Cross-Agent Skills Hit the npm Moment: 351K Skills, Three Marketplaces, and a Portability Standard
Cross-Agent Skills Hit the npm Moment
A Termdock analysis published in May 2026 makes a compelling case: the Agent Skills ecosystem is reaching its “npm circa 2011” inflection point — a standardised format (SKILL.md), fragmented distribution, incomplete tooling, but foundational conventions that are solidifying fast.
The Numbers
| Marketplace | Skills Listed | Security Scanning | Key Feature |
|---|---|---|---|
| SkillsMP | 351K+ | No | Semantic search, REST API, 9-language UI |
| Skills.sh | 83K | Yes (Snyk) | Vercel-backed, telemetry-based popularity |
| ClawHub | ~3,200 | Manual curation | Curated quality over quantity |
Total ecosystem: 351,000+ published skills across three competing marketplaces. A 13.4% critical vulnerability rate in scanned skills remains a significant concern — security tooling is the clearest gap versus npm’s mature audit pipeline.
The Portability Promise
Six major agents now support SKILL.md, but each expects a different directory:
| Agent | Skills Directory |
|---|---|
| Claude Code | .claude/skills/ |
| Codex CLI | .agents/skills/ (primary) |
| GitHub Copilot | .github/skills/ |
| Gemini CLI | .gemini/skills/ |
| Cursor | .cursor/skills/ |
| Windsurf | .windsurf/skills/ |
The emerging convention: .agents/skills/ as a universal fallback. Codex CLI already uses this as its primary directory, which positions it well for cross-agent portability.
agent-skills-cli: The Universal Package Manager
The agent-skills-cli tool (npm install -g agent-skills-cli) acts as a universal skills package manager across 45 agent platforms. Key commands:
skills install @owner/skill-name— install to all detected agentsskills search [query]— interactive FZF-powered discoveryskills compose— compose multiple skillsskills sandbox— test skills in isolation-a codex— target a specific agent
This is the closest equivalent to npm’s cross-project install experience for agent skills.
Cross-Agent Authoring Rules
Four principles for skills that work everywhere:
- Basic frontmatter only — name and description; avoid agent-specific metadata
- Outcome-oriented language — describe what should happen, not which tools to call
- Relative paths — never assume a specific workspace layout
- Test on two+ agents — portability is only real when verified
Why This Matters for Enterprise / Agentic Pod
For Daniel’s agentic pod work, the implications are:
- Skill portability means the same governance skills (security review, code quality, deployment checklists) work whether the team uses Codex CLI, Claude Code, or Cursor
- Registry consolidation is likely — Skills.sh (Vercel + Snyk) looks positioned to become the npm equivalent
- Security scanning gaps mean enterprise teams must run their own skill audit pipeline until marketplace scanning matures
- skillpm maps skills onto npm’s semver and dependency system — worth watching for enterprise version pinning
Prediction
The article forecasts three convergences:
- Skills.sh emerges as the dominant registry (Vercel backing + security scanning)
- Skills become npm packages with metadata, not a separate distribution channel
- Agents adopt
.agents/skills/as primary directory instead of fallback
This mirrors npm’s own consolidation arc — fragmented registries, then a single winner, then tight build-tool integration.