Skillforge

Skillforge est le pipeline automatise pour decouvrir, evaluer et integrer de nouvelles competences (tools) from external sources. Instead of manually configuring every tool, Skillforge can scout GitHub repositories and the Clawhub registry, evaluate whether a discovered skill fits your agent's needs, and generate the integration manifest -- all without human intervention.

Apercu

The Skillforge pipeline consists of three stages:

┌─────────────┐     ┌──────────────┐     ┌──────────────┐
│   Scout      │────▶│   Evaluate   │────▶│  Integrate   │
│              │     │              │     │              │
│ Discover     │     │ Fitness      │     │ Manifest     │
│ skills from  │     │ scoring,     │     │ generation,  │
│ GitHub,      │     │ security     │     │ config       │
│ Clawhub      │     │ review       │     │ injection    │
└─────────────┘     └──────────────┘     └──────────────┘

Stage	Trait	Responsibility
Scout	Scout	Discover candidate skills from configured sources
Evaluate	Evaluator	Score each candidate for fitness, security, and compatibility
Integrate	Integrator	Generate manifests and register skills into le registre d'outils

Architecture

Skillforge est construit sur trois traits async principaux: Scout (decouvre les candidats correspondant a SearchCriteria), Evaluator (scores candidates for fitness and security), and Integrator (generates manifests and registers skills). Each trait can have multiple implementations, and le pipeline orchestrator runs them in sequence, filtering candidates at each stage.

Configuration

[skillforge]
enabled = true

# Automatic discovery: periodically scout for new skills.
auto_discover = false
discover_interval_hours = 24

# Minimum evaluation score (0.0-1.0) for a skill to be integrated.
min_fitness_score = 0.7

# Require manual approval before integrating discovered skills.
require_approval = true

# Maximum number of skills to evaluate per discovery run.
max_candidates = 20

Scout Sources

Configure where Skillforge looks for skills:

[skillforge.sources.github]
enabled = true

# GitHub repositories to search.
# Supports org/user patterns and topic-based discovery.
search_topics = ["prx-skill", "mcp-server", "ai-tool"]
search_orgs = ["openprx", "modelcontextprotocol"]

# Rate limiting for GitHub API calls.
max_requests_per_hour = 30

# GitHub token for higher rate limits (optional).
# token = "${GITHUB_TOKEN}"

[skillforge.sources.clawhub]
enabled = true

# Clawhub registry endpoint.
registry_url = "https://registry.clawhub.dev"

# Categories to search.
categories = ["tools", "integrations", "automation"]

Scout Stage

Le Scout decouvre les competences candidates depuis les sources configurees. Chaque source implemente le trait Scout differently:

GitHub Scout

Searches GitHub for repositories matching configured topics, organizations, or search queries. For each matching repository, the scout extracts:

• Repository metadata (name, description, stars, last update)
• README content (for capability analysis)
• Manifest files (prx-skill.toml, mcp.json, package.json)
• License information

Clawhub Scout

Queries the Clawhub registry API for published skills. Clawhub provides structured metadata incluant :

• Skill name, version, and description
• Input/output schemas
• Dependency requirements
• Compatibility tags (PRX version, OS, runtime)

Search Criteria

pub struct SearchCriteria {
    /// Keywords describing the desired capability.
    pub keywords: Vec<String>,

    /// Required runtime: "native", "docker", "wasm", or "any".
    pub runtime: String,

    /// Minimum repository stars (GitHub only).
    pub min_stars: u32,

    /// Maximum age of last commit in days.
    pub max_age_days: u32,

    /// Required license types (e.g., "MIT", "Apache-2.0").
    pub licenses: Vec<String>,
}

Evaluate Stage

Chaque candidat passe par l'Evaluateur, qui produit un score de fitness et une evaluation de securite:

Evaluation Criteria

Criterion	Weight	Description
Relevance	30%	How well the skill matches the search criteria
Quality	25%	Code quality signals: tests, CI, documentation
Security	25%	License compatibility, dependency audit, no unsafe patterns
Maintenance	10%	Recent commits, active maintainers, issue response time
Compatibility	10%	PRX version compatibility, runtime requirements met

Securite Checks

The evaluator performs automated security analysis: license compatibility scanning, dependency vulnerability audit, dangerous code pattern detection (network calls, file system access, eval), and sandbox compatibility verification.

The Evaluation struct contient le overall fitness_score (0.0-1.0), per-criterion scores, a security_status (safe/caution/blocked), a human-readable summary, and a list of concerns.

Integrate Stage

Skills that pass the evaluation threshold enter the integration stage:

Manifest Generation

The Integrator genere a Manifest that describes how to install and register the skill:

# Generated manifest: ~/.local/share/openprx/skills/web-scraper/manifest.toml
[skill]
name = "web-scraper"
version = "1.2.0"
source = "github:example/web-scraper"
runtime = "docker"
fitness_score = 0.85
integrated_at = "2026-03-21T10:30:00Z"

[skill.tool]
name = "web_scrape"
description = "Scrape and extract structured data from web pages."

[skill.tool.parameters]
url = { type = "string", required = true, description = "URL to scrape" }
selector = { type = "string", required = false, description = "CSS selector" }
format = { type = "string", required = false, default = "text", description = "Output format" }

[skill.runtime]
image = "example/web-scraper:1.2.0"
network = "restricted"
timeout_secs = 30

Registration

Once the manifest is generated, the skill est enregistre in the PRX registre d'outils. If require_approval = true, the manifest is staged for review:

# List pending skill integrations
prx skillforge pending

# Review a pending skill
prx skillforge review web-scraper

# Approve integration
prx skillforge approve web-scraper

# Reject integration
prx skillforge reject web-scraper --reason "Security concerns"

CLI Commands

# Manually trigger a discovery run
prx skillforge discover

# Discover with specific keywords
prx skillforge discover --keywords "web scraping" "data extraction"

# Evaluate a specific repository
prx skillforge evaluate github:example/web-scraper

# List all integrated skills
prx skillforge list

# Show skill details
prx skillforge info web-scraper

# Remove an integrated skill
prx skillforge remove web-scraper

# Re-evaluate all integrated skills (check for updates, security issues)
prx skillforge audit

Integration with Self-Evolution

Skillforge integrates with PRX's self-evolution pipeline. When l'agent identifies a capability gap, it can trigger a discovery run automatically -- scouting, evaluating, and (if approved) integrating a matching skill pour le next tour.

Securite Nontes

• Approval gates -- always set require_approval = true in production. Automated integration of untrusted code is a security risk.
• Sandbox enforcement -- integrated skills run within the same sandbox constraints as outils integres. Le sandbox backend doit etre configured.
• Source trust -- only enable scout sources that you trust. Public GitHub search can retour malicious repositories.
• Manifest review -- review generated manifests before approval. Check the runtime, network, and timeout_secs settings.
• Audit trail -- all Skillforge operations sont journalises in the activity log for compliance review.

Voir aussi Pages

• Tools Overview
• Self-Evolution Pipeline
• Security Moteur de politiques
• Runtime Backends
• MCP Integration