skillhub

SkillHub is a self-hosted, open-source agent skill registry that lets organizations publish, version, govern, and distribute reusable “skill packages” within private namespaces. It provides a Web UI and CLI-first workflows plus a backend REST API, with RBAC and audit logging, and supports pluggable storage (filesystem, S3/MinIO).

Evaluated Mar 30, 2026 (0d ago)
Repo ↗ Ai Ml self-hosted open-source skill-registry rbac audit-logs versioning cli-first rest-api docker kubernetes java postgresql redis s3-minio
⚙ Agent Friendliness
50
/ 100
Can an agent use this?
🔒 Security
71
/ 100
Is it safe for agents?
⚡ Reliability
30
/ 100
Does it work consistently?

Score Breakdown

⚙ Agent Friendliness

MCP Quality
0
Documentation
70
Error Messages
0
Auth Simplicity
70
Rate Limits
10

🔒 Security

TLS Enforcement
80
Auth Strength
75
Scope Granularity
85
Dep. Hygiene
50
Secret Handling
60

Security-relevant signals from README: HTTPS is implied for a production entrypoint; it includes RBAC, audit logs, scoped API tokens, and mention of password bootstrap defaults that must be changed/rotated. Explicit guidance on TLS enforcement, token hashing details, secure secret storage practices, rate limiting, and dependency vulnerability posture are not fully verifiable from the provided text.

⚡ Reliability

Uptime/SLA
0
Version Stability
55
Breaking Changes
30
Error Recovery
35
AF Security Reliability

Best When

You need an on-prem registry with RBAC, auditability, versioning, and controlled distribution of reusable agent skills across teams.

Avoid When

You cannot provide the required infrastructure (Docker/K8s, PostgreSQL/Redis, object storage) or you need a fully managed SaaS experience.

Use Cases

  • Private, governed internal registry for agent/robot skill packages
  • Namespace-based discovery and installation of versioned skills (team/global scopes)
  • Enterprise publishing workflows with review, promotion gates, and audit logs
  • Integrating agent platforms/skill CLIs that can use a registry endpoint (e.g., OpenClaw/ClawHub-compatible)
  • Hosting behind a firewall with control over storage backends (local, S3/MinIO)

Not For

  • Public untrusted multi-tenant deployments without strong operational hardening (networking, secrets, backups, patching)
  • If you need hosted SaaS with turnkey SLA/support (it’s self-hosted)
  • If you need real-time/streaming APIs (no indication of websockets/streaming)

Interface

REST API
Yes
GraphQL
No
gRPC
No
MCP Server
No
SDK
Yes
Webhooks
No

Authentication

Methods: OAuth2 (referenced as OAuth identity merging) API tokens (scoped tokens for CLI/programmatic access) RBAC roles (Owner/Admin/Member) for namespaces
OAuth: Yes Scopes: Yes

README mentions OAuth identity merging and scoped API tokens for CLI/programmatic access, plus RBAC with audit logging. Local development uses mock-auth via X-Mock-User-Id header; production auth details beyond tokens/OAuth are not fully specified in the provided text.

Pricing

Free tier: No
Requires CC: No

Self-hosted open-source; no pricing or hosted tiers described.

Agent Metadata

Pagination
unknown
Idempotent
False
Retry Guidance
Not documented

Known Gotchas

  • Local development uses mock auth via X-Mock-User-Id; agents should not assume this works in production.
  • Bootstrap admin exists by default in release template and local profile—agents should rotate/disable it before operating in real environments.
  • The README references OpenAPI contract sync and SDK regeneration; tooling drift can occur if clients/SDKs are not regenerated when contracts change.

Alternatives

Other self-hosted artifact/registry patterns for skills (e.g., generic package registries plus custom governance) Self-hosted package registries with custom packaging and policy layers Cloud-hosted registries (if acceptable for your privacy/compliance needs)

Full Evaluation Report

Comprehensive deep-dive: security analysis, reliability audit, agent experience review, cost modeling, competitive positioning, and improvement roadmap for skillhub.

AI-powered analysis · PDF + markdown · Delivered within 30 minutes

$99

Package Brief

Quick verdict, integration guide, cost projections, gotchas with workarounds, and alternatives comparison.

Delivered within 10 minutes

$3

Score Monitoring

Get alerted when this package's AF, security, or reliability scores change significantly. Stay ahead of regressions.

Continuous monitoring

$3/mo
API endpoint ↗ Agent guide ↗ Report inaccuracy

Scores are editorial opinions as of 2026-03-30.

6370
Packages Evaluated
20033
Need Evaluation
586
Need Re-evaluation
Community Powered