Tank Documentation
Tank is a security-first package manager for AI agent skills — the npm for the agent era, built after the ClawHavoc incident revealed that 341 malicious skills (12% of a major marketplace) were distributing credential-stealing malware. Where other registries have no versioning, no lockfiles, no permissions, and no security scanning, Tank enforces all four from day one.
Agent skills execute with the agent's full authority — reading files, making API calls, running shell commands. Tank treats that seriously.
Product Guarantees
Every skill installed through Tank is subject to:
| Guarantee | How It Works |
|---|---|
| SHA-512 integrity | Every tarball is verified against a cryptographic hash in tank.lock before extraction |
| Mandatory security scanning | 6-stage pipeline (ingest → structure → static → injection → secrets → supply chain) runs on publish |
| Permission declarations | Skills declare what they need in tank.json; installation fails if a skill exceeds your budget |
| Deterministic lockfile | tank.lock pins exact versions and hashes — same behavior as npm ci, reproducible everywhere |
If any skill exceeds the permission budget, installation fails. This single feature would have prevented ClawHavoc.
Choose Your Path
I'm a Skill Publisher
You build skills that extend AI coding agents. You want to ship quickly without compromising on security posture.
- Getting Started — Install the CLI and authenticate
- Publish Your First Skill — End-to-end tutorial in under 10 minutes
- Publishing Reference — `tank.json` manifest, versioning, semver rules
- Security Checklist — Pre-publish security review
- GitHub Action — Automate publishing in CI with `tankpkg/tank@v1`
Quick start:
```bash
npm install -g @tankpkg/cli
tank login
tank init              # creates tank.json
tank publish --dry-run
tank publish
```
I'm a Skill Consumer
You use AI coding agents (Claude Code, Cursor, etc.) and want to install community or org-internal skills safely.
- Getting Started — Install the CLI
- Installing Skills — `tank install`, lockfile workflow, permission review
- Permissions — Understand the permission model before granting access
- CI/CD Integration — Install skills in GitHub Actions, GitLab CI, Docker
Quick start:
```bash
npm install -g @tankpkg/cli
tank install @org/skill-name
tank permissions       # review what was granted
tank verify            # SHA-512 integrity check
```
I'm in Ops / Security / Self-Hosting
You're deploying Tank for your organization, enforcing internal policies, or need air-gapped operation.
- Self-Hosting — Full deployment runbook (Docker Compose + Kubernetes Helm)
- Self-Host in 15 Minutes — Quickstart with Docker Compose
- Organizations — Namespacing, team access, and member management
- Security Model — Deep dive on the 6-stage scanner, verdict rules, and audit scores
- API Reference — REST endpoints for automation and integration
All Documentation Pages
Core Concepts
| Page | Description |
|---|---|
| Getting Started | Install the CLI, authenticate, and run your first command |
| Publishing | tank.json manifest reference, versioning, and publish workflow |
| Installing | Install skills, manage the lockfile, and review permissions |
| Security Model | 6-stage scanning pipeline, verdict rules, and audit scores |
| Permissions | Declare, review, and enforce skill permission boundaries |
Tutorials
| Page | Description |
|---|---|
| Publish Your First Skill | Step-by-step tutorial — from tank init to live registry listing |
| Security Checklist | Pre-publish checklist covering permissions, code, and secrets |
| Self-Host in 15 Minutes | Docker Compose deployment in one session |
Integrations
| Page | Description |
|---|---|
| CI/CD Integration | GitHub Actions, GitLab CI, Docker pipeline examples |
| GitHub Action | Official tankpkg/tank@v1 action — publish and install in CI |
| MCP Server | Use Tank tools directly inside AI editors via Model Context Protocol |
| Search | Full-text skill discovery, filtering, and the search API |
| Organizations | Create orgs, manage members, publish under @org/ namespaces |
Reference
| Page | Description |
|---|---|
| CLI Reference | Every tank command with flags, examples, and exit codes |
| API Reference | REST API endpoints for the registry and admin operations |
| Self-Hosting | Full production deployment guide with Docker Compose and Helm |
Why Tank Exists
In February 2026, the ClawHavoc incident revealed a systemic failure: 341 malicious skills had been distributed through a major AI agent skill marketplace for weeks before detection. No versioning. No lockfiles. No permissions. No scanning. 12% of listed skills contained credential-stealing malware.
AI agent skills are fundamentally more dangerous than npm packages because they execute with the agent's full authority — reading your files, calling external APIs, running shell commands. Tank was built to apply the security discipline the ecosystem was missing from day one.
Tank is open source under the MIT License. The CLI is published as `@tankpkg/cli` on npm. Contribute at [github.com/tankpkg/tank](https://github.com/tankpkg/tank).