skillgrab

agent
Security Audit
Warn
Health Warn
  • License — License: MIT
  • Description — Repository has a description
  • Active repo — Last push 0 days ago
  • Low visibility — Only 5 GitHub stars
Code Warn
  • network request — Outbound network request in scripts/og.mjs
  • process.env — Environment variable access in src/cli.ts
Permissions Pass
  • Permissions — No dangerous permissions requested
Purpose
This agent scans your project to detect your technology stack and automatically downloads and installs matching AI agent skills from the skills.sh registry. It is designed to work with tools like Claude Code and Cursor without requiring manual configuration.

Security Assessment
Overall risk: Medium. The tool makes outbound network requests to fetch skills from external registries, which is its core functionality. It accesses environment variables (likely for API keys or agent configurations) in the CLI script. No hardcoded secrets or dangerous permission requests were found. However, because it automatically downloads and installs external files into your development environment, there is an inherent supply-chain risk. You are ultimately trusting both this tool and the third-party skills it downloads.

Quality Assessment
The project is very new and has extremely low visibility, with only 5 GitHub stars. However, it is actively maintained (last updated today) and uses a standard, permissive MIT license. The README is well-documented, provides clear usage instructions, and includes a `--dry-run` flag, which is a good security practice that allows you to preview exactly what it plans to do before making any changes.

Verdict
Use with caution — the tool itself appears safe, but its low community adoption and the inherent risks of automatically downloading external code warrant a careful review of the skills it installs.
SUMMARY

One command. Scan any project and auto-install matching AI agent skills from skills.sh. Zero config. Detects JS, Python, Go, mobile, infra + non-code needs.

README.md

skillgrab

One command. The right AI skills for your project.



npx skillgrab

skillgrab scans your project, detects your stack — frontend, backend, mobile, infra, marketing — and installs the right AI agent skills from skills.sh in one command. Works with Claude Code, Cursor, Cline, Codex, and 40+ other agents.


🌐 Landing page · 📦 npm · 📋 Changelog



What it does

$ npx skillgrab

  skillgrab v0.5.0

▸ Tech signals
  next.js            package.json → next
  tailwind           package.json → tailwindcss
  supabase           package.json → @supabase/supabase-js
  stripe             package.json → stripe
  clerk              package.json → @clerk/nextjs

▸ Install plan
  ★ vercel-labs/agent-skills/find-skills          ← next.js    12.9k installs
  ★ supabase/agent-skills/supabase-best-practices ← supabase   30.2k installs
  ★ stripe/ai/stripe-best-practices               ← stripe      5.1k installs
  ★ clerk/skills/clerk-nextjs-patterns            ← clerk       8.4k installs

▸ Detected agents: claude-code, cursor

  Installing to: claude-code, cursor
  ✔ Installed 4 skills.

skills.sh has 90,000+ skills. Picking the right ones manually is tedious. skillgrab reads your package.json, requirements.txt, Dockerfile, and README, ranks by trust + popularity, validates against GitHub, and installs — all without any setup.


Commands

npx skillgrab — install skills for your project

npx skillgrab                        # scan, confirm, install
npx skillgrab --dry-run              # preview, don't install
npx skillgrab --only-trusted         # trusted owners only (anthropics, vercel, supabase…)
npx skillgrab --agent cursor         # target a specific agent
npx skillgrab --agent claude-code,cursor,cline   # multi-agent
npx skillgrab --yes                  # skip prompts
npx skillgrab --json                 # output plan as JSON

npx skillgrab status — see what you have installed

$ npx skillgrab status

▸ Installed skills (claude-code, cursor)

  skill                          agents        registry    installs
  ─────────────────────────────────────────────────────────────────
  find-skills                    claude-code   ✔ found     12.9k
  supabase-best-practices        claude-code   ✔ found     30.2k
  stripe-best-practices          claude-code   ✔ found      5.1k
  my-custom-workflow             claude-code   – missing   –

  ✔ 3 of 4 skills found in registry.
  Run `npx skillgrab update` to reinstall / refresh all skills.

Cross-references every installed skill against the live registry. Shows which are outdated or custom-only.

npx skillgrab update — refresh installed skills

npx skillgrab update                 # reinstall all registry-tracked skills
npx skillgrab update --only-trusted  # restrict to trusted owners
npx skillgrab update --agent cursor  # update for a specific agent
npx skillgrab update --yes           # skip confirmation

Pulls the latest version of every skill from GitHub. Supports all the same flags as install.


How it works

  project dir
       │
       ▼
  scan files ──── package.json, requirements.txt,
                  pubspec.yaml, go.mod, Dockerfile,
                  Gemfile, composer.json, README…
       │
       ▼
  detect signals (35+ stack detectors)
       │
       ▼
  query skills.sh /api/search (live)
       │
       ▼
  rank: trusted-owner boost + log₁₀(installs)
       │
       ▼
  validate: GitHub Trees API (drop stale slugs)
       │
       ▼
  interactive multi-select
       │
       ▼
  npx skills add — grouped by repo, --skill flags,
  one clone per repo, installs to all detected agents

Multi-agent

skillgrab auto-detects installed agents by probing their config dirs (~/.claude, ~/.cursor, ~/.cline, etc.) and installs skills to all of them at once.

Claude Code · Cursor · Cline · Codex
· Continue · Gemini CLI · Warp · Windsurf
· GitHub Copilot · Roo · OpenCode · Goose
· Aider · Amp · Qwen Code · Kilo · Replit · Trae · …

Override with --agent <list> or SKILLGRAB_AGENT env var.


Supported stacks

JavaScript / TypeScript

React · Next.js · Vue · Nuxt · Angular · Svelte · SvelteKit · Astro · Remix · Solid
· Tailwind · Chakra · MUI · styled-components
· TypeScript · Express · Fastify · Hono · tRPC
· Prisma · Drizzle · Supabase · Firebase · MongoDB · Redis
· Clerk · Auth.js / NextAuth · Stripe
· OpenAI · Anthropic · Vercel AI SDK · LangChain
· React Native · Expo · Electron
· Vitest · Jest · Playwright · Cypress

Python

Django · Flask · FastAPI · Starlette · Pandas · NumPy · PyTorch · TensorFlow · LangChain · OpenAI · Anthropic · Celery · SQLAlchemy · pytest

Mobile

Flutter (pubspec.yaml) · Swift (Package.swift, .xcodeproj) · Android / Kotlin (Gradle)

Backend

Go (go.mod) · Rust (Cargo.toml) · Ruby + Rails (Gemfile) · PHP + Laravel (composer.json) · Java / JVM (pom.xml, build.gradle) · Elixir / Phoenix (mix.exs)

Infra / CI

Docker · docker-compose · Vercel · Netlify · Fly.io · Render · Cloudflare Workers · Serverless · Terraform · GitHub Actions

Non-code (detected from README)

Marketing · Copywriting · SEO · Design · Figma · Branding · Product management · Sales · Outreach · Operations · Analytics · Content strategy · Social


Security

Skills are SKILL.md files that execute with full agent tool permissions — they can read/write files, run shell commands, and make network calls. Treat a skill like an npm dependency: vet before you install.

| | What skillgrab does |
|---|---|
| Trusted-owner ranking (★) | Skills from anthropics, vercel, vercel-labs, supabase, stripe, clerk, openai, microsoft, github, google, cloudflare, apify, openclaudia are boosted and marked ★ |
| --only-trusted flag | Restricts the plan to the allowlist above, drops everything else |
| GitHub validation | Every candidate's skillId/SKILL.md verified to exist before presenting — no stale or typosquatted entries |
| Interactive multi-select | Nothing installs until you confirm each skill |
| --dry-run | Full plan preview, zero side effects |

# Recommended for production / untrusted projects
npx skillgrab --only-trusted --dry-run   # preview trusted skills only
npx skillgrab --only-trusted             # install trusted skills only
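
An independent check of an install plan against the trusted-owner allowlist above, as an added example (not skillgrab's own code). It assumes plan entries are `owner/repo/skill` slugs as shown in the install plan output; the function names and the lookalike threshold (edit distance of 2 or less) are assumptions of this sketch.

```javascript
// Allowlist copied from the README's Security table.
const TRUSTED_OWNERS = ["anthropics", "vercel", "vercel-labs", "supabase", "stripe",
  "clerk", "openai", "microsoft", "github", "google", "cloudflare", "apify", "openclaudia"];

// Levenshtein edit distance, used to spot owners that nearly match a trusted one.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1,
        prev[j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1));
    }
    prev = cur;
  }
  return prev[b.length];
}

// Classify one slug: trusted, lookalike (near a trusted owner), untrusted, or malformed.
function classifySlug(slug) {
  const parts = slug.split("/");
  if (parts.length !== 3 || parts.some((p) => !/^[A-Za-z0-9._-]+$/.test(p))) {
    return { slug, verdict: "malformed" };
  }
  const owner = parts[0].toLowerCase(); // GitHub owner names are case-insensitive
  if (TRUSTED_OWNERS.includes(owner)) return { slug, verdict: "trusted" };
  const near = TRUSTED_OWNERS.find((t) => editDistance(owner, t) <= 2);
  return near
    ? { slug, verdict: "lookalike", resembles: near }
    : { slug, verdict: "untrusted" };
}

// Gate a whole plan: passes only if every entry has an exactly trusted owner.
function gatePlan(slugs) {
  const results = slugs.map(classifySlug);
  return { ok: results.every((r) => r.verdict === "trusted"), results };
}

// Constructed sample plan: two slugs from the README output, two made-up ones.
const samplePlan = [
  "vercel-labs/agent-skills/find-skills",
  "stripe/ai/stripe-best-practices",
  "supabse/agent-skills/supabase-best-practices", // constructed lookalike owner
  "example-owner/some-repo/some-skill",           // constructed unknown owner
];
console.log(JSON.stringify(gatePlan(samplePlan), null, 2));
```

A `lookalike` verdict is a prompt for manual review, since an existence check on GitHub alone does not distinguish a similarly named owner from the intended one.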

vs. the alternatives

skillgrab npx skills find npx skills add manually
Auto-detects your stack
Reads README for non-code needs
Validates against GitHub
Dedupes by skill name
Installs to all agents at once
status + update subcommands
Zero config partial

Environment

| Var | Purpose |
|---|---|
| SKILLGRAB_AGENT | Default agent(s), comma-separated. Overridden by --agent. |
| AUTOSKILLS_REGISTRY | Override skills.sh base URL (for testing) |
| GITHUB_TOKEN | Bypass the 60/hr unauth GitHub API rate limit on validation |

Development

git clone https://github.com/briascoi/skillgrab
cd skillgrab
npm install
npm run build
node dist/cli.js --dry-run

Stack detectors live in src/detect/. Add a file there and wire it into src/detect/index.ts to add a new stack.


Contributing

PRs welcome — especially new stack detectors. Open an issue first for anything substantial.


MIT · built by Ismael Briasco · @briascoi
