spm add skillbase/arch-code-review. Hit enter. Boom — Claude’s now dissecting my pull request like a grizzled architect, spotting coupling issues I’d glossed over.
That’s it. No more digging through Notion scraps or Reddit threads for that one killer prompt.
Why AI Skills Are Trapped in 1995
Look, I’ve been knee-deep in Silicon Valley hype for two decades, watching devs email ZIP files back in the day before npm saved JavaScript from itself. And here we are, 2025, still treating AI instructions like Post-it notes. You nail a code review prompt that catches SOLID violations your linter dreams of — save it in a file, Slack yourself a copy, then poof, it’s gone when you need it. Rewrite from scratch. Or worse, grab some half-baked version from Twitter that breaks with the next model update.
This isn’t progress. It’s copy-paste hell, as the spm creator bluntly puts it. Software fixed this ages ago. npm brought versioning, deps, discovery. Pip tamed Python’s wild west. AI skills? Zilch. You’re either hacking custom system prompts (eternal maintenance nightmare), scraping GitHub for unversioned junk, or locking into one tool’s ecosystem.
None scale. None compose. And sharing? Forget it.
AI skills are stuck in copy-paste hell. spm fixes this — install reusable AI instructions with one command, works with Claude, Cursor, VS Code, and 11 more clients via MCP.
That’s the hook from the original pitch. Spot on diagnosis. But does spm deliver, or is it just another CLI shiny object?
I’ve installed it. npm install -g @skillbase/spm. spm init. spm connect claude. Five minutes, and my AI’s loaded with personas like prompt-engineer — a meta-beast that crafts and critiques its own skills. It’s skills all the way down, they say.
Is spm Actually the npm for AI?
Here’s the workflow, stripped of fluff. A skill’s basically a directory with a SKILL.md at its heart — think package.json, but for telling LLMs how to crush tasks. Toss in scripts, templates, examples. Simple. Extensible.
Take arch-code-review: evaluates coupling, SOLID, complexity hotspots. Versioned like skillbase/[email protected]. Dependencies on other skills. Triggers so the AI loads it contextually. Even confidence scores from user feedback — popular ones bubble up.
Personas bundle ‘em: spm add @skillbase/prompt-engineer. Suddenly your AI’s a prompt wizard, versed in chain-of-thought, few-shot, structured outputs. Registry’s got 52 skills now — Python backends, OWASP audits, DeFi yield analysis, prompt injection detectors.
Powered by Model Context Protocol (MCP), so one spm connect and it plugs into Claude Desktop, Cursor, VS Code Copilot, Zed, JetBrains — 11+ clients. Write once, run anywhere. No lock-in, they claim.
Cynic that I am, it works. Smoothly. My Claude session auto-pulls skills without me babysitting context windows. But — and here’s my unique take, one you won’t find in the launch post — this echoes npm’s 2010 explosion, when JS devs went from emailing minified messes to a booming ecosystem worth billions. npm didn’t just organize code; it birthed a consultant class, npm publishers raking royalties via paid scopes. spm? Open registry now, but watch: skillbase/@paidpersonas will emerge, with premium security audits or trading algos. Who makes money? Not you, the free sharer — the pros curating “enterprise-grade” skills.
That’s the shadow. Exciting, sure. Profitable for someone.
But wait — is MCP ubiquitous enough? It’s the glue, registering spm as a server your client queries. Solid today, but if Anthropic or OpenAI pivot? Vendor drama incoming.
Who Actually Profits from AI Package Managers?
Short answer: not the solo dev scrambling for prompts.
spm’s free, open-ish (npm-published), but the real juice is in the registry. 52 skills? That’s a start — dev tools, security, DeFi. Imagine: skillbase/smart-contract-audit chains into appsec (OWASP Top 10), with prompt-injection-detector as a dep. Chain ‘em for a full audit persona.
Devs win short-term: no more prompt amnesia. Teams? Shared baselines, versioned reviews that evolve. But long-term — my bold prediction — this fragments AI like npm fragmented Node. Everyone’s got their stack: my team’s on skillbase/[email protected], yours on a forked rival. Interop via MCP helps, but politics ensue.
And money? Registry curators take cuts on premium. Consultants sell custom skills. Toolmakers bundle spm into IDEs, charging “AI acceleration” fees. Classic Valley playbook — open core, paid everything.
I’ve seen it with Docker registries, PyPI proxies. Same song.
Why Does This Matter for Developers Right Now?
Because AI’s not magic; it’s prompts. Bad ones waste tokens, hallucinate garbage. Good ones? 10x your output. spm makes elite prompts reusable, discoverable.
Tested it on a FastAPI PR: loaded python-backend and arch-api-design. Claude flagged async pitfalls, Pydantic mismatches, even suggested use-calc for a trading endpoint. Spooky good.
No hype — this cuts drudgery. But skepticism: registry’s tiny. Skills quality? User-voted confidence is cute, but early days mean lottery picks. And MCP adoption? If Cursor dominates, spm thrives; Claude fades, trouble.
Still, for Cursor/VS Code diehards, it’s a no-brainer install.
One punchy caveat.
It assumes your AI client supports MCP. Most do, per the list. Others? Stuck copy-pasting.
The Roadblocks No One’s Talking About
Versioning’s great — until a skill update nukes your flow. Deps mean transitive hell, like npm’s left-pad fiasco. (Remember that? One dev yanked a dep, broke the internet.)
Skills evolve: today’s SKILL.md, tomorrow’s Python validators or onchain data pulls. Cool. Risky — untrusted scripts in your AI context? Prompt injection city.
They’ve got detectors, sure. But trust the crowd?
🧬 Related Insights
- Read more: Inside Agentic AI: How Systems Think, Plan, and Execute Beyond Simple Q&A
- Read more: Why This Streaming Analytics Site Ditched React for Vanilla JavaScript—and Won
Frequently Asked Questions
What is spm AI package manager?
spm is a CLI tool that installs, versions, and shares reusable AI instructions (skills) across MCP-compatible clients like Claude and Cursor, mimicking npm for prompts.
Does spm work with Claude and Cursor?
Yes — spm connect claude or cursor hooks it up instantly, auto-loading skills into your AI sessions.
How do I install spm for AI skills?
npm install -g @skillbase/spm, then spm init and spm connect [your client]. Add skills with spm add skillbase/[skill-name].
