Bruno Arias

How I stopped AI Context Bloat and built a package manager for my local agents

I rely heavily on local LLMs and AI coding agents (like Cursor, Copilot, and custom agents) for my daily workflow. But recently, I kept hitting a frustrating wall with how these agents handle their skills.

I realized I was facing two major problems:

1. Context Bloat & Hallucinations
If I keep all my agent skills in a global folder, the AI reads everything, even skills it doesn't need for the current project. If I'm building a simple React frontend, my agent doesn't need access to my database-seeding skills or DevOps skills. Giving it too much context leads to hallucinations and burns through tokens unnecessarily.

2. The Security Auditing Nightmare
The alternative is to install skills per-project directly from remote sources. But doing this means I waste a ton of time re-auditing each skill for malicious code or weird vulnerabilities every single time I start a new repo.

Enter skillbase 🧠

skillbase is a Node.js CLI that acts as a local package manager specifically designed for AI agent skills.

How it solves the mess

The core idea is simple: audit once, use safely everywhere.

skillbase lets you maintain a single, vetted global registry on your machine (defaulting to ~/.skillbase/skills/). Crucially, your AI does not read this folder by default.

When you start a new project, you just run:

skillbase add <skill>

The CLI safely copies your pre-vetted skills directly into your current workspace's .agents/skills/ folder. If you prefer to keep a single source of truth without duplicating files, you can just pass the -s or --sym flag to create a symbolic link instead.

A few cool things under the hood:

  • 📦 Reproducibility: It generates a skillbase.json manifest (just like a package.json for AI context). You can commit this file, and your teammates can run skillbase install to recreate the exact same skill set for that repository.
  • 🌐 Remote Sources: You can fetch new skills directly from public GitHub repos (skillbase install <repo-url> --remote) to audit and add them to your global registry.
  • ✨ Auto-detection: An init command scans your project's package.json dependencies and suggests which skills you might want to inject.
  • 🔄 Easy Migration & Promotion: If you build a custom skill inside a specific project, you can easily promote it to your global registry using the migrate command. It also lets you import legacy global setups in one go.

Check it out!

I originally built this to scratch my own itch, but it's completely open-source and I'd love to see if it helps other developers dealing with the same AI context chaos.

How do you guys manage AI context isolation and skill security in your own setups? I'm all ears for feedback, ideas, or PRs! 👇
