AutoVault
AutoVault is a skill management service that validates, stores, retrieves, and maintains SKILL.md capability files in a local-first vault — without executing skill content itself.
get_skill— Find and load installed skills by exact name or fuzzy query; optionally render agent-specific variants (with transforms applied) and inline packaged resource/binary file contents.add_skill— Install a skill from supported sources (github,agentskills,url, orlocalbundle), with validation, security checks, and agent profile sync.propose_skill— Submit newly authoredSKILL.mdcontent through the full validation pipeline: schema check, security scan, capability cross-check, three-tier deduplication (exact hash → near-exact similarity → functional overlap), signing, and storage.bulk_import— Import multiple skills from a directory, applying the same validation and deduplication pipeline to each, then syncing profiles once at the end.update_skill— Refresh an installed skill from its recorded upstream source, a new source, a local bundle, or inline bytes, with re-validation enforced.delete_skill— Remove an installed skill and all its vault-local transforms, then refresh agent profile links.check_updates— Detect upstream drift by comparing each installed skill's stored content hash against its current source state.
Key characteristics: All write operations enforce strict validation. Skill transforms allow agent-specific rendering without altering the original SKILL.md. Provenance is tracked via Ed25519 signing. In remote mode, OAuth handles authentication and per-user skill visibility.
Allows installing, updating, and auditing skills sourced from GitHub repositories.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@AutoVaultlist my installed skills"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
AutoVault
SKILL.md files already move through GitHub repos, team docs, public indexes,
Slack threads, and agent-written drafts. AutoVault gives those files one
canonical home: validate them at admission time, sign what passes, track where
they came from, and render the right view for each agent without maintaining
forks by hand.
AutoVault is a Node/TypeScript capability library, CLI, and MCP server. It has local stdio and remote Streamable HTTP MCP entry points, both backed by the same filesystem vault and SQLite capability index.
It does not execute skills through the MCP server. The server validates and
serves skill content; the host agent decides how to use that content inside its
own tool sandbox. The separate user-invoked autovault skill <action> CLI can
run signed bin: actions from installed skills, and that surface is documented
under Security Model.
Docs and public site: https://autovault.dev
Why AutoVault
The SKILL.md format is intentionally plain. The hard part is everything around it:
Skill drift - the same skill gets copy-pasted into Claude Code, Codex, Cursor, and project folders with no upstream tracking.
Supply-chain risk - remote skill bytes should be treated like untrusted package contents until they pass a gate.
Duplicate explosion - agents can author near-identical skills unless new proposals are deduplicated before storage.
Platform mismatch - one agent says
read, another saysfile_read, and a third expects a different filesystem tool name.Scope leakage - local dev skills should not silently show up in prod or in another client's project.
AutoVault's answer is deliberately simple: keep one canonical skill folder, record provenance, sign the admitted content, and sync or serve agent-specific views from that source.
Related MCP server: local-skills-mcp
Quick Start
Requirements:
Node.js
>=22.0.0curl,tar, andnpmmacOS 13+, Linux x64/arm64, or Windows through WSL2
Install the local vault:
curl -fsSL https://autovault.sh | sh
export PATH="$HOME/.autovault/bin:$PATH"
autovault --version
autovault doctor
autovault setup --review
autovault skill listInstall with Homebrew:
brew install autoworks-ai/tap/autovault
autovault setupInstall the packaged CLI/library directly from npm:
npm install -g @autoworks-ai/autovault
autovault setup --review
autovault doctorManual source install:
git clone https://github.com/autoworks-ai/autovault.git
cd autovault
npm ci
npm run build
node scripts/bootstrap-skills.mjs
node dist/cli.js doctorThe shell installer builds the app under ~/.autovault/app, preserves
~/.autovault as user-owned vault storage, installs the autovault CLI shim,
and bootstraps bundled skills unless AUTOVAULT_NO_BOOTSTRAP=1 is set. By
default it installs the latest stable release; set AUTOVAULT_REF=main only
when you explicitly want the unreleased main branch.
