Marketplace: browse and install Skills.
• MCP Marketplace: browse and install MCP servers.
• CLI Marketplace: preview external CLI tools from CLIs.dev. This is display-only; Skill Manager does not install or manage CLIs.

Install

Homebrew (macOS recommended)

brew tap mode-io/tap
brew install skill-manager
skill-manager start

npm (macOS ARM64/x64 and Linux x64/ARM64)

npm install -g @mode-io/skill-manager
skill-manager start

The npm wrapper downloads the native release artifact for the current platform and CPU architecture.

Supported harnesses

Local-first safety

Skill Manager is a local configuration-management tool. It runs on your machine and reads or writes local harness extension state.

Actions that can change local state include:

• adopting a local skill folder
• enabling or disabling a skill for a harness
• updating a source-backed skill
• removing or deleting a skill
• creating, updating, validating, activating, or deleting an LLM scan configuration
• running a Skill scan, which sends selected Skill context to the configured LLM provider
• installing an MCP server into a source harness
• adopting an existing MCP config
• enabling, disabling, resolving, or uninstalling an MCP server
• creating, updating, syncing, importing, or deleting a slash command
• changing harness support settings

App-owned files live under ~/Library/Application Support/skill-manager on macOS and XDG base directories on Linux.

How it works

Skills

Before adoption, each harness points at its own local skill folder. After adoption, Skill Manager keeps one canonical package in its shared local store and exposes it to selected harnesses with local links. Disabling a harness removes that harness binding without deleting the package.

Skill scans

Skill scans build a bounded prompt context from SKILL.md, manifest metadata, script and config files, and files referenced by the Skill instructions. Secret-bearing files such as .env, private keys, certificates, and credential files are excluded from the prompt context, and large files are skipped when they exceed scanner limits.

The scanner uses the active saved LLM configuration first. If none is active, it can fall back to supported environment variables such as ANTHROPIC_API_KEY, OPENAI_API_KEY, OPENROUTER_API_KEY, GEMINI_API_KEY, GOOGLE_API_KEY, AZURE_OPENAI_API_KEY, AWS_BEDROCK_MODEL, or OLLAMA_HOST.

Scan reports show whether the Skill is safe, the maximum severity, findings, locations, snippets, and remediation text. The frontend caches completed reports in browser local storage so recent results remain visible after navigation.

MCP servers

MCP servers are stored as normalized Skill Manager records, then translated into the config shape each harness expects:

• Codex uses TOML under mcp_servers.
• Claude Code and Cursor use mcpServers JSON entries.
• OpenCode uses typed local/remote MCP entries.
• OpenClaw MCP writes are not yet supported.

When Skill Manager finds different configs for the same MCP server, it asks you to resolve the source of truth first.

Slash commands

Slash commands are stored as TOML records under Skill Manager app storage, then rendered into each supported harness format:

• OpenCode writes Markdown command files under ~/.config/opencode/commands and invokes