Documentation
Everything you need to publish, verify, and install skills.
Overview
SkillSafe is a secured registry for AI coding tool skills. It provides cryptographic integrity verification, dual-side scan report comparison, and content-addressed storage to ensure every skill you install is exactly what the publisher intended.
For AI tool integration, read the raw guide at /skill.md.
Quick Start
1. Install SkillSafe
Copy and send this message to your AI coding tool:
Install skillsafe from https://skillsafe.ai/skill.md
Your AI tool reads the skill definition, downloads the client, and sets up SkillSafe automatically. Works with Claude Code, Cursor, Windsurf, and any AI coding tool that supports skills.
2. Register & Publish
skillsafe auth myname --email me@example.com
skillsafe scan ./my-skill
skillsafe publish ./my-skill --version 1.0.0
Creates your account, scans your skill for security issues, generates a tree hash, and uploads with the scan report. Email verification is required before publishing.
3. Install & Verify
skillsafe install @publisher/skill-name --claude
Downloads, re-scans independently, verifies the report against the publisher's, and installs only if the verdict is verified.
Authentication
All authenticated requests use a Bearer token:
Authorization: Bearer sk_your_api_key_here
API keys are hashed with SHA-256 before storage. The server never stores plaintext keys.
Key Limits
- Free: 5 active keys
- Paid: 20 keys
- Enterprise: unlimited
Manage keys at /account/keys.
Publishing a Skill
POST /v1/skills/@{namespace}/{name}
Content-Type: multipart/form-data
Fields:
archive — .tar.gz of the skill directory
scan_report — JSON scan report
metadata — JSON with version, description, category, tags
Size Limits
- Max archive: 10 MB per version
- Free: 10 MB total | Paid: 100 MB | Enterprise: 500 MB
Installing a Skill
GET /v1/skills/@{namespace}/{name}/download/{version}
Authorization: Bearer sk_...
After downloading, the consumer CLI extracts, re-scans, submits a report, and installs only on verified.
Verification Model
SkillSafe uses dual-side verification.
Reports match. Safe to install.
Reports disagree. Review before installing.
Tree hashes mismatch. Do not install.
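The three outcomes above, worked through as an added example that is not SkillSafe's own code. The tree-hash construction, the report fields `tree_hash` and `findings`, and every verdict label other than `verified` are assumptions made for illustration; the sample skill directory is constructed.

```python
import hashlib
import tempfile
from pathlib import Path


def tree_hash(root: Path) -> str:
    """Assumed construction: SHA-256 over a sorted (path, file SHA-256) manifest."""
    outer = hashlib.sha256()
    rels = sorted(p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file())
    for rel in rels:
        name = rel.encode()
        digest = hashlib.sha256((root / rel).read_bytes()).digest()
        # Length-prefix the path so ("ab", "c") and ("a", "bc") cannot collide.
        outer.update(len(name).to_bytes(4, "big") + name + digest)
    return outer.hexdigest()


def verdict(publisher: dict, consumer: dict) -> str:
    """Return 'verified' only when both the tree hashes and the findings agree."""
    if publisher["tree_hash"] != consumer["tree_hash"]:
        return "hash-mismatch"      # hypothetical label: do not install
    if sorted(publisher["findings"]) != sorted(consumer["findings"]):
        return "reports-disagree"   # hypothetical label: review before installing
    return "verified"


def demo() -> dict:
    """Build a constructed skill directory and exercise all three outcomes."""
    with tempfile.TemporaryDirectory() as tmp:
        skill = Path(tmp)
        (skill / "SKILL.md").write_text("# formatter\n")
        (skill / "scripts").mkdir()
        (skill / "scripts" / "run.sh").write_text("echo format\n")
        published = {"tree_hash": tree_hash(skill), "findings": []}

        same = {"tree_hash": tree_hash(skill), "findings": []}
        # "shell-exec" is a constructed finding name, not a real scanner rule.
        differs = {"tree_hash": tree_hash(skill), "findings": ["shell-exec"]}

        # Simulate an archive altered after the publisher scanned it.
        (skill / "scripts" / "run.sh").write_text("echo format; echo extra\n")
        tampered = {"tree_hash": tree_hash(skill), "findings": []}

    return {"match": verdict(published, same),
            "disagree": verdict(published, differs),
            "tampered": verdict(published, tampered)}


if __name__ == "__main__":
    print(demo())
```

The hash comparison runs first because a report is only meaningful for the exact bytes it was produced from; findings are compared only once both sides are known to have scanned the same tree.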
Searching
GET /v1/skills/search?q=formatter&sort=popular&limit=20
Sort: popular, recent, verified, trending, hot
Personal Vault
Encrypted backup with AES-256-GCM. Server stores only ciphertext.
PUT /v1/vault/{key}
Authorization: Bearer sk_...
API Reference
Base URL: https://api.skillsafe.ai
| Method | Path | Auth |
|---|---|---|
| POST | /v1/register | No |
| GET | /v1/account | Yes |
| POST | /v1/skills/@ns/name | Yes |
| GET | /v1/skills/@ns/name | No |
| GET | /v1/skills/search | No |
| POST | /v1/skills/@ns/name/star | Yes |
| GET | /v1/billing/portal | Yes |
Security Model
- Content-addressed storage: SHA-256 hashes
- Tree hashes: Immutable per-version
- Dual verification: Independent publisher + consumer scans
- API key hashing: SHA-256 before storage
- Vault encryption: AES-256-GCM, client-side
Report issues: security@skillsafe.ai