How It Works

From discovery to your agent's runtime — here's how every skill and MCP server moves through the Aescut pipeline.

1. Discovery

New entries enter the registry in two ways: community submissions via pull request to the public registry, or automated import from known maintainer repositories. Every 6 hours, our import pipeline checks for new submissions and ingests them into the CMS with status pending.

2. Enrichment

Every entry with a source repository is automatically enriched with live metadata: stars, forks, language, topics, contributors, license, and latest commit. This runs every 6 hours and is monorepo-aware — skills sharing a repository are enriched in a single API call.

3. Review

Every entry goes through a three-tier review process:

Trusted Maintainer
The maintainer is marked as trusted (e.g. Anthropic, Google, Vercel). All their entries are auto-approved.
Auto-Reviewed
Our automated analyzer scores the source code for permissions, network access, destructive operations, and supply chain signals.
Manually Reviewed
A human auditor inspects the code, verifies permissions, and writes an assessment summary. This is the highest level of assurance.

Every review is version-pinned: the exact Git commit is recorded. If the repository is updated after review, the assessment is flagged as potentially stale.

4. Publication

When an entry is approved, the site rebuilds automatically: static pages are generated, the search index is updated, and the entry appears in the browse directory, JSON catalog, RSS feed, and LLM-readable index. Approved entries are also exported to the public registry as review cards.

5. Agent Access

Any AI agent with the Aescut MCP server installed can query the registry at runtime. Before installing or invoking a skill, the agent calls check_risk and gets a recommendation: allow, review, avoid, or block — with reasons and next steps.

npx -y @aeptus/aescut

Works with Claude Code, Cursor, Windsurf, and any MCP-compatible agent.
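
The runtime check described above, combined with the version-pinning rule from the Review step, can be enforced on the agent side as in the following added example, which is not Aescut's own code. The result fields `recommendation`, `reasons` and `reviewedCommit`, the function names, and the mapping from each recommendation to an action are assumptions; only the four recommendation values come from this page.

```javascript
// Added example: agent-side gate over a check_risk result.
// ASSUMPTION: the result shape { recommendation, reasons, reviewedCommit } is
// hypothetical; the page only names the four recommendation values.
const RECOMMENDATIONS = new Set(["allow", "review", "avoid", "block"]);
const FULL_SHA = /^[0-9a-f]{40}$/;

// True only when both values are full 40-hex Git commit ids and are equal.
function samePinnedCommit(reviewed, installing) {
  const a = String(reviewed ?? "").trim().toLowerCase();
  const b = String(installing ?? "").trim().toLowerCase();
  return FULL_SHA.test(a) && FULL_SHA.test(b) && a === b;
}

// Decide what the agent does before installing or invoking a skill.
// Returns { action: "proceed" | "ask_human" | "refuse", why: string[] }.
// ASSUMPTION: the action mapping below is a local policy choice.
function gate(result, installingCommit) {
  const rec = result && typeof result.recommendation === "string"
    ? result.recommendation.toLowerCase() : "";
  const why = Array.isArray(result?.reasons) ? [...result.reasons] : [];

  // Fail closed: a missing or unrecognised recommendation is never "allow".
  if (!RECOMMENDATIONS.has(rec)) {
    return { action: "refuse", why: [...why, "unrecognised recommendation"] };
  }
  if (rec === "block" || rec === "avoid") return { action: "refuse", why };
  if (rec === "review") return { action: "ask_human", why };

  // rec === "allow": honour it only for the exact commit that was reviewed.
  if (!samePinnedCommit(result.reviewedCommit, installingCommit)) {
    return { action: "ask_human",
             why: [...why, "review is pinned to a different commit (stale)"] };
  }
  return { action: "proceed", why };
}

// Constructed sample values, not real registry data.
const REVIEWED = "a".repeat(40);
const sample = { recommendation: "allow", reasons: [], reviewedCommit: REVIEWED };
console.log(gate(sample, REVIEWED).action);
console.log(gate(sample, "b".repeat(40)).action);
```

An "allow" issued for one commit is downgraded to a human prompt when the commit being installed differs, which mirrors the stale-assessment flag described in the Review step.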

Built on

Cloudflare Pages + D1 + R2

Static hosting, SQLite database, media storage

Payload CMS

Headless content management on Next.js 15

Astro 5

Static site generation with Pagefind search

MCP Server

JSON-RPC 2.0 over stdio — 4 read tools + risk assessment