Security-first package manager for AI agent skills.
"I know Kung Fu." — but verified, locked, and scanned.
AI coding agents (Claude Code, Codex, Cursor) can be extended with skills — reusable packages that teach agents how to perform tasks. The ecosystem is growing fast: 110,000+ installs in 4 days on one registry alone.
But today's skill registries have no versioning, no lockfiles, no permissions, and no security scanning. In February 2026, the ClawHavoc incident revealed that 341 malicious skills (12% of a major marketplace) were distributing credential-stealing malware.
Agent skills are more dangerous than npm packages because they execute with the agent's full authority — reading files, making API calls, running shell commands. The attack surface is fundamentally larger.
Tank is the npm for agent skills, with security built into the foundation:
| Feature | npm (2012) | Current Registries | Tank |
|---|---|---|---|
| Versioning | Social contract | Git tags / none | Semver with escalation detection |
| Lockfile | package-lock.json |
None | skills.lock with SHA-512 |
| Permissions | None | None | Declared + enforced at install |
| Static analysis | None built-in | Basic / none | 6-stage security pipeline |
| Audit score | npm audit (deps only) |
None | Transparent 0-10 score |
| Code signing | npm provenance (2023) | None | Planned (Sigstore) |
| Sandbox | None | None | Planned (Phase 3) |
# Authentication
tank login # Authenticate via GitHub OAuth
tank whoami # Show current user info
tank logout # Clear credentials
# Project setup
tank init # Create skills.json interactively
# Publishing
tank publish # Pack and publish a skill
tank publish --dry-run # Validate without uploading
# Installation & management
tank install @org/skill # Install a specific skill
tank install # Install all from lockfile (like npm ci)
tank install --yes # Auto-accept permission budget expansions
tank update @org/skill # Update within semver range
tank update # Update all skills
tank remove @org/skill # Remove a skill
# Verification & security
tank verify # Verify lockfile integrity
tank permissions # Display resolved permission summary
tank audit # Show security analysis results
tank audit @org/skill # Audit a specific skill
# Discovery
tank search "query" # Search the registry
tank info @org/skill # Show skill metadataskills.json — declare what your agent is allowed to do:
{
"skills": {
"@vercel/next-skill": "^2.1.0",
"@community/seo-audit": "3.0.0"
},
"permissions": {
"network": { "outbound": ["*.anthropic.com"] },
"filesystem": { "read": ["./src/**"], "write": ["./output/**"] },
"subprocess": false
}
}If any skill exceeds the permission budget, Tank prompts you to review and approve the expansion — or auto-accept with --yes in CI. No silent escalation. This single feature would have prevented ClawHavoc.
- Node.js 24+
- Bun 1.x+
- Python 3.14+ (for security analysis functions)
git clone https://github.com/tankpkg/tank.git
cd tank
bun install
cp .env.example .env.local # fill in credentials
just db-admin # promotes FIRST_ADMIN_EMAIL to adminjust dev # Start all workspaces in dev mode
just build # Build all packages
just test # Run all unit tests
just test-python # Run Python scanner tests
just test-perf # Run performance tests
just check # Biome lint + format validation
just fmt # Auto-format code
just --list # See all available commandstank/
├── packages/
│ ├── web/ # Next.js 15 web app + API (Vercel)
│ ├── cli/ # Tank CLI (TypeScript)
│ ├── mcp-server/ # MCP server for editor integration
│ ├── scanner/ # Python security scanner (FastAPI)
│ └── shared/ # Shared schemas, types, constants
├── infra/ # Docker Compose, Helm charts
└── docs/ # Product brief, architecture
Tank MVP is code-complete. We're building in the open from day one.
| Document | Description |
|---|---|
| Product Brief | Full vision, features, and technical direction |
| Architecture | Technical design and decisions |
| Performance Testing | Methodology and regression protocol |
| Contributing | How to get involved |
In The Matrix, Tank is the operator — the person who loads skills into people's minds. He's the one who makes "I know Kung Fu" possible. But he doesn't just load anything blindly. He verifies, he monitors, he's the last line of defense.
That's what this project does for AI agent skills.
Tank is open source under the MIT License. We welcome contributions of all kinds — see CONTRIBUTING.md to get started.
MIT — do what you want, just include the license.