惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

P
Privacy International News Feed
I
Intezer
T
Tenable Blog
S
Schneier on Security
Project Zero
Project Zero
G
GRAHAM CLULEY
酷 壳 – CoolShell
酷 壳 – CoolShell
小众软件
小众软件
Know Your Adversary
Know Your Adversary
博客园 - 司徒正美
The Cloudflare Blog
Recent Commits to openclaw:main
Recent Commits to openclaw:main
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
N
News and Events Feed by Topic
博客园 - 叶小钗
宝玉的分享
宝玉的分享
L
LINUX DO - 热门话题
aimingoo的专栏
aimingoo的专栏
S
Secure Thoughts
Forbes - Security
Forbes - Security
T
The Exploit Database - CXSecurity.com
D
Darknet – Hacking Tools, Hacker News & Cyber Security
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
博客园 - 【当耐特】
罗磊的独立博客
IT之家
IT之家
H
Hacker News: Front Page
I
InfoQ
云风的 BLOG
云风的 BLOG
S
Security Affairs
M
MIT News - Artificial intelligence
GbyAI
GbyAI
Jina AI
Jina AI
Help Net Security
Help Net Security
Engineering at Meta
Engineering at Meta
大猫的无限游戏
大猫的无限游戏
Webroot Blog
Webroot Blog
L
Lohrmann on Cybersecurity
A
About on SuperTechFans
Attack and Defense Labs
Attack and Defense Labs
The Register - Security
The Register - Security
V
V2EX
G
Google Developers Blog
D
DataBreaches.Net
Apple Machine Learning Research
Apple Machine Learning Research
C
Cybersecurity and Infrastructure Security Agency CISA
J
Java Code Geeks
W
WeLiveSecurity
Cloudbric
Cloudbric
T
Tor Project blog

