skillshare v0.11.5 Release Notes
Release date: 2026-02-11
TL;DR
v0.11.5 adds skill folder organization, makes audit policy fully configurable, and expands audit to scan any path:
--intoflag — organize installed skills into subdirectories (--into frontend)- Nested skill support everywhere — check, update, uninstall all resolve skills in subfolders
- Configurable audit threshold — set
audit.block_thresholdin config or--thresholdper-command - Audit any path —
skillshare audit <path>scans files outside the source directory - Risk scoring — weighted scores give a quantitative view of skill safety
Why These Changes
Skills grew unwieldy in a flat directory
Teams installing 30+ skills ended up with a cluttered flat list. The --into flag lets you install into subdirectories (e.g., --into frontend/react) and all commands — check, update, uninstall — now walk nested directories with short-name fallback, so skillshare update vue still works even when the skill lives at frontend/vue/vue-best-practices.
Audit blocking was all-or-nothing
v0.11.4 externalized audit rules but the blocking threshold was still hardcoded to CRITICAL. Security-conscious teams wanted to block on HIGH findings too, while others needed to let CI proceed without scanning. Now audit.block_threshold in config and --skip-audit / --threshold flags give full control per-environment.
Audit couldn't scan before install
Previously audit only worked on already-installed skills. With path scanning (skillshare audit ~/Downloads/suspicious-skill), users can vet skills before installing — useful in review workflows and CI pipelines.
New Features
Skill folder organization (--into)
Install skills into subdirectories for logical grouping:
skillshare install anthropics/skills -s pdf --into frontend
# → skills/frontend/pdf/
skillshare install anthropics/skills -s react-best-practices --into frontend/react
# → skills/frontend/react/react-best-practices/Nested skills auto-flatten on sync: frontend/react/react-best-practices → frontend__react__react-best-practices in targets.
All management commands resolve nested paths:
skillshare check # walks subdirectories recursively
skillshare update vue # short-name lookup finds frontend/vue/vue-best-practices
skillshare uninstall vue # same fallback in uninstallSee the new Organizing Skills guide for patterns and recommendations.
Configurable audit block threshold
Set the severity level that blocks installation:
# ~/.config/skillshare/config.yaml (or .skillshare/config.yaml)
audit:
block_threshold: HIGH # block on HIGH+ (default: CRITICAL)Override per-command:
skillshare audit --threshold medium # treat MEDIUM+ as blocking
skillshare install evil-skill --force # override block decision
skillshare install safe-skill --skip-audit # bypass scanning entirely--force runs the scan but overrides the block. --skip-audit skips scanning entirely. There is no config switch to globally disable audit — use --skip-audit per command when needed.
Audit path scanning
Scan any file or directory, not just installed skills:
skillshare audit ~/Downloads/untrusted-skill
skillshare audit ./vendor/third-party/Useful for vetting skills before install or auditing directories outside the source.
Audit JSON output
Machine-readable output for CI integration:
skillshare audit --json
skillshare audit my-skill --json --threshold highReturns a JSON object with results[] (per-skill findings, risk score, risk label) and summary (counts, threshold, pass/fail).
Risk scoring
Each scanned skill gets a weighted risk score:
| Severity | Weight |
|---|---|
| CRITICAL | 25 |
| HIGH | 15 |
| MEDIUM | 8 |
| LOW | 3 |
| INFO | 1 |
Risk labels: clean (0) → low (1–10) → medium (11–25) → high (26–50) → critical (51+)
Scores appear in CLI summary, JSON output, Web UI audit page, and operation logs.
LOW and INFO severity levels
Two new finding severities for lower-signal patterns:
- LOW — weaker suspicious patterns that still deserve review
- INFO — contextual hints for triage and visibility
These contribute to risk scoring but don't block installation at the default threshold.
Project init agent grouping
Multiple agents that map to the same project skills path (Amp, Codex, Copilot, Gemini, Goose, Kimi, OpenCode, Replit → .agents/skills) are now collapsed into a single group entry during skillshare init -p, reducing visual clutter.
Web UI improvements
- File viewer — JavaScript/TypeScript syntax highlighting (
.js,.ts,.jsx,.tsx) via CodeMirror; all non-markdown files now use CodeMirror instead of plain<pre> - Audit page — risk score badges, threshold display, and updated summary
- Install form —
--intodirectory field and--skip-audittoggle - Skill detail — YAML block scalar frontmatter (
>-,|,|-) parsed correctly; update button uses full relative path for nested skills
Important Changes
- Goose project path changed from
.goose/skillsto.agents/skills(universal agent directory convention). Existing Goose project targets need manual update. - IBM Bob added to built-in targets (
~/.bob/skills/.bob/skills). - Moltbot removed (renamed to OpenClaw in a prior release; stale entry cleaned up).
Upgrade Notes
No breaking changes. Recommended post-upgrade:
skillshare sync # pick up target path changes (Goose)
skillshare audit --json # try the new JSON output
skillshare check # verify nested skills are detectedIf you organize skills into folders:
skillshare install my-repo -s my-skill --into frontend
skillshare syncChangelog
- 90a46d7 feat: add --into flag for skill install command
- a8b0838 feat: add IBM Bob target and update Goose to universal project path
- 4103866 feat: add JavaScript/TypeScript syntax highlighting in file viewer
- 793e2cb feat: enhance security audit thresholds, logging, and UI
- b5de69a feat: group shared-path agents in project init UI
- 663d3ba feat: support nested skills in check/update and add organizing guide
- 526b199 feat: support nested skills in uninstall command
- fde8052 fix: parse YAML block scalars in frontmatter and use CodeMirror for all file types
- 3e539d0 fix: update nested skills by full relative path in Web UI