The Package Manager
for AI Agents
Install from registries or any URL — every package scanned through a 6-stage security pipeline. Permission budgets, SHA-512 lockfiles, and escalation detection. What npm did for JavaScript, Tank does for AI agents.
Works with
How Tank compares
Agent skills deserve the same security infrastructure as npm packages — and more.
| Feature | npm | Current Registries | Tank |
|---|---|---|---|
| Versioning | Semver | Git tags / none | Semver + escalation detection |
| Lockfile | package-lock.json | None | tank.lock with SHA-512 |
| Permission model | Network, filesystem, subprocess | ||
| Security scanning | npm audit (deps only) | Basic / none | 6-stage pipeline |
| Audit score | Transparent 0–10 | ||
| Escalation detection | Auto-flagged at publish | ||
| Install from URL | No scanning | Scanned before install | |
| Self-hosted | Verdaccio etc. | 7-step setup wizard | |
| MCP server | 17 tools, full CLI parity |
Why Tank Exists
Agent skills today have zero security infrastructure.
Today's Reality
No versioning
Skills update silently. No lockfiles, no pinning, no rollback. What you installed yesterday might be different today.
No permissions
Every skill runs with the agent's full access — files, API keys, shell commands. No sandboxing, no boundaries.
No scanning
341 malicious skills (12% of a major marketplace) went undetected. ClawHavoc shipped credential-stealing malware.
With Tank
Locked versions + integrity
SHA-512 hashes pin every package. Tampered content fails on install. Enforced semver with permission escalation detection.
Permission budgets
Declare network, filesystem, and subprocess limits. Packages that exceed the budget are rejected before they run.
6-stage security pipeline
Every package is scanned at publish time: ingestion, validation, static analysis, injection detection, secrets scanning, dependency audit.
Self-host for your organization
Run your own registry internally. Keep packages in your network with the same security guarantees.
How Tank Works
Three steps from publish to verified.
Publish with scanning
Every package passes through a 6-stage security pipeline before it reaches the registry.
- ▸Ingestion & hashing
- ▸Structure validation
- ▸Static analysis (Semgrep + Bandit)
- ▸Injection detection
- ▸Secrets scanning (detect-secrets)
- ▸Dependency audit (OSV)
Install with integrity
Every package is pinned with SHA-512 hashes in a lockfile. If the content changes after install, the next verify fails.
- ▸SHA-512 integrity hashing
- ▸Lockfile pinning (tank.lock)
- ▸Tamper detection on verify
- ▸Install from URL — scanned first
Run with permissions
Declare what your agent can do. Packages exceeding the permission budget are rejected before they run.
- ▸Network outbound allowlists
- ▸Filesystem read/write scopes
- ▸Subprocess enable/disable
- ▸Escalation detection on update
Security at every layer
From publish to install — every package is scanned, scored, and verified.
Every package pinned with sha512 hashes. If content doesn't match, installation fails. No silent tampering.
Declare what your agent can do — network, filesystem, subprocess. Packages exceeding the budget are rejected.
Transparent 0–10 security score. Static analysis, permission matching, package hygiene — all visible.
Not a social contract. A patch that adds network access? Detected and flagged. Permission escalation requires a major bump.
Scoped API tokens for CI/CD — read-only, publish-only, or full access. Revoke instantly from the dashboard.
Create organizations, invite members, assign roles (owner/admin/member). Scoped publishing per team.
Scan any package URL from the web UI. Full 6-stage pipeline with Semgrep, Bandit, secrets detection, and LLM analysis.
Filter by verdict, freshness, atom type, popularity. Star packages. Browse trending skills and top publishers.
Machine identities for CI/CD pipelines. Scoped permissions, no human credentials needed. Full audit trail.
20+ commands — install, publish, audit, build, search, verify, permissions. Designed for developers.
Every action logged — publishes, installs, permission changes, moderation decisions. Filter by action, user, or date.
Built in the open from day one. MIT licensed. Transparent scanning. No vendor lock-in.
7 primitives. Every platform.
Atoms are the building blocks of AI agent skills. Write once in tank.json, compile to native configs for every editor.
System prompts & behavioral rules
Lifecycle events (pre-file-write, pre-command, ...)
MCP tools agents can invoke
Autonomous sub-agents with scoped roles
Guardrails & constraints that override instructions
External data sources (APIs, databases, files)
Reusable prompt templates with variables
Combine 2+ atoms into a single installable skill
# One command compiles for every editor
$ tank build
build
Reading tank.json → 3 instructions, 2 hooks, 1 tool
├ .claude/commands/ ✓
├ .cursor/rules/ ✓
├ .opencode/ ✓
├ .windsurf/rules/ ✓
└ .clinerules/ ✓
compiled 6 atoms for 5 platforms
Declare what your agent is allowed to do
tank.json is like package.json — but with permissions.
