C
ChaoBro
Tools

Sx: An npm for AI Skills—AI Coding Assistants Finally Get a Package Manager

by ChaoBro
#AI Skills #MCP #Package Manager #AI Coding Assistant #Open Source
Sx: An npm for AI Skills—AI Coding Assistants Finally Get a Package Manager

Have you used Claude Code's .claude/ directory? Or Cursor's custom instructions?

These "skills" for AI coding assistants—like "generate API docs using this template" or "write code reviews following this spec"—are currently scattered everywhere.

Skills configured in Claude Code don't work in Cursor. Everyone on your team configures them repeatedly. No version management. No discovery mechanism. No dependency handling.

This is like the JavaScript ecosystem in 2010—manually downloading .js files for each project, no npm.

sx wants to be the npm for AI skills.

What sx Is

sx is an open-source package manager by sleuth-io, specifically for managing AI coding assistant skill modules.

It supports three types of packages:

  • Skills: AI Agent skill definitions (prompt templates + tool bindings)
  • MCPs: Model Context Protocol services
  • Commands: CLI commands

Written in Go, 463 commits, supports self-uninstallation.

Installation is simple: sx install <package>, just like npm install.

Why a Dedicated Package Manager Is Needed

You might say: isn't it just a directory? Can't you cp -r?

The issue is that AI skill packages have special requirements:

Dependency management. A skill might depend on another. A "Python code review" skill depends on a "Python syntax analysis" skill. Without a package manager, you manually manage dependencies—and it quickly becomes a mess.

Version control. Skills get updated. New versions may be incompatible with old Agent configurations. You need semantic versioning and lock files—the same problem as npm's package-lock.json.

Discovery and distribution. You wrote a useful skill—how do you share it with the team? Email? Shared drive? sx provides a registry and publishing mechanism; skills can be searched, installed, and updated.

Security. AI skill packages are essentially code (prompt + tool call instructions) that can do many things. Package managers can do security review, signature verification before installation.

Comparison with Existing Solutions

Claude Plugin System: Claude Code has its own .claude-plugin/ directory, but it's closed—only works in Claude Code. sx is cross-platform, targeting all AI coding assistants.

Cursor Custom Instructions: Cursor's skill configuration is locked in the Cursor ecosystem. Same problem.

Open Skills Protocol: Community-proposed open standard, but lacks tool support. sx is the first package manager to operationalize this standard.

Manual copying: What most people currently do. Works but doesn't scale.

sx's positioning is similar to npm's when it started: not the first to try package management, but the first done well enough that people are willing to migrate.

Current State

178 stars, 9 forks. This is an early-stage project.

But there are signals worth watching:

From sleuth-io. sleuth-io is a company focused on AI toolchain, not a personal project. This means commercial drive and sustained investment behind it.

463 commits. For a 178-star project, that's quite a lot. The team is developing densely, iterating features fast.

Written in Go. Choosing Go over Node.js/Python shows the team values cross-platform distribution and binary deployment convenience. sx's goal is: install once, run everywhere.

Self-uninstall command. The project recently added sx uninstall sx, showing the team is seriously polishing UX—even considering "how to cleanly uninstall itself."

Potential Challenges

Cold start problem. A package manager's value depends on the number of packages in its ecosystem. npm succeeded because of the massive JavaScript package ecosystem. sx's ecosystem is currently tiny—this is the first hurdle for all new-category package managers.

Standardization. AI skills don't yet have a unified standard format. Different Agent frameworks (Claude Code, Cursor, Copilot) have different skill formats. sx needs to be compatible or push for a unified standard.

Security. AI skill packages can contain arbitrary tool call instructions. Malicious skill packages can steal code, send data externally. sx needs robust security mechanisms—signing, sandboxing, permission control.

My Take

178-star projects usually aren't worth writing about. But sx is different.

It defines a new category: AI skill package manager. This category looks small now, but if AI coding assistants continue to proliferate, skill sharing will become a must-have. Whoever defines the standard first occupies the position.

npm had only a few hundred stars in 2010.

Main sources:

  • sleuth-io/sx on GitHub — 178 stars, 9 forks, 463 commits
  • Project documentation and code structure analysis
  • Show HN discussion (49 points)

Related

CloakBrowser: The Stealth Browser That Passed 30/30 Anti-Detection Tests, 18,500 Stars

CloakHQ/CloakBrowser gained 7,769 stars in a week, reaching 18,544 stars. It is a stealth browser that modifies Chromium fingerprints at the C++ source code level, passes tests across 30+ anti-detection sites, and serves as a plug-and-play replacement for Playwright/Puppeteer.

CodeGraph: A Code Knowledge Graph Tool That Saves 35% Tokens for Claude Code and Cursor

colbymchenry/codegraph has surpassed 15,600 stars on GitHub, gaining over 10,700 stars this week alone. This tool provides AI coding agents with a pre-indexed code knowledge graph, proven to reduce token consumption by approximately 35% and tool calls by 70%, while running 100% locally.

Cognee: Equipping AI Agents with a Memory System in 6 Lines of Code – The Real Demand Behind 17k Stars

Cognee has reached 17,300 stars on GitHub, and its slogan is quite bold: "Memory control plane for AI Agents in 6 lines of code." This infrastructure project, which provides memory capabilities to AI Agents, is rapidly becoming a new standard in AI application development.