What Ships Today
AutoVault supports:
local filesystem storage under
AUTOVAULT_STORAGE_PATHa SQLite capability index for callers, profiles, tool groups, aliases, context rules, and MCP servers
per-agent and tag-filtered profile symlink generation
vault-local skill transforms that render agent-specific variants without forking upstream
SKILL.mdinstall, update, proposal, bulk-import, removal, resource-read, and drift-check workflows
enrolled pull-sync foundations for signed upstream skill releases, including metadata-only update checks, local approval policy, bundle verification, and revocation state
source adapters for GitHub,
agentskills, arbitrary HTTPS URLs, local bundles, and inline MCP-proposed contentthree-tier deduplication for proposals
Ed25519 signatures and manifest checks for stored skills and executable resources
local stdio MCP and remote Streamable HTTP MCP at
/mcpwith OAuth-backed bearer auth
The npm package and Homebrew formula are live. The shell installer is still the
easiest local bootstrap path because it provisions ~/.autovault, installs the
CLI shim, and seeds bundled skills in one pass.
Distribution:
Source and releases: https://github.com/autoworks-ai/autovault
NPM package page: https://www.npmjs.com/package/@autoworks-ai/autovault
Homebrew tap: https://github.com/autoworks-ai/homebrew-tap
Container image:
ghcr.io/autoworks-ai/autovault:<tag>
CLI Surface
The CLI is the local operator surface:
autovault add <source-or-path> [--source github|agentskills|url|local] [--provenance <value>] [--version <v>] [--agent <agent>] [--sync-profiles|--no-sync-profiles] [--discover|--no-discover] [--link agent=/path/to/skills] [--dry-run] [--yes] [--quiet] [--verbose] [--json]
autovault add-local <path> [--source <provenance>] [--sync-profiles] [--link agent=/path/to/skills] [--json]
autovault remove <skill-name> [--discover|--no-discover] [--link agent=/path/to/skills] [--json]
autovault sync-profiles [--discover] [--link agent=/path/to/skills] [--json]
autovault profiles list [--json]
autovault setup [--json] [--review] [--advanced]
autovault doctor [skill-name] [--clean] [--repair] [--json]
autovault audit-repo --repo /path/to/repo [--format json|markdown]
autovault import-autohub --tool-filters /path/tool-filters.json [--mcp-servers /path/mcp-servers.json] [--reset] [--json]
autovault init <upstream-catalog-or-directory> [--json]
autovault resolve --caller <id> --platform <name> [--channel <id>] --query <text> [--json]
autovault serve [--help]
autovault ui [--port <n>] [--no-open]
autovault skill list [--json]
autovault skill search <query> [--top-k N] [--json]
autovault skill which <name> [<action>]
autovault skill <action> <name>Human-readable output is the default. Use --json or --format json only
for scripts and other machine consumers.
autovault ui starts a loopback-only browser dashboard for local skill
metadata edits, named profile management, profile sync, update checks, deletion,
signed upstream update installs, enrolled-client revocation, and
permission-group visibility. It serves the packaged React assets and uses the
same /api/v1 management API shape as remote AutoVault.
autovault init <upstream-catalog-or-directory> enrolls the local vault with a
signed upstream catalog. The first implementation supports file-backed catalogs
for local testing and future cloud adapters; downloaded resources still install
through AutoVault's existing validation, manifest, and profile-sync paths.
Common flows:
# Inspect vault health and integrity.
autovault doctor
autovault doctor --clean
autovault doctor --repair
# Add a known skill from any supported source.
autovault add ./path/to/your-skill --sync-profiles
autovault add ./path/to/your-skill/SKILL.md --sync-profiles
autovault add https://github.com/org/repo/tree/main/skills/your-skill
autovault add owner/repo:skills/your-skill/SKILL.md
autovault add my-skill --source agentskills
autovault add https://example.com/SKILL.md --source url
# Search installed skills locally.
autovault skill search code-review --top-k 5
# Enroll a local test upstream and review signed updates in the dashboard.
autovault init ./path/to/upstream-catalog
autovault ui
# Remove a vaulted skill and refresh managed profile links.
autovault remove skill-authorautovault add is the canonical terminal path for known skills from local
bundles, GitHub repositories, agentskills slugs, or HTTPS URLs. Existing
installer scripts can keep using add-local as a compatibility alias for
local bundles; there, --source still means local provenance. For new local
adds, omit provenance and AutoVault records the normalized absolute bundle
directory.
