Architecture
How it works
- Reads
SKILL.mdfrom the source and parses metadata (slug, name, owner) - Runs a security scan on all skill files — checks for prompt injection, command injection, obfuscated code, credential harvesting, and sensitive file access. Scores 0–100. Blocks dangerous skills unless
--yes - Copies (or symlinks with
--symlink) all files alongsideSKILL.mdto the target directory - Computes a SHA256 content hash and stores it in the lockfile
- Updates
~/.agents/.skill-lock.jsonso agents can discover the skill rolecraft verifychecks installed files against the stored hashrolecraft cire-installs all skills from the lockfile (e.g. in CI pipelines)rolecraft doctorruns a system health check across Node.js, agent directories, and lockfiles- Compatible with skills installed by
@agentskill.sh/cli,add-skill, or manual installs
Project structure
rolecraft/
├── bin/rolecraft.js # CLI entry point
├── src/
│ ├── commands/
│ │ ├── bundle.js # multi-skill install from bundle file
│ │ ├── check.js # skill update checking
│ │ ├── ci.js # frozen lockfile install
│ │ ├── completions.js # shell completion generation
│ │ ├── doctor.js # system health check
│ │ ├── init.js # SKILL.md scaffolding
│ │ ├── install.js # install logic + interactive scope
│ │ ├── list.js # list installed skills
│ │ ├── remove.js # remove skill + lockfile cleanup
│ │ ├── search.js # GitHub skill discovery
│ │ ├── setup.js # detect agents + install to all
│ │ ├── update.js # re-install skill to latest
│ │ ├── upgrade.js # self-upgrade
│ │ ├── use.js # preview skill without installing
│ │ └── verify.js # integrity verification
│ └── utils/
│ ├── resolver.js # source resolver (local / GitHub / GitLab / npm)
│ ├── installer.js # copy/symlink files to target dirs
│ ├── lockfile.js # read/write .skill-lock.json + content hash
│ └── security.js # static analysis scoring (0–100)
├── package.json
├── CHANGELOG.md # Release history
├── CONTRIBUTING.md # Contribution guide
├── docs/ # Documentation
└── README.md