You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Proposes treating skills as versioned packages managed by a dedicated, language-agnostic manifest file — only the manifest gets committed, not the skill files themselves. For teams and companies needing npm-like skill management, a tool like sklz demonstrates this workflow in practice.
Problem
The current discussions around skill distribution (#81, #214) have converged on a real gap: there is no standard way to declare, share, and reproduce which skills a project depends on, without either:
Committing the skill files directly into the repo (treating skills like vendored code), or
Coupling distribution to a language-specific package manager (package.json, pyproject.toml, Cargo.toml).
Both approaches have friction. Vendoring skill files means every update is a manual copy-paste, diffs are noisy, and there's no concept of a version. Language-specific manifests work well for library authors shipping skills alongside their code, but they create a conceptual mismatch for the general case: not every project that uses skills is a Node project, a Python project, or a Rust project. A team with a mixed-language monorepo, a documentation repo, an infrastructure repo — all of them might want to manage skills without adopting a foreign package manager just for that purpose.
The pattern we're missing a dedicated manifest + lockfile that tracks dependencies without vendoring them.
Proposal
Introduce a skill manifest file — a small, language-agnostic JSON file that serves the same conceptual role as package.json + a lockfile, but scoped exclusively to skill management.
The core idea:
Only the manifest is committed — not the skill files themselves.
Skills are installed on demand from their declared sources (git repos, registries, or any source a tooling layer supports).
Reproducibility is guaranteed by pinning to a specific version or commit hash in the manifest.
You can reference private skills since the tool uses you git to do de pulls from the repos.
The installed skills directory (e.g. .agents/skills/) would be gitignored. A collaborator cloning the repo runs a single install command to reproduce the exact same skill set.
Why not package.json?
package.json is a reasonable answer for JavaScript/Node projects — and the npm-based approach in #81 makes good sense for library authors. But:
A repository that contains only infrastructure code, documentation, or multi-language services has no reason to have a package.json. Forcing one just to manage skills is significant conceptual overhead.
A dedicated manifest sidesteps all of this. It has one job. It doesn't care about your language stack.
Why not skill.json or skills.json?
The obvious naming choice would be skill.json or skills.json — but both names create a practical problem with agents.
In testing, when a file named skill.json or skills.json is present at the repo root, agents tend to consume it as the source of truth for skill content, instead of reading the actual skill files from the installed directory (e.g. .agents/skills/). The filename is close enough to SKILL.md semantically that agents treat it as an instruction source rather than a tooling artifact.
I encountered this behavior directly while building a proof of concept for this proposal (more on that below). The manifest needs a name that is clearly machine/tooling-facing, not agent-facing. Something like sklz.json or another name that doesn't pattern-match to skill content is safer in practice.
This is also a reason to be cautious about the skill.json proposal in #214 — if it becomes widespread, agents may start reading it as a skill source, which was not its intent.
Proof of Concept
I built sklz as a proof of concept for this proposal — a CLI that manages skills from git repos using a dedicated manifest file (sklz.json). It is early-stage and the name/format are not the point; the workflow it demonstrates is:
# declare a skills source
sklz repo add https://github.com/AlissonSteffens/alisson-skils.git
# install a skill — updates sklz.json
sklz install flexoki
# teammates reproduce the exact same state
sklz install
Only sklz.json is committed. .agents/skills/ is gitignored. The naming (sklz.json) was deliberately chosen to avoid the agent-consumption problem described above — a name that is unambiguously tooling metadata.
The implementation is available as a reference for what the DX and manifest format could look like, independent of whether sklz itself is adopted.
This enables companies and teams to work smarter with skills, without poluting repositories.
Define the concept — a language-agnostic manifest file that tracks skill dependencies by source + version, without vendoring the files.
Choose a name that avoids agent confusion — explicitly avoid skill.json / skills.json for the manifest, given demonstrated interference with agent behavior.
Leave the implementation open — the spec can define the contract (what fields the manifest must contain) without mandating a specific tool.
Open Questions
Should the manifest format be defined in the spec, or just the concept (leaving format to tooling)?
Is a single file enough, or do we need a manifest + separate lockfile (like npm's package.json + package-lock.json)?
How should the spec handle conflicts between skills from different sources that share the same name?
