Stop Juggling AI Skills! Use asm Instead
Stop Juggling AI Skills! Use asm Instead
Your AI agent skills are scattered across a dozen hidden directories. You can't remember which version lives where. You just installed the same skill for the third time, and somewhere in your ~/.claude/skills/ folder lurks a script you copied from a random GitHub repo that might be exfiltrating your codebase right now.
Sound familiar? You're not alone.
Every developer using AI coding agents faces the same nightmare: skills scattered everywhere, zero visibility, and manual installation that's both tedious and dangerous. Claude Code wants skills in ~/.claude/skills/. Codex expects them in ~/.codex/skills/. Cursor looks in ~/.cursor/rules/. Windsurf, Cline, Roo Code, Continue — each adds another directory to babysit. The more agents you use, the worse this chaos becomes.
But what if one command could bring order to this mess? What if you could see, search, install, audit, and organize every skill across every AI agent from a single dashboard?
Enter asm — the universal skill manager for AI coding agents that top developers are quietly adopting to 10x their productivity. This isn't another toy project. It's a battle-tested CLI and TUI with 18 built-in providers, built-in security scanning, and a registry of 2,800+ skills ready to install in seconds.
Ready to stop drowning in skill directories? Let's dive in.
What is asm?
agent-skill-manager (asm) is the universal skill manager for AI coding agents, created by Nguyen Van Luong. It's an open-source CLI and interactive TUI built with TypeScript and Ink that gives developers a single interface to manage skills across every major AI coding agent on the market.
The project launched to solve a deceptively simple problem that grows exponentially worse: every AI agent stores skills differently. There's no standard format, no central registry, and no way to track what you've installed where. Developers were reduced to manual cp -r operations between hidden directories, praying they didn't break anything.
asm changes the game by providing one tool to rule them all. It auto-discovers skills across all configured agent directories, validates SKILL.md files, scans for security threats, and even lets you publish your own skills to a community registry. With 41 releases and version 2.6.2 shipping on May 7, 2026, it's actively maintained and production-ready.
The project is MIT licensed, free forever, with no accounts, no telemetry, and no paywalls. You can install it via npm in seconds or use a one-liner curl script. The source code lives at github.com/luongnv89/agent-skill-manager, and the online skill catalog at luongnv.com/asm lets you browse 2,800+ skills without installing anything.
What makes asm genuinely different? It's not just a package manager — it's a complete skill lifecycle platform. Create, develop, audit, test, install, and publish. One tool. Every agent.
Key Features That Make asm Indispensable
Universal Provider Support — asm ships with 18 built-in providers covering every major AI agent: Claude Code, Codex, OpenClaw, Cursor, Windsurf, Cline, Roo Code, Continue, GitHub Copilot, Aider, OpenCode, Zed, Augment, Amp, Gemini CLI, Google Antigravity, Hermes, and a generic Agents provider. All are enabled by default; disable any you don't need via asm config edit.
Dual Interface: TUI + CLI — Launch asm for a full interactive terminal UI with keyboard navigation, search, and detail views. Or script everything with asm --json for CI/CD automation. The TUI is built on Ink with React-style components, giving you a modern interface that feels like a desktop app in your terminal.
Intelligent Auto-Discovery — Run asm and it immediately scans all configured provider directories, detecting skills at both global (~/) and project (.) scopes. No manual path configuration needed for supported tools.
One-Command GitHub Installation — asm install github:user/repo handles cloning, validation, and placement automatically. Supports single-skill repos, multi-skill collections, subfolder URLs, specific branches/tags, and private repos via SSH. The --all flag batch-installs entire collections.
Built-In Security Scanning — Before any installation, asm scans for dangerous patterns: shell execution, network access, credential exposure, obfuscation via atob(), suspicious base64 strings, hex-escape sequences, and hardcoded API keys. The asm audit security command lets you scan any skill before trusting it.
Duplicate Detection & Cleanup — The asm audit command finds redundant skills across providers, shows you exactly which copies exist where, and can automatically remove duplicates with --yes.