If a remote skill omits AutoVault-specific agents frontmatter, pass
--agent codex (repeatable) for profile sync, or --no-sync-profiles for a
vault-only install.
autovault setup is the first-run adoption wizard. It scans the vault, bundled
skills, and discovered native roots such as ~/.claude/skills,
~/.codex/skills, and ~/.cursor/skills, then asks how to adopt each skill.
Run it from a real terminal; without a TTY the installer defers setup and tells
you to rerun the wizard manually.
MCP Tool Surface
MCP hosts can spawn the local stdio server with node dist/index.js, while
remote clients connect to dist/remote.js at /mcp.
Registered tools:
get_skill- search by query or fetch by exact name, optionally rendering for an agent and including packaged resources.add_skill- install a known skill fromgithub,agentskills,url, orlocal.propose_skill- submit newly authored SKILL.md bytes for validation, security scan, deduplication, signing, and storage.bulk_import- import every immediate child directory containing aSKILL.md.update_skill- refresh from the recorded source or replace from a new source, local bundle, or inline bytes.delete_skill- remove an installed skill and its vault-local transforms, then refresh generated profiles.check_updates- compare installed skills against upstream source state and report drift or transform-review work.
Tool handlers return plain objects. src/mcp/server.ts wraps and serializes
them into the MCP content[0].text envelope. Remote mode applies an additional
policy layer for scopes and skill visibility.
Library Surface
The source package exports the same helpers used by the CLI and MCP server:
resolveCapabilities()/resolve_capabilities()syncProfiles()anddiscoverProfileRoots()addSkill(),updateSkill(),deleteSkill(),installSkill(),addLocalSkill(),proposeSkill(), andbulkImport()proposeSkillTransform(),listSkillTransforms(),removeSkillTransform(), andrenderSkillForAgent()auditRepo()importAutohubCapabilities()/ensureAutohubSeeded()
Unknown callers fail closed. Register callers explicitly or map unknown users to
a restricted caller such as guest.
Validation Gate
Every install, update, proposal, and bulk import runs through the same validation path:
Repair and normalize frontmatter formatting.
Parse YAML frontmatter with
gray-matter.Validate schema with
zod.Scan content against the denylist in
scripts/security/patterns.json.Cross-check declared capabilities against observed behavior.
Deduplicate exact, near-exact, and functionally similar proposals.
Write the skill, source sidecar, signed manifest, and Ed25519 signature.
In strict mode (AUTOVAULT_SECURITY_STRICT=true, the default), denylist hits
block writes. In non-strict mode they become warnings.
Storage Layout
Default storage is ~/.autovault; override it with
AUTOVAULT_STORAGE_PATH.
$AUTOVAULT_STORAGE_PATH/
autovault.sqlite # capability index
.signing-key.json # Ed25519 keypair, mode 0600
skills/
<name>/
SKILL.md
.autovault-source.json # source, hash, timestamps
.autovault-signature # detached Ed25519 signature, mode 0600
.autovault-manifest # signed manifest for declared resources/bin
<resources...>
transforms/
<base-skill>/<transform>/
TRANSFORM.md
BASE_SKILL.md
.autovault-transform.json
.autovault-manifest
rendered/
<agent>/<skill>/ # generated variants
profiles/
<agent>/<skill-name> -> ../../skills/<skill-name> or ../../rendered/<agent>/<skill-name>
<named-profile>/<skill-name> -> ../../skills/<skill-name> or ../../rendered/<agent>/<skill-name>
profiles.config.json
cloud-sync/
upstreams.json # enrolled upstream/device metadata, mode 0600Skills are plain files. Back them up like dotfiles:
tar -czf autovault-backup-$(date +%F).tgz -C "$HOME" .autovaultSkill Transforms
Transforms let a workspace or agent adjust a skill without editing the upstream
SKILL.md. AutoVault stores the transform under the vault, appends transform
instructions to the base skill at render time, applies declared capability
metadata overrides, and materializes generated variants under rendered/.
