Install policy
Org owners can set an install policy that the CLI evaluates on skillist install and skillist update when SKILLIST_API_KEY is present.
- Warn / block severity — mapped from registry security status (
pass→ low,advisory→ medium,fail→ high) and issue severities. - Allowed sources —
registry_org_only,registry_any, orregistry_plus_gitwith an optional git host allowlist. - Minimum release age — reject installs of releases younger than N days.
# Enforce against your org policy (requires API key)export SKILLIST_API_KEY=sk_...skillist install other/skill --org my-org
# Skip warn prompts in CI (blocks still fail)skillist install other/skill --org my-org --accept-warningsConfigure the policy in the app under Governance → Install policies, or via:
PATCH /v1/orgs/{orgId}/install-policyPOST /v1/orgs/{orgId}/install-checkCI review gate
Section titled “CI review gate”skillist review ./my-skill --threshold 80 --fail-on high --jsonOr use the composite action at .github/actions/skillist-review:
name: Skill reviewon: pull_request: paths: ["skills/**"]jobs: review: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - uses: blakebauman/skillist/.github/actions/skillist-review@main with: path: skills/my-skill threshold: "80" fail-on: highOptional api-url, api-key, and org inputs load the org review rubric from the API.