0 m · surface

                    |\
                    | \
                    |  \
                    ;   \
                    :    \

  \      _____,,--''      ''--,,______
   \ ,-''                             ''-,_
    X.          (((            o          '=,>
   / '--,,_______________   ______,,,---''
  /                      '-,'

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SKILLSHARK

Share an agent skill like you'd share a file. One command out, one command in — encrypted, revocable, self-verifying links.

No server. No registry. No new accounts. The GitHub you already have is the infrastructure: skills travel as encrypted gists (GitHub stores only ciphertext — the key rides in your link), receivers need nothing but Node.

$ npx skillshark install <link>

v0.5.0 · npm · MIT · Claude Code · Cursor · Codex · Copilot · Windsurf · Gemini CLI · opencode

beta channel (latest from main): npx github:Holy-Coders/skillshark · bare skillshark opens an interactive session · GitHub Enterprise: --host ghe.corp.com

200 m · twilight zone

the handoff

Watch a skill change hands

how it works

Three moves, zero ceremony

[1/3] PACK

skillshark share /j finds the skill in .claude/skills, infers the manifest (you never write one), scrubs .env and key-shaped files, and uploads a tarball as a secret gist. The full npx skillshark install '…' one-liner lands on your clipboard — receivers just paste it. On GitHub Enterprise, add --host and nothing leaves your company's GitHub.

[2/3] PASTE

the link

It's a plain gist URL with a fingerprint riding the fragment: #fp=3f9a7c21. Unlisted, attributable to your GitHub identity, revocable at any moment. The gist page doubles as a free browser preview.

[3/3] INSTALL

install

They paste the one-liner. It fetches, verifies every byte, shows a preview, asks consent, and copies files into the right place for their tool — rename with --name, cross tools with --agent. Works from any public repo too: gh:owner/repo/path@ref.

1 000 m · midnight zone

the surface area

Six commands. That's the tool.

share <path|name>

Package → secret gist → link on clipboard. Advisory expiry, dry-runs, secret scanner.

$ skillshark share /j --expires 24h
$ skillshark share ./prompts --dry-run

install <source>

Verify, preview, confirm, copy. Never executes anything. Rename with --name; cross tools with --agent (cursor, codex, copilot, windsurf, gemini, opencode).

$ skillshark install <gist-url|id>
$ skillshark install <link> --name jmp --agent codex
$ skillshark install gh:acme/skills/review@main

inspect <source>

Look before you leap — full download + verification, zero writes. --preview renders the skill's SKILL.md right in your terminal; --cat prints any single file.

$ skillshark inspect <link> --preview
$ skillshark inspect <link> --cat SKILL.md

shares [name]

Recall any link you've shared — the key never left your machine, so the full one-liner comes right back to your clipboard.

$ skillshark shares
$ skillshark shares j   # copies the install one-liner again

revoke <id|name>

Deletes the gist via your gh auth — it remembers which host a share went to. The link dies; installers get an honest message.

$ skillshark revoke j
# → "This share was deleted by the sender."

prune

Deletes your own shares that are past their advisory expiry — the real cleanup behind the advisory date. A nightly Action makes it self-hosted cron.

$ skillshark prune   # confirms, then deletes the expired ones

Prefer menus? Run bare skillshark for an interactive session: a picker over every skill on your machine, paste-a-link installs that offer to preview the SKILL.md first with a keep-or-rename prompt, share recall, guided revokes, spinners on the slow parts. Bare skillshark share / install / inspect / revoke jump straight to that command's wizard.

SkillShark dogfoods itself — there's a Claude Code skill that drives the CLI for you, installed (of course) with npx skillshark install '<link>'. Inside Claude Code, "can you send me that skill?" just works.

2 500 m · bathypelagic

crossing agents

Share from one tool, install to another

Bare names resolve across all seven tools' conventions when you share, and --agent re-renders the instructions in another tool's dialect when you install. A Codex prompt can land as a Cursor command; a Claude skill can become a Gemini TOML command.

--agent	artifacts	where they land
claude-code	skills · commands	`.claude/skills/<n>/` · `.claude/commands/<n>.md`
cursor	rules · commands	`.cursor/rules/<n>.mdc` · `.cursor/commands/<n>.md`
codex	prompts	`~/.codex/prompts/<n>.md` (global only)
copilot	prompt files	`.github/prompts/<n>.prompt.md`
windsurf	rules · workflows	`.windsurf/rules/<n>.md` · `.windsurf/workflows/<n>.md`
gemini	commands	`.gemini/commands/<n>.toml` (TOML dialect)
opencode	commands	`.opencode/command/<n>.md` · `~/.config/opencode/…`

$ skillshark share draftpr                  # found in ~/.codex/prompts/draftpr.md
$ skillshark install <link> --agent cursor  # lands as .cursor/commands/draftpr.md
$ skillshark install <link> --name jmp      # rename on the way in (frontmatter too)

Two honest limits, stated loudly at install time: a skill's bundled scripts/ can't follow it across tools (every file left behind is named in the warning), and conversion is best-effort — read the result. Same-agent installs are always byte-verbatim.

4 000 m · abyssopelagic

trust model

Paranoid by construction

Encrypted at rest by default. AES-256-GCM over the whole package, key derived (HKDF) from a fresh link secret + per-share salt. GitHub stores ciphertext and a stub with no name, no description, no file list. --no-encrypt opts out when you want the gist page readable.
Never executes package content. Install = copy files. No postinstall hooks, no scripts, ever.
Executable bits stripped by default. Flagged in the preview; --allow-exec is an explicit opt-in.
Every byte verified. Per-file sha256 + a tree fingerprint, checked after guarded extraction — path traversal, symlinks, absolute paths, decompression bombs all abort with nothing written.
Self-verifying links. The #fp= fragment is recomputed from downloaded bytes — if the gist was edited after sharing, the install hard-fails.
Receivers need no GitHub account. The receive path is anonymous HTTPS only, and provably never shells out (enforced by tests).

⚠ the link IS the key. Anyone holding the full link can decrypt and install, and a lost link is unrecoverable (just share again). A skill is instructions an AI will obey: SkillShark makes installs private, informed, and tamper-evident — not safe-from-strangers. Share with people you trust; read what people send you.

6 000 m · hadal zone

enterprise

Private waters

Company runs GitHub Enterprise? SkillShark works entirely inside it — gists live on your GitHub, links carry their host, and nothing about your skills ever touches public github.com.

$ gh auth login --hostname ghe.corp.com     # once — senders and receivers alike
$ skillshark share j --host ghe.corp.com
# clipboard → npx skillshark install 'https://ghe.corp.com/gist/<id>#fp=…'

Links route themselves. Enterprise URLs carry their host — receivers never need a flag. GH_HOST sets the default for bare ids and gh:owner/repo sources.
No anonymous requests, ever. Enterprise links are fetched exclusively through the receiver's own gh auth (enforced by tests). Unauthenticated users get a precise gh auth login --hostname … pointer, not a leak.
One honest cap. The gists API truncates inline content at ~1 MB, so enterprise gist shares stop at ~900 KB encoded — bigger skills go in a repo on your GHES, shared as gh:owner/repo/path.