Example TRANSFORM.md:
---
name: perplexity
base: research-skill
description: Use Perplexity instead of the default web search path.
targets:
agents: [codex]
priority: 100
capability_overrides:
network: true
tools:
add: [mcp__perplexity__search]
remove: [web_search]
metadata:
version: "1.0.0"
---
Use `mcp__perplexity__search` instead of `web_search` for research.When the base skill changes, check_updates continues rendering the transform
but returns transform_reviews with the pinned old base so the delta can be
reviewed.
Remote Deploy
Remote mode is for a shared or managed vault. It serves Streamable HTTP MCP at
/mcp, uses OAuth for client registration/login/token issuance, and stores the
vault under the mounted AUTOVAULT_STORAGE_PATH.
npm run build
AUTOVAULT_MODE=remote \
AUTOVAULT_PUBLIC_URL=http://localhost:3000 \
AUTOVAULT_ADMIN_EMAIL=admin@example.com \
AUTOVAULT_ADMIN_PASSWORD=replace-with-a-long-random-password \
npm run start:remoteDocker:
AUTOVAULT_ADMIN_EMAIL=admin@example.com \
AUTOVAULT_ADMIN_PASSWORD=replace-with-a-long-random-password \
docker compose up --buildRemote mode cannot create symlinks on client machines. sync-profiles is
local-only because a remote MCP server has no filesystem access to
~/.codex/skills, ~/.claude/skills, or other host roots. Remote clients
should discover and read skills directly through get_skill.
Configuration
Runtime environment:
Variable | Default | Purpose |
|
|
|
|
| Root path for installed skills. |
|
| SQLite capability index. |
| unset | Comma-separated |
|
| Optional named profile config. |
|
| Vendor routing: |
|
| Block denylist hits when true; warn when false. |
|
| Search backend. Metadata text search is the current implementation. |
|
|
|
| unset | Set to |
| required in remote mode | Public origin for OAuth metadata and callbacks. |
|
| HTTP port when |
| unset | Optional CORS allowlist for remote mode. |
| required until owner exists | First remote owner email. |
| required until owner exists | First remote owner password, at least 12 characters. |
| unset | Optional GitHub API rate-limit headroom. |
|
| Override the agentskills API base. |
Installer-only environment:
Variable | Default | Purpose |
|
| Install root for app, shim, and default storage. |
|
| Directory for the |
| latest stable release | GitHub branch or tag downloaded by |
| derived from | Fully override the source archive URL. |
|
| Set to |
Security Model
AutoVault has two execution surfaces with different boundaries.
The MCP servers (dist/index.js over stdio and dist/remote.js over
Streamable HTTP) are storage-and-validation services. They never execute skill
content. Remote sources are treated as untrusted input and must pass schema,
security, capability, dedup, signing, and path-safety checks before any write.
All diagnostics go to stderr so stdout stays reserved for stdio MCP framing.
Remote mode additionally requires OAuth bearer tokens and filters skill
visibility for non-owner users.
The autovault skill <action> CLI is a user-invoked execution surface for
skills that declare signed bin: actions. It runs the script as the invoking
user, with that user's filesystem and network access. Before execution, the CLI
hard-fails if the signed manifest, SKILL.md, or declared bin resources have
been changed post-install.
Important limits:
The trust root is the keypair at
$AUTOVAULT_STORAGE_PATH/.signing-key.json. Treat storage-root write access as full vault compromise.autovault doctor --cleanremoves only ignored OS/editor metadata such as.DS_Store,Thumbs.db,desktop.ini, and AppleDouble._*files.Unknown hidden files, symlinks, special files, unsigned helpers, and changed signed files remain integrity failures.
