A CLI that discovers agent skills shipped inside npm packages and creates symlinks for coding agents to consume.
> [!IMPORTANT]
> This project is a work in progress.
Current skill distribution approaches (e.g. @vercel-labs/skills) have friction:
This project proposes a convention: ship skills inside npm packages. When you npm install a tool, its skills come bundled. Run skills-npm to symlink them for your agent.
Read the full proposal: PROPOSAL.md
```bash
npm i -D skills-npm
```
Add a prepare script to your package.json so the skills are symlinked automatically for your agent whenever you install dependencies:
```json
{
  "private": true,
  "scripts": {
    "prepare": "skills-npm"
  }
}
```
skills-npm will symlink the skills from node_modules to skills/npm-<package-name>-<skill-name> for your agent. It's recommended to add the following to your .gitignore:
```gitignore
skills/npm-*
```
You can create a skills-npm.config.ts file in your project root to configure the behavior:
```ts
// skills-npm.config.ts
import { defineConfig } from 'skills-npm'

export default defineConfig({
  // Source to discover skills from: 'node_modules' or 'package.json'
  source: 'package.json',
  // Target specific agents (defaults to all detected agents)
  agents: ['cursor', 'windsurf'],
  // Scan recursively for monorepo packages (default: false)
  recursive: false,
  // Whether to update .gitignore (default: true)
  gitignore: true,
  // Skip confirmation prompts (default: false)
  yes: false,
  // Dry run mode (default: false)
  dryRun: false,
  // Include specific packages or skills
  include: [
    // Include all skills from a package
    '@some/package',
    // Include all skills from packages matching a wildcard pattern
    '@some/*',
    // Include specific skills from packages matching a wildcard pattern
    { package: '@some/*', skills: ['integration'] },
    // Include specific skills from a package
    { package: '@slidev/cli', skills: ['presenter-mode'] },
  ],
  // Exclude specific packages or skills
  exclude: [
    // Exclude all skills from a package
    '@some/package',
    // Exclude all skills from packages matching a wildcard pattern
    '@some/*',
    // Exclude specific skills from packages matching a wildcard pattern
    { package: '@some/*', skills: ['integration'] },
    // Exclude specific skills from a package
    { package: '@slidev/cli', skills: ['presenter-mode'] },
  ],
})
```
include and exclude support package wildcard patterns such as @some/*. These filters only apply to packages that were already discovered from node_modules or package.json.
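The filtering semantics above, written out as a small standalone implementation. This is an added example, not skills-npm's own code: the trailing-`*` package wildcard, the "include narrows, then exclude removes" order, and the `pkg`/`skill` record shape are assumptions made here, and the discovered-skill list is a constructed sample.

```typescript
// Added example (not skills-npm's code) of include/exclude filtering over
// skills already discovered from node_modules or package.json.
type SkillFilter = string | { package: string; skills: string[] }

interface DiscoveredSkill {
  pkg: string   // npm package name, e.g. '@slidev/cli'
  skill: string // directory name under the package's skills/, e.g. 'presenter-mode'
}

// Turn a package pattern such as '@some/*' into an anchored RegExp.
// Every regex metacharacter except '*' is escaped, so a pattern taken from
// config cannot smuggle in arbitrary regex syntax.
function packagePattern(pattern: string): RegExp {
  const escaped = pattern
    .replace(/[.+?^${}()|[\]\\]/g, '\\$&')
    .replace(/\*/g, '.*')
  return new RegExp(`^${escaped}$`)
}

// A string filter matches every skill of the matching packages; an object
// filter additionally restricts to the listed skill names.
function filterMatches(filter: SkillFilter, item: DiscoveredSkill): boolean {
  if (typeof filter === 'string') return packagePattern(filter).test(item.pkg)
  return packagePattern(filter.package).test(item.pkg) && filter.skills.includes(item.skill)
}

// include === undefined keeps everything discovered (the documented default);
// exclude (default []) is always applied afterwards.
function applyFilters(
  discovered: DiscoveredSkill[],
  include?: SkillFilter[],
  exclude: SkillFilter[] = [],
): DiscoveredSkill[] {
  return discovered
    .filter(item => include === undefined || include.some(f => filterMatches(f, item)))
    .filter(item => !exclude.some(f => filterMatches(f, item)))
}

// Constructed sample of what discovery might yield for a project.
const SAMPLE: DiscoveredSkill[] = [
  { pkg: '@slidev/cli', skill: 'presenter-mode' },
  { pkg: '@slidev/cli', skill: 'theme-authoring' },
  { pkg: '@some/package', skill: 'integration' },
  { pkg: '@some/other', skill: 'integration' },
  { pkg: '@some/other', skill: 'deploy' },
  { pkg: 'unrelated-tool', skill: 'lint' },
]

// Keep everything under @some/* plus one slidev skill, then drop every
// 'integration' skill that any @some/* package ships.
function demoFilter(): string[] {
  const kept = applyFilters(
    SAMPLE,
    ['@some/*', { package: '@slidev/cli', skills: ['presenter-mode'] }],
    [{ package: '@some/*', skills: ['integration'] }],
  )
  return kept.map(k => `${k.pkg}:${k.skill}`)
}
```

Note the order: `include` selects from what discovery already found, and `exclude` then subtracts from that selection, so an `include` entry can never pull in a package that is not installed.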
| Option | Type | Default | Description |
|---|---|---|---|
| `cwd` | `string` | Workspace root | Current working directory |
| `source` | `'node_modules' \| 'package.json'` | `'package.json'` | Source to discover skills from |
| `agents` | `string \| string[]` | All detected | Target agents to install to |
| `recursive` | `boolean` | `false` | Scan recursively for monorepo packages |
| `gitignore` | `boolean` | `true` | Whether to update `.gitignore` |
| `yes` | `boolean` | `false` | Skip confirmation prompts |
| `dryRun` | `boolean` | `false` | Show what would be done without making changes |
| `include` | `(string \| { package: string, skills: string[] })[]` | `undefined` | Packages or skills to include. Supports package wildcard patterns like `@some/*` |
| `exclude` | `(string \| { package: string, skills: string[] })[]` | `[]` | Packages or skills to exclude. Supports package wildcard patterns like `@some/*` |
The `cwd` defaults to the workspace root, which is detected by searching upward for `pnpm-workspace.yaml`, `lerna.json`, or a `package.json` with a `workspaces` field. It falls back to the nearest `package.json`.
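The upward search described above, as an added example that is not skills-npm's own implementation. The filesystem is injected as a plain map of absolute paths to file contents (a constructed sample) so the walk runs offline; how the real tool reads the disk and whether it treats a `package.json` without a `workspaces` field as a candidate root exactly this way are assumptions.

```typescript
import * as path from 'node:path'

// Added example (not skills-npm's code): locate the workspace root by walking
// up from a start directory. A directory is the root if it contains
// pnpm-workspace.yaml, lerna.json, or a package.json with a "workspaces" field;
// otherwise the nearest directory holding a package.json is used.
type FakeFs = Record<string, string> // absolute file path -> file contents (constructed)

const ROOT_MARKERS = ['pnpm-workspace.yaml', 'lerna.json']

function hasWorkspacesField(fs: FakeFs, pkgJsonPath: string): boolean {
  const raw = fs[pkgJsonPath]
  if (raw === undefined) return false
  try {
    // Malformed or non-object JSON is treated as "no workspaces field".
    return Object.prototype.hasOwnProperty.call(JSON.parse(raw), 'workspaces')
  } catch {
    return false
  }
}

function findWorkspaceRoot(fs: FakeFs, start: string): string | undefined {
  let dir = path.resolve(start)
  let nearestPkgDir: string | undefined
  while (true) {
    const pkgJson = path.join(dir, 'package.json')
    if (nearestPkgDir === undefined && pkgJson in fs) nearestPkgDir = dir
    if (ROOT_MARKERS.some(m => path.join(dir, m) in fs) || hasWorkspacesField(fs, pkgJson)) {
      return dir
    }
    const parent = path.dirname(dir)
    if (parent === dir) return nearestPkgDir // reached the filesystem root
    dir = parent
  }
}

// Constructed sample layout: a workspaces monorepo, a lerna monorepo, and a lone package.
const SAMPLE_FS: FakeFs = {
  '/repo/package.json': '{"name":"mono","workspaces":["packages/*"]}',
  '/repo/packages/app/package.json': '{"name":"app"}',
  '/lerna-repo/lerna.json': '{}',
  '/lerna-repo/pkgs/a/package.json': '{"name":"a"}',
  '/lonely/package.json': '{"name":"lonely"}',
}
```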
```
skills-npm [options]

Options:
  --cwd <cwd>               Current working directory
  -s, --source <source>     Source to discover skills from (default: 'package.json')
  -a, --agents              Comma-separated list of agents to install to
  -r, --recursive           Scan recursively for monorepo packages
  --ignore-paths <paths>    Ignore paths for searching package.json
  --gitignore               Whether to update .gitignore (default: true)
  --yes                     Skip confirmation prompts
  --dry-run                 Show what would be done without making changes
  -h, --help                Display help
  -v, --version             Display version
```
Include a skills/ directory in your package:
```
my-tool/
├── package.json
├── dist/
└── skills/
    └── my-skill/
        └── SKILL.md
```
See PROPOSAL.md for detailed instructions.
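Because the `prepare` script above links content from node_modules into a directory the agent reads, the one check a consumer would want is that each planned link and its target stay where they belong. The example below is added here and is not skills-npm's code: it plans the symlink for one skill using the README's `skills/npm-<package-name>-<skill-name>` naming and the `<package>/skills/<skill>` layout, and rejects a plan whose link would leave `skills/` or whose target would leave `node_modules`. Flattening scoped names (`@slidev/cli` to `slidev-cli`) and the package-name regex are assumptions, not documented behaviour.

```typescript
import * as path from 'node:path'

// Added example (not skills-npm's code): plan one skill symlink and refuse any
// plan whose link or target would resolve outside the directory it belongs in.

interface SymlinkPlan {
  link: string   // absolute path of the symlink under <root>/skills
  target: string // absolute path of <pkg>/skills/<skill> under <root>/node_modules
}

// Assumed shape of an npm package name: 'name' or '@scope/name', one segment each.
const PACKAGE_NAME = /^(@[a-z0-9][\w.-]*\/)?[a-z0-9][\w.-]*$/

// Assumption: '@slidev/cli' becomes 'slidev-cli' in the link name so the link
// is a single directory entry directly under skills/.
function flattenPackageName(pkg: string): string {
  return pkg.replace(/^@/, '').replace(/\//g, '-')
}

// A skill name must stay a single path segment: no separators, no '.' or '..', no NUL.
function isSafeSegment(name: string): boolean {
  return name.length > 0 && name !== '.' && name !== '..' && !/[\\\/\0]/.test(name)
}

// True when child resolves strictly beneath parent (no climbing out via '..').
function isInside(parent: string, child: string): boolean {
  const rel = path.relative(parent, child)
  return rel !== '' && rel !== '..' && !rel.startsWith('..' + path.sep) && !path.isAbsolute(rel)
}

function planSkillSymlink(root: string, pkg: string, skill: string): SymlinkPlan {
  if (!PACKAGE_NAME.test(pkg)) throw new Error(`invalid package name: ${JSON.stringify(pkg)}`)
  if (!isSafeSegment(skill)) throw new Error(`unsafe skill name: ${JSON.stringify(skill)}`)
  const nodeModules = path.resolve(root, 'node_modules')
  const skillsDir = path.resolve(root, 'skills')
  const target = path.resolve(nodeModules, pkg, 'skills', skill)
  const link = path.resolve(skillsDir, `npm-${flattenPackageName(pkg)}-${skill}`)
  // Independent containment checks on both ends, in case the name checks above are ever loosened.
  if (!isInside(nodeModules, target)) throw new Error(`target escapes node_modules: ${target}`)
  if (!isInside(skillsDir, link)) throw new Error(`link escapes skills/: ${link}`)
  return { link, target }
}

// Constructed usage matching the my-tool/skills/my-skill tree above.
function demoPlan(): SymlinkPlan {
  return planSkillSymlink('/proj', 'my-tool', 'my-skill')
}
```

In a real run the same checks would be applied after `fs.realpath` on the target as well, since a package's `skills/` entry can itself be a symlink; the plan here only validates the lexical paths.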
Packages that ship their built-in skills:
> [!NOTE]
> PRs are welcome to add more packages that ship their built-in skills.
MIT License © Anthony Fu