skillkit
SkillKit
Production observability for AI agent skills. Monitors usage, detects conflicts, analyzes cost, and prunes what you don't use.
Commands
SkillKit is a standalone CLI. Run with bunx @crafter/skillkit <command> or install globally (bun i -g @crafter/skillkit).
Usage & Budget
skillkit scan- Discover skills + index session data (auto-runs on first use)skillkit scan --include-commands- Also track slash commands (not just skills)skillkit stats- Usage analytics with sparklines, streak count, weekly velocity (last 30 days)skillkit stats --all --days 90- Full list over 90 daysskillkit stats --json- JSON outputskillkit list- Installed skills with size and context budgetskillkit health- Unused skills + metadata budget checkskillkit health --json- JSON output
More from crafter-station/skills
intent-layer
>
220skill-gen
Auto-generate Claude skills from documentation URLs using Firecrawl agent. Use when user wants to create a skill from docs, API references, or tool homepages. Asks up to 3 clarifying questions before deep extraction. Supports topic focus (e.g., "only auth endpoints") and outputs to local .claude/skills/ by default.
12spoti-cli
|
5supply-chain-audit
Read-only audit of a developer machine for npm/PyPI supply-chain compromise. Checks for known IOCs from the 2025-2026 wave — Shai-Hulud 2.0 (Nov 2025), Mini Shai-Hulud / TeamPCP (May 2026), Axios DPRK (Mar 2026), and any future campaigns added to the IOC pack. Scans persistence artifacts (LaunchAgent / systemd unit / Windows Run key / gh-token-monitor), payload files (router_init.js, setup_bun.js, bun_environment.js), compromised package versions in every node_modules under the user's project roots, C2 / typosquat domain strings (git-tanstack.com, api.masscan.cloud, sfrclak.com, getsession.org), malicious commit hashes (79ac49ee), payload SHA256s, optionalDependencies pointing at git refs, and files written during the published attack windows. Produces a PASS/FAIL verdict, IOC checklist, at-risk package list, phase summary, and 48h bake-period remediation. Use this skill whenever the user asks "am I affected by the npm attack", "scan my machine", "check if I'm infected", "is package X compromised", "audit my coworker's machine", mentions Shai-Hulud / TanStack hack / TeamPCP / Mini Shai-Hulud / pull_request_target compromise / npm worm / axios attack / Bun installer malware / TruffleHog secret theft, asks about IOCs or supply chain risk, or wants to verify a host after a security disclosure. Trigger even when the user uses informal phrasing ("estoy chiveado?", "ya me hackearon?", "this safe?"). Never modifies files.
1