SkillSync

A single-binary CLI that treats AI coding agent skills like packages — one canonical source, push to every platform, diff to catch drift before it bites you.

Problem

Developers using more than one AI coding agent — Claude Code, Codex CLI, Gemini CLI, Cursor — maintain near-identical skill files scattered across four different directories in four different formats. Every skill update triggers N manual copy operations, and one missed copy means the agent on Platform B is running the stale version of a skill the agent on Platform A already refined. With addyosmani/agent-skills surging to 61,198 stars and the Skills ecosystem entering a security-governance phase (NVIDIA's SkillSpector found that 26.1% of skills in the wild contain exploitable vulnerabilities), the cost of sloppy skills management is no longer just frustration — it is a real attack surface. No tooling exists that treats skills the way npm treats packages: a lockable, diffable, pushable registry.

Target user

Senior or staff engineers at startups and mid-size tech companies who pay real money for AI coding tokens, maintain a personal library of 10–50+ skills, and use two or more AI coding agents daily across different tasks. Their job-to-be-done: "when I improve a skill, I want it reflected everywhere in seconds — and I want to know if any platform is running something I didn't sanction."

MVP scope

• Single binary (Go or Rust), installable via brew, npm -g, and pip — no runtime dependency
• skills.toml manifest: maps canonical skill source files to one or more target platform directories (Claude Code ~/.claude/skills/, Codex ~/.codex/skills/, Gemini CLI ~/.gemini/skills/, Cursor .cursorrules/)
• skill-sync push — writes source skills to all configured targets; uses symlinks for local platforms that support them, hard copies otherwise; dry-run flag shows what would change
• skill-sync diff — compares each platform's current skill file against the canonical source and prints a unified diff, highlights files that have drifted since last push
• skill-sync pull <platform> — imports all skill files from a named platform into the canonical source tree, deduplicating identical content
• skill-sync check — static analysis pass before push: scans skill files for the 16-category vulnerability taxonomy (prompt injection, data exfiltration markers, privilege escalation strings) using a local rule set derived from SkillSpector's published patterns; exits non-zero if risk score exceeds a configurable threshold

Monetization

Donation/sponsor (MIT license, GitHub Sponsors). Long-term: a paid skill-sync cloud adapter tier at $5/month that handles browser-automation-based sync to platforms without local file APIs — Perplexity Computer, Claude Desktop dashboard, and future cloud IDEs that require dashboard uploads rather than file-system paths.

Why now

addyosmani/agent-skills accumulated +11,088 stars in the single week of June 9–17, 2026, reaching 61,198 total — the fastest-growing repo on GitHub Trending that week — signaling that developer adoption of skills is hitting an inflection point. Simultaneously, NVIDIA's SkillSpector reported that 26.1% of skills "in the wild" contain vulnerabilities, moving skills management from a convenience problem to a security problem. The DEV Community post published in June 2026 documenting the three-workaround status quo (manual copy, symlinks-only, per-project storage) explicitly concludes that no single approach covers both local and cloud platforms, leaving a clear tool-shaped gap for a package-manager-style CLI.

Risks & open questions

• Platform format consolidation: if the AI coding agent ecosystem converges on a single AGENTS.md spec (the GitHub issue requesting it has 3,020 upvotes as of June 2026), the format-translation layer becomes unnecessary and the tool's value narrows to sync logistics only
• First-party tooling: Anthropic, OpenAI, or Google ships a native multi-platform skills sync feature inside their respective CLIs, collapsing the gap overnight
• Low adoption ceiling: developers who maintain large skill libraries are a small slice of the overall AI-coding-tool user base; most copy-paste once and never think about it again
• Build complexity: reliably resolving all platform path conventions on macOS, Linux, and Windows — including WSL2 path translation — requires broad testing infrastructure for a weekend project
• Monetization fragility: the cloud adapter tier depends on browser-automation stability; any platform UI change breaks the paid feature

Next step

Promote to weekly prototype — build a Go binary with push, diff, and a hardcoded skills.toml schema; validate against real Claude Code and Codex directories on a single dev machine before adding Playwright cloud-sync.

Sources

• https://www.shareuhack.com/en/posts/github-trending-weekly-2026-06-17 — addyosmani/agent-skills +11,088 stars in June 9–17 week; SkillSpector 26.1% vulnerability finding
• https://dev.to/opensite/how-to-sync-ai-coding-agent-skills-across-every-platform-one-repo-zero-copy-paste-ba0 — documents the three failing workarounds and confirms no tool bridges local + cloud platforms
• https://github.com/anthropics/claude-code/issues/31005 — AGENTS.md / unified skills spec request at 3,020 upvotes, confirming unmet community demand