what it does
ai skills are starting to look like real software artifacts: instructions, workflow rules, permissions, tool assumptions, and setup requirements packaged for agents like Codex, Claude Code, Cursor, and similar tools.
the directory is the public surface for finding and inspecting those skills:
- browse skills by tool, category, risk, status, and maintainer
- submit a github url or zip into a draft flow instead of emailing files
- validate the package before it becomes a trusted listing
- show a skill passport with schema, permissions, findings, risk, and source
- teach skepticism so a green checkmark never pretends to mean “safe”
why i built it
the useful part of an agent skill is also the risky part. a skill can ask the agent to read files, run shell commands, use connectors, send data elsewhere, or make changes in a repo. that should not be copied around as random markdown with no inspection layer.
i wanted a place where skills can be shared, but the default posture is still skeptical. every skill starts untrusted. the directory earns confidence by showing what was checked, what was declared, what was detected, and what still needs human judgment.
how it’s built
a quick tour:
- astro + react islands: static directory pages by default, interactive islands for submission and validation flows
- hono api: github sign-in, authenticated submissions, ownership rules, and draft records
- drizzle + neon: users, submissions, validation jobs, versions, and public listing data
- cloudflare r2: content-addressed snapshots and uploaded zip archives
- skill schema package: shared zod contracts for manifests, reports, passports, submission enums, and wire types
- validator package: loads a package, computes a source hash, checks structure, secrets, risky instructions, and undeclared permissions
- bullmq worker path: queued validation is the next backend layer, with the api and worker split cleanly
what’s next
the current push is the validation pipeline: queue the draft submissions, run the validator against pinned snapshots, write job progress, and turn the result into the first real passport flow.
after that, the directory needs the publish path, source-file viewer, download preflight, and admin review lane. the public URL and screenshots will come once there is enough real product to show without explaining the scaffolding.
discovery is useful only if the install step gets more skeptical, not less.