capa
Health Warn
- No license — Repository has no license file
- Description — Repository has a description
- Active repo — Last push 0 days ago
- Low visibility — Only 8 GitHub stars
Code Fail
- execSync — Synchronous shell command execution in scripts/generate-version.ts
- process.env — Environment variable access in scripts/generate-version.ts
- execSync — Synchronous shell command execution in scripts/update-install-scripts.ts
- process.env — Environment variable access in scripts/update-install-scripts.ts
- network request — Outbound network request in src/cli/commands/auth.ts
Permissions Pass
- Permissions — No dangerous permissions requested
This package manager for AI agents lets you define skills, manage credentials, and proxy executable tools via a single MCP server for clients like Cursor and Claude.
Security Assessment
Overall risk: Medium. The tool is designed to expose shell commands as MCP tools, which inherently requires careful handling. The audit found synchronous shell command execution (`execSync`) in build scripts (`generate-version.ts` and `update-install-scripts.ts`). While these are likely build-time utilities rather than runtime threats, they still warrant attention. The codebase accesses environment variables to handle configurations and credentials. Additionally, it makes outbound network requests within the authentication module (`auth.ts`), which is expected for a credential manager. No hardcoded secrets or dangerous system permissions were detected. However, the README indicates installation via piped curl scripts, which is a common attack vector if the hosting server is ever compromised.
Quality Assessment
Quality and maintenance appear to be actively in progress. The repository saw its last push today, indicating active development. However, community trust and visibility are currently very low, with only 8 GitHub stars. While the README displays an MIT license badge, the automated scan failed to find a formal license file in the repository. The lack of a verified license means you should confirm the legal terms before adopting it in a commercial project.
Verdict
Use with caution — the core functionality of proxying shell commands and managing credentials carries inherent risks, and the project currently lacks the maturity and community adoption to be considered highly trusted.
CAPA is a powerful package manager for AI agents that allows you to define skills and tools, manage credentials, and seamlessly integrate with MCP clients like Cursor and Claude
CAPA: Agentic Capabilities Manager
CAPA is a powerful capabilities manager for AI agents that allows you to define skills and tools, manage credentials, and seamlessly integrate with agents like Cursor and Claude.
Why CAPA?
AI agents need two things to be useful: knowledge of when and how to act, and the ability to actually do it. Most setups treat these separately — tools are wired up in one place, instructions scattered somewhere else. CAPA brings them together as a single unit called a capability.
- Skills provide the knowledge — markdown documents that give an agent context, instructions, and decision-making guidance for a specific task.
- Tools provide the ability — executable functions the agent calls to interact with the world: APIs, shell commands, file operations, and more.
A tool without knowledge leaves the agent unsure when to use it. Knowledge without tools leaves the agent unable to act. CAPA pairs them declaratively in a single capabilities.yaml file that you can version-control, share across a team, and reproduce on any machine.
Features
- 🔌 Single MCP server that proxies only the necessary tools
- ⚡ Dynamic on-demand tool loading
- 🖥️ Expose shell commands as MCP tools
- 💻 Run any configured tool from the terminal with
capa sh - 🔑 Credential management via interactive UI or
.envfile - 🛡️ Security controls (blocked phrases, character sanitization)
- 📦 Compatible with skills.sh
- 🤖 Supports Cursor and Claude plugin installation
- 🔒 Installation of skills and plugins from private repositories (GitHub and GitLab)
- 🧠 Self-improving agents
- 🎯 Default argument values for MCP tools
- 🔧 CLI prerequisite verification before installation
Installation
macOS and Linux:
curl -LsSf https://capa.infragate.ai/install.sh | sh
Windows:
powershell -ExecutionPolicy ByPass -c "irm https://capa.infragate.ai/install.ps1 | iex"
Quick Start
1. Initialize your project
cd your-project
capa init
This creates a capabilities.yaml file where you define your agent's tools and skills.
2. Define your capabilities
providers:
- cursor
skills:
- id: web-researcher
type: inline
def:
content: |
---
name: web-researcher
description: Search the web for information
---
Use the brave.search tool to find current information online.
requires:
- "@brave.search"
servers:
- id: brave
type: mcp
description: Brave web search
def:
cmd: npx -y @modelcontextprotocol/server-brave-search
env:
BRAVE_API_KEY: ${BraveApiKey}
tools:
- id: search
type: mcp
description: Search the web using Brave Search
def:
server: "@brave"
tool: brave_web_search
3. Install and launch
capa install
CAPA installs your skills, starts the capability server, and automatically registers with your MCP client (Cursor, Claude Desktop).
4. Run tools from the terminal
capa sh # list all available commands
capa sh brave # list brave subcommands
capa sh brave search --query "…" # run a tool directly
capa sh turns every configured tool into a CLI command. MCP tools are exposed as server_name.tool_name and grouped under their server ID in the CLI. Command tools appear at the top level (or under a custom group). Any unrecognised command is passed through to the OS shell.
Documentation
For complete guides, examples, and API reference, visit:
License
MIT
Reviews (0)
Sign in to leave a review.
Leave a reviewNo results found