Skip to main content
hc
Submit
toolsSource-backedReview first Safety Privacy

Skillshare

MIT-licensed Go CLI for syncing AI agent skills, agents, rules, commands, prompts, and other file-based resources across Codex, Claude Code, OpenClaw, Cursor, Windsurf, Gemini-style targets, and dozens of other AI CLI tools.

by runkids·added 2026-06-18·
CursorCodexCLI
HarnessCursorCodexCLI
Review first review before installing

Open the source and read safety notes before installing.

Safety notes

  • Skillshare writes into multiple agent skill directories. A bad sync can propagate unsafe, stale, or target-incompatible instructions across every configured AI CLI.
  • Run `skillshare sync --dry-run` before the first sync, after target changes, and before `--force`, especially when local skills already exist in target directories.
  • The README documents shell and PowerShell installers that download and execute release artifacts from GitHub. Inspect installer scripts or use a pinned release/Homebrew path when supply-chain control matters.
  • The Unix installer may use `sudo` when installing to `/usr/local/bin`; review `INSTALL_DIR` and PATH behavior before running in managed environments.
  • The audit engine is a useful gate for prompt injection, hidden Unicode, credential access, data exfiltration, destructive commands, hardcoded secrets, and tamper checks, but it is pattern-based and does not prove a skill is safe.
  • Avoid `--force` and broad include patterns until target filters, `.skillignore`, copy/symlink behavior, and backups have been reviewed.

Privacy notes

  • Skillshare can read, copy, symlink, collect, audit, back up, commit, push, and pull local skill, agent, rule, command, prompt, and extra files.
  • Skills can contain prompts, workflow instructions, local paths, target-specific rules, credentials by mistake, internal URLs, repository conventions, customer context, or model-provider guidance.
  • Audit reports, backups, UI views, logs, git commits, and synced target directories can reveal the contents of private skills and agent instructions.
  • Remote installs from GitHub, GitLab, Bitbucket, Azure DevOps, or self-hosted Git expose repository URLs and may fetch untrusted content into the local source directory before sync.
  • The README describes Skillshare as local, lightweight, offline-capable, and without telemetry; still treat any configured remotes, git pushes, setup actions, and hosted documentation links as external data flows.

Prerequisites

  • A supported install path: Homebrew, GitHub release archive, shell installer, PowerShell installer, or GitHub Actions setup action.
  • One or more local AI CLI tools with skill directories, such as Codex, Claude Code, OpenClaw, Cursor, OpenCode, Windsurf, Qwen, Goose, or a custom target.
  • A source directory for reviewed skills, agents, and extras, or a project-level `.skillshare/` configuration for repo-local skills.
  • A policy for symlink, copy, or merge mode per target, especially on Windows or tools that cannot follow symlinks.
  • A review and audit process for remote skill repositories before syncing them into agent runtimes.

Schema details

Install type
cli
Troubleshooting
No
Source repository stats
Scope
Source repo
Collection metadata
Estimated setup
20 minutes
Difficulty
intermediate
Tool listing metadata
Pricing
free
Disclosure
editorial
Application category
DeveloperApplication
Operating system
macOS, Windows, Linux
Full copyable content
brew install skillshare
skillshare init
skillshare sync --dry-run
skillshare audit
skillshare sync

About this resource

Overview

Skillshare is a local-first CLI for managing AI agent skills and related file-based resources from one source directory. Instead of copying skill folders manually between Codex, Claude Code, OpenClaw, Cursor, OpenCode, Windsurf, and other tools, Skillshare keeps a source tree and syncs it into configured target directories with merge, copy, or symlink modes.

Use it when a team or power user needs consistent Agent Skills, custom agents, rules, commands, prompts, or other extras across multiple agent hosts, machines, or repositories. It is especially relevant when the same SKILL.md library needs to work in Codex and Claude Code while also staying available to OpenClaw or Cursor.

Install

The README documents Homebrew:

brew install skillshare
skillshare init
skillshare sync --dry-run
skillshare sync

It also documents shell and PowerShell installers plus GitHub Actions setup. Review installer scripts before using the pipe-to-shell path in managed or security-sensitive environments.

