Skip to content
Open app

Install policy

Org owners can set an install policy that the CLI evaluates on skillist install and skillist update when SKILLIST_API_KEY is present.

  • Warn / block severity — mapped from registry security status (pass → low, advisory → medium, fail → high) and issue severities.
  • Allowed sourcesregistry_org_only, registry_any, or registry_plus_git with an optional git host allowlist.
  • Minimum release age — reject installs of releases younger than N days.
Terminal window
# Enforce against your org policy (requires API key)
export SKILLIST_API_KEY=sk_...
skillist install other/skill --org my-org
# Skip warn prompts in CI (blocks still fail)
skillist install other/skill --org my-org --accept-warnings

Configure the policy in the app under Governance → Install policies, or via:

PATCH /v1/orgs/{orgId}/install-policy
POST /v1/orgs/{orgId}/install-check
Terminal window
skillist review ./my-skill --threshold 80 --fail-on high --json

Or use the composite action at .github/actions/skillist-review:

.github/workflows/skill-review.yml
name: Skill review
on:
pull_request:
paths: ["skills/**"]
jobs:
review:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: blakebauman/skillist/.github/actions/skillist-review@main
with:
path: skills/my-skill
threshold: "80"
fail-on: high

Optional api-url, api-key, and org inputs load the org review rubric from the API.