skrun

mcp
Security Audit
Pass
Health Pass
  • License — License: MIT
  • Description — Repository has a description
  • Active repo — Last push 0 days ago
  • Community trust — 120 GitHub stars
Code Pass
  • Code scan — Scanned 12 files during light audit, no dangerous patterns found
Permissions Pass
  • Permissions — No dangerous permissions requested
Purpose
This tool deploys AI agent skills as callable APIs via a POST endpoint. It translates SKILL.md files into stateful, multi-model APIs that can be called locally or hosted, featuring automatic fallbacks across major LLM providers.

Security Assessment
Overall Risk: Medium. The tool executes shell commands and scripts defined in agent configurations, and makes external network requests to various LLM providers (Anthropic, OpenAI, Google, etc.). It manages sensitive data by handling LLM API keys, though it allows caller-provided keys via the `X-LLM-API-Key` header. No hardcoded secrets or dangerous permission requests were found in the codebase scan. Users should be cautious about the CLI tools and scripts they bundle with their agents, as the tool will execute whatever is defined in the agent's configuration.

Quality Assessment
The project demonstrates strong maintenance and health indicators. It is actively updated (last pushed today), uses the permissive MIT license, and has a solid base of 120 GitHub stars indicating growing community trust. The light code audit scanned 12 files and found no dangerous patterns or malicious code. It features CI testing and standard npm packaging, which are good signs of professional development practices. However, it is still in early development (v0.1) with cloud deployment capabilities on the roadmap.

Verdict
Safe to use, but review custom scripts carefully before deploying agents locally.
SUMMARY

Deploy any Agent Skill as an API via POST /run. Multi-model, stateful, open source.

README.md

Skrun — Deploy any Agent Skill as an API


Turn any Agent Skill (SKILL.md) into a callable API via POST /run. Multi-model, stateful, open source.

Quick Start

npm install -g @skrun-dev/cli
# Import an existing skill → deploy → call
skrun init --from-skill ./my-skill
skrun deploy

curl -X POST localhost:4000/api/agents/dev/my-skill/run \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{"input": {"query": "analyze this"}}'

Get Started

Create a new agent

skrun init my-agent
cd my-agent
# Creates SKILL.md (instructions) + agent.yaml (config)

Import an existing skill

skrun init --from-skill ./path-to-skill
# Reads SKILL.md, asks 2-3 questions, generates agent.yaml

Develop locally

skrun dev
# ✓ Server running at http://localhost:3000
# POST /run ready — watching for changes...
skrun test
# ✓ basic-test (output.score >= 0)
# 1 passed, 0 failed

Deploy

skrun deploy
# ✓ Validated → Built → Pushed
# 🚀 POST http://localhost:4000/api/agents/you/my-agent/run

v0.1 ships with a local runtime. Cloud deploy is on the roadmap — the architecture is ready (RuntimeAdapter interface).

Key Concepts

  • Agent Skills — SKILL.md standard, compatible with Claude Code, Copilot, Codex
  • agent.yaml — Runtime config: model, inputs/outputs, permissions, state, tests
  • POST /run — Every agent is an API. Typed inputs, structured outputs.
  • Multi-model — Anthropic, OpenAI, Google, Mistral, Groq with automatic fallback
  • Stateful — Agents remember across runs via key-value state
  • Tool calling — Two approaches: CLI tools (scripts/ — write your own, bundled with the agent) and MCP servers (npx, standard ecosystem, same as Claude Desktop)

Caller-provided API Keys

By default, POST /run uses the server's LLM API keys (from .env). You can instead provide your own keys per request via the X-LLM-API-Key header:

curl -X POST http://localhost:4000/api/agents/dev/code-review/run \
  -H "Authorization: Bearer dev-token" \
  -H "Content-Type: application/json" \
  -H 'X-LLM-API-Key: {"anthropic": "sk-ant-your-key"}' \
  -d '{"input": {"code": "function add(a,b) { return a + b; }"}}'

The header value is a JSON object mapping provider names to API keys. Accepted providers: anthropic, openai, google, mistral, groq.

Key priority: caller key > server key > 401 error. If the caller key fails (invalid, quota exceeded), the error is returned directly — no fallback to server keys.

Security: caller keys are never logged, stored, or returned in responses. Use HTTPS in production.
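
The header format and key-priority rule described above, as an added example (not skrun's own code). The function names, the `KeyError` class and the 400 status for a malformed header are assumptions made for illustration.

```javascript
// Added example: hypothetical helpers, not skrun's source code.
const PROVIDERS = new Set(["anthropic", "openai", "google", "mistral", "groq"]);

class KeyError extends Error {
  constructor(status, message) {
    super(message);
    this.status = status;
  }
}

// Parse the X-LLM-API-Key header value: a JSON object of provider -> key.
// Assumption: malformed input is rejected with 400 (the page only specifies 401).
function parseCallerKeys(headerValue) {
  if (headerValue === undefined || headerValue === "") return {};
  let parsed;
  try {
    parsed = JSON.parse(headerValue);
  } catch {
    // Never echo the raw header value in the error: it may contain a key.
    throw new KeyError(400, "X-LLM-API-Key must be a JSON object");
  }
  if (parsed === null || typeof parsed !== "object" || Array.isArray(parsed)) {
    throw new KeyError(400, "X-LLM-API-Key must be a JSON object");
  }
  const keys = {};
  for (const [provider, key] of Object.entries(parsed)) {
    if (!PROVIDERS.has(provider) || typeof key !== "string" || key === "") {
      throw new KeyError(400, "X-LLM-API-Key has an unknown provider or empty key");
    }
    keys[provider] = key;
  }
  return keys;
}

// Caller key > server key > 401. The source is returned so that a failing
// caller key can be reported directly and never retried with the server key.
function resolveKey(provider, callerKeys, serverKeys) {
  if (Object.hasOwn(callerKeys, provider)) return { key: callerKeys[provider], source: "caller" };
  if (Object.hasOwn(serverKeys, provider)) return { key: serverKeys[provider], source: "server" };
  throw new KeyError(401, `no API key available for ${provider}`);
}

// Copy request headers for logging with secret-bearing values masked.
function redactHeaders(headers) {
  const secret = new Set(["x-llm-api-key", "authorization"]);
  return Object.fromEntries(
    Object.entries(headers).map(([n, v]) => [n, secret.has(n.toLowerCase()) ? "[REDACTED]" : v])
  );
}
```

A request handler would call `parseCallerKeys` once per request, pass only `redactHeaders(req.headers)` to its logger, and surface provider errors unchanged when `source` is `"caller"`.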

Demo Agents

All examples use Google Gemini Flash by default. Change the model section in agent.yaml to use any supported provider.

Agent            What it shows
code-review      Import a skill, get a code quality API
pdf-processing   Tool calling with local scripts
seo-audit        Stateful — run twice, it remembers and compares
data-analyst     Typed I/O — CSV in, structured insights out
email-drafter    Business use case — non-dev API consumer
web-scraper      MCP server — headless browser via @playwright/mcp

Try an example

# 1. Start the registry
cp .env.example .env          # add your GOOGLE_API_KEY
pnpm dev:registry              # keep this terminal open

# 2. In another terminal
skrun login --token dev-token
cd examples/code-review
skrun build && skrun push

# 3. Call the agent
curl -X POST http://localhost:4000/api/agents/dev/code-review/run \
  -H "Authorization: Bearer dev-token" \
  -H "Content-Type: application/json" \
  -d '{"input": {"code": "function add(a,b) { return a + b; }"}}'

Windows (PowerShell): use curl.exe instead of curl, and use @input.json for the body.

CLI

Command                          Description
skrun init [dir]                 Create a new agent
skrun init --from-skill <path>   Import existing skill
skrun dev                        Local server with POST /run
skrun test                       Run agent tests
skrun build                      Package .agent bundle
skrun deploy                     Build + push + live URL
skrun push / pull                Registry upload/download
skrun login / logout             Authentication
skrun logs <agent>               Execution logs

Full CLI reference →

Documentation

Contributing

git clone https://github.com/skrun-dev/skrun.git
cd skrun
pnpm install && pnpm build && pnpm test

See CONTRIBUTING.md for conventions and setup.

License

MIT
