Skip to main content
hc
Submit
toolsSource-backedReview first Safety Privacy

Skills CLI

MIT-licensed `skills` CLI from Vercel Labs for installing, using, finding, listing, updating, removing, and initializing Agent Skills across Claude Code, Codex, Cursor, OpenCode, OpenClaw, Gemini CLI, GitHub Copilot, Windsurf, Zed, and dozens of other agent hosts.

by Vercel Labs·added 2026-06-18·
CursorCodexCLI
HarnessCursorCodexCLI
Review first review before installing

Open the source and read safety notes before installing.

Safety notes

  • Agent Skills are executable instructions for coding agents. Inspect `SKILL.md` and supporting files before installing or using skills from unknown repositories.
  • `skills add`, `skills update`, `skills remove`, and `experimental_sync` can write, replace, symlink, copy, or remove skill folders across many local agent directories. Review `--agent`, `--skill`, `--all`, `--global`, and `--yes` flags before running broad operations.
  • `skills use` can materialize a skill into a temporary directory and print the generated prompt, or start a supported agent interactively with that prompt. Treat untrusted skill text as prompt-bearing code.
  • Symlink install mode keeps a canonical copy and links agent directories to it. Copy mode creates independent copies. Choose deliberately when working across shared repos, Windows environments, containers, or synchronized directories.
  • The CLI includes explicit warnings for OpenClaw community skills in `skills use`; do not bypass those warnings unless you understand the trust model for the selected source.
  • The security audit lookup is best-effort and never blocks installation. A missing or safe-looking audit result is not a substitute for reviewing the skill source.

Privacy notes

  • By default, the CLI can send telemetry to `add-skill.vercel.sh` unless `DISABLE_TELEMETRY` or `DO_NOT_TRACK` is set.
  • Telemetry fields in source include CLI version, CI flag, detected agent name, event type, source, selected skills, selected agents, global flag, source type, update counts, find query, and result counts.
  • Security-audit lookup requests can send the skill source and selected skill slugs to the audit endpoint.
  • Local project and global installs can persist source names, selected skills, agent targets, canonical paths, lock data, symlinks, and copied skill contents on disk.
  • Skill contents used through `skills use` are embedded into the generated prompt and may be sent to the downstream model provider or interactive agent process.

Prerequisites

  • Node.js 18 or newer for the published `skills` npm package.
  • At least one supported agent host installed if using auto-detected targets, such as Claude Code, Codex, Cursor, OpenCode, OpenClaw, Gemini CLI, GitHub Copilot, Windsurf, Zed, or another supported agent.
  • A reviewed skill source from GitHub, GitLab, a git URL, a local path, a direct skill folder, or another supported provider.
  • A decision between project-scoped skills that live under the current repository and global skills that live under the user's home/config directories.
  • A policy for whether installed skills are symlinked from one canonical copy or copied independently into each agent directory.

Schema details

Install type
cli
Troubleshooting
No
Source repository stats
Scope
Source repo
Collection metadata
Estimated setup
10 minutes
Difficulty
intermediate
Tool listing metadata
Pricing
free
Disclosure
editorial
Application category
DeveloperApplication
Operating system
Cross-platform
Full copyable content
npx skills add vercel-labs/agent-skills
npx skills add vercel-labs/agent-skills --list
npx skills add vercel-labs/agent-skills --skill frontend-design -a claude-code
npx skills use vercel-labs/agent-skills@web-design-guidelines | claude
npx skills list
npx skills update -g
npx skills init my-skill

About this resource

Overview

Skills CLI is the Vercel Labs command-line tool behind the open Agent Skills ecosystem. It installs SKILL.md-based skill packages into project or global agent directories, resolves skills from several source formats, and can target Claude Code, Codex, Cursor, OpenCode, OpenClaw, Gemini CLI, GitHub Copilot, Windsurf, Zed, and many other agent hosts.

Use it when you want one command surface for installing, testing, updating, or removing reusable Agent Skills instead of manually copying folders between agent-specific skill directories.

Install

For one-off use, run through npx:

npx skills add vercel-labs/agent-skills

For a persistent local command:

npm install -g skills
skills --help

The package exposes both skills and add-skill binaries.