Live Development with Symlinks — asm link ./my-skill -p claude creates a symlink so every edit is immediately visible to the agent. No reinstall loop. Link multiple skills at once, override names, or force-overwrite existing links.
Quality Evaluation Engine — asm eval runs a scored rubric over structure, frontmatter, clarity, prompt engineering, context efficiency, safety, testability, and naming — with concrete improvement suggestions and auto-fix capability.
Registry Publishing Pipeline — asm publish validates, audits, generates a signed manifest, forks the registry, and opens a PR automatically via the gh CLI. Once merged, anyone can install your skill by name.
Real-World Use Cases Where asm Shines
The Multi-Agent Developer
You use Claude Code at work, Codex for side projects, and Cursor for quick experiments. Without asm, you're maintaining three separate skill directories, manually copying updates, and constantly losing track of versions. With asm, one asm list shows everything across all tools. One asm search finds skills regardless of which agent uses them. One asm install deploys to any target.
The Security-Conscious Team Lead
Your team wants to use community skills but can't risk malicious code. asm audit security --all scans every installed skill for threats. asm audit security github:user/repo previews risks before installation. The verification system automatically flags unverified skills in the catalog, and the registry CI runs independent security scans before any skill goes live.
The Skill Creator & Open Source Contributor
You're building skills to share with the community. asm init scaffolds valid SKILL.md files. asm link gives you live reload development. asm eval scores quality before publication. asm publish automates the entire registry submission. The typical workflow — scaffold, edit, link, test, audit, inspect, eval, push, verify install, publish — is all handled by one tool.
The DevOps Engineer Automating Agent Setup
You need to provision consistent agent environments across CI runners, developer machines, and production containers. asm install code-review --yes --json gives you deterministic, machine-readable installations. Custom bundles let you define entire skill sets as JSON and install them in one command. The --no-cache flag ensures fresh registry fetches when you need the latest versions.
Step-by-Step Installation & Setup Guide
Getting started with asm takes under 30 seconds. Choose your preferred method:
Method 1: npm (Recommended)
npm install -g agent-skill-manager
Requires Node.js ≥ 18. No other runtime needed — both CLI and TUI run on Node alone.
Method 2: One-Liner Install
curl -sSL https://raw.githubusercontent.com/luongnv89/agent-skill-manager/main/install.sh | bash
This downloads and installs agent-skill-manager globally. Verify with:
asm --version
First Launch & Auto-Discovery
Simply run:
asm
The TUI launches and immediately scans all 18 provider directories. Skills appear automatically — no configuration required for supported tools.
Configuration (Optional)
To customize which providers are active:
asm config edit
This opens ~/.config/agent-skill-manager/config.json in your $EDITOR. Set "enabled": false for any providers you don't use, or add custom paths via customPaths.
Troubleshooting Shadowed Installs
If asm --version warns about multiple binaries, run:
asm doctor
This lists the resolved path and any shadowed installs. Remove stale versions with your package manager, then re-verify.
REAL Code Examples from the Repository
Let's walk through actual commands from the asm README, with detailed explanations of what each does and when to use it.
Example 1: Scaffold and Link a Skill for Live Development
# Create a new skill with valid SKILL.md template
asm init my-skill -p claude
# Symlink into Claude Code for instant live reload
asm link ./my-skill -p claude
What's happening here? asm init generates a my-skill/ directory containing a SKILL.md with proper YAML frontmatter — name, description, and a markdown template ready for your instructions. The -p claude flag targets Claude Code's skill directory specifically.
The asm link command creates a symbolic link from your local ./my-skill folder into ~/.claude/skills/my-skill. Because it's a symlink, not a copy, every file edit you make is immediately visible to Claude Code. No reinstall, no restart. This is the fastest iteration loop for skill development — edit your SKILL.md, test with your agent, refine, repeat.
