Scan AI agent skills for prompt injection before you install them
╔════════════════════════════════════════════════════════╗
║ ███████╗██╗ ██╗██╗ ██╗██╗ ████████╗ ██████╗ ║
║ ██╔════╝██║ ██╔╝██║ ██║██║ ╚══██╔══╝██╔═══██╗ ║
║ ███████╗█████╔╝ ██║ ██║██║ ██║ ██║ ██║ ║
║ ╚════██║██╔═██╗ ██║ ██║██║ ██║ ██║ ██║ ║
║ ███████║██║ ██╗╚██████╔╝███████╗██║ ╚██████╔╝ ║
║ ╚══════╝╚═╝ ╚═╝ ╚═════╝ ╚══════╝╚═╝ ╚═════╝ ║
╠════════════════════════════════════════════════════════╣
║ CROSS-PLATFORM AI SKILLS MANAGEMENT ║
╚════════════════════════════════════════════════════════╝
Skulto is a cross-platform CLI tool for managing AI coding assistant skills across 33 platforms. It provides:
- Multi-platform installation - Install skills to Claude Code, Cursor, Windsurf, Copilot, Codex, Cline, Roo Code, Gemini CLI, Kiro CLI, and 25+ more
- Repository management - Add, sync, and remove skill repositories
- Full-text search - SQLite FTS5-powered search across all indexed skills
- Security scanning - Detect prompt injection and dangerous code patterns
- Platform detection - Automatically detects which AI tools are installed on your system
- Interactive TUI - Bubble Tea-powered terminal interface with collapsible groups, multi-select, and keyboard navigation
- URL-based install - Install directly from GitHub repositories via
skulto install owner/repo
- 33 platform support - Claude Code, Cursor, Windsurf, GitHub Copilot, OpenAI Codex, OpenCode, Cline, Roo Code, Gemini CLI, Kiro CLI, Amp, Continue, Goose, Junie, Qwen Code, Trae, and more
- Platform detection - Detects installed AI tools and surfaces them in platform choosers
- Offline-first - Works without internet after initial sync
- Fast search - FTS5-powered full-text search with BM25 ranking (~50ms latency)
- Git-based sync - Clone and pull repositories for reliable updates
- Security scanner - Detects prompt injection in frontmatter, references, scripts and dangerous patterns with threat levels
- Smart multi-skill install - Install multiple skills from a repository URL with per-skill conflict resolution (skip already-installed, add new locations, or skip all)
- Scope selection - Install skills globally (
~/) or per-project (./) with separate control per platform - Collapsible platform groups - Detected/preferred platforms at top, all others in a collapsed group across all choosers
- Install location memory - Optionally remember your platform/scope choices for future installs
- Favorites - Save favorite skills that persist across database resets
- Recently viewed - Tracks and displays skills you've recently viewed
- MCP Server - Model Context Protocol server for AI tool integration (search, install, manage skills programmatically)
- Telemetry - Anonymous usage stats (opt-out with env var in Settings)
Skulto detects and installs skills to 33 AI coding tools:
| Claude Code | Cursor | Windsurf | GitHub Copilot |
| OpenAI Codex | OpenCode | Cline | Roo Code |
| Gemini CLI | Kiro CLI | Amp | Continue |
| Goose | Junie | Kilo Code | Trae |
| Qwen Code | Kimi Code CLI | CodeBuddy | Command Code |
| Crush | Droid | Kode | MCPJam |
| Mux | OpenHands | Pi | Qoder |
| Zencoder | Neovate | Pochi | Antigravity |
| Moltbot |
brew install asteroid-belt/tap/skultoTo upgrade:
brew upgrade asteroid-belt/tap/skulto# Clone the repository
git clone https://github.com/asteroid-belt/skulto.git
cd skulto
# Install dependencies
make deps
# Build (outputs to ./build/)
make build-all
# Run
./build/skulto- Go 1.25+
- (Optional)
GITHUB_TOKENfor higher API rate limits
# Launch the TUI (guided onboarding on first run)
skulto
# Or install skills directly from a repository URL
skulto install asteroid-belt/skillsOn first launch, Skulto walks you through onboarding:
- Platform selection - Detected AI tools appear at top; select which ones to sync skills to
- Skill selection - Curated starter skills from Asteroid Belt (superplan, superbuild, teach, agentsmd-generator, and more)
- Location chooser - Pick global or project scope per platform, with your previous selections pre-filled
Skulto works like a package manager for AI agent skills. Use skulto.json to define the skills your project needs, then skulto sync to install them — so every developer and CI environment has the same skill setup.