Capability Map

Command Purpose
skills add <source> Install one or more skills from GitHub shorthand, GitHub URL, direct skill path, GitLab URL, git URL, or local path
skills use <source> Generate a one-skill prompt without installing, or launch a supported agent interactively with that prompt
skills list / skills ls List installed project or global skills, optionally filtered by agent or emitted as JSON
skills find [query] Search skills interactively or by keyword
skills update [skills...] Update project, global, or named skills using lock/source metadata where available
skills remove [skills...] Remove skills from global or project scope and selected agent directories
skills init [name] Create a new SKILL.md template in the current directory or a named subdirectory
experimental_install Restore from skills-lock.json
experimental_sync Sync skills from node_modules into agent directories

Source Formats

The README documents these install inputs:

  • GitHub shorthand such as vercel-labs/agent-skills.
  • Full GitHub URLs.
  • Direct paths to a skill folder inside a repository.
  • GitLab URLs.
  • Generic git URLs.
  • Local paths.

Install can target all skills, named skills, all agents, named agents, project scope, global scope, symlink mode, or copy mode. Noninteractive flags are useful for automation, but they should be reserved for reviewed sources.

Supported Agents

The README says the CLI supports OpenCode, Claude Code, Codex, Cursor, and 68 more agents. The source defines per-agent project and global skill directories, including support for Claude Code, OpenClaw, Codex, Cursor, Continue, Gemini CLI, GitHub Copilot, Goose, Hermes Agent, Kiro, OpenCode, Roo, Windsurf, Zed, and many other hosts.

Universal agents share the canonical .agents/skills style directory, while other agents receive symlinks or copies into their own discovery paths.

Safety Boundary

Skills CLI manages files that coding agents will later read as instructions. That gives it a higher trust bar than a normal package installer:

  • Review each source repository and SKILL.md before installing.
  • Prefer project installs when a skill should be reviewed and versioned with a team repository.
  • Prefer global installs only for skills you trust across projects.
  • Use --list before installing from unfamiliar repositories.
  • Avoid --all, --agent '*', --skill '*', and -y until the target source and agent directories are clear.
  • Use DISABLE_TELEMETRY=1 or DO_NOT_TRACK=1 when telemetry is not allowed.

Use Cases

  • Install a shared frontend, security, release, or MCP-authoring skill into Claude Code and Codex from one command.
  • Preview available skills in a repository before deciding which one to install.
  • Generate a temporary skill prompt for a single task without changing local agent directories.
  • Keep project skill installs in a repository so the team gets the same agent instructions.
  • Update or remove global skills that were installed across several agent hosts.
  • Bootstrap a new SKILL.md file when authoring a reusable agent skill.

Source Review

Verified on 2026-06-18:

  • GitHub metadata reported vercel-labs/skills as a TypeScript repository with the description The open agent skills tool - npx skills, homepage skills.sh, active updates on 2026-06-18, latest release v1.5.12 published on 2026-06-18, and more than 22,000 stars.
  • npm metadata for skills reported version 1.5.12, description The open agent skills ecosystem, MIT license, Node.js >=18, and binaries skills and add-skill.
  • The README documents skills add, skills use, skills list, skills find, skills remove, skills update, skills init, source formats, project/global scopes, symlink/copy install methods, and supported agents.
  • The public skills.sh page for vercel-labs/skills reported one listed skill, find-skills, and the install command npx skills add vercel-labs/skills.
  • src/cli.ts wires the main command surface, help output, version handling, and command dispatch for add, use, find, list, remove, sync, update, and install-from-lock flows.
  • src/add.ts handles source parsing, private-repo detection, security audit display, agent detection, selected skills, selected agents, universal-agent handling, and OpenClaw community-skill warnings.
  • src/installer.ts sanitizes skill names, validates install paths, manages canonical skill directories, creates symlinks or copies, and handles project/global target directories.
  • src/telemetry.ts shows telemetry and audit endpoints, opt-out environment variables, event fields, CI detection, detected-agent inclusion, and best-effort audit data fetch behavior.
  • Release v1.5.12 lists improvements for Eve support, local skill overwrite behavior during all-agent installs, and manifest creation.
#skills-cli#agent-skills#skill-manager#claude-code#codex#cursor#openclaw#cli

Source citations

Add this badge to your README

Show that Skills CLI is listed on HeyClaude. Paste this Markdown into your README — it renders the badge and links back to this page.

