skill-vision-control
Health Pass
- License — License: MIT
- Description — Repository has a description
- Active repo — Last push 0 days ago
- Community trust — 64 GitHub stars
Code Fail
- network request — Outbound network request in package.json
- fs.rmSync — Destructive file system operation in src/svc/cli.ts
- network request — Outbound network request in src/svc/core/checker.ts
- network request — Outbound network request in src/svc/core/manager.ts
- rm -rf — Recursive force deletion command in src/svc/core/security.ts
- network request — Outbound network request in src/svc/core/security.ts
Permissions Pass
- Permissions — No dangerous permissions requested
This is a version manager for MCP skills. It allows developers to track, download, switch, and merge updates for external tools directly from GitHub or npm.
Security Assessment
Overall Risk: Medium
The tool makes several outbound network requests to fetch updates and package information from external sources, which is expected for a package manager but requires awareness. It does not request explicitly dangerous system permissions.
However, the audit failed due to highly destructive file system operations. The codebase utilizes `fs.rmSync` in the CLI and executes `rm -rf` (recursive force deletion) commands within the security scanner. If triggered unexpectedly or exploited, these operations could result in catastrophic data loss. No hardcoded secrets were detected.
Quality Assessment
The project is actively maintained with a recent push (0 days ago) and a decent community footprint (64 stars). It is licensed under the standard MIT license, making it highly accessible for integration and modification.
Verdict
Use with caution. While active and well-structured, the implementation of recursive force deletion commands presents a significant risk to local files and requires thorough testing in isolated environments before deploying in production.
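A guard of the kind this finding calls for, as an added example that is not taken from the SVC code base: every recursive delete is confined to one storage root (for SVC that would be ~/.svc/versions/), and a cleanup helper modelled on `svc cleanup <name> --keep <n>` rejects a non-integer keep count, because `slice(NaN)` would select every version for deletion. The function names and the version-sorting rule are assumptions.

```javascript
// Added example: a guard for recursive deletes; not code from the SVC repository.
const fs = require("node:fs");
const path = require("node:path");

// Returns the canonical path of `target` if it is a strict descendant of `root`,
// otherwise throws. The parent directory is resolved through symlinks; the leaf
// is not, so a symlinked leaf is unlinked rather than followed.
function resolveInside(root, target) {
  const realRoot = fs.realpathSync(root);
  const abs = path.resolve(target); // collapses "." and ".." segments
  const real = path.join(fs.realpathSync(path.dirname(abs)), path.basename(abs));
  const rel = path.relative(realRoot, real);
  const escapes = rel === ".." || rel.startsWith(".." + path.sep) || path.isAbsolute(rel);
  if (rel === "" || escapes) {
    throw new Error(`refusing to delete ${target}: not inside ${realRoot}`);
  }
  return real;
}

// Recursive delete that can only touch entries below `root`.
function safeRemove(root, target) {
  const real = resolveInside(root, target);
  fs.rmSync(real, { recursive: true, force: true });
  return real;
}

// Hypothetical cleanup helper: keeps the `keep` newest version directories of
// one skill (names compared numerically, an assumption) and removes the rest.
function cleanupVersions(root, skillDir, keep) {
  if (!Number.isInteger(keep) || keep < 1) {
    throw new Error("keep must be an integer >= 1"); // slice(NaN) would delete all
  }
  const newestFirst = fs.readdirSync(skillDir)
    .sort((a, b) => b.localeCompare(a, undefined, { numeric: true }));
  return newestFirst.slice(keep).map((v) => safeRemove(root, path.join(skillDir, v)));
}
```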
Safe MCP Skill version manager - detect updates, A/B testing, smart merge
Skill Vision Control (SVC)
Safe MCP Skill Version Manager - Detect updates, parallel testing, smart merge, confirm before replace
Features
- 🔍 Update Detection - Automatically detect new versions from GitHub/npm
- 🛡️ Security Scanning - Auto scan before download (Sentinel integration)
- 📦 Version Management - Keep multiple versions, switch anytime
- 🔀 Smart Merge - Merge official updates with your custom changes
- 🧪 A/B Testing - Test new versions before switching
- ⏰ Scheduled Checks - Automatic weekly/monthly update checks
- 🔔 Notifications - Desktop notifications for updates
- 🤖 MCP Server - Let AI manage your skills
Installation
npm install -g skill-vision-control
Or with yarn:
yarn global add skill-vision-control
Quick Start
# Add a skill to manage
svc add weather --source github:username/weather-mcp
# Check for updates
svc check
# Download new version (keeps old version)
svc download weather
# Test and switch
svc switch weather --version v1.1.0
# Or if you have custom changes, merge them
svc merge weather
Commands
Skill Management
| Command | Description |
|---|---|
| `svc add <name> --source <url>` | Register a skill (github:user/repo or npm:package) |
| `svc list` | List all managed skills |
| `svc info <name>` | Show detailed information |
| `svc remove <name>` | Remove a skill |
Version Control
| Command | Description |
|---|---|
| `svc check [name]` | Check for updates |
| `svc download <name>` | Download new version (keep old) |
| `svc versions <name>` | List all local versions |
| `svc switch <name> -v <version>` | Switch to specific version |
| `svc rollback <name>` | Rollback to previous version |
| `svc confirm <name>` | Confirm current version |
| `svc cleanup <name> --keep <n>` | Clean old versions |
Custom Modifications
| Command | Description |
|---|---|
| `svc fork <name>` | Create custom branch for modifications |
| `svc save <name> -c "comment"` | Save your modifications |
| `svc diff <name>` | View differences from official |
| `svc merge <name>` | Merge official update with your changes |
| `svc conflicts <name>` | View merge conflicts |
| `svc resolve <name> -f <file> -u <choice>` | Resolve conflicts |
Schedule
| Command | Description |
|---|---|
| `svc schedule set -i <days>` | Set check interval (1/7/14/30 days) |
| `svc schedule show` | Show current schedule |
| `svc schedule enable` | Enable scheduled checks |
| `svc schedule disable` | Disable scheduled checks |
| `svc schedule run` | Manually trigger check |
Security Scanning
| Command | Description |
|---|---|
| `svc scan <path>` | Scan any skill directory for security issues |
| `svc audit [name]` | Audit installed skill(s) |
| `svc download <name> --skip-security` | Download without security scan (not recommended) |
Workflow Examples
Basic Update Flow
# 1. Check for updates
svc check
# Output: weather: v1.0.0 → v1.1.0 available
# 2. Download (old version preserved)
svc download weather
# 3. Test new version
svc switch weather -v v1.1.0 -t official
# 4. If good, confirm; if not, rollback
svc confirm weather
# or
svc rollback weather
Security Audit Before Install
# Scan a skill before installing
svc scan ~/Downloads/some-mcp-skill
# Output:
# 🛡️ Sentinel Security Scan Report
# ══════════════════════════════════════════════════
# Risk Level: MEDIUM
# Recommendation: REVIEW
#
# ⚠️ SUSPICIOUS: 3 items found
# - src/api.ts:15 - Network request (axios)
# - src/config.ts:8 - Environment variable access
# Audit all installed skills
svc audit
# Audit specific skill with details
svc audit weather -v
Custom Changes + Update
# 1. Create custom branch
svc fork weather
# 2. Make your modifications...
# 3. Save changes
svc save weather -c "Added Chinese language support"
# 4. Later, when update available
svc check
# Output: ⚠️ You have custom changes. Use "svc merge"
# 5. Download and merge
svc download weather
svc merge weather
# 6. If conflicts exist
svc conflicts weather
svc resolve weather -f src/config.ts -u custom
# 7. Test merged version
svc switch weather -v v1.1.0-merged -t merged
# 8. Confirm
svc confirm weather
Using as MCP Server
Add to your MCP configuration:
{
  "mcpServers": {
    "skill-vision-control": {
      "command": "svc",
      "args": ["serve"]
    }
  }
}
Available MCP tools:
- svc_list_skills - List all managed skills
- svc_get_skill_info - Get skill details
- svc_check_updates - Check for updates
- svc_get_versions - Get local versions
- svc_switch_version - Switch version
- svc_rollback - Rollback to previous
- svc_download_update - Download new version
- svc_merge - Merge with custom changes
- svc_get_conflicts - View merge conflicts
Data Storage
All data is stored in ~/.svc/:
~/.svc/
├── skills.json      # Skill registry
├── schedule.json    # Schedule settings
├── config.json      # Global config
└── versions/        # Version storage
    └── <skill>/
        ├── official/
        ├── custom/
        ├── merged/
        └── active -> ...
Security Scanning
SVC integrates Sentinel security patterns for automatic code scanning.
Detection Capabilities
| Level | Description | Examples |
|---|---|---|
| CRITICAL | High-risk patterns | eval(), exec(), rm -rf, registry access |
| SUSPICIOUS | Needs review | Network requests, env vars, file operations |
| WARNING | Potential issues | Long lines, high entropy files |
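How a pattern-based scanner arrives at the three finding levels in this table, as an added example: the regexes and thresholds are assumptions, not Sentinel's or SVC's rule set, and the sample sources are constructed. The last sample file shows that a scanner's own signature list matches the rules just as a real call does, so CRITICAL hits still need a manual look.

```javascript
// Added example: the rules and thresholds are assumptions, not Sentinel's or SVC's.
const RULES = [
  { level: "CRITICAL", label: "eval()", re: /\beval\s*\(/ },
  { level: "CRITICAL", label: "exec()", re: /\bexec(Sync)?\s*\(/ },
  { level: "CRITICAL", label: "rm -rf", re: /\brm\s+-(rf|fr)\b/ },
  { level: "SUSPICIOUS", label: "Network request", re: /\b(axios|fetch)\b/ },
  { level: "SUSPICIOUS", label: "Environment variable access", re: /\bprocess\.env\b/ },
  { level: "SUSPICIOUS", label: "File operation", re: /\bfs\.(rm|unlink|writeFile)\w*\s*\(/ },
];
const MAX_LINE = 500;    // assumed "long line" threshold, in characters
const MAX_ENTROPY = 5.5; // assumed "high entropy" threshold, in bits per character

// Shannon entropy of a string in bits per character.
function entropy(s) {
  const chars = [...s];
  const counts = new Map();
  for (const ch of chars) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) h -= (n / chars.length) * Math.log2(n / chars.length);
  return h;
}

// One finding per matching rule per line; file-level findings use line 0.
function scanFile(file, text) {
  const findings = [];
  text.split("\n").forEach((line, i) => {
    for (const { level, label, re } of RULES) {
      if (re.test(line)) findings.push({ file, line: i + 1, level, label });
    }
    if (line.length > MAX_LINE) findings.push({ file, line: i + 1, level: "WARNING", label: "Long line" });
  });
  if (text && entropy(text) > MAX_ENTROPY) {
    findings.push({ file, line: 0, level: "WARNING", label: "High entropy file" });
  }
  return findings;
}

// Constructed sample sources; none of this is from the SVC repository.
const SAMPLE = {
  "src/api.ts": 'import axios from "axios";',
  "src/config.ts": "export const key = process.env.API_KEY;",
  "src/clean.ts": 'execSync("rm -rf " + dir);',
  "src/rules.ts": 'export const SIGNATURES = ["rm -rf", "eval("];',
};

const scanAll = (files) => Object.entries(files).flatMap(([f, t]) => scanFile(f, t));

for (const f of scanAll(SAMPLE)) console.log(`${f.level}: ${f.file}:${f.line} - ${f.label}`);
```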
Risk Levels
| Level | Action |
|---|---|
| SAFE | Safe to install |
| LOW | Minor concerns, review recommended |
| MEDIUM | Review required before install |
| HIGH | Significant risks detected |
| CRITICAL | Do not install without careful review |
Auto-Scan on Download
When you run svc download, a security scan runs automatically:
svc download weather
# 🛡️ Running security scan...
# ✅ Security scan passed
# ✓ Download complete
If issues are found:
svc download untrusted-skill
# 🛡️ Running security scan...
# 🛑 Security scan found critical issues!
# ? Do you still want to proceed? (NOT RECOMMENDED) (y/N)
To skip (not recommended):
svc download weather --skip-security
Configuration
Supported Sources
- GitHub: github:username/repo or username/repo
- npm: npm:package-name
Schedule Options
- 1d - Daily checks
- 7d - Weekly checks (default)
- 14d - Bi-weekly checks
- 30d - Monthly checks
Contributing
Contributions are welcome! Please feel free to submit a Pull Request.
License
MIT License - see LICENSE for details.
📱 Follow Me
If this repo helped you, follow me for more AI skills, versioning tools, A/B comparisons, and automation workflows.
- X (Twitter): @xiaoerzhan
- WeChat Official Account: Scan to follow
Follow my WeChat Official Account for more AI skills, version control workflows, A/B comparisons, and system upgrades.