Early Development — Building in the open

Security-first package manager for AI agent skills

Today's skill registries have no versioning, no lockfiles, no permissions, and no code signing. Tank is the npm for agent skills — with security built in from day one.

Declare what your agent is allowed to do

skills.json is like package.json — but with a permissions field. If any skill exceeds the budget, installation fails.

skills.json
{
  "skills": {
    "@vercel/next-skill": "^2.1.0",
    "@community/seo-audit": "3.0.0"
  },
  "permissions": {
    "network": {
      "outbound": ["*.anthropic.com"]
    },
    "filesystem": {
      "read": ["./src/**"],
      "write": ["./output/**"]
    },
    "subprocess": false
  }
}
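How an install-time budget check of this kind can work, as an added example: this is not Tank's own code, and the per-skill request format, the names `@example/fits` and `@example/overreach`, and the deny-by-default and path-normalisation rules are assumptions made for illustration.

```python
from fnmatch import fnmatchcase
import posixpath

# Budget copied from the "permissions" field of the skills.json above.
BUDGET = {
    "network": {"outbound": ["*.anthropic.com"]},
    "filesystem": {"read": ["./src/**"], "write": ["./output/**"]},
    "subprocess": False,
}

# Constructed per-skill requests (hypothetical names and format).
SKILLS = {
    "@example/fits": {
        "network": {"outbound": ["api.anthropic.com"]},
        "filesystem": {"read": ["./src/components/**"], "write": ["./output/report.md"]},
    },
    "@example/overreach": {
        "network": {"outbound": ["telemetry.example.net"]},
        "filesystem": {"read": ["./src/../.env"]},
        "subprocess": True,
    },
}

def _norm(kind, value):
    # Hosts compare case-insensitively; paths are collapsed first so that
    # "./src/../.env" is judged as ".env", not as something under ./src.
    return value.lower() if kind == "network" else posixpath.normpath(value)

def _covered(kind, requested, allowed):
    # Conservative containment: the request, taken as a literal string, must
    # match a budget pattern. Requests using "?" or "[" are refused outright.
    if any(c in requested for c in "?["):
        return False
    req = _norm(kind, requested)
    return any(fnmatchcase(req, _norm(kind, pat)) for pat in allowed)

def budget_violations(budget, name, requested):
    """Return the list of requests that exceed the budget (empty = fits)."""
    out = []
    for kind in ("network", "filesystem"):
        for action, patterns in requested.get(kind, {}).items():
            allowed = budget.get(kind, {}).get(action, [])  # undeclared = denied
            out += [f"{name}: {kind}.{action} {p!r}" for p in patterns
                    if not _covered(kind, p, allowed)]
    if requested.get("subprocess", False) and not budget.get("subprocess", False):
        out.append(f"{name}: subprocess")
    return out

if __name__ == "__main__":
    for name, req in SKILLS.items():
        print(name, budget_violations(BUDGET, name, req) or "within budget")
```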

Security at every layer

From publish to install to runtime — every step is verified, signed, and sandboxed.

🔒 Integrity Verification

Every skill is pinned with sha512 hashes in skills.lock. If content doesn't match its hash, installation fails. No silent tampering.

🛡️ Permission Budgets

Declare what your agent is allowed to do — network, filesystem, subprocess. If any skill exceeds the budget, installation fails.

📊 Audit Scores

Transparent 0–10 security score for every skill. Code signing, static analysis, reproducible builds, vulnerability checks — all visible.

📦 Enforced Semver

Not a social contract — enforced. A patch that adds network access? Rejected. Breaking changes require a major bump.

CLI-First Workflow

Install, publish, audit, and manage permissions from the terminal. Designed for developers, not dashboards.

🌐 Open Source (MIT)

Built in the open from day one. MIT licensed. Community-driven security reviews. No vendor lock-in.

Get started in seconds

Everything you need, right from the terminal.

terminal

# Install with full integrity verification

$ tank install @vercel/next-skill

# See exactly what your agent is allowed to do

$ tank permissions

# Check signatures, vulnerabilities, permission escalations

$ tank audit

# Publish with mandatory signing and static analysis

$ tank publish

Agent skills are more dangerous than npm packages

A malicious npm package runs inside your app's sandbox. A malicious agent skill runs with the agent's full permissions — reading any file, making API calls with your credentials, executing shell commands. The attack surface is fundamentally larger.

ClawHavoc (Feb 2026): 341 malicious skills — 12% of a major marketplace — distributing credential-stealing malware.

Ready to secure your agent skills?

Tank is open source and free. Start publishing and installing skills with confidence.