Progressive group routing for 393 professional skills via Rust daemon stdio shim.
Config is the same across clients — only the file and path differ.
{
"mcpServers": {
"skill-shelf": {
"args": [
"D:/Tools/Skill-Shelf/bin/skill-shelf.js",
"mcp"
],
"command": "node"
}
}
}Are you the author?
Add this badge to your README to show your security score and help users find safe servers.
给 AI agent 装 skill,最痛的问题是:skill 越多,context 越胖。每个 skill 的 description 常驻上下文,几百个 skill 就是几万 tokens 白白浪费,每次对话都背着跑。开多个客户端还各跑各的进程,内存翻倍。更烦的是,装了一堆 skill 自己都记不住哪个是干嘛的、哪些真的好用哪些是花架子,最后还是全靠人去翻文档。
Run this in your terminal to verify the server starts. Then let us know if it worked — your result helps other developers.
npx -y 'npm' 2>&1 | head -1 && echo "✓ Server started successfully"
After testing, let us know if it worked:
Five weighted categories — click any category to see the underlying evidence.
Packing does not respect root-level ignore files in workspaces
### Impact `npm pack` ignores root-level `.gitignore` & `.npmignore` file exclusion directives when run in a workspace or with a workspace flag (ie. `--workspaces`, `--workspace=<name>`). Anyone who has run `npm pack` or `npm publish` with workspaces, as of [v7.9.0](https://github.com/npm/cli/releases/tag/v7.9.0) & [v7.13.0](https://github.com/npm/cli/releases/tag/v7.13.0) respectively, may be affected and have published files into the npm registry they did not intend to include. ### Patch - Up
Incorrect Permission Assignment for Critical Resource in NPM
An issue was discovered in an npm 5.7.0 2018-02-21 pre-release (marked as "next: 5.7.0" and therefore automatically installed by an "npm upgrade -g npm" command, and also announced in the vendor's blog without mention of pre-release status). It might allow local users to bypass intended filesystem access restrictions because ownerships of /etc and /usr directories are being changed unexpectedly, related to a "correctMkdir" issue.
Local Privilege Escalation in npm
Affected versions of `npm` use predictable temporary file names during archive unpacking. If an attacker can create a symbolic link at the location of one of these temporary file names, the attacker can arbitrarily write to any file that the user which owns the `npm` process has permission to write to, potentially resulting in local privilege escalation. ## Recommendation Update to version 1.3.3 or later.
npm CLI exposing sensitive information through logs
Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. The CLI supports URLs like `<protocol>://[<user>[:<password>]@]<hostname>[:<port>][:][/]<path>`. The password value is not redacted and is printed to stdout and also to any generated log files.
npm Vulnerable to Global node_modules Binary Overwrite
Versions of the npm CLI prior to 6.13.4 are vulnerable to a Global node_modules Binary Overwrite. It fails to prevent existing globally-installed binaries to be overwritten by other package installations. For example, if a package was installed globally and created a `serve` binary, any subsequent installs of packages that also create a `serve` binary would overwrite the first binary. This will not overwrite system binaries but only binaries put into the global node_modules directory. This b
Click any tool to inspect its schema.
Be the first to review
Have you used this server?
Share your experience — it helps other developers decide.
Sign in to write a review.
Others in maps
Open-source toolkit for the QVeris capability routing network: CLI, MCP server, Python SDK, skills, and REST API docs for agents to discover, inspect, call, and audit real-world tools.
Single MCP server for Belgian public transport, statistics, open data, and geospatial services.
Hawaii MCP: tours, events, weather, restaurants, and day-plan itineraries across 4 islands.
I Ching hexagram analysis and geographic feng shui for Taiwan locations
MCP Security Weekly
Get CVE alerts and security updates for io.github.halflifezyf2680/skill-shelf and similar servers.
Start a conversation
Ask a question, share a tip, or report an issue.
Sign in to join the discussion.
