Skip to main content

Tutorial: Govern at scale

The Govern stage is where Skillsmith stops being a personal tool and becomes infrastructure. It covers audit logs, role-based access control, SIEM export, and the team-scope view of the same namespace audit you ran in Maintain. Most flows here are Team or Enterprise tier.

These tutorials show Skillsmith in Claude Code. For installation in your preferred runtime (Cursor, Continue, Copilot, Windsurf), see Getting Started.

What you will do

  • Query audit logs for a time range and event type
  • Export audit events for compliance reporting
  • Stream events to a SIEM (Splunk, Elastic, Datadog)
  • Run skill-level and pack-level security audits
  • Read the session-start governance summary at the start of every Claude Code session

Tools that map to Govern

Surface Tool / command Purpose Tier
MCP skill_audit Audit a single skill for security advisories Team+
MCP skill_pack_audit Audit a pack of skills (bulk advisory check) Team+
MCP audit_query Query the audit log with filters (event type, actor, time range) Enterprise
MCP audit_export Export audit events for a time range (CSV / JSON) Enterprise
MCP siem_export Export audit events for SIEM ingestion (CEF / LEEF / JSON) Enterprise
CLI skillsmith audit advisories Run security advisory scan against installed skills Team+
CLI skillsmith audit collisions Same namespace audit as Maintain, with team-scope reporting All (deeper modes Team+)

Tier gating is enforced

Governance tools require a Team or Enterprise license. Free and Individual tiers see typed errors when they invoke these tools — not stub data. Configure SKILLSMITH_LICENSE_KEY in your MCP env config; missing keys produce a "license required" error rather than a silent fallback.

Step 1 — Audit a skill for security advisories

Before adding a skill to your team's approved set, run the security audit. It checks for known CVEs in declared dependencies, flagged authors, and structural patterns associated with malicious skills.

Try these prompts:

  • "Audit community/jest-helper for security advisories"
  • "Run a security audit on community/git-commit"
  • "Check this skill for known vulnerabilities"

Or from the terminal:

skillsmith audit advisories community/jest-helper
skillsmith audit advisories --all   # Audit every installed skill

The audit returns a per-skill verdict (clean, advisory, blocked) with links to the underlying advisory feed. Treat blocked verdicts as hard stops; revisit advisory verdicts case-by-case.

Step 2 — Audit a pack of skills in bulk

For team rollouts you typically pack a curated set of skills together — a "frontend pack", "backend pack", "compliance pack" — and need to audit the whole pack at once.

Try this prompt:

  • "Audit my team's approved skill pack for advisories"

The MCP tool skill_pack_audit takes a pack manifest, runs advisory checks on every skill in it, and returns a roll-up report. Use it before publishing internal pack updates so you do not roll out a skill with a new CVE attached.

Step 3 — Query the audit log

Every Skillsmith operation that mutates state (install, uninstall, update, pin, publish) writes an event to the audit log. The audit_query tool lets you read that log back filtered by actor, event type, and time range.

Try these prompts:

  • "Show me Skillsmith audit events from the last 24 hours"
  • "Query the audit log for installs by user @alice in March"
  • "List uninstall events for community/jest-helper"

The MCP returns structured events (timestamp, actor, action, target, metadata). For ad-hoc analysis, ask Claude Code to summarize patterns: "Are there any unusual patterns in last week's audit events?"

Step 4 — Export audit events for compliance

Annual audit cycles, SOC 2 reviews, and customer security questionnaires all need exportable evidence. audit_export emits a sealed JSON or CSV bundle for a time range.

Try this prompt:

  • "Export the Skillsmith audit log for Q1 2026 as JSON"

The export includes a SHA-256 manifest hash so the auditor can verify the bundle has not been tampered with. Store the bundle alongside your other compliance evidence; do not commit it to source control.

Step 5 — Stream events to a SIEM

For continuous monitoring rather than point-in-time export, siem_export emits events in a format your SIEM can ingest: CEF (ArcSight), LEEF (QRadar), or structured JSON (Splunk, Elastic, Datadog).

Try this prompt:

  • "Configure Skillsmith to stream audit events to our SIEM in CEF format"

The MCP returns the export endpoint and authentication token; wire those into your SIEM's HTTP collector. Events stream within seconds of the underlying mutation. See the API reference for the wire format details.

Step 6 — Read the session-start governance summary

Team and Enterprise installs include a SessionStart hook in Claude Code that runs the namespace audit on every session and emits a summary on stderr. Free and Individual tiers see no output (intentional — the audit is a paid feature).

A typical Team summary looks like:

[skillsmith] audit: 0 collisions, 2 advisories pending review

The hook is debounced 24 hours (it does not fire on every session), and is bounded to a 5-second wall clock. Disable it with SKILLSMITH_SESSION_AUDIT_DISABLE=1 if it interferes with automation; logs land in ~/.skillsmith/logs/.

Step 7 — Apply policy at team scope

The Maintain tutorial's namespace audit reports collisions for a single user. At team scope, the same audit rolls up across every developer in your workspace, surfacing drift between team members' installed inventories.

Combine the audit output with apply_recommended_edit (Team+) and apply_namespace_rename (Team+) to centrally enforce naming policy. Renames apply via the namespace-overrides ledger so subsequent audits respect them.

Both apply tools return a non-mutating preview by default; pass confirmed: true to actually write the change.

Common pitfalls

"License required" on every Govern call

Set SKILLSMITH_LICENSE_KEY in your MCP server's env config (not in your shell — MCP subprocesses do not inherit shell env). The license key resolves your team via the resolve_team_from_license RPC. If you have just upgraded and the error persists, restart the MCP server so it picks up the new env.

Audit log returns empty

Audit logs are scoped to your team. If you query without a license key or with a key that resolves to a different team, you see an empty result. Verify with "Who am I authenticated as?" before assuming the log is empty.

SIEM ingestion drops events

The SIEM endpoint is HTTPS only and requires a bearer token in the Authorization header. Most ingestion drops trace back to misconfigured authentication — check your SIEM's HTTP collector logs first. The Skillsmith side will log the export attempts in the audit log itself (recursive but useful).

Where to next

The full lifecycle ends at Retire — deliberately uninstalling skills you no longer need. For ongoing day-to-day hygiene, Govern's signals feed back into Maintain's actions.

Reference: MCP audit tools · CLI reference · API reference · Tier pricing.

Previous: Author — Next: Retire