Skip to main content

auto-skill lock

Manage the skill lock file for integrity verification. The lock file tracks SHA-256 hashes of installed skills to detect tampering and ensure reproducible skill environments.

Usage

auto-skill lock [action] [options]

Actions

status
action
default:"true"
Show lock file summary (version, path, skill count)
list
action
List all locked skills with their metadata
verify
action
Verify integrity of all locked skills using SHA-256 hashes

Options

--json
boolean
default:"false"
Output results in JSON format

Lock File Format

The lock file is stored at ~/.claude/auto-skill/skills.lock and contains:
  • Version - Lock file format version
  • Skills - Array of locked skill entries
  • Metadata - Timestamps, sources, and hashes

Lock Entry Structure

name
string
required
Skill name or identifier
source
string
required
Source of the skill (e.g., “local”, “skillssh”, “github”)
contentHash
string
required
SHA-256 hash of the skill file content
lockedAt
string
required
ISO 8601 timestamp when the skill was locked

How It Works

1

Skill Installation

When a skill is generated or installed, its content is hashed using SHA-256
2

Lock File Update

The hash, source, and metadata are written to skills.lock atomically
3

Verification

On verification, current file content is hashed and compared to the locked hash
4

Integrity Check

Mismatches indicate the skill has been modified, corrupted, or tampered with

Examples

Show Lock File Status

auto-skill lock status

Lock File Status

  Path: /Users/username/.claude/auto-skill/skills.lock
  Version: 1.0
  Skills: 12

List All Locked Skills

auto-skill lock list

Locked Skills (12)

  debug-api-errors
     Source: local | Hash: a3f2b8c1e4d6f9a2...
     Locked: 2024-03-15T10:23:45.123Z

  react-test-patterns
     Source: skillssh | Hash: b9e7c2d1f3a5b8c4...
     Locked: 2024-03-14T15:42:18.456Z

  tdd-workflow
     Source: local | Hash: c1d8e3f2a9b6c7d4...
     Locked: 2024-03-13T09:15:32.789Z

  typescript-migration
     Source: github | Hash: d4f1a7b3c9e2d8f5...
     Locked: 2024-03-12T14:28:51.234Z

Verify Skill Integrity

auto-skill lock verify

Integrity Verification

  PASS debug-api-errors
  PASS react-test-patterns
  PASS tdd-workflow
  FAIL typescript-migration
  PASS git-workflow-automation
  PASS api-endpoint-testing
A FAIL status means the skill file has been modified since it was locked. This could indicate:
  • Intentional edits by the user
  • File corruption
  • Security concern (tampering)
Review the skill file and re-lock if the changes are intentional.

JSON Output - Status

auto-skill lock status --json

{
  "version": "1.0",
  "skillCount": 12,
  "path": "/Users/username/.claude/auto-skill/skills.lock"
}

JSON Output - List

auto-skill lock list --json

{
  "count": 12,
  "skills": [
    {
      "name": "debug-api-errors",
      "source": "local",
      "contentHash": "a3f2b8c1e4d6f9a2b5c8d1f4e7a9b2c5d8e1f4a7b9c2d5e8f1a4b7c9d2e5f8a1",
      "lockedAt": "2024-03-15T10:23:45.123Z"
    },
    {
      "name": "react-test-patterns",
      "source": "skillssh",
      "contentHash": "b9e7c2d1f3a5b8c4d7e9f1a3b5c7d9e1f3a5b7c9d1e3f5a7b9c1d3e5f7a9b1c3",
      "lockedAt": "2024-03-14T15:42:18.456Z"
    },
    {
      "name": "tdd-workflow",
      "source": "local",
      "contentHash": "c1d8e3f2a9b6c7d4e1f8a3b5c7d9e1f3a5b7c9d1e3f5a7b9c1d3e5f7a9b1c3d5",
      "lockedAt": "2024-03-13T09:15:32.789Z"
    }
  ]
}

JSON Output - Verify

auto-skill lock verify --json

{
  "total": 6,
  "passed": 5,
  "failed": 1,
  "results": {
    "debug-api-errors": "pass",
    "react-test-patterns": "pass",
    "tdd-workflow": "pass",
    "typescript-migration": "fail",
    "git-workflow-automation": "pass",
    "api-endpoint-testing": "pass"
  }
}

Security Features

SHA-256 Hashing

Cryptographic hashing ensures tamper detection

Atomic Writes

Lock file updates are atomic to prevent corruption

Path Security

Path traversal prevention and null byte blocking

Unicode Normalization

Prevents unicode-based attacks on file paths

Use Cases

CI/CD Verification

# In CI pipeline
auto-skill lock verify
if [ $? -ne 0 ]; then
  echo "Skill integrity check failed"
  exit 1
fi

Audit Trail

# Check when skills were last locked
auto-skill lock list --json | jq '.skills[] | {name, lockedAt}'

Detect Modifications

# Find which skills have been modified
auto-skill lock verify --json | jq -r '.results | to_entries[] | select(.value == "fail") | .key'

Lock File Location

The lock file is stored at: 
~/.claude/auto-skill/skills.lock
The lock file is automatically created when the first skill is generated. You don’t need to manually create it.

Troubleshooting

If you intentionally edited a skill, this is expected. The lock file tracks the original content. To re-lock:
  1. Verify the changes are correct
  2. Re-generate or re-install the skill to update the lock
  3. Or manually update the lock file (not recommended)
The lock file is created automatically when skills are generated. If it’s missing:
auto-skill init
Then generate or install a skill to create the lock file.
This could indicate:
  • Lock file corruption
  • Skills directory moved or restored from backup
  • File system issues
Try:
auto-skill lock list
If the list looks corrupt, you may need to re-initialize and re-install skills.

List Agents

Check which agents have skills installed

View Telemetry

See which skills are most used

Build docs developers (and LLMs) love

Get started for freeTalk to us