Listed on HeyClaude
[![Listed on HeyClaude](https://heyclau.de/badge/tools/skills-cli.svg)](https://heyclau.de/entry/tools/skills-cli)

How it compares

Skills CLI side by side with 3 alternatives on trust, install, platform support, and disclosed safety notes — all from reviewed registry metadata.

FieldSkills CLI

MIT-licensed `skills` CLI from Vercel Labs for installing, using, finding, listing, updating, removing, and initializing Agent Skills across Claude Code, Codex, Cursor, OpenCode, OpenClaw, Gemini CLI, GitHub Copilot, Windsurf, Zed, and dozens of other agent hosts.

Open dossier 		Browser Harness

MIT-licensed CDP browser-control harness from Browser Use that lets Claude Code, Codex, and other coding agents connect to a real or cloud Chrome browser, use screenshots and coordinate clicks, edit task-specific helpers, and optionally learn reusable domain skills for web automation workflows.

Open dossier 		Skillshare

MIT-licensed Go CLI for syncing AI agent skills, agents, rules, commands, prompts, and other file-based resources across Codex, Claude Code, OpenClaw, Cursor, Windsurf, Gemini-style targets, and dozens of other AI CLI tools.

Open dossier 		ClawHub

MIT-licensed OpenClaw skill and plugin registry with a hosted catalog, `clawhub` CLI, npm package, native OpenClaw install flows, SKILL.md publishing, plugin package publishing, vector search, scan status, moderation controls, install lockfiles, and opt-out install telemetry.

