A lightweight AI Agent Skills secure engine with built-in native system-level sandbox, zero dependencies, and local execution.
```text
Agent demo Layer (optional & demo)
  Built-in chat, planning, memory, tools
  Binary: skilllite (full)
----------------------------------------------------
Core Layer
  Sandbox + security scan + skills management + MCP
  Binary: skilllite-sandbox (lightweight)
```
| | skilllite (full) | skilllite-sandbox (lightweight) |
|---|---|---|
| Binary size | ~6.2 MB | ~3.6 MB |
| Startup RSS | ~4 MB | ~3.9 MB |
| Agent mode RSS (chat / agent-rpc) | ~11 MB | n/a |
| Sandbox execution RSS | ~11 MB | ~10 MB |
Measured on macOS ARM64, release build. Sandbox RSS is dominated by the embedded Python process. The Agent layer adds memory only when chat, planning, or memory features are actively used.
Core principle: Scan before install, enforce after install.
Most sandbox solutions only provide runtime isolation, a single layer. SkillLite is the lightweight engine that defends across the entire skill lifecycle:
```text
Layer 1 - Install-time Scanning
  |- Static rule scan (regex pattern matching)
  |- LLM-assisted analysis (suspicious -> confirm)
  `- Supply-chain audit (PyPI / OSV vuln DB)

Layer 2 - Pre-execution Authorization
  |- Two-phase confirm (scan -> user OK -> run)
  `- Integrity check (hash tamper detection)

Layer 3 - Runtime Sandbox
  |- OS-native isolation (Seatbelt / bwrap)
  |- Process-exec whitelist (interpreter only)
  |- Filesystem / network / IPC lockdown
  `- Resource limits (rlimit CPU/mem/fork/fsize)
```
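
How Layers 1 and 2 fit together, as an added sketch that is not SkillLite's own code: a regex rule scan at install time, a directory fingerprint recorded at approval, and a pre-execution check that refuses to run if the files changed afterwards. The rule patterns, function names and the sample skill are assumptions made for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Hypothetical rules for illustration; SkillLite's real rule set is not shown here.
RULES = {
    "process-exec": re.compile(r"\b(os\.system|subprocess\.\w+)\s*\("),
    "dynamic-code": re.compile(r"\b(eval|exec|__import__)\s*\("),
}

def scan_skill(skill_dir):
    """Layer 1: return (relative path, line number, rule id) for each match."""
    findings = []
    for path in sorted(Path(skill_dir).rglob("*.py")):
        for lineno, line in enumerate(path.read_text().splitlines(), 1):
            for rule_id, pattern in RULES.items():
                if pattern.search(line):
                    findings.append((path.relative_to(skill_dir).as_posix(), lineno, rule_id))
    return findings

def fingerprint(skill_dir):
    """SHA-256 over every file's relative path and content, in sorted order."""
    digest = hashlib.sha256()
    for path in sorted(p for p in Path(skill_dir).rglob("*") if p.is_file()):
        digest.update(path.relative_to(skill_dir).as_posix().encode() + b"\0")
        digest.update(hashlib.sha256(path.read_bytes()).digest())
    return digest.hexdigest()

def authorize(skill_dir, approved_hash, user_ok):
    """Layer 2: refuse if files changed since the scan or the user declines."""
    if fingerprint(skill_dir) != approved_hash:
        return "blocked: skill changed after scan"
    findings = scan_skill(skill_dir)
    if findings and not user_ok(findings):
        return "blocked: user declined"
    return "allowed"

def demo():
    """Constructed skill: scan, approve, then tamper with the entry script."""
    with tempfile.TemporaryDirectory() as tmp:
        script = Path(tmp, "scripts", "main.py")
        script.parent.mkdir()
        script.write_text("import json\nprint(json.dumps({'ok': True}))\n")
        approved = fingerprint(tmp)
        before = authorize(tmp, approved, lambda f: False)
        script.write_text("import os\nos.system('id')\n")
        after = authorize(tmp, approved, lambda f: False)
        return before, after, scan_skill(tmp)
```

Hashing the relative path together with the content means a renamed or added file changes the fingerprint as well as an edited one.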
| Capability | SkillLite | E2B | Docker | Claude SRT | Pyodide |
|---|---|---|---|---|---|
| Install-time scanning | β | β | β | β | β |
| Static code analysis | β | β | β | β | β |
| Supply-chain audit | β | β | β | β | β |
| Process-exec whitelist | β | β | β | β | β |
| IPC / kernel lockdown | β | β | β | β | β |
| Filesystem isolation | β | partial | partial | partial | β |
| Network isolation | β | β | β | β | β |
| Resource limits | β | β | partial | partial | partial |
| Runtime sandbox | β | β | β | β | β |
| Zero-dependency install | β | β | β | β | β |
| Offline capable | β | β | partial | β | β |
Other solutions focus on runtime isolation only. SkillLite adds install-time and pre-execution layers: three lines of defense in a single binary.
| Platform | Blocked | Score |
|---|---|---|
| SkillLite (Level 3) | 20/20 | 100% |
| Pyodide | 7/20 | 35% |
| Claude SRT | 7.5/20 | 37.5% |
| Docker (default) | 2/20 | 10% |
| Test Item | SkillLite | Docker | Pyodide | Claude SRT |
|---|---|---|---|---|
| **File System** | | | | |
| Read /etc/passwd | Blocked | Allowed | Blocked | Allowed |
| Read SSH private key | Blocked | Blocked | Blocked | Blocked |
| Write to /tmp dir | Blocked | Allowed | Allowed | Blocked |
| Directory traversal | Blocked | Allowed | Blocked | Allowed |
| List root directory | Blocked | Allowed | Allowed | Allowed |
| **Network** | | | | |
| Send HTTP request | Blocked | Allowed | Blocked | Blocked |
| DNS query | Blocked | Allowed | Allowed | Blocked |
| Listen port | Blocked | Allowed | Allowed | Blocked |
| **Process** | | | | |
| Execute os.system() | Blocked | Allowed | Allowed | Allowed |
| Execute subprocess | Blocked | Allowed | Blocked | Allowed |
| Enumerate processes | Blocked | Allowed | Allowed | Blocked |
| Send process signal | Blocked | Allowed | Blocked | |
| **Resource Limits** | | | | |
| Memory bomb | Blocked | Allowed | Allowed | Allowed |
| Fork bomb | Blocked | Allowed | Blocked | Allowed |
| CPU intensive compute | Blocked | Blocked | Allowed | Blocked |
| **Code Injection** | | | | |
| Dynamic import os | Blocked | Allowed | Allowed | Allowed |
| Use eval/exec | Blocked | Allowed | Allowed | Allowed |
| Modify built-in funcs | Blocked | Allowed | Allowed | Allowed |
| **Information Leakage** | | | | |
| Read environment vars | Blocked | Allowed | Allowed | Allowed |
| Get system info | Blocked | Allowed | Allowed | Allowed |
```bash
# Reproduce: run security comparison tests
cd benchmark && python3 security_vs.py
```

| Dimension | SkillLite | Docker | Pyodide | SRT |
|---|---|---|---|---|
| Warm Start | 40 ms | 194 ms | 672 ms | 596 ms |
| Cold Start | 492 ms | 120s | ~5s | ~1s |
| Memory | ~10 MB | ~100 MB | ~50 MB | ~84 MB |
| Deployment | Single binary | Requires daemon | Requires Node.js | Requires installation |
3-5x faster execution, 10x lower memory footprint vs Docker/SRT.
Performance benchmark details & commands
```bash
cd benchmark/
python benchmark_runner.py --compare-levels --compare-ipc -n 100 -c 10
# Cold start comparison
python benchmark_runner.py --cold-start --compare-ipc
# Full test: cold start + high concurrency
python benchmark_runner.py --cold-start --cold-iterations 20 --compare-levels --compare-ipc -o results.json
```

See benchmark/README.md for full documentation.
| Feature | SkillLite | Claude Code Sandbox | Pyodide | OpenAI Plugins | Semantic Kernel |
|---|---|---|---|---|---|
| Built-in Sandbox | β Rust Native | β Node.js Native | β None | ||
| Sandbox Tech | Seatbelt + Namespace | Seatbelt + bubblewrap | WebAssembly/Docker | Cloud Isolation | β |
| Supply-Chain Defense | β Full-chain | β | β | β | β |
| Local Execution | β | β | β | β | β |
| Zero Dependencies | β Single Binary | β Needs Node.js | β Needs Runtime | β | β |
| Cold Start | β‘ Milliseconds | Medium | π’ Seconds | β | β |
| LLM Agnostic | β Any LLM | β Claude Only | β | β OpenAI Only | β |
Claude/Anthropic's Claude Code Sandbox (Oct 2025) uses the same underlying tech (Seatbelt + bubblewrap); SkillLite adds full-chain supply-chain defense on top.
```bash
pip install skilllite
skilllite init        # sandbox binary + .skills/ + download skills
skilllite list        # verify installation
```

Zero-config quick start (auto-detect LLM, setup skills, launch chat):

```bash
skilllite quickstart
```

```python
from skilllite import chat
result = chat("Calculate 15 * 27", skills_dir=".skills")
print(result)
```

Or use the CLI: `skilllite chat`

```bash
cp .env.example .env   # Edit: BASE_URL, API_KEY, MODEL
```

| File | Description |
|---|---|
| .env.example | Quick start template |
| .env.example.full | Full variable list |
| docs/en/ENV_REFERENCE.md | Complete reference |
Platform Support: macOS, Linux, and Windows (via WSL2 Bridge).
| Tutorial | Time | Description |
|---|---|---|
| 01. Basic Usage | 5 min | Simplest examples, one-line execution |
| 02. Skill Management | 10 min | Create and manage skills |
| 03. Agentic Loop | 15 min | Multi-turn conversations and tool calls |
| 04. LangChain Integration | 15 min | Integration with LangChain framework |
| 05. LlamaIndex Integration | 15 min | RAG + skill execution |
| 06. MCP Server | 10 min | Claude Desktop integration |
| 07. OpenCode Integration | 10 min | One-command OpenCode integration |
View All Tutorials
```python
from skilllite import run_skill
result = run_skill("./.skills/calculator", '{"operation": "add", "a": 15, "b": 27}')
print(result["text"])
```

```bash
skilllite add owner/repo                    # Add all skills from a GitHub repo
skilllite add owner/repo@skill-name         # Add a specific skill by name
skilllite add ./local-path                  # Add from local directory
skilllite list                              # List all installed skills
skilllite remove <skill-name>               # Remove an installed skill
```

```bash
pip install langchain-skilllite   # LangChain adapter
```

```python
from langchain_openai import ChatOpenAI  # import needed for the ChatOpenAI call below
from langchain_skilllite import SkillLiteToolkit
from langgraph.prebuilt import create_react_agent

tools = SkillLiteToolkit.from_directory(
    "./skills",
    sandbox_level=3,  # 1=no sandbox, 2=sandbox only, 3=sandbox+scan
    # Called with the scan report before execution; return True to allow the run
    confirmation_callback=lambda report, sid: input("Continue? [y/N]: ").lower() == 'y'
)
agent = create_react_agent(ChatOpenAI(model="gpt-4"), tools)
```

See 05. LlamaIndex Integration for LlamaIndex usage.
| Level | Description |
|---|---|
| 1 | No sandbox, direct execution |
| 2 | Sandbox isolation only |
| 3 | Sandbox + static security scan (requires confirmation for high-severity issues) |
| Provider | base_url |
|---|---|
| OpenAI | https://api.openai.com/v1 |
| DeepSeek | https://api.deepseek.com/v1 |
| Qwen | https://dashscope.aliyuncs.com/compatible-mode/v1 |
| Moonshot | https://api.moonshot.cn/v1 |
| Ollama (Local) | http://localhost:11434/v1 |
Each Skill is a directory with a SKILL.md:
```text
my-skill/
|-- SKILL.md           # Skill metadata (required)
|-- scripts/main.py    # Entry script
|-- references/        # Reference documents (optional)
`-- assets/            # Resource files (optional)
```
SKILL.md example

```markdown
---
name: my-skill
description: My custom Skill that does something useful.
license: MIT
compatibility: Requires Python 3.x with requests library, network access
metadata:
  author: your-name
  version: "1.0"
---
# My Skill
Detailed description of the Skill.
## Input Parameters
- `query`: Input query string (required)
## Output Format
Returns JSON result.
```

Dependencies are declared in `compatibility` (not `requirements.txt`). Entry point is auto-detected (`main.py` > `main.js` > `main.ts` > `main.sh`).
- skilllite (Rust binary): Sandbox executor, CLI, Agent loop, MCP server; single binary
- python-sdk (`pip install skilllite`): Thin bridge (~600 lines), zero runtime deps
- langchain-skilllite (`pip install langchain-skilllite`): LangChain adapter
CLI Commands
| Command | Description |
|---|---|
| `skilllite init` | Initialize project (.skills/ + download skills + dependencies + audit) |
| `skilllite quickstart` | Zero-config: detect LLM, setup skills, launch chat |
| `skilllite chat` | Interactive agent chat (or `--message` for single-shot) |
| `skilllite add owner/repo` | Add skills from GitHub |
| `skilllite remove <name>` | Remove an installed skill |
| `skilllite list` | List installed skills |
| `skilllite show <name>` | Show skill details |
| `skilllite run <dir> '<json>'` | Execute a skill directly |
| `skilllite scan <dir>` | Scan skill for security issues |
| `skilllite mcp` | Start MCP server (Cursor/Claude Desktop) |
| `skilllite serve` | Start IPC daemon (stdio JSON-RPC) |
| `skilllite init-cursor` | Initialize Cursor IDE integration |
| `skilllite init-opencode` | Initialize OpenCode integration |
| `skilllite clean-env` | Clean cached runtime environments |
| `skilllite reindex` | Re-index all installed skills |
Build from Source
```bash
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
source ~/.cargo/env
```

| Package | Binary | Command | Description |
|---|---|---|---|
| skilllite | skilllite | `cargo build -p skilllite` | Full (Agent + Chat + MCP + sandbox + audit) |
| skilllite | skilllite | `cargo build -p skilllite --features memory_vector` | Full + vector memory search |
| skilllite | skilllite | `cargo build -p skilllite --no-default-features` | Minimal: run/exec/bash/scan only |
| skilllite | skilllite-sandbox | `cargo build -p skilllite --bin skilllite-sandbox --no-default-features --features sandbox_binary` | Sandbox + MCP only |
| Command | What you get |
|---|---|
| `cargo install --path skilllite` | skilllite (full) |
| `cargo install --path skilllite --features memory_vector` | skilllite (full + vector memory) |
| `cargo install --path skilllite --bin skilllite-sandbox --no-default-features --features sandbox_binary` | skilllite-sandbox (sandbox + MCP only) |
Default features = sandbox, audit, agent. Vector memory (memory_vector) is not in default.
```text
skilllite/
|-- Cargo.toml                   # [workspace] members
|-- skilllite/                   # Main binary (CLI entry point)
`-- crates/
    |-- skilllite-assistant/     # Desktop app (Tauri + React)
    |-- skilllite-core/          # Config, skill metadata, path validation
    |-- skilllite-sandbox/       # Sandbox executor (independently deliverable)
    |-- skilllite-executor/      # Session, transcript, memory
    `-- skilllite-agent/         # LLM Agent loop, tool extensions
```

Dependency direction: skilllite -> agent -> sandbox + executor -> core. See ARCHITECTURE.md.
OpenCode Integration
```bash
pip install skilllite
skilllite init-opencode   # Auto-configure OpenCode MCP
opencode
```

The `init-opencode` command automatically detects the best way to start the MCP server, creates opencode.json, and discovers your skills.
Desktop Assistant (skilllite-assistant)
Tauri 2 + React Desktop, located at crates/skilllite-assistant/:
```bash
cd crates/skilllite-assistant
npm install
npm run tauri dev    # dev mode (HMR)
npm run tauri build
```

MIT. See THIRD_PARTY_LICENSES.md for third-party details.
- Getting Started: Installation and quick start guide
- Environment Variables Reference: Complete env var documentation
- Architecture: Project architecture and design
- Contributing Guide: How to contribute