For a first sync, start with a dry run:

skillshare init
skillshare sync --dry-run
skillshare audit
skillshare sync

Capabilities

Area Skillshare Coverage
Source of truth Stores reviewed skills under ~/.config/skillshare/skills/ by default, with project mode under .skillshare/
Targets Auto-detects and syncs to Codex, Claude, OpenClaw, Cursor, OpenCode, Windsurf, Qwen, Goose, Copilot, Gemini-style aliases, and many more targets
Sync modes Supports merge, copy, and symlink modes so targets can preserve local files or receive real copies when symlinks are not supported
Agents and extras Syncs custom agents plus extras such as rules, commands, prompts, and other file-based resources
Filtering Uses .skillignore, SKILL.md target metadata, and per-target include/exclude filters to control what reaches each runtime
Team workflows Supports tracked repositories, project skills, git-backed commit/push/pull flows, and GitHub Actions setup
Audit engine Scans skills for prompt injection, hidden Unicode, data exfiltration, credential access, destructive commands, hardcoded secrets, tampering, and metadata trust issues
UI Includes terminal/UI workflows such as skillshare tui and skillshare ui for managing skills and audit state

Use Cases

  • Keep the same skill library synchronized between Codex, Claude Code, OpenClaw, Cursor, and OpenCode.
  • Maintain project-specific .skillshare/ skills inside a repository while leaving global personal skills separate.
  • Share a reviewed team skill repository across machines with pull, sync, and tracked repos.
  • Audit a third-party skill folder before it reaches a live agent runtime.
  • Sync rules, commands, prompts, and custom agents alongside normal skills.
  • Use copy mode for targets that cannot follow symlinks while preserving merge mode for tools that can.

Source Review

Verified on 2026-06-18:

  • GitHub metadata reported runkids/skillshare as an MIT-licensed Go repository with topics including skills, codex, claude-code, openclaw, cursor, skills-management, skills-audit, cross-machine-sync, gemini, copilot, gui, and agenthub.
  • GitHub metadata reported latest release v0.20.20, published on 2026-06-18, with macOS, Linux, Windows, UI, and checksum assets.
  • The README describes Skillshare as one source of truth for AI CLI skills, agents, rules, commands, and more, syncing to Codex, Claude Code, OpenClaw, OpenCode, and 60+ more tools.
  • The README states that Skillshare supports skills, custom agents, rules, commands, prompts, extras, GitHub/GitLab/Bitbucket/Azure/self-hosted Git installs, security audit, project skills, team repositories, offline-capable local operation, and no telemetry.
  • The README documents Homebrew, shell installer, PowerShell installer, GitHub Actions setup, skillshare init, skillshare sync, skillshare audit, project mode, agent sync, extras sync, commit, upgrade, and UI commands.
  • install.sh detects OS/architecture, resolves the latest GitHub Release, downloads the matching tarball, extracts skillshare, installs it into INSTALL_DIR or uses sudo, and prints next-step commands.
  • install.ps1 resolves the latest GitHub Release, downloads the matching Windows zip, extracts skillshare.exe, installs under the user local app data programs path, and adds that directory to the user PATH if needed.
  • The supported-targets docs list built-in targets including Claude, Codex, Cursor, OpenClaw, OpenCode, Goose, Copilot, Qwen, Windsurf, Warp, Zed, and many others, with global and project paths.
  • The configuration docs document source, mode, targets, target_naming, include/exclude filters, skills, agents_source, extras_source, extras, ignore patterns, and YAML schema comments.
  • The audit-engine docs describe automatic audit during install, manual skillshare audit, 100+ built-in rules, severity tiers, prompt injection, hidden Unicode, data exfiltration, credential access, destructive commands, hardcoded secrets, content integrity, and metadata trust verification.

Safety and Privacy

Skillshare is helpful precisely because it touches many agent runtimes. Treat a sync as a deployment step. Dry-run first, audit untrusted skills, and keep target filters tight until you know which skills belong in Codex, Claude Code, OpenClaw, Cursor, and other configured tools.

The install scripts are convenient but still execute downloaded release artifacts. Prefer pinned versions, Homebrew, or manual release verification when operating in a managed environment. The latest release includes a checksums.txt asset, but the shell and PowerShell installer snippets should still be reviewed before execution.