上千个专业技能,只占 context 7 个工具定义。
给 AI agent 装 skill,最痛的问题是:skill 越多,context 越胖。每个 skill 的 description 常驻上下文,几百个 skill 就是几万 tokens 白白浪费,每次对话都背着跑。开多个客户端还各跑各的进程,内存翻倍。更烦的是,装了一堆 skill 自己都记不住哪个是干嘛的、哪些真的好用哪些是花架子,最后还是全靠人去翻文档。
Skill Shelf 连这个问题一起解决了:LLM 看见 MCP 工具就会自己去查、自己去用。你不需要记住每个 skill 的内容,也不需要判断什么时候该用——LLM 遇到合适的场景自己会去搜索和加载。
Skill Shelf 的解法:skill 全部存本地仓库,context 里只有 7 个工具定义。需要时搜索加载,不需要时零开销。Rust 单例 daemon,一个进程服务所有 MCP 客户端——Claude Code、Codex、Cursor、Windsurf 同时开也只有一个后台进程。
不只是用内置的几百个 skill 和 group。工作中积累的经验、踩过的坑、反复用的工作流,都可以整理成 skill 入库——一份 Markdown 文件就是一个 skill。内置的 18 个组不够用就自己建,manage_group 创建自定义分组,install_skills 批量入库。把自己团队的 know-how 变成可复用的 skill 库。
下载与你的平台匹配的 release 包并解压:
skill-shelf-vX.Y.Z-windows-x64.zip
skill-shelf-vX.Y.Z-windows-arm64.zip
skill-shelf-vX.Y.Z-linux-x64.tar.gz
skill-shelf-vX.Y.Z-linux-arm64.tar.gz
skill-shelf-vX.Y.Z-macos-x64.tar.gz
skill-shelf-vX.Y.Z-macos-arm64.tar.gz
MCP 客户端配置:
{
"mcpServers": {
"skill-shelf": {
"command": "node",
"args": ["D:/Tools/Skill-Shelf/bin/skill-shelf.js", "mcp"]
}
}
}
release 包已经内置对应平台的 Rust daemon 二进制,不需要安装 Rust 或执行 cargo build。
git clone https://github.com/halflifezyf2680/Skill-Shelf.git
cd Skill-Shelf
npm install
npm run rust:build
MCP 客户端配置:
{
"mcpServers": {
"skill-shelf": {
"command": "node",
"args": ["D:/AI_Project/Skill-Shelf/bin/skill-shelf.js", "mcp"]
}
}
}
也可以先 npm link,再使用 npm bin:
npm link
{
"mcpServers": {
"skill-shelf": {
"command": "skill-shelf",
"args": ["mcp"],
"cwd": "/your/path/to/Skill-Shelf"
}
}
}
支持 Claude Code(~/.claude.json)、Claude Desktop(claude_desktop_config.json)、Cursor、Windsurf 等所有 MCP 兼容客户端。每个客户端各自启动一个 stdio shim,共享同一个 daemon 进程。
首次调用时 stdio shim 会自动拉起 Rust daemon。多个 MCP 客户端会共享同一个 daemon,不需要分别管理后台进程。
配置完成后,在 MCP 客户端里先调用:
browse_shelf()
正常结果应包含:
{
"groupsCount": 18,
"totalSkills": 393,
"watcherStatus": {
"running": true
}
}
常用流程:
browse_shelf()
→ 看到 group catalog
→ browse_shelf(group="marketing", limit=10)
→ read_skill(skill="微信公众号运营")
如果不知道该进哪个组,直接搜索:
search_skills(query="运营 用户 增长 活动 社群 内容 数据", limit=10)
安装自己的 skill 包:
install_skills(sourcePath="/path/to/my-skills")
validate_skills()
如果你希望把 skill 库放到包目录以外的位置,设置 SKILL_SHELF_ROOT。例如:
{
"mcpServers": {
"skill-shelf": {
"command": "node",
"args": ["D:/AI_Project/Skill-Shelf/bin/skill-shelf.js", "mcp"],
"env": {
"SKILL_SHELF_ROOT": "D:/SkillShelf/hub"
}
}
}
}
Claude Code (stdio shim) ─┐
Claude Desktop (stdio) ├─→ Rust daemon (单进程, 单端口) → 本地 skill 仓库
Cursor / Windsurf / ... ─┘
SKILL_SHELF_ROOT 的配置各自独立,互不干扰browse_shelf() ← Level 1: group catalog(name + description + count)
│
├─ 选定 group → browse_shelf(group="engineering") → skill summaries
│
├─ 选定 skill → read_skill(skill) → 默认返回 summary
│ └─ 需要全文 → read_skill(skill, full=true)
│
└─ 组路由不足时 → search_skills(query) 作为兜底
│
▼
search_skills(query) ← fallback: 直接按关键字兜底定位
先看组,再看组内 skill,最后才用 search_skills 兜底。
搜索会先用用户语言尝试,没结果时再换英文重试。skill 作者无需为每个 skill 写多语言 description。
search_skills 支持两种输入方式:
品牌 视觉 设计品牌设计视觉 — 自动切分为 CJK bigram,匹配精度略低于手动分词| 工具 | 用途 |
|---|---|
browse_shelf | 不传参返回 group catalog + 状态信息;传 group 返回组内 skill summaries |
search_skills | 兜底搜索全部 skill,返回 top N 匹配结果 |
read_skill | 默认读取 skill summary;full=true 时读取完整正文、资源、参考文件 |
| 工具 | 用途 |
|---|