Pro tip: Link multiple skills at once with asm link ./skill-a ./skill-b ./skill-c -p claude, or link an entire folder of skills with asm link ./my-skills-folder -p claude.
Example 2: Security Audit Before Installation
# Scan a GitHub repo for dangerous patterns before installing
asm audit security github:user/repo
# Audit every skill already on your system
asm audit security --all
Why this matters: AI skills are executable instructions that run in your development environment. A malicious SKILL.md could exfiltrate code, execute shell commands, or leak credentials. The security scanner catches:
atob()calls (runtime base64 decoding used for obfuscation)- Suspicious base64 strings (40+ character blocks with padding)
- Hex-escape sequences (
\xNNpatterns) - Hardcoded credential assignments (
API_KEY,SECRET_KEY,PASSWORD) - External URL references and shell execution patterns
Running asm audit security --all periodically is essential hygiene for any developer using community skills.
Example 3: Registry Installation and Publishing
# Install a verified skill by name — no GitHub URL needed
asm install code-review
# Publish your own skill to the ASM Registry
asm publish ./my-skill
The registry magic: When you run asm install code-review, asm fetches the registry index (cached for 1 hour at ~/.config/agent-skill-manager/registry-cache.json), finds the manifest with pinned commit SHA, clones the exact version, and installs it. No more hunting for GitHub URLs or worrying about breaking changes.
The asm publish command is equally sophisticated. It validates your SKILL.md, runs a security audit, generates a signed manifest with the current commit SHA, forks luongnv89/asm-registry, creates a branch, writes the manifest, and opens a PR — all via the gh CLI. The registry CI then validates schema, checks author identity, runs duplicate detection, typosquat detection, and an independent security scan before human review.
Preview before publishing:
asm publish --dry-run ./my-skill
Example 4: Quality Evaluation with Auto-Fix
# Score your skill and get improvement suggestions
asm eval ./my-skill
# Apply deterministic auto-fixes to SKILL.md
asm eval ./my-skill --fix
# CI-friendly machine-readable output
asm eval ./my-skill --machine
Going beyond validation: While asm audit checks for security threats, asm eval assesses quality. The built-in quality provider scores structure, frontmatter completeness, clarity, prompt engineering effectiveness, context efficiency, safety considerations, testability, and naming conventions. Each category gets a score with concrete suggestions.
The --fix flag applies safe, deterministic improvements automatically — fixing formatting, completing missing frontmatter fields, improving structure. This is invaluable for maintaining consistent quality across team-authored skills.
Example 5: Bundle Installation for Team Workflows
# List pre-defined bundles for common workflows
asm bundle list --predefined
# Install entire frontend development bundle
asm bundle install frontend-dev
# Create and export custom bundle
asm bundle create my-workflow
asm bundle export my-workflow ./my-workflow.json
Scaling across teams: Bundles are JSON manifests defining sets of skills that work together. Pre-defined bundles cover frontend development, DevOps, iOS release workflows, content writing, and more. Custom bundles let you capture your team's standard toolkit and share it via version control.
Advanced Usage & Best Practices
Use --json for Automation — Every major command supports --json output. Pipe asm list --json into jq for custom reporting, or use asm search "api design" --json in CI pipelines to verify skill availability.
Leverage Scope Filtering — The -s, --scope option filters by global, project, or both. Use asm list --scope project to see only skills in your current directory's .claude/skills/, keeping global noise out of project-specific work.
SSH for Private Repos — When installing from private repositories, use --transport ssh or --transport auto to fall back from HTTPS. This integrates cleanly with your existing SSH key setup.
Version Pinning for Reproducibility — Install specific commits or tags with asm install github:user/repo#v1.0.0. This is critical for team environments where reproducibility matters more than bleeding-edge updates.
Regular Duplicate Audits — Run asm audit --yes monthly to clean redundant skills. The tool shows exactly which duplicates exist across providers and recommends which to keep based on version and location.
