v0.3.1

This release deprecates all previous versions (<0.3.1) and fixes minor* security findings

What's Changed

• docs: Update examples in README and help cmd #8
• Fix help flag #8
• Fix security code scanning (#9):
  • Harden git arg handling and path validation (Resolves https://github.com/Fcmam5/skilleton/security/code-scanning/1 and https://github.com/Fcmam5/skilleton/security/code-scanning/2)
  • Use a while loop in normalizeRepoUrl instead of regex (Resolves https://github.com/Fcmam5/skilleton/security/code-scanning/3)
• Setup eslint-plugin-security and fix findings
• Update dependencies and refactor tests

^{* The impact is low as it's a CLI and the library is not popular enough that someone else is already using it, I published GHSA-5g3j-89fr-r2vp for transparency}

Full Changelog: v0.3.0...v0.3.1

v0.3.0 - DEPRECATED

Important

This release has a breaking change in the Two-segment shorthand parsing: owner/skill. It resolves to repo root (owner/skill, path .) instead of monorepo subdirectory (owner/skills, path skill), see migration guide for details

What's Changed

• Allow to install skills from repo root (#6) - 💥 This causes a breaking change, see migration guide
• Fix JSON schema path by (#6)
• Print warning when .lock.json file is not present (#6)
• Add 'prune' logic to install and update commands (#6)
• Expose public API to use in scripts (#7)
• Fix linting issues and add docstrings by (#7)

Why not release a major version, and just tag with v0.3.0?

@Fcmam5: Let's be honest, I'm & my direct contacts are still the only users of this library; Everything is still experimental

Full Changelog: v0.2.1...v0.3.0

v0.2.1 - DEPRECATED

What's Changed

• feat: Replace GitHub REST API with git ls-remote for ref resolution by @Fcmam5 in #3
• chore: run npm audit fix to close depandabot alert
• add unit tests to increase coverage

Full Changelog: v0.2.0...v0.2.1

v0.2.0 - DEPRECATED

Fixed

• Fix list command output; Use console.table and provide an optional --format=json|table flag

skilleton list
# ┌─────────┬───────────────────────┬───────────────────────────────────────┬───────────┬───────────┐
# │ (index) │ Name                  │ Repo                                  │ Path      │ Commit    │
# ├─────────┼───────────────────────┼───────────────────────────────────────┼───────────┼───────────┤
# │ 0       │ typescript-magician   │ https://github.com/mcollina/skills    │ skills/...│ 3e2ffbb   │
# │ 1       │ jest                  │ https://github.com/Mindrally/skills   │ jest      │ 47f47c1   │
# └─────────┴───────────────────────┴───────────────────────────────────────┴───────────┴───────────┘

Added

• describe command to show package metadata

skilleton describe typescript-magician
# Name: typescript-magician
# Repo: https://github.com/mcollina/skills
# Path: skills/typescript-magician
# Ref: main
# Commit: 3e2ffbb90fda9e31d84011c765252b00bfc2d4d6
# Install path: .skilleton/skills/typescript-magician
#
# Folder structure:
#   README.md
#   SKILL.md
#   rules/
#   rules/rule.md
#
# SKILL.md header:
# ---
# name: typescript-magician
# description: ...
# ---

---

Full Changelog: v0.1.1...v0.2.0

v0.1.1 - DEPRECATED

Changes

• Update documentation and add repository links to package.json/npmjs page

Full Changelog: v0.1.0...v0.1.1

v0.1.0 - DEPRECATED

First Release

Skilleton is a skills skeleton - a lightweight CLI that treats AI skills like deterministic project dependencies. Think package.json for skills, with lockfile-driven reproducibility and Git-based resolution.

Features

• Declarative manifests: skilleton.json + skilleton.lock.json for project-scoped skill dependencies
• Git-based resolution: GitHub-first with support for full repo URLs or owner/repo slugs
• Deterministic installs: Exact commit pinning via lockfiles; cache-friendly git operations
• Commands: add, install, update, list, audit (scaffold)
• Filesystem isolation: Skills install under .skilleton/skills/ with optional per-agent symlinks
• Privacy-first: No telemetry, no network requests except git/GitHub API

Installation

npm install -g skilleton
# or
npx skilleton --help

Usage

skilleton add Mindrally/skills/chrome-extension-development
skilleton install
skilleton list

Testing & CI

• Full test suite (Jest) with unit + end-to-end flow coverage
• CI/CD via GitHub Actions (lint → test → build)
• Automated npm publishing on GitHub releases

Documentation

• README with quickstart guide
• Architecture docs with Mermaid diagrams
• Contributing guide + Code of Conduct
• Security policy

Housekeeping

• Renamed project from "skillset" → "skilleton" to avoid npm name collisions
• Updated all file names, environment variables, and branding
• Configured GitHub workflows for CI and automated releases

---

Full Changelog: https://github.com/Fcmam5/skilleton/commits/v0.1.0