What naming convention avoids agent confusion while remaining intuitive for humans? (sklz.json, skills.lock, agent-skills.json?)
DISCLOSURE: Written with AI assistance. Reviewed and edited by the author.
Summary
Proposes treating skills as versioned packages managed by a dedicated, language-agnostic manifest file — only the manifest gets committed, not the skill files themselves. For teams and companies needing npm-like skill management, a tool like sklz demonstrates this workflow in practice.
Problem
The current discussions around skill distribution (#81, #214) have converged on a real gap: there is no standard way to declare, share, and reproduce which skills a project depends on, without either:
package.json,pyproject.toml,Cargo.toml).Both approaches have friction. Vendoring skill files means every update is a manual copy-paste, diffs are noisy, and there's no concept of a version. Language-specific manifests work well for library authors shipping skills alongside their code, but they create a conceptual mismatch for the general case: not every project that uses skills is a Node project, a Python project, or a Rust project. A team with a mixed-language monorepo, a documentation repo, an infrastructure repo — all of them might want to manage skills without adopting a foreign package manager just for that purpose.
The pattern we're missing a dedicated manifest + lockfile that tracks dependencies without vendoring them.
Proposal
Introduce a skill manifest file — a small, language-agnostic JSON file that serves the same conceptual role as
package.json+ a lockfile, but scoped exclusively to skill management.The core idea:
A minimal manifest could look like:
{ "sklz": { "flexoki": { "repo": "https://github.com/AlissonSteffens/alisson-skils", "repoName": "alisson-skils", "version": "0.0.0", "commit": "46c4cdb", "installedAt": "2026-03-11T02:58:39.549Z", "tags": [] } "react-patterns": { "source": "https://github.com/another-org/frontend-skills.git", "version": "0.9.1", "commit": "f4e5d6c" } } }The installed skills directory (e.g.
.agents/skills/) would be gitignored. A collaborator cloning the repo runs a single install command to reproduce the exact same skill set.Why not
package.json?package.jsonis a reasonable answer for JavaScript/Node projects — and the npm-based approach in #81 makes good sense for library authors. But:package.json. Forcing one just to manage skills is significant conceptual overhead.agentskillsfield proposed in RFC: Standardize npm/JavaScript Package Distribution #81 lives inside npm's resolver logic, meaning the entire npm dependency graph is involved in what is essentially a skills concern.A dedicated manifest sidesteps all of this. It has one job. It doesn't care about your language stack.
Why not
skill.jsonorskills.json?The obvious naming choice would be
skill.jsonorskills.json— but both names create a practical problem with agents.In testing, when a file named
skill.jsonorskills.jsonis present at the repo root, agents tend to consume it as the source of truth for skill content, instead of reading the actual skill files from the installed directory (e.g..agents/skills/). The filename is close enough toSKILL.mdsemantically that agents treat it as an instruction source rather than a tooling artifact.I encountered this behavior directly while building a proof of concept for this proposal (more on that below). The manifest needs a name that is clearly machine/tooling-facing, not agent-facing. Something like
sklz.jsonor another name that doesn't pattern-match to skill content is safer in practice.This is also a reason to be cautious about the
skill.jsonproposal in #214 — if it becomes widespread, agents may start reading it as a skill source, which was not its intent.Proof of Concept
I built sklz as a proof of concept for this proposal — a CLI that manages skills from git repos using a dedicated manifest file (
sklz.json). It is early-stage and the name/format are not the point; the workflow it demonstrates is:Only
sklz.jsonis committed..agents/skills/is gitignored. The naming (sklz.json) was deliberately chosen to avoid the agent-consumption problem described above — a name that is unambiguously tooling metadata.The implementation is available as a reference for what the DX and manifest format could look like, independent of whether
sklzitself is adopted.This enables companies and teams to work smarter with skills, without poluting repositories.
What This Proposal Asks
skill.json([Proposal]: Add skill.json as an optional package-level metadata file #214) and npm distribution (RFC: Standardize npm/JavaScript Package Distribution #81).skill.json/skills.jsonfor the manifest, given demonstrated interference with agent behavior.Open Questions
package.json+package-lock.json)?sklz.json,skills.lock,agent-skills.json?)DISCLOSURE: Written with AI assistance. Reviewed and edited by the author.