Custom Providers for Niche Tools — If your team uses an unsupported agent, add it to customPaths in config. Any tool that stores skills as directories with SKILL.md files works with asm.
Comparison with Alternatives
| Feature | Manual Management | Vercel Skills CLI | asm |
|---|---|---|---|
| Multi-agent support | ❌ Manual paths per tool | ❌ Vercel-only | ✅ 18 built-in + custom |
| Security scanning | ❌ None | ⚠️ Limited | ✅ Built-in, pre-install |
| Duplicate detection | ❌ Manual find/diff |
❌ None | ✅ Automatic across providers |
| TUI dashboard | ❌ None | ❌ None | ✅ Full interactive UI |
| Registry publishing | ❌ Manual PRs | ⚠️ Vercel ecosystem | ✅ Automated via gh CLI |
| Quality evaluation | ❌ None | ❌ None | ✅ Scored rubric with auto-fix |
| Skill bundles | ❌ None | ❌ None | ✅ Pre-defined + custom |
| Live development | ❌ Copy/paste loop | ❌ None | ✅ Symlink with instant reload |
| JSON output for CI | ❌ None | ⚠️ Partial | ✅ All major commands |
| Offline/air-gapped | ✅ Always | ❌ Requires network | ✅ Local index, cached installs |
The verdict: Manual management doesn't scale past two agents. Vercel's CLI is polished but locked to their ecosystem. asm is the only tool that treats skill management as a cross-platform, security-first, lifecycle-complete discipline.
FAQ: Common Developer Concerns
Is asm free for commercial use? Yes — MIT licensed, no restrictions. Use it in personal projects, enterprise teams, or commercial products without cost.
Does asm send telemetry or require accounts? No telemetry, no accounts, no backend. The registry index is a public GitHub repository. Your skill data never leaves your machine except for explicit GitHub operations you initiate.
Can I use asm with private GitHub repositories?
Absolutely. Use --transport ssh for private repos, or --transport auto to try HTTPS then fall back to SSH. Your existing gh auth or SSH keys handle authentication.
What happens if a skill fails verification?
Unverified skills are still indexed and installable, but marked clearly. The verification criteria (valid frontmatter, meaningful body, no malicious patterns, proper structure) help users make informed decisions. Run asm eval locally to check your own skills before publishing.
How do I uninstall asm if I don't like it?
Since asm only manages symlinks and copies — never modifies your original skill sources — uninstalling is clean. Remove the npm package with npm uninstall -g agent-skill-manager, then delete ~/.config/agent-skill-manager/ if desired. Your agent skill directories remain intact.
Does asm work on Windows? Node.js ≥ 18 runs everywhere, and the path handling uses cross-platform abstractions. The TUI renders in any terminal that supports ANSI colors. Windows Terminal, PowerShell, and WSL are all supported.
How often is the registry updated? The registry index caches for 1 hour locally. New submissions go through automated CI validation before maintainer review. Most skills are live within hours of PR merge.
Conclusion: One Tool to Rule All Your AI Skills
The explosion of AI coding agents has created a hidden crisis: skill sprawl. Every new tool adds another directory, another convention, another maintenance burden. Developers waste hours on manual copying, version confusion, and security guesswork.
asm solves this with elegant finality. One installation. One interface. Eighteen providers. Built-in security. Automated publishing. Live development. Quality scoring. Bundle management.
Whether you're a solo developer juggling Claude Code and Codex, a team lead standardizing agent setups, or a creator building skills for the community — asm gives you the toolchain you didn't know you needed until the chaos became unbearable.
The project is free, open-source, and actively maintained with 41 releases and counting. The online catalog at luongnv.com/asm lets you explore 2,800+ skills instantly. And the source code at github.com/luongnv89/agent-skill-manager welcomes contributions.
Stop juggling skill directories. Start managing your AI agent skills like a pro.
npm install -g agent-skill-manager
asm
Your future self — the one with clean, audited, organized skills across every agent — will thank you.
Comments (0)
No comments yet. Be the first to share your thoughts!