DEV Community

Authentication Security Deep Dive: From Brute Force to Salted Hashing (With Java Examples) Why AI Systems Don’t Fail — They Drift Spilling beans for how i learn for exam😁"Reinforcement Learning Cheat Sheet" I Replaced Chrome with Safari for AI Browser Automation. Here's What Broke (and What Finally Worked) How Python Borrows Other People's Work The $40 Architecture: Processing 1 Billion API Requests with 99.99% Uptime Vibe Coding: A Workflow Guide (From Zero to SaaS) Most webhook security guides protect the wrong side. The scary part is delivery. Headless CMS for TanStack Start: Build a Blog with Cosmic EU Age Verification App "Hacked in 2 Minutes" — What Actually Happened Comfy Cloud’s delete function does not actually remove files Running AI Models on GPU Cloud Servers: A Beginner Guide Event-driven media intelligence with AWS Step Functions and Bedrock I scored 500 AI prompts across 8 quality dimensions — here's what broke How to Call Google Gemini API from Next.js (Free Tier, No Backend Needed) The Portal Protocol: Reclaiming Human Connection in the Age of AI How to Fix Your Team's Scattered Knowledge Problem With a Self-Hosted Forum Intro to tc Cloud Functors: A Graph-First Mental Model for the Modern Cloud Designing Multi-Tenant Backends With Both Ownership and Team Access I Built a Neumorphic CSS Library with 77+ Components — Here's What I Learned PostgreSQL Performance Optimization: Why Connection Pooling Is Critical at Scale Cómo construí un SaaS multi-rubro para gestionar expensas en Argentina con FastAPI + Vue 3 🚀 I Built an Ethical Hacking Scanner Tool – Open Source Project I Replaced /usage and /context in Claude Code With a Single Statusline A Pythonic Way to Handle Emails (IMAP/SMTP) with Auto-Discovery and AI-Ready Design I Collected 8.9 Million Polymarket Price Points — Here's What I Found About How Markets Really Move EcoTrack AI — Carbon Footprint Tracker & Dashboard Everyone's Using AI. No One Agrees How. 5 self-hosted ebook managers worth trying in 2026 Building Your First AI Agent with LangChain: From Chatbot to Autonomous Assistant Common SOC 2 Failures (Real World) Stop Vibe-Checking Your AI App: A Practical Guide to Evals How to Use SonarQube and SonarScanner Locally to Level Up Your Code Quality Your Next To-Do App Is Dead — I Replaced Mine with an OpenClaw AI Sign a Nostr event in 60 lines of Python using coincurve — no nostr-sdk, no nbxplorer, no rust toolchain ITGC Audit Explained Like You’re in Big 4 Patch Tuesday abril 2026: Microsoft parcha 163 vulnerabilidades y un zero-day en SharePoint Stop scraping everything: a better way to track competitor price changes Listing on MCPize + the Official MCP Registry while routing payments OUTSIDE the marketplace — how I kept 100% of my x402 revenue Building an AI-Powered Risk Intelligence System Using Serverless Architecture Why We Ripped Function Overloading Out of Our AI Toolchain Testing AI-Generated Code: How to Actually Know If It Works SaaS Churn Is Killing Your Business. Here Is What to Do About It (Without a Support Team) The Speed of AI Is No Longer Linear - And Self-Improving Models Are Why How to Implement RBAC for MCP Tools: A Practical Guide for Engineering Teams From Standard Quote to Persuasive Proposal: AI Automation for Arborists I built a CLI that scaffolds complete multi-tenant SaaS apps Axios CVE-2025–62718: The Silent SSRF Bug That Could Be Hiding in Your Node.js App Right Now The dashboard that ended our friendship Data Pipelines Explained Simply (and How to Build Them with Python) The Hidden Cost of AI Systems Nobody Talks About. undefined vs undeclared, and how typeof behaves Switching from file-based jobs to NATS/Kafka in Rust without changing code io_uring Adventures: Rust Servers That Love Syscalls Why Agentic AI is Killing the Traditional Database The POUR principles of web accessibility for developers and designers Quantum Neural Network 3D — A Deep Dive into Interactive WebGL Visualization How To Install Caveman In Codex On macOS And Windows Automation Pipeline Reliability: Why Your Workflow Breaks When Nobody Is Watching I Built an 'Open World' AI Coding Agent — It Works From ANY Folder From Freelancing to Product: A Tech Service Company's SaaS Transformation China's AI Giants: Adding Tencent Hunyuan & ByteDance Doubao to AI University (74 Providers) On the Vibe Coders and Their Lies clerk: Auto-Summarize Your Claude Code Sessions AI Weekly — 2026/04/10–04/17 | The Model Lockdown Is Here, but the Toolchain Is the Real Battleground AI 週報 — 2026/04/10–2026/04/17 模型封鎖潮來了,但工具鏈才是真戰場 Maybe this is how Open-Source apps are born... 🚀 Fine-Tune LLMs with LoRA and QLoRA: 2026 Guide tRPC v11 + Next.js App Router: End-to-End Type Safety Without the Boilerplate ShadCN UI in 2026: Why I Stopped Installing Component Libraries and Started Owning My Components SaaS Billing in React Server Components: Stripe + Supabase Without a Single `useEffect` Join our DEV Weekend Challenge — $1,000 in Prizes Across TEN winners! Submissions Due April 20 at 6:59 AM UTC. Implementing FSRS Spaced Repetition in Flutter + Supabase — Adding Memory Science to an AI Learning App "I Texted My Localhost From the Train — Claude Code Fixed the Bug Before I Got Home" I Built a Sales Prep AI and It Went Deeper Than Expected Design to Code #2: One JSON, Eleven Outputs Solving the 100M-Row Problem: A Summary Table Pattern for High-Volume Push Notification Logs Flutter Web With Wasm: What Actually Changes For Developers I Built 50 Royalty-Free Soundtracks for My Side Project in a Weekend Using AI Music Generation The Vibe Coding Security Checklist: 7 Things to Check Before You Ship Stop Letting Googlebot Guess Fix Your React App's SEO Right Desconstruindo o Streaming do LinkedIn: Como Criar um Engine de Extração de Vídeo de Alta Performance com HLS e FFmpeg (EDA Part-1) EDA (Exploratory Data Analysis) Explained With Real Life — Why Looking at Your Data Is the Most Important Step in Machine Learning Brand Relationship Management at Scale: Our 4-Touch Outreach System for 200+ Brands Why String.fromEnvironment() Might Return an Empty String in Dart JGuardrails 1.0.0 — Hardening Java LLM Apps Against Jailbreaks, Toxicity, and Prompt Injection Plan and Schedule a Full Week of Threads Content From One Claude Conversation Coding Cat Oran Ep3, Five Tables Changed Everything Updated: BFF Pattern I'm done watching freelancers get buried by 200 proposals. So I'm building the alternative. This is my first post BFS Algorithm in Java Step by Step Tutorial with Examples Tracking LLM Pricing Monthly: An Open Dataset for 22 AI Models How We Measure Content ROI on a Comparison Site: Revenue Attribution Without Perfect Data Introducing Nova AI Ops: The AI-Native Operating System for SRE Teams I built a free desktop video downloader for Windows — Grabbit How Talkie OCR Helps Vision-Impaired & Dyslexic Users Read the World Around Them VRCFaceTracking安装和iPhone面捕配置教程,有bug Even CrowdStrike Can't See Your Agents The Automation Gold Rush: What n8n Workflows and Claude Are Opening Up for Developers Right Now
I built a Homebrew for AI skills: install flow and eval harness inside
Sulthon Zainul Habib · 2026-06-18 · via DEV Community