{
"skills": {
"@vercel/next-skill": "^2.1.0",
"@community/seo-audit": "3.0.0"
},
"permissions": {
"network": {
"outbound": ["*.anthropic.com"]
},
"filesystem": {
"read": ["./src/**"],
"write": ["./output/**"]
},
"subprocess": false
}
}Your secrets never leave your machine
The Credential Vault intercepts API keys before they reach any LLM provider. Format-preserving tokenization means agents work normally — but real credentials stay local.
# Launch agent with vault protection
$ tank run claude
vault
Detected 3 credentials in environment
├ sk_live_4eC39H → sk_live_fK9mR2vL8nP3
├ AKIAIOSFODNN → AKIAXQMR7NWG5BPT
└ ghp_xxMJsa91 → ghp_kL4nR8vP2mQ6wX
proxy listening on 127.0.0.1:9384
launching claude with vault protection...
Detect
10 credential patterns matched via regex
Tokenize
CSPRNG format-preserving fakes generated
Proxy
HTTP intercept swaps fakes before LLM sees them
Restore
Real credentials restored in agent output
Detected credential types
Works with Claude Code, Cursor, OpenCode, Codex, and any agent
Get started in seconds
Everything you need, right from the terminal.
# Install Tank CLI
$curl -fsSL https://raw.githubusercontent.com/tankpkg/tank/main/install.sh | sh
# Install with integrity verification
$tank install @vercel/next-skill
# Launch agent with Credential Vault protection
$tank run claude
# Compile atoms for Claude Code, Cursor, OpenCode, and more
$tank build
# Search the registry
$tank search "react hooks"
# View 6-stage security scan results
$tank audit
# Verify lockfile integrity (SHA-512)
$tank verify
# Diagnose your setup in one command
$tank doctor
Native in your editor
The Tank MCP server gives your AI agent 17 tools — full CLI parity, right inside your IDE. No terminal needed.
Install & update
Install, update, and remove packages without leaving your editor
Search & discover
Search the registry and view package details inline
Security scanning
Scan packages and view audit results directly
Publish
Pack, scan, and publish — all from your IDE
Permissions & verify
Check permission budgets and verify lockfile integrity
Diagnostics
Run tank doctor to troubleshoot your setup
{
"mcpServers": {
"tank": {
"command": "npx",
"args": ["@tankpkg/mcp-server"]
}
}
}# Works with: Claude Code · Cursor · VS Code Copilot · OpenCode · Windsurf · Cline · Roo Code
Run it on your infrastructure
One Docker image. Your database, your storage, your auth. Full control, no data leaves your network.
# Deploy Tank in one command
$ docker compose up -d
# Open the setup wizard
$ open https://tank.internal/setup
Setup wizard
7-step guided deployment — database, storage, auth providers, scanner LLM, admin user. Production-ready in minutes.
Admin panel
Full moderation dashboard — manage users, packages, organizations. Quarantine, ban, rescan. Every action audit-logged.
Flexible storage
S3-compatible object storage (AWS, MinIO, Cloudflare R2) or local filesystem for single-instance deployments.
SSO & OIDC
Bring your own identity provider — GitHub OAuth, any OIDC-compliant IdP (Okta, Azure AD, Keycloak), or email/password.
Organizations
Teams with scoped publishing, member invitations, and role-based access. Service accounts for CI/CD pipelines.
CLI from your instance
Users install the Tank CLI directly from your instance — pre-configured with your registry URL. No npm required.
Built by the community
Thank you to everyone who has contributed.
Frequently Asked Questions
What is Tank?
Tank is a security-first package manager for AI agent packages. It provides integrity verification (SHA-512), permission budgets, 6-stage security scanning, and enforced semver — features that current package registries lack.
How is this different from npm?
npm manages JavaScript packages. Tank manages AI agent packages — the reusable capabilities you add to coding agents like Claude Code or Cursor. Unlike npm, Tank enforces permission budgets and scans every package through a 6-stage security pipeline before publication.
Is Tank free?
Yes. Tank is open source under the MIT license. The registry, CLI, and security scanner are all free to use.
How does the security scanning work?
Every package goes through 6 stages: ingestion (SHA-512 hashing), structure validation, static analysis (Semgrep + Bandit), injection detection, secrets scanning (detect-secrets), and dependency audit (OSV). Packages receive a 0–10 audit score and a verdict: PASS, FLAGGED, or FAIL.
Who built Tank?
Tank is built by developers who saw the ClawHavoc incident — where 341 malicious skills (12% of a major marketplace) distributed credential-stealing malware — and decided AI agent packages deserved the same security infrastructure as npm packages.
Ready to secure your agent packages?
Tank is open source and free. Install with confidence.