Open dossier
Trust
Install riskReview firstReview firstReview firstReview first
Notes Safety Privacy Safety Privacy Safety Privacy Safety Privacy
Categorytoolstoolstoolstools
Sourcesource-backedsource-backedsource-backedsource-backed
AuthorVercel LabsBrowser UserunkidsOpenClaw
Added2026-06-182026-06-182026-06-182026-06-18
Platforms
CursorCodexCLI
CodexCLI
CursorCodexCLI
CLI
Source repo
Safety notesAgent Skills are executable instructions for coding agents. Inspect `SKILL.md` and supporting files before installing or using skills from unknown repositories. `skills add`, `skills update`, `skills remove`, and `experimental_sync` can write, replace, symlink, copy, or remove skill folders across many local agent directories. Review `--agent`, `--skill`, `--all`, `--global`, and `--yes` flags before running broad operations. `skills use` can materialize a skill into a temporary directory and print the generated prompt, or start a supported agent interactively with that prompt. Treat untrusted skill text as prompt-bearing code. Symlink install mode keeps a canonical copy and links agent directories to it. Copy mode creates independent copies. Choose deliberately when working across shared repos, Windows environments, containers, or synchronized directories. The CLI includes explicit warnings for OpenClaw community skills in `skills use`; do not bypass those warnings unless you understand the trust model for the selected source. The security audit lookup is best-effort and never blocks installation. A missing or safe-looking audit result is not a substitute for reviewing the skill source.Browser Harness can connect agents to a real logged-in Chrome profile. Remote debugging may expose active sessions, extensions, bookmarks, history, page content, downloads, uploads, and account actions to the agent. The documented Way 1 setup uses the user's everyday Chrome profile through `chrome://inspect/#remote-debugging`; require explicit user consent before attaching to sensitive accounts. The documented Way 2 setup launches Chrome with a non-default `--user-data-dir` and remote debugging port; keep that isolated profile separate from everyday browser data. Remote Browser Use Cloud sessions require `BROWSER_USE_API_KEY`, may use proxies, can persist profile state, and can continue billing until timeout or shutdown. Agents using Browser Harness can edit `agent-workspace/agent_helpers.py` and optional domain-skill files; review generated helper code and public skill contributions before reuse. Browser automation can submit forms, send messages, purchase items, scrape websites, change account settings, and upload files. Keep destructive or account-writing tasks behind confirmation.Skillshare writes into multiple agent skill directories. A bad sync can propagate unsafe, stale, or target-incompatible instructions across every configured AI CLI. Run `skillshare sync --dry-run` before the first sync, after target changes, and before `--force`, especially when local skills already exist in target directories. The README documents shell and PowerShell installers that download and execute release artifacts from GitHub. Inspect installer scripts or use a pinned release/Homebrew path when supply-chain control matters. The Unix installer may use `sudo` when installing to `/usr/local/bin`; review `INSTALL_DIR` and PATH behavior before running in managed environments. The audit engine is a useful gate for prompt injection, hidden Unicode, credential access, data exfiltration, destructive commands, hardcoded secrets, and tamper checks, but it is pattern-based and does not prove a skill is safe. Avoid `--force` and broad include patterns until target filters, `.skillignore`, copy/symlink behavior, and backups have been reviewed.ClawHub installs agent skills and OpenClaw plugins. Inspect source links, files, changelogs, declared runtime metadata, scan state, and plugin compatibility before installing or updating. `clawhub install`, `openclaw skills install`, and update commands write local skill files and metadata such as `.clawhub/lock.json` and per-skill origin records. Pin important local installs before updating shared workspaces. `clawhub token` prints the stored API token to stdout. Avoid exposing tokens through shell history, CI logs, support transcripts, screenshots, or model prompts. Publishing a skill to ClawHub releases it under MIT-0 according to the skill-format docs; do not publish proprietary, private, customer, or conflicting-license content. Plugin publishing resolves local folders, GitHub repositories, GitHub refs, or archives and checks OpenClaw compatibility metadata. Use `--dry-run`, verify artifacts, and review ClawPack digest/scan output before public release. Scan-held or blocked releases can be hidden from public catalog and install surfaces while remaining visible to owners; do not assume search visibility proves a release is safe or accepted.
Privacy notesBy default, the CLI can send telemetry to `add-skill.vercel.sh` unless `DISABLE_TELEMETRY` or `DO_NOT_TRACK` is set. Telemetry fields in source include CLI version, CI flag, detected agent name, event type, source, selected skills, selected agents, global flag, source type, update counts, find query, and result counts. Security-audit lookup requests can send the skill source and selected skill slugs to the audit endpoint. Local project and global installs can persist source names, selected skills, agent targets, canonical paths, lock data, symlinks, and copied skill contents on disk. Skill contents used through `skills use` are embedded into the generated prompt and may be sent to the downstream model provider or interactive agent process.Browser Harness workflows can expose page screenshots, DOM text, URLs, cookies-backed login state, account data, downloads, uploads, form inputs, and extracted website data to the agent and