Documentation
Everything you need to save, share, verify, and install skills.
Overview
SkillSafe is a secured registry for AI coding tool skills. It provides cryptographic integrity verification, dual-side scan report comparison, and content-addressed storage to ensure every skill you install is exactly what the publisher intended.
For AI tool integration, read the raw guide at /skill.md.
Quick Start
1. Install SkillSafe
Copy and send this message to your AI coding tool:
Install skillsafe from https://skillsafe.ai/skill.mdYour AI tool reads the skill definition, downloads the client, and sets up SkillSafe automatically. Works with Claude Code, Cursor, Windsurf, and any AI coding tool that supports skills.
2. Sign In & Save
skillsafe auth
skillsafe save ./my-skill --version 1.0.0
skillsafe share @myname/my-skill --version 1.0.0Opens your browser to sign in with Google. Saves your skill privately, then shares it via a link. Email verification is required to share; saving is always available.
3. Install & Verify
skillsafe install @publisher/skill-name --tool claudeDownloads, re-scans independently, verifies the report against the publisher's, and installs only if the verdict is verified.
Authentication
All authenticated requests use a Bearer token:
Authorization: Bearer sk_your_api_key_hereAPI keys are hashed with SHA-256 before storage. The server never stores plaintext keys.
Key Limits
- Free: 5 active keys
- Paid: 20 keys
- Enterprise: unlimited
Manage keys at /account/keys.
Saving & Sharing
Saving a Skill
Skills are saved privately by default. No email verification or scan report required.
POST /v1/skills/@{namespace}/{name}
Content-Type: multipart/form-data
Fields:
archive — .tar.gz of the skill directory
scan_report — JSON scan report (optional for save)
metadata — JSON with version, description, category, tagsCreating a Share Link
Sharing creates a link others can use to download and verify a saved version. Requires email verification and a scan report.
POST /v1/skills/@{namespace}/{name}/versions/{version}/share
Body (JSON):
visibility — "private" (link-only) or "public" (discoverable via search)
expires_in — "1d", "7d", "30d", or "never"Size Limits
- Max archive: 10 MB per version
- Free: 10 MB total | Paid: 100 MB | Enterprise: 500 MB
Installing a Skill
GET /v1/skills/@{namespace}/{name}/download/{version}
Authorization: Bearer sk_...After downloading, the consumer CLI extracts, re-scans, submits a report, and installs only on verified.
Verification Model
SkillSafe uses dual-side verification.
Reports match. Safe to install.
Reports disagree. Review before installing.
Tree hashes mismatch. Do not install.
Searching
GET /v1/skills/search?q=formatter&sort=popular&limit=20Sort: popular, recent, verified, trending, hot
Personal Vault
Encrypted backup with AES-256-GCM. Server stores only ciphertext.
PUT /v1/vault/{key}
Authorization: Bearer sk_...API Reference
Base URL: https://api.skillsafe.ai
| Method | Path | Auth |
|---|---|---|
| GET | /v1/account | Yes |
| POST | /v1/skills/@ns/name | Yes |
| GET | /v1/skills/@ns/name | No |
| GET | /v1/skills/search | No |
| POST | /v1/skills/@ns/name/star | Yes |
| POST | /v1/skills/@ns/name/versions/{version}/share | Yes |
| GET | /v1/share/{shareId} | No |
| GET | /v1/share/{shareId}/download | No |
| DELETE | /v1/share/{shareId} | Yes |
| GET | /v1/billing/portal | Yes |
Security Model
- Content-addressed storage: SHA-256 hashes
- Tree hashes: Immutable per-version
- Dual verification: Independent sharer + consumer scans
- API key hashing: SHA-256 before storage
- Vault encryption: AES-256-GCM, client-side
Report issues: security@skillsafe.ai