Do not sync private prompts, customer-specific workflows, internal URLs, credentials, or sensitive local-path assumptions into shared repositories or team targets unless that distribution is intentional.

Duplicate Check

Checked current content/tools/, content/mcp/, content/agents/, content/skills/, guides, README entries, open pull requests, and repository-wide content for Skillshare, runkids/skillshare, skillshare AI skills manager, Codex skills sync, Claude Code skills sync, OpenClaw skills sync, and matching source URLs. No dedicated Skillshare entry, exact source URL duplicate, target file, or open duplicate PR was found.

Disclosure

Editorial listing. No paid placement or affiliate link is used. Skillshare is MIT-licensed open-source software; GitHub Releases, Homebrew, GitHub Actions, remote Git hosts, target AI CLI tools, and any synced third-party skill repositories may have separate licenses, terms, billing, privacy controls, and operational requirements.

#skillshare#agent-skills#codex#claude-code#openclaw#cursor#skill-sync#audit

Source citations

Add this badge to your README

Show that Skillshare is listed on HeyClaude. Paste this Markdown into your README — it renders the badge and links back to this page.

Listed on HeyClaude
[![Listed on HeyClaude](https://heyclau.de/badge/tools/skillshare.svg)](https://heyclau.de/entry/tools/skillshare)

How it compares

Skillshare side by side with 3 alternatives on trust, install, platform support, and disclosed safety notes — all from reviewed registry metadata.

FieldSkillshare

MIT-licensed Go CLI for syncing AI agent skills, agents, rules, commands, prompts, and other file-based resources across Codex, Claude Code, OpenClaw, Cursor, Windsurf, Gemini-style targets, and dozens of other AI CLI tools.

Open dossier 		Skills CLI

MIT-licensed `skills` CLI from Vercel Labs for installing, using, finding, listing, updating, removing, and initializing Agent Skills across Claude Code, Codex, Cursor, OpenCode, OpenClaw, Gemini CLI, GitHub Copilot, Windsurf, Zed, and dozens of other agent hosts.

Open dossier 		Hermes Agent

Nous Research AI agent with terminal UI, messaging gateway, skills, memory, MCP integration, scheduled automations, subagents, terminal backends, OpenClaw migration, model switching, and persistent cross-session workflows.

Open dossier 		Browser Harness

MIT-licensed CDP browser-control harness from Browser Use that lets Claude Code, Codex, and other coding agents connect to a real or cloud Chrome browser, use screenshots and coordinate clicks, edit task-specific helpers, and optionally learn reusable domain skills for web automation workflows.

