Skill Sync

v1.2.1

Audit and converge local skills across Codex, Claude, OpenClaw, OpenCode, workspace skills, and shared agent libraries; compute a hygiene score, classify sha...

by casper@donttal
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name, description, README, SKILL.md, and scripts/skill_sync.py all describe and implement discovery, hashing, diffing, backup, and symlink-based convergence across the same set of local agent skill roots (codex, claude, openclaw, opencode, workspace, ~/.agents). No unrelated cloud credentials, network exfil endpoints, or surprising binaries are requested.
Instruction Scope
Runtime instructions and CLI examples are explicit: scan first, preview plans, then apply with --apply. The code will move real directories into a backup location and create symlinks when you apply changes. The SKILL.md contains safety guidance (backup-before-overwrite, strict vs prefer-latest strategies). This is expected given its purpose, but users should be aware that applying changes mutates filesystem state under scanned roots and writes backups (default ~/.skill-sync/backups unless overridden).
Install Mechanism
No install spec; the repo includes a simple install.sh that links or copies the project into selected local skill roots. There are no network downloads or archive extraction steps in the install script. No high-risk install behavior detected.
Credentials
The skill does not request credentials or secrets. The code reads HOME and optional SKILL_SYNC_* env vars (SKILL_SYNC_CODEX_ROOT, SKILL_SYNC_AGENTS_ROOT, SKILL_SYNC_CLAUDE_ROOT, SKILL_SYNC_OPENCODE_ROOT, SKILL_SYNC_OPENCLAW_ROOT, SKILL_SYNC_CLAUDE_VENDOR_ROOT, SKILL_SYNC_OPENCLAW_EXTENSIONS_ROOT, and likely a backup root variable used in tests). These env vars are proportional and documented as overrides in the code/tests; none are sensitive keys.
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges. It will create a project-specific backup area (~/.skill-sync/backups) and can modify skill roots only when the user runs apply or uses install.sh with --force. Autonomous invocation is allowed by default (disable-model-invocation=false) but that is normal and not in itself a concern here.
Assessment
This project appears to do what it claims: scanning local agent skill directories, producing a hygiene report, and optionally converging duplicates by moving originals into backups and creating symlinks. Before running any destructive action:
1) Run scans and previews only (omit --apply) to inspect recommended operations.
2) Verify the backup location (default ~/.skill-sync/backups) and/or set SKILL_SYNC_BACKUP_ROOT to a safe path.
3) Inspect the export manifest (--export-manifest) and review operations the import preview reports.
4) Avoid using install.sh --force unless you understand it will remove/replace destinations.
5) Test in a disposable directory or VM (the included tests are a good model) if you have many important skills.
If you need extra assurance, review the full scripts/skill_sync.py to confirm the exact move/backup logic and run the unit tests locally.

Like a lobster shell, security has layers — review code before you run it.

Tags: dedupe, developer-tools, latest, local-tools, skill-management, symlink
