AgentStack

The package managerfor agent skills.

Install reviewed, versioned skills into Claude Code and Codex with one command. Update them all from one source. No more copy-paste.

Join the beta
curl -fsSL https://agentstack.gg/install.sh | sh

Requires an AgentStack account for registry access.

agentstack — zsh — 92×24
# install your team's stack
agentstack stack install acme/engineering-default
installed stack acme/engineering-default
- repo-conventions
- code-review
- release-notes
# two weeks later: a new code-review version is released
agentstack stack update acme/engineering-default
updated stack acme/engineering-default
- code-review 6 -> 7

The problem

Good instructions are everywhere. Keeping them current is the hard part.

Your best guidance already exists: repo conventions, code review habits, support playbooks, brand rules. But once it is copy-pasted into every agent, repo, and laptop, each copy becomes its own source of truth.

One copy improves. Another goes stale. Someone installs a skill nobody reviewed.

one playbook, four copies

  • payments-api/CLAUDE.md

    updated last week

  • web/.cursor/rules

    diverged in March

  • ~/Desktop/review-notes.md

    five months stale

  • Notion · Code review checklist

    which copy is current?

Stacks

The best skills travel in stacks.

A skill teaches one behavior: review a PR, write a release note, escalate a support case. A stack bundles the skills you rely on, yours or your whole team's, with one owner and one approved version. Install it once.

Review

Every upload is scanned before it can publish.

Skills are instructions your agents will follow, so Sentinel, the registry's built-in security baseline, scans every upload for malicious agent instructions before it can reach you. Add your own gates on top: tool-use, brand, legal, whatever your team needs.

Sentinel scanall checks passed

acme/invoice-processing

v3 v4

Stops an agent from sending a payment when a vendor's bank details do not match the approved record.

Security baseline
  • Prompt injection
  • Hidden instructions
  • Secrets & tokens
  • Exfiltration paths
  • Suspicious links
  • Tool-use scope
Custom gates1 pending
Spend controls
Finance
approved
Data handling
Privacy
approved
Controller sign-off
Payment authority
pending
Candidate held

Not yet current. Approved current remains v3. Every install keeps following v3 until this clears.

FAQ

Questions, answered.

Direct answers about what AgentStack is, what it replaces, and where it fits above your agent runtimes.

  • What is AgentStack?

    AgentStack is a package manager for agent skills: a simple CLI and private registry for the instructions your agents follow. A stack bundles skills into one installable playbook, with one owner, one approved current version, the gates it had to clear, and a full audit trail of who changed what. AgentStack does not run your agents; it governs what they are allowed to follow.

  • What is a skill?

    A skill tells an agent how to perform one unit of work the way your organization wants it done. It packages the context, examples, and policies an agent needs, with an owner, a version, and the gates it cleared to ship.

  • What is a stack?

    A stack is a versioned bundle of approved skills for a team or scope. Install it once and follow the approved current version as it ships, or pin to a version you trust.

  • How is AgentStack different from a prompt library?

    A prompt library stores text for a person to copy and paste. AgentStack governs stacks your agents install: every skill has an owner, every stack has a reviewed current version, and every install leaves a trail. Text in a doc has none of that.

  • How is AgentStack different from an agent runtime?

    AgentStack does not execute agents. It governs which skills and stacks your agents are allowed to use, and the gates each version clears before it becomes current.

  • Why not just use GitHub or repo files like CLAUDE.md and .cursor/rules?

    Many instructions start there, and a repo can still be a source. But a file on one laptop is not a governed answer for the whole organization. AgentStack sits above those sources and gives every team and runtime one owner, one current version, one review trail, and one place to install from.

  • What does Sentinel scan for?

    Sentinel checks every upload for prompt injection, hidden or override instructions, embedded secrets and credential paths, exfiltration paths, suspicious links, and over-broad tool use, before any team gate begins. It is a security baseline, not a full security review, and it is actively expanding.

  • Where can my agents install stacks?

    Wherever your agents already work. The CLI installs stacks and skills into Claude Code and Codex, at the user level or per repo, plus a runtime-agnostic local library. The same approved stack lands in every target, and more targets are in development.

  • How do teams stay in sync after they install?

    They update from the same source instead of re-copying files. When a new version is approved, one command moves an install forward: agentstack stack update applies it, the --check flag previews it first, and pinned versions stay put until you move them. Run it by hand, or let CI run it on a schedule.

  • Is there a web interface?

    A browser portal over the same registry is in development, for reviews and audit in clickable form. The beta is CLI-first, and the CLI stays the source-of-truth surface.

  • What do beta teams get?

    The agentstack CLI, a private registry org, and hands-on onboarding. Bring the instructions one team already trusts; we help you package them into your first approved stack and install it into the runtimes your agents use.

The loop, closed

Give your agents one approved stack.

Every instruction your agents follow has an owner, a version, and a review behind it. We onboard every beta user by hand, one stack at a time.

Join the beta