Open dossier
Trust
Install riskReview firstReview firstReview firstReview first
Notes Safety Privacy Safety Privacy Safety Privacy Safety Privacy
Categorytoolstoolstoolstools
Sourcesource-backedsource-backedsource-backedsource-backed
AuthorrunkidsVercel LabsNous ResearchBrowser Use
Added2026-06-182026-06-182026-06-182026-06-18
Platforms
CursorCodexCLI
CursorCodexCLI
CodexCLI
CodexCLI
Source repo
Safety notesSkillshare writes into multiple agent skill directories. A bad sync can propagate unsafe, stale, or target-incompatible instructions across every configured AI CLI. Run `skillshare sync --dry-run` before the first sync, after target changes, and before `--force`, especially when local skills already exist in target directories. The README documents shell and PowerShell installers that download and execute release artifacts from GitHub. Inspect installer scripts or use a pinned release/Homebrew path when supply-chain control matters. The Unix installer may use `sudo` when installing to `/usr/local/bin`; review `INSTALL_DIR` and PATH behavior before running in managed environments. The audit engine is a useful gate for prompt injection, hidden Unicode, credential access, data exfiltration, destructive commands, hardcoded secrets, and tamper checks, but it is pattern-based and does not prove a skill is safe. Avoid `--force` and broad include patterns until target filters, `.skillignore`, copy/symlink behavior, and backups have been reviewed.Agent Skills are executable instructions for coding agents. Inspect `SKILL.md` and supporting files before installing or using skills from unknown repositories. `skills add`, `skills update`, `skills remove`, and `experimental_sync` can write, replace, symlink, copy, or remove skill folders across many local agent directories. Review `--agent`, `--skill`, `--all`, `--global`, and `--yes` flags before running broad operations. `skills use` can materialize a skill into a temporary directory and print the generated prompt, or start a supported agent interactively with that prompt. Treat untrusted skill text as prompt-bearing code. Symlink install mode keeps a canonical copy and links agent directories to it. Copy mode creates independent copies. Choose deliberately when working across shared repos, Windows environments, containers, or synchronized directories. The CLI includes explicit warnings for OpenClaw community skills in `skills use`; do not bypass those warnings unless you understand the trust model for the selected source. The security audit lookup is best-effort and never blocks installation. A missing or safe-looking audit result is not a substitute for reviewing the skill source.Hermes Agent can run tools, shell commands, terminal sessions, scheduled jobs, subagents, skills, MCP servers, messaging gateways, and remote backends; review permissions before using it on sensitive systems. The README documents one-line shell installers for some platforms. Inspect installer scripts and prefer isolated package installs or disposable environments when evaluating the agent. OpenClaw migration can import settings, memories, skills, command allowlists, messaging settings, API keys, audio assets, and workspace instructions; use dry-run and non-secret presets before migrating real profiles. Scheduled automations and messaging gateways can run unattended and deliver results to external chat systems, so restrict allowed users, home directories, credentials, and write-capable tools. Terminal backends such as local shell, Docker, SSH, Singularity, Modal, and Daytona can touch local files, containers, remote hosts, cloud sandboxes, and GPU infrastructure.Browser Harness can connect agents to a real logged-in Chrome profile. Remote debugging may expose active sessions, extensions, bookmarks, history, page content, downloads, uploads, and account actions to the agent. The documented Way 1 setup uses the user's everyday Chrome profile through `chrome://inspect/#remote-debugging`; require explicit user consent before attaching to sensitive accounts. The documented Way 2 setup launches Chrome with a non-default `--user-data-dir` and remote debugging port; keep that isolated profile separate from everyday browser data. Remote Browser Use Cloud sessions require `BROWSER_USE_API_KEY`, may use proxies, can persist profile state, and can continue billing until timeout or shutdown. Agents using Browser Harness can edit `agent-workspace/agent_helpers.py` and optional domain-skill files; review generated helper code and public skill contributions before reuse. Browser automation can submit forms, send messages, purchase items, scrape websites, change account settings, and upload files. Keep destructive or account-writing tasks behind confirmation.
