
CLI Reference

v1.0.18

Complete reference for every vskill command. Run npx vskill@latest --help or npx vskill@latest <command> --help for inline usage in your terminal.

vskill install <source>

Install a skill after running a full security scan. The source can be a skill name from the verified-skill.com registry, a GitHub repository, or a local file path. Every install triggers a security scan — there is no way to skip it.

```bash
npx vskill@latest install <source>
```

| Flag | Description |
| --- | --- |
| `--yes`, `-y` | Accept scan results and install without confirmation prompt |
| `--global`, `-g` | Install the skill globally instead of to the current project |
| `--copy` | Copy the skill file instead of symlinking it |
| `--skill <name>` | Install a specific skill from a multi-skill repository |
| `--plugin <name>` | Install a specific plugin by name from a repository |
| `--repo <owner/repo>` | Install from a GitHub repository |
| `--agent <id>` | Install to a specific agent only (e.g. cursor, claude) |
| `--force` | Overwrite an existing installation |
| `--all` | Install all skills from a multi-skill repository |

Source types:

| Source type | Example |
| --- | --- |
| Registry name | `npx vskill@latest install remotion-best-practices` |
| GitHub repo | `npx vskill@latest install remotion-dev/skills` |
| Repo + plugin | `npx vskill@latest install --repo anton-abyzov/vskill --plugin frontend` |
| Local path | `npx vskill@latest install ./my-skill` |

Auto-detection

vskill detects all installed AI agents (Claude Code, Cursor, Copilot, Windsurf, etc.) and installs the skill to all of them. Use --agent cursor to target a single agent.

vskill find <query>

Search the verified-skill.com registry for skills matching a keyword or category. Returns skill names, descriptions, trust tiers, and install counts.

```bash
npx vskill@latest find <query>
```

```bash
# Search by keyword
npx vskill@latest find react

# Search by category
npx vskill@latest find --category frontend
```

vskill scan <path>

Run a security scan on a skill without installing it. Useful for skill authors who want to check their skill before submitting. Reports pattern matches, severity scores, and the overall verdict (PASS / CONCERNS / FAIL).

```bash
npx vskill@latest scan <path>
```

```bash
# Scan a local skill
npx vskill@latest scan ./my-skill

# Verbose output with pattern details
npx vskill@latest scan --verbose ./my-skill
```

Pre-submission check

Always run vskill scan before vskill submit. The scan is identical to what the registry runs — if it passes locally, it will pass on submit.

vskill list

Show all installed skills with their trust tier, version, source, and install location. Displays both project-level and global installations.

```bash
npx vskill@latest list
```

vskill remove <skill>

Remove an installed skill. Cleans up symlinks and config entries from all detected agents, or a specific agent with --agent.

```bash
npx vskill@latest remove <skill>
```

```bash
npx vskill@latest remove remotion-best-practices
```

vskill update [skill]

Update an installed skill to its latest version. Diffs the new version against the locked version, re-scans for security issues, and shows a summary of changes before applying. If the scan fails, the update is blocked.

```bash
npx vskill@latest update [skill]
```

| Flag | Description |
| --- | --- |
| `--all` | Update all installed skills at once |

```bash
# Update a single skill
npx vskill@latest update remotion-best-practices

# Update all installed skills
npx vskill@latest update --all
```

vskill audit [path]

Run a full security audit on all skills in a project directory. Scans every installed skill, checks for blocklisted skills, and produces a consolidated report. Supports CI mode for pipeline integration and SARIF output for GitHub code scanning.

```bash
npx vskill@latest audit [path]
```

| Flag | Description |
| --- | --- |
| `--ci` | CI mode — exit with non-zero code on findings above threshold |
| `--report sarif` | Output results in SARIF format for GitHub code scanning |
| `--severity <levels>` | Filter by severity levels (comma-separated: high,critical) |

```bash
# Audit current project
npx vskill@latest audit

# CI pipeline with SARIF output
npx vskill@latest audit --ci --report sarif

# Only show high and critical findings
npx vskill@latest audit --severity high,critical
```

CI integration

In CI mode, the audit exits with code 1 if any findings match the severity filter. Add npx vskill@latest audit --ci to your CI pipeline to block deployments with untrusted skills.
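
A fail-closed CI gate built around the exit-code behaviour described above, as an added example that is not part of the vskill documentation. It assumes the report is written to stdout and that any exit status other than 0 or 1 means the audit itself did not run properly; `audit_gate` and the report file name are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: fail-closed wrapper around an audit command in CI.
# Assumptions (not from the vskill docs): the report is written to stdout,
# and any exit status other than 0 or 1 means the tool itself failed.

# audit_gate <report-file> <command> [args...]
# Returns 0 = clean, 1 = findings matched the filter, 2 = audit unreliable.
audit_gate() {
  local report="$1"; shift
  local status=0

  # Capture the report; stderr stays on the job log for troubleshooting.
  "$@" > "$report" || status=$?

  case "$status" in
    0)
      # A "pass" with an empty report usually means the scanner never ran
      # (network failure, wrong working directory), so do not trust it.
      if [ ! -s "$report" ]; then
        echo "audit gate: exit 0 but empty report, failing closed" >&2
        return 2
      fi
      echo "audit gate: no findings matched the severity filter" >&2
      return 0
      ;;
    1)
      echo "audit gate: findings reported, see $report" >&2
      return 1
      ;;
    *)
      # e.g. 127 when npx is missing from the build image
      echo "audit gate: audit command failed with status $status" >&2
      return 2
      ;;
  esac
}

# Pipeline usage (flags as documented above):
#   audit_gate vskill-audit.sarif \
#     npx vskill@latest audit --ci --report sarif --severity high,critical
```

Keeping status 2 separate from status 1 lets the pipeline tell "skills were flagged" apart from "the audit could not be trusted" while still blocking the deployment in both cases.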

vskill info <skill>

Display detailed information about a skill, including its description, author, verification status, trust tier, scan history, and install count. Works for both installed skills and registry skills.

```bash
npx vskill@latest info <skill>
```

```bash
npx vskill@latest info remotion-best-practices
```

vskill submit <source>

Submit a skill to the verified-skill.com registry for verification. The source must be a public GitHub repository containing a SKILL.md file. The skill goes through the full verification pipeline (static scan, LLM analysis, provenance check) before being listed.

```bash
npx vskill@latest submit <source>
```

```bash
npx vskill@latest submit owner/repo
```

Before submitting

Run npx vskill@latest scan ./your-skill locally first. See the Security Guidelines for the full list of patterns and the pre-submission checklist.

vskill blocklist

View and manage the local blocklist of known malicious skills. Blocked skills cannot be installed. The blocklist is seeded from the verified-skill.com registry and updated automatically.

```bash
npx vskill@latest blocklist
```

vskill init

Initialize vskill in the current project. Creates the configuration files and vskill.lock needed to manage skills at the project level. Run this once in a new project before installing skills.

```bash
npx vskill@latest init
```

MIT License