Registry & Publishing
Publish skills to a registry and self-host your own.
Overview
spm registries store and distribute skill packages. You can use the public registry or host your own.
Publishing a skill
Prerequisites
- Validate your skill:
spm validate ./my-skill- Authenticate with a registry:
# Via GitHub OAuth
spm login https://registry.example.com --github
# Or direct API token
spm login https://registry.example.com --name your-namePublish
spm publish ./my-skillThe skill is packaged as a .tar.gz archive, hashed with SHA-256, uploaded to S3-compatible storage, and registered in the database.
Options:
# Publish to a specific registry
spm publish ./my-skill --registry my-registry
# Publish from a GitHub repository
spm publish https://github.com/user/repo --github
# Preview without executing
spm publish ./my-skill --dry-run
# Batch publish all skills in subdirectories
spm publish --all
spm publish --all --dry-runPrivate packages
Private packages are only visible to their author. Other users cannot find, view, or install them.
To publish a private package, use the --private flag:
spm publish ./my-skill --privatePrivate packages require a paid plan:
| Plan | Price | Max packages | Private packages |
|---|---|---|---|
| Free | $0 | 100 | 0 |
| Basic | $5/mo | 200 | 10 |
| Pro | $20/mo | 300 | 100 |
You can manage your plan on the Account page.
Package limits
Each package has a maximum size of 50 KB. Packages exceeding this limit are rejected during publish.
The registry requires all published content to be verifiable. The following are not allowed and will be automatically rejected:
- Binary files
- Obfuscated code
- Dependencies with unrestricted shell permissions (
shell:*) without justification
Update
Bump the version in SKILL.md frontmatter and publish again:
spm publish ./my-skillThe registry enforces version immutability — once a version is published, it cannot be overwritten. You must bump the version number to publish changes.
Installing from a registry
# Add latest version
spm add user/my-skill
# Add specific version
spm add user/my-skill --version 1.2.0Dependencies are resolved automatically using semver ranges.
Managing registries
Add a registry
spm registry add https://registry.example.com --name my-registryOptions:
# With authentication token
spm registry add https://registry.example.com --token abc123
Self-hosting
You can run your own registry server. Requirements:
- Node.js 22+
- PostgreSQL for metadata storage
- S3-compatible storage for skill packages (AWS S3, Tigris, R2, MinIO)
Quick start
# Start the registry server
spm server start \
--port 3717 \
--database-url postgres://user:pass@localhost:5432/skillsEnvironment variables
| Variable | Description |
|---|---|
DATABASE_URL | PostgreSQL connection string |
STORAGE_TYPE | s3 or local |
S3_BUCKET | S3 bucket name |
S3_REGION | S3 region |
S3_ENDPOINT | S3 endpoint URL |
S3_ACCESS_KEY_ID | S3 access key |
S3_SECRET_ACCESS_KEY | S3 secret key |
GITHUB_CLIENT_ID | GitHub OAuth app client ID |
GITHUB_CLIENT_SECRET | GitHub OAuth app client secret |
Deploy with Docker
A Dockerfile and fly.toml are included in the repository for deploying to Fly.io or any container platform.
docker build -t spm-registry .
docker run -p 3717:3717 \
-e DATABASE_URL=postgres://... \
-e STORAGE_TYPE=s3 \
-e S3_BUCKET=my-skills \
spm-registryAPI
The registry exposes:
- REST API — publish, download, search skills
- GraphQL API — programmatic queries for metadata, authors, versions
- GitHub integration — OAuth device flow, repo-based publishing
Security
Authentication
- API tokens — generated via
spm login --name - GitHub OAuth — device flow via
spm login --github
Trust levels
| Level | Description |
|---|---|
trusted | Core skills vetted by maintainers |
verified | Passed auto-validation + human review |
community | User skills, auto-validated only |
local | No validation (development) |
Package integrity
Every published skill package includes a SHA-256 hash. spm verifies integrity on install.
Content safety
Every skill published to the official registry is automatically scanned for prompt injection patterns and other security threats. The scanning covers categories such as system prompt impersonation, instruction override attempts, data exfiltration, and privilege escalation.
Each skill receives a safety status:
| Status | Meaning |
|---|---|
clean | No issues detected |
flagged | Potential issues found — manual review recommended |
blocked | Dangerous patterns detected — publish rejected (403) |
Safety status is visible on each skill's page in the registry UI.
At runtime, skill content loaded into AI agents is wrapped with Microsoft Spotlighting delimiters — a technique that helps models distinguish between trusted instructions and untrusted skill data, reducing prompt injection risk.
The specific detection patterns and scoring logic are intentionally kept private to prevent adversarial evasion. Self-hosted registries can implement their own safety checks via the plugin system.
Runtime permission enforcement
Starting in v0.5.0, spm enforces skill permissions at runtime via Permission Proxy Tools. See the Security & Permissions guide for full details.