skrptiq.yaml Manifest

Every workspace has a skrptiq.yaml file at its root. This is the manifest — it describes what the skrpt contains, what it depends on, and what access it needs.

A minimal manifest needs only a name. A published skrpt includes richer metadata for discovery, security review, and version tracking.

Minimal Manifest

name: "my-project"

That’s it. This is enough for a local workspace. All other fields are optional until you want to share or publish.

Full Example

name: "code-review-pipeline"
display_name: "Code Review Pipeline"
description: "Automated PR review with style checking and structured feedback"
version: "1.0.0"
engine: ">=1.0.0"

author:
  name: "skrptiq"
licence: "MIT"
repository: "https://github.com/skrptiq/hub-code-review-pipeline"

category: "developer"
tags:
  - "code-review"
  - "security"

requires:
  services:
    - "anthropic-claude"
    - "github-mcp"
  permissions:
    - "network:github.com"
  data_handling:
    - "source-code"

contents:
  skills: 3
  prompts: 5
  workflows: 1
  services: 2
  sources: 1
  documents: 0
  assets: 0
  total: 12

dependencies:
  company-core:
    source: "https://github.com/acme/core-skills.git"
    version: "^2.0.0"
    objects: "*"

Identity

Field	Required	Description
`name`	Always	URL-safe slug (`lowercase-with-hyphens`). Unique identifier for the skrpt.
`display_name`	No	Human-readable name. Defaults to `name` if omitted.
`description`	For publishing	One-liner shown in listings and search results.
`version`	For publishing	Semver version number (e.g. `1.0.0`).
`engine`	No	Minimum skrptiq app version required (e.g. `>=1.2.0`). The app warns if its version is too old.
`private`	No	Set to `true` to prevent accidental publishing to the Hub.

Attribution

Field	Required	Description
`author.name`	For publishing	Display name of the publisher.
`author.url`	No	Link to the author’s profile or website.
`licence`	For publishing	SPDX licence identifier (e.g. `MIT`, `Apache-2.0`, `CC-BY-4.0`).
`repository`	No	Git URL for the skrpt’s source code.

Security & Access

The requires block declares what the skrpt needs to function. This information is shown before import so you can make an informed decision.

Services

requires:
  services:
    - "anthropic-claude"
    - "github-mcp"

Lists the service nodes (LLM providers, MCP servers) the skrpt expects to connect to. These match service node slugs in the workspace.

Permissions

requires:
  permissions:
    - "filesystem:read"
    - "network:github.com"
    - "shell:execute"

Declares capabilities beyond basic LLM calls:

Permission	What it means
`filesystem:read`	Can read files via MCP filesystem server
`filesystem:write`	Can write or create files via MCP filesystem server
`network:<domain>`	Can make network requests to a specific domain
`shell:execute`	Can execute shell commands — highest risk

Data Handling

requires:
  data_handling:
    - "pii"
    - "source-code"

Declares what kind of sensitive data flows through the skrpt:

Type	Description
`pii`	Personally identifiable information (names, emails, addresses)
`source-code`	Proprietary or sensitive source code
`credentials`	API keys, tokens, passwords
`financial`	Financial records, invoices, payment data
`health`	Health or medical data
`legal`	Legal documents, contracts

Dependencies

Dependencies are other skrpts that this workspace imports objects from.

dependencies:
  company-core:
    source: "https://github.com/acme/core-skills.git"
    version: "^2.0.0"
    objects: "*"
  community-templates:
    source: "https://github.com/skrptiq/hub-community-templates.git"
    version: "1.2.0"
    objects:
      - "toxicity-detection"
      - "content-moderation-pipeline"

Field	Description
`source`	Git clone URL for the dependency.
`version`	Semver range (e.g. `^2.0.0`, `~1.2.0`, `1.2.3`). Omit for latest.
`objects`	`"*"` for everything, or a list of specific node slugs to import.

Imported objects appear read-only in your graph. Use Fork to copy them into your workspace for editing.

contents:
  skills: 3
  prompts: 5
  workflows: 1
  services: 2
  sources: 1
  documents: 0
  assets: 0
  total: 12

Auto-generated summary of node counts by type. The app computes this from the workspace directory — you don’t write it by hand.

Integrity & Trust

Published skrpts from the Hub include additional fields set by the Hub on publish. These are never written by hand:

integrity — a checksum and cryptographic signature verifying the contents haven’t been tampered with. The app verifies this automatically on import.
trust — indicates who published the skrpt and whether it has been reviewed. Three tiers:
- Official — published by skrptiq
- Verified — third-party, reviewed and approved
- Community — user-submitted, not yet reviewed

Skrpts cloned directly from git without Hub metadata are treated as unverified.

Workspace Directory Structure

The manifest sits at the root of a standard directory layout:

my-skrpt/
├── skrptiq.yaml          # Manifest
├── tags.yaml             # Tag definitions (name + colour)
├── .gitignore            # Ignores .skrptiq/
├── .skrptiq/             # Local-only state (not shared)
│   └── local.yaml        # Node positions
├── skills/               # Skill nodes (.md files)
├── prompts/              # Prompt nodes
├── workflows/            # Workflow nodes
├── services/             # Service nodes
├── sources/              # Source nodes
├── documents/            # Document nodes
└── assets/               # Asset nodes

Each node is a markdown file with YAML frontmatter containing its type, title, description, tags, and connections. See Import & Export for details on the file format.