configured model providers. Profile sync for Browser Use Cloud is documented as cookies-only, but it still moves browser authentication material into a remote browser environment. Cloud browser live URLs, proxy settings, profile identifiers, daemon logs, `/tmp` socket or pid files, and copied support artifacts may reveal browsing activity or account context. Public domain-skill PRs should not include secrets, private selectors tied to confidential apps, customer data, screenshots, credentials, tokens, or personal browsing history.Skillshare can read, copy, symlink, collect, audit, back up, commit, push, and pull local skill, agent, rule, command, prompt, and extra files. Skills can contain prompts, workflow instructions, local paths, target-specific rules, credentials by mistake, internal URLs, repository conventions, customer context, or model-provider guidance. Audit reports, backups, UI views, logs, git commits, and synced target directories can reveal the contents of private skills and agent instructions. Remote installs from GitHub, GitLab, Bitbucket, Azure DevOps, or self-hosted Git expose repository URLs and may fetch untrusted content into the local source directory before sync. The README describes Skillshare as local, lightweight, offline-capable, and without telemetry; still treat any configured remotes, git pushes, setup actions, and hosted documentation links as external data flows.The CLI stores API token and registry configuration in the operating-system config directory or the path set by `CLAWHUB_CONFIG_PATH`. Logged-in `clawhub install` may send best-effort install telemetry containing the skill slug and version only; set `CLAWHUB_DISABLE_TELEMETRY=1` to opt out. ClawHub public listings can expose skill files, source links, versions, changelogs, install counts, stars, comments, publisher identity, and scan summaries. Publishing uploads `SKILL.md` plus supporting text files to the hosted registry. Keep secrets, private prompts, customer data, proprietary code, and credentials out of published bundles. Self-hosting ClawHub involves Convex, GitHub OAuth, JWT/JWKS keys, OpenAI embeddings for vector search, file storage, moderation data, and report handling.
Prerequisites
  • Node.js 18 or newer for the published `skills` npm package.
  • At least one supported agent host installed if using auto-detected targets, such as Claude Code, Codex, Cursor, OpenCode, OpenClaw, Gemini CLI, GitHub Copilot, Windsurf, Zed, or another supported agent.
  • A reviewed skill source from GitHub, GitLab, a git URL, a local path, a direct skill folder, or another supported provider.
  • A decision between project-scoped skills that live under the current repository and global skills that live under the user's home/config directories.
  • Python 3.11 or newer, uv, git, and a durable local checkout for editable installation.
  • A Chrome or Chromium-based browser that can be attached through Chrome remote debugging, or a Browser Use Cloud API key for cloud browsers.
  • Codex, Claude Code, or another agent host that can read the Browser Harness `SKILL.md` instructions.
  • A clear boundary for which browser profile, logged-in sites, cloud browser sessions, downloads, uploads, and account actions the agent may access.
  • A supported install path: Homebrew, GitHub release archive, shell installer, PowerShell installer, or GitHub Actions setup action.
  • One or more local AI CLI tools with skill directories, such as Codex, Claude Code, OpenClaw, Cursor, OpenCode, Windsurf, Qwen, Goose, or a custom target.
  • A source directory for reviewed skills, agents, and extras, or a project-level `.skillshare/` configuration for repo-local skills.
  • A policy for symlink, copy, or merge mode per target, especially on Windows or tools that cannot follow symlinks.
  • Node.js 22 or newer for the published `clawhub` npm CLI.
  • OpenClaw installed and configured when using native `openclaw skills` or `openclaw plugins` install/update commands.
  • A GitHub-backed ClawHub account or API token for publishing, delete/undelete, scan, and other authenticated registry workflows.
  • A valid skill folder with `SKILL.md` when publishing skills, or an OpenClaw-compatible plugin package/source when publishing plugins.
Install
npm install -g skills
git clone https://github.com/browser-use/browser-harness && cd browser-harness && uv tool install -e .
brew install skillshare
npm install -g clawhub
Config
{
  "projectInstall": "npx skills add vercel-labs/agent-skills --skill frontend-design -a claude-code",
  "globalInstall": "npx skills add vercel-labs/agent-skills --skill frontend-design -g -a claude-code -y",
  "temporaryUse": "npx skills use vercel-labs/agent-skills@web-design-guidelines | claude",
  "disableTelemetry": "DISABLE_TELEMETRY=1 npx skills list"
}
source: ~/.config/skillshare/skills
mode: merge
targets:
  claude:
    path: ~/.claude/skills
  codex:
    path: ~/.codex/skills
    mode: symlink
  openclaw:
    path: ~/.openclaw/skills
  cursor:
    path: ~/.cursor/skills
    mode: copy
ignore:
  - "**/.git/**"
  - "**/node_modules/**"
{
  "openclawSkills": {
    "search": "openclaw skills search \"calendar\"",
    "install": "openclaw skills install @openclaw/demo",
    "update": "openclaw skills update --all"
  },
  "openclawPlugins": {
    "search": "openclaw plugins search \"calendar\"",
    "install": "openclaw plugins install clawhub:<package>",
    "update": "openclaw plugins update --all"
  },
  "clawhubCli": {
    "login": "clawhub login",
    "publishSkill": "clawhub skill publish ./my-skill --dry-run",
    "publishPlugin": "clawhub package publish <source> --family code-plugin --dry-run"
  }
}
Citations
ClaimUnclaimedUnclaimedUnclaimedUnclaimed

Signals

Loading live community signals…

More like this, weekly

A short, calm digest of reviewed Claude resources. Unsubscribe any time.