
pi-autoskills
Audited autoskills-style installer for pi. Detect stack, discover vetted skills, audit upstream bundles, cache locally, install safely.
Audited autoskills-style skill installer for pi.
pi-autoskills detects the stack from project files, matches skills from the Claude/Codex/pi registries, and prefers bundled, audited local copies. When needed, it fetches upstream bundles, audits and rewrites them into a local cache, then installs only audited copies into .pi/skills/.
/autoskills inside pi
pi-autoskills CLI
/autoskills pi command
registry/
.pi/autoskills-registry/
.pi/autoskills-registry/.audit/
.pi/skills/
.pi/autoskills-lock.json
>= 22
>= 10 for development
/autoskills command and pi-based review mode
pnpm install
node --experimental-strip-types ./bin/pi-autoskills.ts --dry-run
pi install /absolute/path/to/pi-autoskills
Project-local install:
pi install -l /absolute/path/to/pi-autoskills
Then inside pi:
/autoskills
Global CLI:
npm install -g pi-autoskills
pi-autoskills --dry-run
Or one-shot:
npx pi-autoskills --dry-run
Install package into pi from npm:
pi install pi-autoskills
Project-local package install into pi:
pi install -l pi-autoskills
pi-autoskills --project /path/to/project --dry-run
pi-autoskills --project /path/to/project
/autoskills detect
/autoskills
/autoskills install
pi-autoskills --dry-run
pi-autoskills --project /path/to/project
pi-autoskills --registry-dir /path/to/registry
pi-autoskills --cache-registry-dir /path/to/cache-registry
pi-autoskills --reviewer auto|static|pi|none
static — static checks only. Default for plain CLI.
pi — static checks + model audit through pi harness.
auto — try pi review, fall back to static.
none — skip model review and keep static checks only.
Examples:
pi-autoskills --reviewer static
pi-autoskills --reviewer pi
pi-autoskills --reviewer auto
Bundled registry lives in registry/.
Dynamic cache registry lives in .pi/autoskills-registry/ inside target project by default.
Policy file lives at .pi/autoskills-policy.json inside target project by default.
Installed skills go to:
.pi/skills/
Lockfile:
.pi/autoskills-lock.json
Audit artifacts:
.pi/autoskills-registry/.audit/
.pi/skills/<skill-id>/
.pi/autoskills-lock.json
Default path:
.pi/autoskills-policy.json
Example:
{
  "allowRepos": ["clerk/*", "vercel-labs/*", "supabase/*"],
  "denyRepos": ["random/*"],
  "minDiscoveryScore": 9,
  "maxDiscoveredSkills": 6
}
Environment override:
export PI_AUTOSKILLS_POLICY=/absolute/path/to/policy.json
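How a policy like the one above could gate discovered skills, as an added example that is not pi-autoskills' own code. The field names come from the README; `Candidate`, `Decision`, `globToRegExp`, `matchesAny` and `applyPolicy` are hypothetical. The evaluation order (deny before allow, unlisted repos rejected, cap applied to the highest scores first) is an assumption.

```typescript
// Added example, not pi-autoskills source. Field names come from the README policy
// example; the evaluation order and the Candidate shape are assumptions.
type Policy = { allowRepos: string[]; denyRepos: string[];
  minDiscoveryScore: number; maxDiscoveredSkills: number };
type Candidate = { repo: string; score: number };
type Decision = { repo: string; accepted: boolean; reason: string };

// "owner/*" style glob: "*" matches any run of characters except "/".
function globToRegExp(glob: string): RegExp {
  const escaped = glob.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, "[^/]*");
  return new RegExp(`^${escaped}$`, "i"); // owner/repo names compared case-insensitively
}

function matchesAny(repo: string, globs: string[]): boolean {
  return globs.some((g) => globToRegExp(g).test(repo));
}

function applyPolicy(policy: Policy, candidates: Candidate[]): Decision[] {
  let kept = 0;
  // Highest score first, so the cap keeps the strongest matches.
  const ordered = [...candidates].sort((a, b) => b.score - a.score);
  return ordered.map(({ repo, score }) => {
    let reason = "ok";
    // Fail closed on anything that is not a plain "owner/repo" name.
    if (!/^[\w.-]+\/[\w.-]+$/.test(repo)) reason = "malformed repo name";
    else if (matchesAny(repo, policy.denyRepos)) reason = "denied by denyRepos";
    else if (!matchesAny(repo, policy.allowRepos)) reason = "not in allowRepos";
    else if (score < policy.minDiscoveryScore) reason = "below minDiscoveryScore";
    else if (kept >= policy.maxDiscoveredSkills) reason = "over maxDiscoveredSkills";
    if (reason === "ok") kept += 1;
    return { repo, accepted: reason === "ok", reason };
  });
}

// Policy values from the README example; candidate repos are constructed.
const examplePolicy: Policy = {
  allowRepos: ["clerk/*", "vercel-labs/*", "supabase/*"],
  denyRepos: ["random/*"],
  minDiscoveryScore: 9,
  maxDiscoveredSkills: 6,
};
const sampleCandidates: Candidate[] = [
  { repo: "clerk/example-skills", score: 10 },
  { repo: "random/example-skills", score: 20 },
  { repo: "supabase/example-skills", score: 8 },
  { repo: "unlisted-org/example-skills", score: 15 },
  { repo: "clerk/a/b", score: 11 },
];
for (const d of applyPolicy(examplePolicy, sampleCandidates)) console.log(d.repo, d.reason);
```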
The default catalog path in this project points at a local autoskills registry clone.
Override with:
export PI_AUTOSKILLS_CATALOG_INDEX=/absolute/path/to/index.json
If the catalog is missing, discovery falls back to GitHub repo tree scans.
pnpm install
pnpm check
node --experimental-strip-types ./src/commands/validate-registry.ts
pnpm sync
pnpm validate-registry
pnpm sync:upstream
pnpm validate-registry
Useful flags:
node --experimental-strip-types ./src/commands/sync.ts --only react-best-practices --no-review
node --experimental-strip-types ./src/commands/sync.ts --only vue --verbose --keep-temp
pnpm check
node --experimental-strip-types ./src/commands/validate-registry.ts
Then:
package.json version
README.md
files list in package.json
npx pi-autoskills --dry-run
pi install pi-autoskills
/autoskills detect
pi-autoskills/
├── bin/
│   └── pi-autoskills.ts
├── extensions/
│   └── autoskills.ts
├── registry/
│   ├── index.json
│   ├── next-playwright-testing/
│   └── react-tailwind-ui-patterns/
├── src/
│   ├── commands/
│   ├── detect.ts
│   ├── discovery.ts
│   ├── install.ts
│   ├── maps.ts
│   ├── match.ts
│   ├── policy.ts
│   ├── registry.ts
│   ├── security.ts
│   ├── sync.ts
│   └── types.ts
└── test/
Still worth improving:
update command for refreshing installed skills
.agents/skills/ mode
MIT
FAQs
The npm package pi-autoskills receives a total of 5 weekly downloads. As such, pi-autoskills popularity was classified as not popular.
We found that pi-autoskills demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.