The CLI requires an interactive TTY for bin actions as defense in depth, but a pseudo-terminal can satisfy that check. The hard boundary is validation plus manifest signing, not proof of a human at the keyboard.
For the full model and accepted risks, read
docs/THREAT-MODEL.md.
Development
npm ci
npm run build
npm test
node scripts/smoke.mjs
node scripts/remote-smoke.mjs
node scripts/probe.mjsThe smoke, probe, and remote-smoke scripts require npm run build first because
they spawn compiled files from dist/.
Fresh Installer Sandbox
Use this when you want to walk through the shell installer like a new user
without touching your real ~/.autovault, shell profile, or installed skills.
The recipe packages the current development checkout, including uncommitted
files, and points the installer at that local archive.
SANDBOX="$(mktemp -d -t autovault-fresh.XXXXXX)"
FRESH_HOME="$SANDBOX/home"
ARCHIVE="$SANDBOX/autovault-dev.tgz"
mkdir -p "$FRESH_HOME"
tar \
--exclude ./.git \
--exclude ./node_modules \
--exclude ./dist \
-czf "$ARCHIVE" \
-C "$(dirname "$PWD")" "$(basename "$PWD")"
HOME="$FRESH_HOME" \
AUTOVAULT_HOME="$FRESH_HOME/.autovault" \
AUTOVAULT_BIN_DIR="$FRESH_HOME/.autovault/bin" \
AUTOVAULT_TARBALL_URL="file://$ARCHIVE" \
AUTOVAULT_REF=dev \
sh scripts/install.sh --verboseAfter install, keep the sandboxed HOME and PATH on commands you want to run
from the new-user perspective:
HOME="$FRESH_HOME" PATH="$FRESH_HOME/.autovault/bin:$PATH" autovault --version
HOME="$FRESH_HOME" PATH="$FRESH_HOME/.autovault/bin:$PATH" autovault doctor
HOME="$FRESH_HOME" PATH="$FRESH_HOME/.autovault/bin:$PATH" autovault skill list
HOME="$FRESH_HOME" PATH="$FRESH_HOME/.autovault/bin:$PATH" autovault ui --no-open --port 0To skip the setup wizard during install and run it manually:
HOME="$FRESH_HOME" \
AUTOVAULT_HOME="$FRESH_HOME/.autovault" \
AUTOVAULT_BIN_DIR="$FRESH_HOME/.autovault/bin" \
AUTOVAULT_TARBALL_URL="file://$ARCHIVE" \
AUTOVAULT_REF=dev \
AUTOVAULT_NO_SETUP=1 \
sh scripts/install.sh --verbose
HOME="$FRESH_HOME" PATH="$FRESH_HOME/.autovault/bin:$PATH" autovault setup --reviewRemove the whole sandbox when finished:
rm -rf "$SANDBOX"Architecture map:
src/index.ts- local stdio MCP entry pointsrc/remote.ts- remote Streamable HTTP MCP entry pointsrc/mcp/- tool registration and serializationsrc/tools/- MCP tool handlerssrc/cli/- local operator CLI and UIsrc/library.ts- public ESM exportssrc/capabilities/- SQLite schema, resolver, AutoHub importsrc/profiles/- profile discovery, filtering, and symlink syncsrc/validation/- frontmatter repair, schema, security, dedupsrc/sources/- source adapterssrc/storage/- filesystem storage, locks, manifests, signingsrc/util/- shared helpers
Release and operations docs:
Roadmap
Likely next areas:
stronger key storage for signature enforcement
semantic search via local embeddings
additional source adapters such as ClawHub, LobeHub, and Tessl
local mirror helper for permitted remote skills
secret resolver design, without storing secret values in the vault
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/autoworks-ai/autovault'
If you have feedback or need assistance with the MCP directory API, please join our Discord server