skillox install
Provenance-checked install: scan first, verify the signature against the creator's public key, write to the right per-agent path, then mark installed.
Shipped in skillox 0.3.0. Sigstore signature verification (step 3 below) is still pending — currently the install validates grade only, not provenance signature. The end-to-end flow otherwise matches what's described here.
Usage
```
# Install for the default agent (claude-code if detected)
skillox install @stripe/checkout-skill

# Install for a specific agent
skillox install @stripe/checkout-skill --agent=cursor

# Install but skip the audit step (NOT recommended)
skillox install @stripe/checkout-skill --no-audit
```
What it does
- Resolves the skill via the canonical Skills.sh / ClawHub / paid-registry sources
- Runs the full scan; refuses to install if grade is D or F (override with --allow-grade=D)
- Verifies the signature against the creator's registered public key (Sigstore)
- Writes the SKILL.md to the agent-appropriate path (e.g. .claude/skills/<name>/ for Claude Code)
- Records the install in ~/.skillox/inventory.json for later inventory queries
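While signature verification is pending, the scan grade is the only gate the install applies, so shared or CI environments may want to keep `--no-audit` and `--allow-grade` out of reach. The wrapper below is an added example, not part of skillox; `check_install_args` and `guarded_install` are hypothetical helper names, and the flag allowlist is limited to the flags shown on this page.

```shell
# Added example, not skillox code: a policy guard around `skillox install`.
# It refuses the two flags documented above that weaken the install gate.

check_install_args() {
    # Returns 0 if the arguments keep the scan and the D/F refusal intact,
    # 1 if a gate-weakening or unlisted flag is present,
    # 2 if no skill was named.
    skill=""
    for arg in "$@"; do
        case "$arg" in
            --no-audit)
                echo "blocked: --no-audit skips the scan" >&2
                return 1 ;;
            --allow-grade|--allow-grade=*)
                echo "blocked: $arg overrides the D/F refusal" >&2
                return 1 ;;
            --agent=*)
                ;;  # agent selection does not affect the gate
            -*)
                # Assumption: only flags shown on this page are allowlisted.
                echo "blocked: flag not on the allowlist: $arg" >&2
                return 1 ;;
            *)
                skill="$arg" ;;
        esac
    done
    [ -n "$skill" ] || { echo "blocked: no skill named" >&2; return 2; }
    return 0
}

guarded_install() {
    # Run the real install only when the policy check passes;
    # otherwise propagate the check's exit status.
    check_install_args "$@" || return $?
    skillox install "$@"
}
```

Call `guarded_install @stripe/checkout-skill --agent=cursor` wherever the bare command would otherwise be scripted.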
Supported agents
- Claude Code
- Cursor
- OpenAI Codex
- Gemini CLI
- GitHub Copilot (with the agent-skill extension)
- Goose
Each writes to its own conventional path; the CLI handles the mapping.