# 1. Install skills into your project
skulto install superplan
skulto install teach
# 2. Save project skills to a manifest
skulto save
# 3. Commit skulto.json to your repo
git add skulto.json
git commit -m "add skulto skill manifest"
# 4. Teammates (or CI) sync from the manifest
skulto syncThe manifest tracks which skills your project depends on and where they come from:
{
"version": 1,
"skills": {
"superplan": "asteroid-belt/skills",
"teach": "asteroid-belt/skills",
"resume-ats-optimizer": "paramchoudhary/resumeskills"
}
}Each entry maps a skill slug to its source repository (owner/repo). When a teammate runs skulto sync, Skulto clones any missing repositories, resolves the skills, and installs them to the selected platforms.
Captures your current project-scope installations into skulto.json:
$ skulto save
SAVED to skulto.json
teach asteroid-belt/skills
superplan asteroid-belt/skills
2 skill(s) savedOnly project-scope installations are saved — global installs are personal and not shared via the manifest.
Reads skulto.json and installs any missing skills:
$ skulto sync
SYNCING from skulto.json (2 skills)
────────────────────────────────────────────────
Done! Installed: 2, Skipped: 0On sync, Skulto:
- Adds any source repositories not already in the local database
- Resolves each skill by slug
- Prompts for platform and scope selection (or uses detected defaults with
-y) - Skips skills that are already installed at the selected locations
Shows all installed skills and where they're installed:
$ skulto check
SKILL INSTALLED LOCATIONS
─────────────────────────────────────────────────────────────
superplan claude (global), codex (global + project)
teach claude (global + project)
2 skill(s) installedBoth skulto save and skulto check automatically detect skills that exist on disk (as symlinks in your project's platform dirs) but are missing from the database. This happens after migrations, database resets, or when a teammate installs skills outside of Skulto.
$ skulto check
RECONCILED 2 project skill(s)
brainstorming claude
modern-python codex
SKILL INSTALLED LOCATIONS
─────────────────────────────────────────────────────────────
brainstorming claude (project)
modern-python codex (project)
2 skill(s) installedPlain directories in your project (skills committed directly to the repo) are left alone — they don't need Skulto management.
skulto
Key Bindings:
| Key | Action |
|---|---|
/ |
Open search |
j / k |
Navigate down / up |
h / l |
Navigate left / right (between columns) |
↑ / ↓ |
Navigate results |
Enter |
Select / confirm |
Space |
Toggle selection (in choosers) |
f |
Toggle favorite / bookmark |
i |
Install / manage skill locations |
c |
Copy skill content to clipboard |
p |
Pull/sync repositories |
Esc |
Back / cancel |
q |
Quit |
The home view displays three columns:
- Installed Skills - Your installed skills (scrollable, shows up to 5 at a time)
- Recently Viewed Skills - Skills you've recently viewed
- Top Tags - Popular skill categories
When you select a skill, you'll see:
- Install / Manage - Install to new platforms or manage existing locations
- Metadata - Author, category, source repository
- Tags - Categorized skill tags
- Security status - Threat level from security scan
- Full markdown content - Rendered with syntax highlighting and scrolling
- Copy to clipboard - Press
cto copy the full skill content
When installing a skill, you choose where to install it:
- Platform headers - Each AI tool listed with nested scope options
- Global vs Project - Install to
~/.claude/skills/(user-wide) or./.claude/skills/(project-local) - Collapsible groups - Preferred/detected platforms at top, others collapsed below
- Remember locations - Optionally save choices for future installs
- Quick keys -
aall,nnone,gglobal only,pproject only
