Publish Your First Skill
This tutorial walks you through publishing your first AI agent skill to the Tank registry in under 10 minutes. By the end, your skill will be scanned, versioned, and available for others to install.
Prerequisites
- Node.js 24+ installed
- A Tank account (sign up free)
- A skill directory you want to share
Step 1: Install the Tank CLI
npm install -g @tankpkg/cli
Verify installation:
tank --version
Step 2: Authenticate
tank login
This opens your browser for GitHub OAuth authentication. Once complete, your API key is stored securely in ~/.tank/config.json.
Step 3: Initialize Your Skill
Navigate to your skill directory and run:
tank init
This creates a tank.json manifest file:
{
  "name": "@acme/my-skill",
  "version": "1.0.0",
  "description": "A brief description",
  "permissions": {
    "network": { "outbound": [] },
    "filesystem": { "read": [], "write": [] },
    "subprocess": false
  }
}
Required Fields
| Field | Description |
|---|---|
| name | Scoped skill identifier (@org/name) |
| version | Semantic version (semver) |
| description | Short description for registry listing |
| permissions | Explicit capability declarations |
Step 4: Declare Permissions
Tank enforces least-privilege by default. Declare only what your skill actually needs:
{
  "name": "@acme/my-skill",
  "version": "1.0.0",
  "description": "Audits SEO for a given URL",
  "permissions": {
    "network": { "outbound": ["api.openai.com"] },
    "filesystem": {
      "read": ["./data/**"],
      "write": ["./output/**"]
    },
    "subprocess": false
  }
}
Skills with minimal, specific permissions are easier to review and less likely to fail project permission budgets during install.
See the Permissions reference for the full permission schema and best practices.
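A pre-publish self-review of the manifest, as an added example that is not part of the Tank CLI or this tutorial's own code. The function name `reviewManifest`, the rules it applies, and the assumption that filesystem globs are relative to the skill directory are all hypothetical; only the field names come from the manifest shown above.

```javascript
// Added example: reviewer heuristics assumed for illustration,
// not the Tank registry's own validation logic.
const REQUIRED = ["name", "version", "description", "permissions"];
const SCOPED_NAME = /^@[a-z0-9][a-z0-9._-]*\/[a-z0-9][a-z0-9._-]*$/;
const SEMVER = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;
function reviewManifest(manifest) {
  const findings = [];
  for (const field of REQUIRED) {
    if (manifest[field] === undefined) findings.push(`missing required field: ${field}`);
  }
  if (typeof manifest.name === "string" && !SCOPED_NAME.test(manifest.name)) {
    findings.push(`name is not scoped (@org/name): ${manifest.name}`);
  }
  if (typeof manifest.version === "string" && !SEMVER.test(manifest.version)) {
    findings.push(`version is not semver: ${manifest.version}`);
  }
  const perms = manifest.permissions || {};
  for (const host of (perms.network || {}).outbound || []) {
    // A wildcard host defeats the point of an outbound allowlist.
    if (host.includes("*")) findings.push(`network.outbound uses a wildcard: ${host}`);
  }
  const fsPerms = perms.filesystem || {};
  for (const mode of ["read", "write"]) {
    for (const glob of fsPerms[mode] || []) {
      const escapes = /^[\/~]/.test(glob) || glob.split("/").includes("..");
      const wholeTree = /^(\.\/)?\*\*?(\/\*)?$/.test(glob);
      if (escapes) findings.push(`filesystem.${mode} leaves the skill directory: ${glob}`);
      else if (wholeTree) findings.push(`filesystem.${mode} covers the whole tree: ${glob}`);
    }
  }
  if (perms.subprocess !== undefined && perms.subprocess !== false) {
    findings.push("subprocess is enabled; confirm the skill really spawns processes");
  }
  return findings;
}

// The Step 4 manifest from this page.
const STEP4_MANIFEST = {
  name: "@acme/my-skill", version: "1.0.0", description: "Audits SEO for a given URL",
  permissions: { network: { outbound: ["api.openai.com"] },
    filesystem: { read: ["./data/**"], write: ["./output/**"] }, subprocess: false }
};
// Constructed counter-example with over-broad declarations.
const BROAD_MANIFEST = {
  name: "my-skill", version: "1.0", description: "Constructed sample",
  permissions: { network: { outbound: ["*"] },
    filesystem: { read: ["./**"], write: ["../shared/**"] }, subprocess: true }
};
console.log(reviewManifest(STEP4_MANIFEST), reviewManifest(BROAD_MANIFEST));
```

The Step 4 manifest produces no findings; the constructed one is flagged for its name, version, wildcard host, both filesystem globs, and subprocess access.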
Step 5: Run Security Scan
Before publishing, run Tank's 6-stage security scanner locally to catch issues early:
tank scan
This runs:
- Ingest — Hashes files, validates tarball structure
- Structure validation — Manifest integrity, file count and size limits
- Static analysis — AST and regex scanning for dangerous patterns, plus Bandit for Python
- Injection detection — Prompt injection and code injection patterns
- Secret scanning — Credential and API key detection
- Supply chain — Dependency vulnerability scanning (OSV API)
Fix any CRITICAL or HIGH findings before proceeding. The registry will reject skills that fail the mandatory security pipeline.
`tank scan` runs the local security check. `tank verify` checks lockfile integrity for installed skills — these are different commands with different purposes.
Step 6: Publish
# Validate first (no upload)
tank publish --dry-run
# Publish for real
tank publish
Your skill is now:
- Scanned for security issues by the full 6-stage pipeline
- Assigned an audit score (0–10) based on quality and security
- Uploaded to the Tank registry tarball storage
- Available for others to install with
tank install @you/my-skill
Step 7: Verify Publication
Check your skill on the registry:
tank info my-skill
Or visit: https://tankpkg.dev/skills/my-skill
You'll see:
- The audit score and security scan results
- Version history and semver metadata
- Declared permissions
- Download and star counts
Next Steps
- Install a skill to see the consumer experience end-to-end
- Read the CLI reference for all available commands and flags
- Learn about the security model to understand how the 6-stage pipeline works
- Security checklist to review your skill against best practices before publishing
- CI/CD Integration to automate publishing with the GitHub Action