The problem

Last quarter I spent an afternoon writing a SKILL.md for backend FastAPI work by hand. By the time I had a usable prompt set, three templates, and a config file, I realized nobody else on the team would ever do this. Engineering skills are either too rigid, a hand-written prompt for one specific stack, or too generic, a "full-stack" skill that tells you to "use best practices." The GPT Store proved the failure mode in public: when quality is not measurable, prompt wrappers win and nobody comes back.

SkillForge is my attempt at a fix. Install is two pip commands and a serve:

cd apps/api && pip install -e ".[dev]"
cd ../cli   && pip install -e .
skillforge serve --build-web    # → http://localhost:8000

The thing I kept hitting was the category axis. I wanted a skill for a specific stack, FastAPI plus Postgres plus Alembic plus pytest plus Docker, but every skill marketplace wanted me to pick a category first. Categories are the wrong axis. Skills should be named after the stack they target, the way Homebrew formulae are named after the binary they install. A skill called backend-fastapi-postgres is honest about what it does. A skill called "Senior Backend Engineer" is vibes.

The GPT Store angle was the other half. When you cannot measure skill quality, the people who optimize for thumbnails win. The people who optimize for output leave. The marketplace fills with wrappers and stays that way.

The idea

Flip the workflow. Describe the need in plain English. The planner picks the tools and explains each pick. The generator produces a focused skill. Skills are named for their stack, not for a persona:

backend-fastapi-postgres, data-airflow-dbt-bigquery, devops-kubernetes-helm-terraform, ai-rag-langchain-pgvector, observability-opentelemetry-grafana, web-scraping-python-playwright.

Local-first means local-first. SkillForge binds to 127.0.0.1, ships no telemetry, and does not auto-execute generated scripts. The only outbound traffic is to the LLM provider you configure. Skills land on disk under ~/.skillforge/skills. The filesystem is the source of truth.

How it works

Three apps, one service layer. The CLI and the API import the same Python services, so skillforge plan on the command line and POST /api/chat/plan-skill from the browser run the exact same code path.

┌──────────────────────────────────────────────────────────────────┐
│  apps/web   (Next.js + TS + Tailwind)   :3000 / :8000 (bundled)  │
│  ChatPanel → ManifestEditor → SkillPreview → InstallButton       │
└────────────────────────────┬─────────────────────────────────────┘
                             │ HTTP
┌────────────────────────────▼─────────────────────────────────────┐
│  apps/api   (FastAPI)                       :8000                │
│  routers/  ──►  services/  ──►  repositories/                     │
└────────────────────────────┬─────────────────────────────────────┘
                             │ reuses the same service layer
┌────────────────────────────▼─────────────────────────────────────┐
│  apps/cli   (Typer + Rich)                                       │
│  serve | plan | generate | install | list | validate | remove    │
└──────────────────────────────────────────────────────────────────┘

Six provider families ship today, all swappable live from the Settings page with no restart: Mock (default, offline, deterministic), OpenAI-compatible (OpenAI, OpenRouter, Groq, Together, Mistral, DeepSeek, xAI, Fireworks, Z.ai), Ollama, Anthropic, Gemini, and Cohere. The Mock provider is the reason the project runs with zero configuration and the reason the test suite passes offline.

A first plan:

skillforge plan "I need a backend skill for FastAPI, PostgreSQL, Docker, and Pytest"

The CLI surface is intentionally small: serve, plan, generate, install, list, validate, remove. The generator is pure with respect to execution. It never calls subprocess. The scripts/ directory it writes is reference text on disk, runnable when you choose to run it.