Press i on an installed skill to manage its locations:
- Installed platforms shown at top with checkboxes pre-selected
- Other platforms collapsed below in an expandable group
- Add/remove locations across any combination of platforms and scopes
Skulto provides CLI subcommands for scripting and automation:
| Command | Purpose |
|---|---|
skulto |
Launch the interactive TUI |
skulto install <slug or repo> |
Install skills by slug or from a repository URL |
skulto uninstall <slug> |
Uninstall a skill from selected platforms |
skulto save |
Save project-scope installations to skulto.json |
skulto sync |
Install all skills from skulto.json manifest |
skulto check |
List all installed skills and their locations |
skulto add <repo> |
Add a skill repository and sync its skills |
skulto list |
List all configured source repositories |
skulto pull |
Pull/sync all repositories and reconcile installed skills |
skulto remove [repo] |
Remove a repository (interactive selection if no repo specified) |
skulto scan |
Scan skills for security threats |
skulto update |
Pull + scan with change reporting |
skulto info <slug> |
Show detailed information about a skill |
skulto favorites add <slug> |
Add a skill to favorites |
skulto favorites remove <slug> |
Remove a skill from favorites |
skulto favorites list |
List all favorited skills |
skulto feedback |
Open the feedback/bug report page |
Install skills by slug or directly from a GitHub repository:
# Install a single skill by slug
skulto install superplan
# Install from a repository (auto-detects all skills)
skulto install asteroid-belt/skills
# Install from a full GitHub URL
skulto install https://github.com/asteroid-belt/skills
# Non-interactive mode (accept defaults)
skulto install asteroid-belt/skills -yWhen installing from a repository URL:
- Skulto syncs the repository and presents all available skills
- Select which skills to install with an interactive checklist
- Choose target platforms with a collapsible platform chooser (detected platforms at top)
- Smart skip for already-installed skills: prompted with
y(add locations),N(skip, default), ors(skip all remaining) - Final summary shows installed, skipped, and failed counts
Add a skill repository to Skulto:
# Short format
skulto add asteroid-belt/skills
# Full URL
skulto add https://github.com/asteroid-belt/skills
# Skip initial sync
skulto add asteroid-belt/skills --no-syncSync all registered repositories:
skulto pullThis clones/updates all repositories and reconciles installed skill state with the filesystem.
Remove a repository and all its skills:
# Interactive selection
skulto remove
# Specify repository
skulto remove asteroid-belt/skills
# Skip confirmation
skulto remove asteroid-belt/skills --forceScan skills for security threats:
# Scan all skills
skulto scan --all
# Scan specific skill by slug or ID
skulto scan --skill teach
# Scan skills from a source
skulto scan --source asteroid-belt/skills
# Scan only unscanned skills
skulto scan --pendingReports threat levels: CRITICAL, HIGH, MEDIUM, LOW
Combined pull + scan with reporting:
# Update and scan new/updated skills
skulto update
# Update and scan ALL skills
skulto update --scan-allManage your favorite skills. Favorites persist across database resets and are stored separately in ~/.agents/skulto/favorites.json.
# Add a skill to favorites
skulto favorites add docker-expert
# Remove a skill from favorites
skulto favorites remove docker-expert
# List all favorited skills
skulto favorites listYou can also toggle favorites in the TUI by pressing f on any skill detail view.
Skulto includes an MCP (Model Context Protocol) server that exposes skills to Claude Code and other MCP-compatible clients. This enables AI assistants to search, browse, install, and manage skills and repositories programmatically.
