withastro/rosie

Collection · community
withastro · BSD-3-Clause · Updated 23d ago · npm · GitHub

Agent package manager

This collection bundles 23 skills.

⚠ The trust score below reflects the installer package rosie-skills only. The bundled units are not individually verified or scanned — review them before use.

Automatically indexed from public sources. Not yet verified by the developer on Forge.
GitHub stars: 139
Forks: 8
Last update: 23d ago
Package
Author: withastro
License: BSD-3-Clause
Source: github
Trust Status
A · 95/100 · Trusted
Listed in Forge index: +10/10
Publisher identity verified: +0/25
  Publisher: run `forge publish` from the package repo to claim ownership
Ed25519 publish signature: +0/10
  Included automatically when the publisher runs `forge publish`
Domain verification: +0/5
  Publisher: host /.well-known/forge.json on the package homepage with { "publisher": "<github-login>" }
CVE scan · clean: +30/30
Static analysis · clean: +20/20
npm provenance (Sigstore): +5/5
Status: Community-indexed
Publisher: Unverified
Signature: Unsigned
Domain
Provenance: ✓ Sigstore-verified · 06c1137
Dependencies: 1 resolved · none vulnerable
Tool surface
Security scan: ✓ Clean · v0.8.3 · 19d ago
Evals: None
Indexed: Jun 14, 2026

Verification confirms publisher identity (repo ownership), not code safety. The security scan covers known CVEs and suspicious install scripts — it cannot prove the absence of malicious code.

About

A fast, cross-platform package manager for AI agent skills. Use as a CLI or as a typed JS library — same binary either way, via a native build on supported platforms or WebAssembly everywhere else. The package is ESM-only. Use a namespace import: All functions return Promises. Failures throw with a descriptive message. couldn't symlink into: ${result.failedAgents.join(', ')} is non-fatal: rosie tries every detected agent and reports the misses. The canonical install at still lands and the…

Keywords
collection