What you actually get

A skill lands at ~/.skillforge/skills/<name>/ with this shape:

~/.skillforge/skills/backend-fastapi-postgres/
  SKILL.md
  README.md
  config.yaml
  prompts/
  templates/
  scripts/      # real FastAPI server, Alembic, pytest, Dockerfile, MCP server
  examples/

The scripts/ directory is the part that took the longest. Each artifact is a real, runnable file produced by a ToolArtifactRegistry at generation time, not a placeholder. The FastAPI skill ships a working dev_server.py. The data skill ships an Alembic migrate.sh. The devops skill ships a Helm Chart.yaml. The config.yaml is a manifest, not a config dump:

schema_version: "1.0"
skill:
  name: backend-fastapi-postgres
  domain: Backend Engineering
tools:
  - name: Python
    category: language
    reason: Primary language for this backend skill.
safety:
  auto_execute_scripts: false
  require_user_confirmation_before_install: true

Every generated skill carries the safety block. auto_execute_scripts is always false. The installer will not overwrite an existing skill without an explicit flag.

The analogy

SkillForge is not a new shape. It is the same shape as four package managers you already know.

SkillForge Homebrew npm VS Code Helm
config.yaml formula (.rb) package.json package.json (contributes) Chart.yaml
SKILL.md install block main / bin extension.ts templates/
scripts/ resource blocks bin/ bundled commands n/a
~/.skillforge/skills Cellar node_modules ~/.vscode/extensions release namespace
.skillpkg tarball bottle pack tarball .vsix chart .tgz
marketplace bridge tap (git repo) scoped pkg + token Marketplace publisher OCI registry
skillforge validate brew audit npm publish --dry-run vsce package helm lint

Homebrew taps federate anyone's git repo of formulae (https://docs.brew.sh/Formula-Cookbook). npm scoped packages use auth tokens for verified namespaces. Helm OCI registries host signed charts. The SkillForge marketplace bridge is the same model: anyone can host a marketplace, and the local app pairs with it via a 6-character code.

The marketplace vision

The marketplace is not a website. It is an HTTP contract. Anyone can run one. The local app does not care whose marketplace it is paired with. Today the repo ships a LocalStubAdapter that implements the full publish, search, download, install flow offline, so you can try the entire loop without a cloud backend.

The pairing flow borrows from VS Code plus GitHub. The local user generates a single-use 6-character code with a 10-minute TTL:

# 1. Local user generates a single-use 6-char code
POST /api/marketplace/pair/code
→ {"code": "AB3X9K", "ttl_minutes": 10}

# 2. User enters the code on the marketplace site

# 3. Marketplace exchanges the code for a 32-byte scoped bearer token
POST /api/bridge/pair/complete
Body: {"code": "AB3X9K", "label": "skillforge-marketplace"}
→ 200: {"token": "<32-byte-urlsafe>", "token_id": "...", "scopes": [...]}

Only the SHA-256 hash of the token is stored locally, in a chmod 600 file. Comparison is constant-time via hmac.compare_digest. Pairing endpoints are rate-limited to 10 attempts per minute per client, which makes the 887-million code space provably infeasible to brute force.

Default scopes are registry:read, skills:install, skills:publish. The dangerous one, skills:install:unattended, is off by default and requires explicit grant. Marketplace-originated installs land in an approval queue. The local user clicks Approve. No silent installs, ever.

The wire bundle is a gzipped tarball called .skillpkg:

skill-creator.skillpkg
├── PACKAGING        # JSON: name, version, packaged_at, packaged_by
├── manifest.json    # canonical SkillManifest
├── SKILL.md
├── config.yaml
├── prompts/
├── templates/
├── scripts/
└── examples/

Path traversal is rejected on unpack. The manifest is the source of truth.

The vision: anyone designs a skill, anyone hosts a marketplace, anyone installs. The reason the GPT Store filled with prompt wrappers is that there was no quality signal. SkillForge ships with one.

The eval harness

The eval harness is the quality signal. It lives at /eval in the Web UI.

