SkillSafe + Codex
Install verified, scanned skills into Codex with the SkillSafe desktop app or npx skills add.
These commands are prefilled for @owner/skill-name in Codex.
1. Install a skill (recommended)
The fastest way to install a verified skill into Codex is the SkillSafe desktop app (macOS / Windows / Linux). On any skill page, click View in SkillSafe app — the app re-runs a local scan, verifies it against the publisher's report, and writes files to ~/.agents/skills/.
Or install from the command line with Vercel's skills CLI — every SkillSafe skill is cloneable via git, so it works natively:
npx skills add https://api.skillsafe.ai/owner/skill-nameThe skills CLI auto-detects Codex and writes files to the correct location.
Agent prompt
Paste this into Codex when you want the agent to handle setup and verification:
Find a security-scanned skill on SkillSafe for my task, prefer clean scans and tested skills when available, then install it with the SkillSafe desktop app or npx skills add. Before using it, review the SkillSafe security tab, source, and exact version.Desktop app
Best when you want the safest default. The app opens the checked version, re-runs a local scan, compares it to the publisher's report, then writes files for you.
- Best for: first installs and trust-sensitive workflows
- Strength: local verification before files land in
~/.agents/skills/
npx skills add
Best when you want a terminal-first flow, shell history, or automation inside existing dev setup scripts.
- Best for: headless installs and repeatable setup docs
- Strength: no desktop app required; works anywhere the skills CLI runs
Before you trust a skill
- Check the exact version you are installing instead of relying on a moving latest tag.
- Open the source repository and confirm the publisher and subdirectory look expected.
- Prefer the desktop app when you want an extra local verification step before files are written.
2. Optional: add the SkillSafe MCP server
Install skills with the desktop app or npx skills add from step 1. If you also want in-tool search, scanning, and publishing without leaving Codex, add the SkillSafe MCP server to ~/.codex/mcp.json:
{
"mcpServers": {
"skillsafe": {
"url": "https://api.skillsafe.ai/mcp"
}
}
}Restart Codex to pick up the MCP server. You'll get 8 native SkillSafe tools (search, scan, save, share, etc.) — useful for power users, but not required for installing skills.
3. Find more skills
Browse the verified skill registry by category, tag, or publisher, then install any skill with the desktop app or npx skills add from step 1.
If you added the MCP server in step 2, you can also discover skills conversationally — just ask Codex naturally:
"Find a code review skill on SkillSafe"Your agent calls search_skills or recommend_skills to surface matches; install the one you want with the desktop app or npx skills add from step 1.
4. Scan for security issues
Every shared skill on SkillSafe is already scanned, and the desktop app re-verifies each skill against the publisher's report on install. To check anything yourself, paste a GitHub URL into the free scanner — no signup required.
With the MCP server, you can also scan from inside Codex:
"Scan this skill for security issues" or "Scan my MCP config for poisoning"Uses the scan_skill and scan_mcp_config tools. Detects prompt injection, credential theft, exfiltration, and 40+ other patterns. See the full ruleset →
5. Save & share your own skills
Publish your own skills to the registry from the desktop app or the web dashboard. Skills are private by default — sharing creates revocable links and requires a clean scan report.
With the MCP server, you can save and share directly from Codex (add an API key to your MCP config headers):
"Save this skill to SkillSafe as @myname/my-skill version 1.0.0"Uses the save_skill and share_skill MCP tools.