Add to your Claude Code settings (.claude.json):
{
"mcpServers": {
"skulto": {
"command": "/opt/homebrew/bin/skulto-mcp",
"type": "stdio"
}
}
}| Tool | Description |
|---|---|
skulto_search |
Search skills using full-text search with BM25 ranking |
skulto_get_skill |
Get detailed information about a skill including full content and tags |
skulto_list_skills |
List all skills with pagination |
skulto_browse_tags |
List available tags by category (language, framework, tool, concept, domain) |
skulto_get_stats |
Get database statistics (total skills, tags, sources) |
skulto_get_recent |
Get recently viewed skills |
skulto_install |
Install a skill to any supported platform (33 platforms, global or project scope) |
skulto_uninstall |
Uninstall a skill from specified platforms |
skulto_favorite |
Add or remove a skill from favorites |
skulto_get_favorites |
Get favorite skills |
skulto_check |
List all installed skills and their installation locations |
skulto_add |
Add a skill repository and sync its skills |
The MCP server also exposes resources for direct skill access:
| Resource URI | Description |
|---|---|
skulto://skill/{slug} |
Full markdown content of a skill |
skulto://skill/{slug}/metadata |
JSON metadata including tags, source, and stats |
Skulto stores data in ~/.agents/skulto/, coexisting with other agent tooling under the shared ~/.agents/ namespace:
| Path | Purpose |
|---|---|
~/.agents/skulto/skulto.db |
SQLite database |
~/.agents/skulto/skulto.log |
Logfile |
~/.agents/skulto/repositories/ |
Cloned git repositories |
~/.agents/skulto/skills/ |
User's local skills directory |
~/.agents/skulto/favorites.json |
Favorite skills (persists across DB resets) |
Upgrading from a previous version? If you have an existing
~/.skulto/directory, Skulto automatically migrates it to~/.agents/skulto/on first launch — including database records and installed skill symlinks. No manual steps required.
# Build
make build # Production build
make dev # Development build with race detector
# Test
make test # Run all tests with coverage
make test-race # Run with race detector
# Lint
make lint # Run golangci-lint
make format # Format code
# Clean
make clean # Remove build artifactsskulto/
├── cmd/skulto/ # Main CLI entry point
├── cmd/skulto-mcp/ # MCP server binary
├── internal/
│ ├── cli/ # Cobra CLI commands (add, install, pull, etc.)
│ │ └── prompts/ # Interactive CLI prompts (platform selector)
│ ├── config/ # Configuration (env vars only)
│ ├── db/ # GORM + SQLite + FTS5 database layer
│ ├── detect/ # AI tool detection on system
│ ├── embedding/ # Embedding provider abstraction
│ ├── favorites/ # File-based favorites persistence
│ ├── installer/ # Skill installation via symlinks (33 platforms)
│ ├── llm/ # LLM provider abstraction
│ ├── log/ # Structured logging
│ ├── mcp/ # MCP server implementation
│ ├── migration/ # Database migrations
│ ├── models/ # Data structures (Skill, Tag, Source, etc.)
│ ├── scraper/ # GitHub scraping (git clone based)
│ ├── search/ # Search service
│ ├── security/ # Security scanner for skills
│ ├── telemetry/ # PostHog analytics (opt-in)
│ ├── testutil/ # Test utilities
│ ├── tui/ # Bubble Tea TUI
│ │ ├── components/ # Reusable UI components (dialogs, selectors)
│ │ └── views/ # Screen views (home, search, detail, onboarding, manage)
│ └── vector/ # Vector store
├── pkg/version/ # Version info (set via ldflags)
└── scripts/ # Build and release scripts
Skulto is configured entirely via environment variables (no config file):
| Variable | Purpose |
|---|---|
GITHUB_TOKEN |
Higher GitHub API rate limits (optional) |
OPENAI_API_KEY |
Embeddings for semantic search (optional) |
SKULTO_TELEMETRY_TRACKING_ENABLED |
Set to false to disable telemetry |
Skulto collects anonymous usage stats (command frequency, error rates) to improve the tool. Telemetry is enabled by default.
To opt-out:
export SKULTO_TELEMETRY_TRACKING_ENABLED=falseNo personal data, no IP addresses are collected. See more in events.
- Overview - Project identity and key features
- Architecture - System design, components, and data flow
- Getting Started - Prerequisites, installation, and first run
- Development - Contributing workflow, testing, and CI/CD
- Architecture Decision Records - Key technical decisions and rationale
- Glossary - Domain terminology
Contributions welcome! Please read CONTRIBUTING.md first.
MIT License - see LICENSE for details.
Made with ❤️ by Asteroid Belt