Registry

---

The public index of all skills available through Brox.

This repo is the registry — index.json is the source of truth for what skills exist, their versions, and where to fetch them.

How publishing works

┌─────────────────┐  fork+PR  ┌────────────────────────┐
│  brox publish   │ ───────► │  broxhq/registry       │
│  (in author's   │           │  index.json + PR       │
│   skill repo)   │           │  CI validates + merges │
└─────────────────┘           └────────────────────────┘

1. Author runs brox login (one-time GitHub Device Flow)
2. Author runs brox publish from inside their skill directory
3. CLI forks this repo, updates index.json, opens a PR
4. CI (.github/workflows/validate.yml) runs four checks:
   • Schema: manifest conforms to the spec
   • Diff: PR adds/updates exactly one skill (no bundled changes)
   • Ownership: PR author's GitHub login matches the skill's scope (@alice/foo requires login = alice)
   • Source: the referenced repo and ref exist on GitHub, and skill.json is present at the subdirectory
5. CI auto-approves and merges if all checks pass; otherwise comments with the failure reason

Namespace rules

• Personal scope: @<your-github-username>/... — you publish under your own GitHub username, no setup required
• Reserved scopes: @brox, @anthropic, @official — only members of the broxhq org may publish under these

index.json format

{
  "version": 1,
  "updated": "2026-05-15T00:00:00Z",
  "skills": {
    "@brox/pdf-extractor": {
      "description": "Extract structured text and tables from PDF files.",
      "repo": "https://github.com/broxhq/examples",
      "subdirectory": "pdf-extractor",
      "license": "MIT",
      "keywords": ["pdf", "extraction", "documents"],
      "versions": {
        "0.1.0": {
          "ref": "v0.1.0",
          "published": "2026-05-15T00:00:00Z"
        }
      },
      "latest": "0.1.0"
    }
  }
}

Required fields per skill

Field	Type	Notes
description	string	Max 200 characters
repo	string	Must be https://github.com/...
license	string	SPDX identifier
versions	object	Maps semver string → {ref, published?}
latest	string	Must be a key in versions

Optional fields

Field	Type	Notes
subdirectory	string	Path inside the repo where skill.json lives
author	string	Display name
keywords	string[]	For search

Reporting malicious skills

Email security@brox.sh or open an issue tagged security. Confirmed malicious entries are removed within 24 hours and the namespace is locked from further publishing.

Manual publishing (without CLI)

If brox publish isn't an option, you can publish manually:

1. Fork this repo
2. Edit index.json — add or update your skill entry
3. Open a PR; CI will validate and merge

Your GitHub login must match the scope. CI will reject the PR if it doesn't.