Privacy notesSkillshare can read, copy, symlink, collect, audit, back up, commit, push, and pull local skill, agent, rule, command, prompt, and extra files. Skills can contain prompts, workflow instructions, local paths, target-specific rules, credentials by mistake, internal URLs, repository conventions, customer context, or model-provider guidance. Audit reports, backups, UI views, logs, git commits, and synced target directories can reveal the contents of private skills and agent instructions. Remote installs from GitHub, GitLab, Bitbucket, Azure DevOps, or self-hosted Git expose repository URLs and may fetch untrusted content into the local source directory before sync. The README describes Skillshare as local, lightweight, offline-capable, and without telemetry; still treat any configured remotes, git pushes, setup actions, and hosted documentation links as external data flows.By default, the CLI can send telemetry to `add-skill.vercel.sh` unless `DISABLE_TELEMETRY` or `DO_NOT_TRACK` is set. Telemetry fields in source include CLI version, CI flag, detected agent name, event type, source, selected skills, selected agents, global flag, source type, update counts, find query, and result counts. Security-audit lookup requests can send the skill source and selected skill slugs to the audit endpoint. Local project and global installs can persist source names, selected skills, agent targets, canonical paths, lock data, symlinks, and copied skill contents on disk. Skill contents used through `skills use` are embedded into the generated prompt and may be sent to the downstream model provider or interactive agent process.Conversation history, memory files, user profiles, skill outputs, session search indexes, tool arguments, tool results, model responses, gateway messages, audio transcripts, and logs may contain sensitive data. Model providers, messaging platforms, search/image/TTS/browser tool gateways, MCP servers, and remote terminal backends may receive prompts, files, commands, account identifiers, or generated outputs depending on configuration. OpenClaw migration may copy memories, persona files, skills, API keys, messaging settings, command allowlists, TTS assets, and workspace instructions into the Hermes profile. Keep provider keys, bot tokens, OAuth grants, migrated secrets, workspace paths, generated summaries, and session search data out of public prompts, screenshots, issues, and examples.Browser Harness workflows can expose page screenshots, DOM text, URLs, cookies-backed login state, account data, downloads, uploads, form inputs, and extracted website data to the agent and configured model providers. Profile sync for Browser Use Cloud is documented as cookies-only, but it still moves browser authentication material into a remote browser environment. Cloud browser live URLs, proxy settings, profile identifiers, daemon logs, `/tmp` socket or pid files, and copied support artifacts may reveal browsing activity or account context. Public domain-skill PRs should not include secrets, private selectors tied to confidential apps, customer data, screenshots, credentials, tokens, or personal browsing history.
Prerequisites
  • A supported install path: Homebrew, GitHub release archive, shell installer, PowerShell installer, or GitHub Actions setup action.
  • One or more local AI CLI tools with skill directories, such as Codex, Claude Code, OpenClaw, Cursor, OpenCode, Windsurf, Qwen, Goose, or a custom target.
  • A source directory for reviewed skills, agents, and extras, or a project-level `.skillshare/` configuration for repo-local skills.
  • A policy for symlink, copy, or merge mode per target, especially on Windows or tools that cannot follow symlinks.
  • Node.js 18 or newer for the published `skills` npm package.
  • At least one supported agent host installed if using auto-detected targets, such as Claude Code, Codex, Cursor, OpenCode, OpenClaw, Gemini CLI, GitHub Copilot, Windsurf, Zed, or another supported agent.
  • A reviewed skill source from GitHub, GitLab, a git URL, a local path, a direct skill folder, or another supported provider.
  • A decision between project-scoped skills that live under the current repository and global skills that live under the user's home/config directories.
  • Python 3.11 through 3.13 for the packaged Python project.
  • uv, pipx, or another isolated Python application installer.
  • Model provider credentials for Nous Portal, OpenRouter, NovitaAI, NVIDIA NIM, OpenAI-compatible endpoints, or another configured provider.
  • A clear tool and terminal-backend policy before enabling local shell, Docker, SSH, Singularity, Modal, Daytona, browser, search, messaging, or MCP features.
  • Python 3.11 or newer, uv, git, and a durable local checkout for editable installation.
  • A Chrome or Chromium-based browser that can be attached through Chrome remote debugging, or a Browser Use Cloud API key for cloud browsers.
  • Codex, Claude Code, or another agent host that can read the Browser Harness `SKILL.md` instructions.
  • A clear boundary for which browser profile, logged-in sites, cloud browser sessions, downloads, uploads, and account actions the agent may access.
Install
brew install skillshare
npm install -g skills
uv tool install hermes-agent
git clone https://github.com/browser-use/browser-harness && cd browser-harness && uv tool install -e .
Config
source: ~/.config/skillshare/skills
mode: merge
targets:
  claude:
    path: ~/.claude/skills
  codex:
    path: ~/.codex/skills
    mode: symlink
  openclaw:
    path: ~/.openclaw/skills
  cursor:
    path: ~/.cursor/skills
    mode: copy
ignore:
  - "**/.git/**"
  - "**/node_modules/**"
{
  "projectInstall": "npx skills add vercel-labs/agent-skills --skill frontend-design -a claude-code",
  "globalInstall": "npx skills add vercel-labs/agent-skills --skill frontend-design -g -a claude-code -y",
  "temporaryUse": "npx skills use vercel-labs/agent-skills@web-design-guidelines | claude",
  "disableTelemetry": "DISABLE_TELEMETRY=1 npx skills list"
}
Citations
ClaimUnclaimedUnclaimedUnclaimedUnclaimed

Signals

Loading live community signals…

More like this, weekly

A short, calm digest of reviewed Claude resources. Unsubscribe any time.