How I stopped AI Context Bloat and built a package manager for my local agents

Bruno Arias — Sun, 05 Apr 2026 16:56:20 +0000

I rely heavily on local LLMs and AI coding agents (like Cursor, Copilot, and custom agents) for my daily workflow. But recently, I kept hitting a frustrating wall with how these agents handle their skills.

I realized I was facing two major problems:

1. Context Bloat & Hallucinations
If I keep all my agent skills in a global folder, the AI reads everything—even skills it doesn't need for the current project. If I'm building a simple React frontend, my agent doesn't need access to my database-seeding skills or DevOps skills. Giving it too much context leads to hallucinations and burns through tokens unnecessarily.

2. The Security Auditing Nightmare
The alternative is to install skills per-project directly from remote sources. But doing this means I waste a ton of time re-auditing each skill for malicious code or weird vulnerabilities every single time I start a new repo.

Enter `skillbase` 🧠

skillbase is a Node.js CLI that acts as a local package manager specifically designed for AI agent skills.

How it solves the mess

The core idea is simple: Auditing once, using safely everywhere.

skillbase lets you maintain a single, vetted global registry on your machine (defaulting to ~/.skillbase/skills/). Crucially, your AI does not read this folder by default.

When you start a new project, you just run:

skillbase add <skill>

The CLI safely copies your pre-vetted skills directly into your current workspace's .agents/skills/ folder. If you prefer to keep a single source of truth without duplicating files, you can just pass the -s or --sym flag to create a symbolic link instead.

A few cool things under the hood:

📦 Reproducibility: It generates a skillbase.json manifest (just like a package.json for AI context). You can commit this file, and your teammates can run skillbase install to recreate the exact same skill set for that repository.
🌐 Remote Sources: You can fetch new skills directly from public GitHub repos (skillbase install <repo-url> --remote) to audit and add them to your global registry.
✨ Auto-detection: An init command scans your project's package.json dependencies and suggests which skills you might want to inject.
🔄 Easy Migration & Promotion: If you build a custom skill inside a specific project, you can easily promote it to your global registry using the migrate command. It also lets you import legacy global setups in one go.

Check it out!

I originally built this to scratch my own itch, but it's completely open-source and I'd love to see if it helps other developers dealing with the same AI context chaos.

GitHub Repo: ariasbruno/skillbase
npm: @ariasbruno/skillbase

How do you guys manage AI context isolation and skill security in your own setups? I'm all ears for feedback, ideas, or PRs! 👇

DEV Community: Bruno Arias

How I stopped AI Context Bloat and built a package manager for my local agents

Enter skillbase 🧠

How it solves the mess

A few cool things under the hood:

Check it out!

Enter `skillbase` 🧠