Pick a skill. Pick a prompt suite. For each prompt, the harness runs the skill's SKILL.md as guidance against the configured provider, then asks an LLM-as-judge to score the response 0 through 10 against the skill's own output_standards. Results stream into an expandable table with color-coded scores and reasoning. Runs persist to SQLite so you can track scores across iterations.

POST /api/eval/run
{
  "skill_name": "backend-fastapi-postgres",
  "suite": "general",
  "provider": "anthropic",
  "judge_provider": "openai-compatible"
}
 200: {"run_id": "...", "results": [...]}

Compare mode is where the harness earns its keep. Pick two or more skills and a shared suite. You get an aggregate score, a win count, and per-prompt side-by-side cards with the winner highlighted. Manual override is supported. When five people publish a backend-fastapi-postgres skill, you can run them head to head on the same suite and see which one actually wins. Quality becomes measurable.

The cost guard caps completions per run at SKILLFORGE_EVAL_MAX_CALLS=50. Eval never executes generated scripts. It only calls the chat API.

Two honest caveats. The judge and the generator can already be configured to use different providers, which kills the worst of the self-grading bias. The default config still uses the same provider for both, and most users will not change it. The roadmap item Tier 2.1 is to make the judge default to a different provider than the generator. The second caveat: per-domain output standards are still generic. Every domain currently judges against one shared standards list. Tier 1.2 on the roadmap specializes them.

The GPT Store failed partly because there was no quality signal. SkillForge ships with one. It is rough, it has known bias, and it is better than nothing.

Safety and honest limitations

Safety first. The local server binds to 127.0.0.1 by default. A LocalOriginGuardMiddleware rejects browser requests whose Origin or Referer header names a non-loopback host, which is the CSRF and DNS-rebinding defense Jupyter and VS Code use. Token comparison is constant-time. Install is atomic: write to a staging directory, then os.replace. SQLite runs in WAL mode with busy_timeout=5000 and synchronous=NORMAL, so concurrent eval and registry access no longer hits "database is locked." Generated scripts are never executed automatically. The tool executor requires explicit confirm=True, an allowlist match, and a 30-second timeout.

Now the limits. These are the engagement magnet, so I will be direct about them:

  • Cross-platform binary releases need CI work. The release workflow ships in the repo. The automation that runs it on tag push does not. Today you build the binary on your own platform with ./scripts/build-binary.sh.
  • The skill-creator skill, the meta skill that helps you author new skills, is auto-bootstrapped on first run. It works. It is still rough.
  • No streaming SSE yet. Plan responses return as a single JSON payload. The Web UI shows a spinner.
  • The web layer has no Playwright coverage. Snapshot tests for generated SKILL.md do not exist.
  • The repo has 247 tests passing across 21 files. That number is real, not rounded up.

If you want to find a bug, those bullets are where to look first.

Roadmap

The big vision is a federated marketplace where anyone can design a skill, publish it, and have end users compare skill outputs head to head. Best skills rise. Weak skills get forked and improved.

Concrete items on the roadmap:

  • Streaming plan responses via Server-Sent Events
  • Per-domain output standards for the eval judge
  • A separate judge provider by default to kill self-grading bias
  • Cross-platform binary releases via CI on tag push
  • Multi-language catalog contributions with a PR template and CI check
  • A "skill linter" CI action usable in external repos
  • Pluggable marketplace adapters beyond LocalStub, including a read-only public registry
  • Statistical eval with multiple judge samples and significance testing

Out of scope by design: cloud sync, multi-user workspaces, auth, team permissions, remote deployment, auto-executing generated scripts. If those matter to you, the MIT license and the clean service layer make forking straightforward.

Try it

git clone https://github.com/sulthonzh/skillforge
cd skillforge
cd apps/api && pip install -e ".[dev]"
cd ../cli   && pip install -e .
skillforge serve --build-web

I want bug reports and edge cases, not stars. Tell me where it breaks. Specific things I would like feedback on:

  • Did the planner pick the wrong tools for your stack?
  • Did the generator produce a script that does not run when you execute it?
  • Did the eval judge score something obviously wrong, and against which standards?
  • Did the marketplace pairing flow fail on your network setup?
  • Did the local-origin guard reject a legitimate tool you use?

The file apps/api/skillforge_api/data/tool_catalog.yaml is a great first PR. Add a domain. Add a tool. Add a reason. The catalog is the part that gets better with every contributor.

Repo: https://github.com/sulthonzh/skillforge