Common issues when running skillpm locally.
Meaning: execution completed, but risk posture failed strict policy.
What to do:
- Re-run with JSON output and inspect risk fields.
- Review recommended command(s) in JSON (recommendedCommand/recommendedCommands).
- Resolve hotspot source, then re-run strict gate.
./bin/skillpm sync --strict --json > sync.json
Meaning: runtime/validation/execution error.
What to do:
- Run doctor to auto-detect and fix environment drift.
- Retry in dry-run mode to isolate planning issues.
- Check source reachability and local file permissions.
./bin/skillpm doctor
./bin/skillpm sync --dry-run
Symptoms: injections reference uninstalled skills, orphan directories in installed/, adapter's injected.toml out of sync with state.
Fix: run doctor — it detects and auto-repairs all of these in one pass:
skillpm doctor
The doctor runs 7 checks in dependency order:
- config — creates missing config, enables detected adapters
- state — resets corrupt state
- installed-dirs — removes orphan dirs and ghost state entries
- injections — removes stale refs
- adapter-state — re-syncs injected.toml
- agent-skills — restores missing skill files
- lockfile — reconciles lock with state
Doctor is idempotent — run it again and the second pass will show all [ok].
Likely causes:
- invalid URL
- auth/network failure
- unsupported source type
Checklist:
- verify URL is reachable
- re-run with a known-good public repo
- confirm --kind matches source type
Meaning: the skill content triggered one or more security scan rules. See Security Scanning for the full rule reference.
Error codes:
- SEC_SCAN_CRITICAL: critical finding (e.g. curl|bash, reverse shell) — cannot be bypassed
- SEC_SCAN_BLOCKED: high or medium finding — may be bypassed with --force (except critical)
What to do:
- Read the error message to identify which rule and pattern triggered the block.
- Inspect the skill content manually to verify whether the flagged pattern is legitimate.
- For medium-severity findings you trust, re-run with --force:
./bin/skillpm install my-repo/admin-tool --force
- To disable a specific rule, add it to config:
[security.scan]
disabled_rules = ["SCAN_DANGEROUS_PATTERN"]
- To disable scanning entirely (not recommended):
[security.scan]
enabled = false
Checklist:
- run source update first
- verify lock/state files are writable
- confirm selected ref/version exists upstream
See Project-Scoped Skills for the full project workflow.
You used --scope project but no .skillpm/skills.toml exists above the current directory.
Fix: run skillpm init in the project root first.
The --scope flag only accepts global or project.
This is by design. Project and global scopes are fully isolated with separate state directories, lockfiles, and injection paths. Use --scope global to explicitly target global scope from within a project.
skillpm publish needs a bearer token in the environment.
Fix:
export CLAWHUB_TOKEN="your-token"
skillpm publish ./my-skill --version 1.0.0
The named registry source does not exist in your config.
Fix:
- Check configured sources with skillpm source list.
- Add or update the target registry source.
- Re-run skillpm publish --source <name>.
- No cloud-hosted control plane (local-first operation only).
- No built-in scheduler or leaderboard in v4.x; use source update, search, and manual or external automation around sync.
- Adapter behavior can differ across runtimes; validate in your target environment.
- Automation consumers must parse JSON output; human-readable text is not a stable API.
- Strict risk policy is intentionally conservative and may require manual follow-up in edge cases.
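
For the strict-gate step that writes sync.json, and for the note that automation consumers must parse JSON output: an added example (not skillpm's own code) that collects risk-related fields and the recommendedCommand/recommendedCommands values for review, without executing them. Only the two recommended* key names come from this page; the sample document, its nesting, and treating any key containing "risk" as a risk field are assumptions.

```python
import json

# Field names taken from the page; where they sit in the document is not
# documented here, so the walker searches every nesting level.
COMMAND_KEYS = {"recommendedCommand", "recommendedCommands"}

def walk(node, path=""):
    """Yield (path, key, value) for every key in a nested JSON document."""
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}" if path else key
            yield here, key, value
            yield from walk(value, here)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from walk(item, f"{path}[{i}]")

def summarize(doc):
    """Return (risk_fields, commands) for human review; nothing is executed."""
    risk, commands = {}, []
    for path, key, value in walk(doc):
        if key in COMMAND_KEYS:
            # Accept both the singular (string) and plural (list) forms.
            items = value if isinstance(value, list) else [value]
            for cmd in items:
                if isinstance(cmd, str) and cmd.strip() and cmd not in commands:
                    commands.append(cmd)
        elif "risk" in key.lower() and not isinstance(value, (dict, list)):
            risk[path] = value  # assumption: scalar keys named *risk* matter
    return risk, commands

# Constructed sample: only the two recommended* key names come from the page.
SAMPLE = json.loads("""
{
  "risk": {"riskLevel": "high", "hotspots": [
    {"source": "my-repo", "recommendedCommand": "skillpm source update my-repo"}
  ]},
  "recommendedCommands": ["skillpm source update my-repo", "skillpm sync --strict --json"]
}
""")

if __name__ == "__main__":
    risk, commands = summarize(SAMPLE)
    for path, value in risk.items():
        print(f"risk field  {path} = {value}")
    for cmd in commands:
        print(f"review then run: {cmd}")
```

To use it on real output, replace SAMPLE with json.load(open("sync.json")) and compare the printed keys against what your skillpm version actually emits.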