oska

How it works

The skill delivery pipeline

Oska sits between the organizations that produce AI skills and the people who use AI tools. Here is exactly how it works.

[01] The skill format

SKILL.md is the open standard.

Skills follow the open Agent Skills specification published by Anthropic and adopted by OpenAI for ChatGPT and Codex. A skill is a directory with a SKILL.md file containing YAML frontmatter and an instruction body.

Skills load progressively. At startup, only the name and description are loaded — about 100 tokens per skill. When the AI decides a skill is relevant, it loads the full instruction body. Additional referenced files load on demand.

This means an organization can have hundreds of skills installed without a context window penalty.

stripe-best-practices/SKILL.md

    ---
    name: Stripe Best Practices
    description: |
      Stripe integration patterns —
      Checkout, PaymentIntents, Connect,
      billing, subscriptions, and Treasury.
    ---
    # When working with Stripe
    Always use PaymentIntents for custom flows.
    Prefer Checkout Sessions when possible.
    ## Webhooks
    Always verify webhook signatures using
    the endpoint secret, not the API key...

stripe-best-practices/
    SKILL.md      # Required
    scripts/      # Optional executables
    references/   # Loaded on demand
    assets/       # Templates, images
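
The progressive loading described above, as an added example (not Oska's or any vendor's code): a minimal reader that puts only the name and description into the startup index and reads the body on demand. It parses frontmatter as plain strings only and handles just the shape shown on this page; the function names and the shortened sample are constructed for illustration.

```python
# Constructed sample, shortened from the page's example.
SAMPLE = """\
---
name: Stripe Best Practices
description: |
  Stripe integration patterns -
  Checkout, PaymentIntents, Connect.
---
# When working with Stripe
Always use PaymentIntents for custom flows.
"""

def split_skill(text):
    """Return (frontmatter_lines, body); raise ValueError if the '---' fences are missing."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != "---":
        raise ValueError("SKILL.md must start with a '---' frontmatter fence")
    try:
        end = lines.index("---", 1)
    except ValueError:
        raise ValueError("unterminated frontmatter") from None
    return lines[1:end], "\n".join(lines[end + 1:])

def parse_frontmatter(fm_lines):
    """Parse 'key: value' and 'key: |' blocks as plain strings (no YAML object types)."""
    meta, key = {}, None
    for line in fm_lines:
        if line[:1] in (" ", "\t") and key is not None:
            # Continuation of a block scalar; joined with spaces for the index.
            meta[key] = (meta[key] + " " + line.strip()).strip()
        elif ":" in line:
            key, _, value = line.partition(":")
            key, value = key.strip(), value.strip()
            meta[key] = "" if value in ("|", ">") else value
        elif line.strip():
            raise ValueError(f"unparseable frontmatter line: {line!r}")
    return meta

def load_metadata(text):
    """Startup path: only name and description enter the index."""
    meta = parse_frontmatter(split_skill(text)[0])
    missing = {"name", "description"} - {k for k, v in meta.items() if v}
    if missing:
        raise ValueError(f"missing required fields: {sorted(missing)}")
    return {"name": meta["name"], "description": meta["description"]}

def load_body(text):
    """On-demand path: the instruction body is read only once the skill is selected."""
    return split_skill(text)[1]
```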

[02] Publishing

Six ways in.

All publishing paths call the same API. The surface is just a client.

Web Editor

Author skills from scratch in the browser. Fork and customize existing skills from the catalog.

CLI

Publish from a local directory with oska publish, similar to npm publish.

GitHub App

Install the Oska GitHub App on any repo with SKILL.md files. Skills sync automatically.

CI/CD

Publish on merge to main using a GitHub Action or any CI pipeline.

REST API

POST /v1/skills for programmatic publishing from any toolchain.

Catalog Import

One-click import from the public catalog. Verified skills from leading vendors.

Terminal

    # Publish from a local directory
    $ oska publish ./stripe-best-practices --version 2.1.0
    # Or via the API
    $ curl -X POST https://api.oska.dev/v1/skills \
        -H "Authorization: Bearer $OSKA_TOKEN" \
        -F "skill=@./stripe-best-practices"

.github/workflows/publish-skills.yml

    name: Publish Skills
    on:
      push:
        branches: [main]
    jobs:
      publish:
        runs-on: ubuntu-latest
        steps:
          - uses: actions/checkout@v4
          - uses: oska/publish-action@v1
            with:
              workspace: acme-corp
              token: ${{ secrets.OSKA_TOKEN }}

[03] Access control

Role-based.
Identity-driven.

Admins create roles, assign skills to roles, and assign users to roles. Role assignment can be manual or automatic via SAML attribute mapping or SCIM group sync from the IdP.

Skills

A SKILL.md directory containing instructions, scripts, references, and assets. Versioned with semver. Only live skills are delivered.

Roles

Admin-defined groups like engineering, sales, support. Roles are the unit of access control. A user can hold multiple roles.

Assignments

The binding between skills and roles. Remove a skill from a role and it disappears from all users in that role.

Users

People in your organization who use AI tools. Provisioned via SCIM, SSO, or manual invite. They never interact with Oska.

Role-based access control

Role          Assigned skills
engineering   Stripe, Sentry, Terraform, React
sales         Notion, Amplitude, Google WS
support       Sentry, Notion, Datadog

Delivery (user in engineering)

Receives: Stripe, Sentry, Terraform, React
Synced to: Claude, ChatGPT, Codex
Updated when role changes
Revoked within 60s on departure

[04] Delivery

Same artifact.
Every surface.

The skill artifact (SKILL.md directory) is identical across all surfaces. Only the delivery mechanism differs per tool.

Surface             Mechanism                        Path
Claude Code         File drop via sync agent         ~/.claude/skills/<skill-name>/
Claude.ai           File drop via sync agent         ~/.claude/skills/<skill-name>/
ChatGPT Enterprise  Workspace library via admin API  Workspace library
Codex CLI           File drop via sync agent         ~/.codex/skills/<skill-name>/

For file-based surfaces (Claude, Codex), the sync agent writes skill directories to the appropriate path. Claude Code and Codex discover them automatically on startup. For ChatGPT Enterprise, the platform calls the workspace admin API directly — no file system access required.
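
The role model from the access control section and the file-drop delivery above, combined in one added example (not Oska's code): it resolves a user's effective skills across roles, keeps only live ones, and computes what a file-based sync must write and remove. The data, the function names, the lowercase slug rule, and the `live` flag representation are assumptions made for illustration.

```python
import re
from pathlib import Path

# Constructed sample data mirroring the page's roles; slugs and live flags are assumptions.
SKILLS = {"stripe": True, "sentry": True, "terraform": True, "react": True,
          "notion": True, "datadog": False}            # slug -> live?
ROLE_SKILLS = {"engineering": {"stripe", "sentry", "terraform", "react"},
               "support": {"sentry", "notion", "datadog"}}
SLUG = re.compile(r"[a-z0-9][a-z0-9-]{0,63}")          # assumed naming rule

def effective_skills(user_roles):
    """Union of skills over all the user's roles, keeping only live ones."""
    granted = set()
    for role in user_roles:
        granted |= ROLE_SKILLS.get(role, set())        # unknown role grants nothing
    return {s for s in granted if SKILLS.get(s, False)}

def target_dir(root, slug):
    """Resolve <root>/<slug>/ and refuse any name that would escape the skills root."""
    if not SLUG.fullmatch(slug):
        raise ValueError(f"invalid skill name: {slug!r}")
    root = Path(root).resolve()
    path = (root / slug).resolve()
    if path.parent != root:                            # e.g. a symlinked entry
        raise ValueError(f"path escapes skills root: {slug!r}")
    return path

def sync_plan(root, installed, user_roles):
    """Return (to_write, to_remove) so revoked skills are deleted, not left stale."""
    wanted = effective_skills(user_roles)
    to_write = sorted(wanted - set(installed))
    to_remove = sorted(set(installed) - wanted)
    for slug in to_write + to_remove:
        target_dir(root, slug)                         # validate before touching disk
    return to_write, to_remove
```

A user with no remaining roles gets an empty wanted set, so every installed skill lands in `to_remove`; that is the departure case the page describes.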

[05] Authentication

Identity resolves to capabilities.

Authentication resolves a user's identity to a role and issues a scoped credential for skill delivery. When their role changes in the IdP, skills update. When they leave, access is revoked within 60 seconds.

SAML SSO

Any SAML 2.0 IdP: Okta, Azure AD, Google Workspace, Ping Identity. Attribute mapping connects IdP attributes to Oska roles.

SCIM 2.0

Automated user provisioning and deprovisioning. Auto-create accounts, update roles on team changes, revoke access on departure.

MDM Deployment

Generate deployable packages for Jamf, Intune, and Workspace ONE. IT pushes centrally. Zero user interaction after deployment.

Credential delivery

On first sign-in, a small installer authenticates with the platform, receives a role-scoped credential, and writes it to the OS keychain (macOS Keychain, Windows Credential Manager, or libsecret on Linux). The user never handles a token directly. When they are removed from the IdP, their credential is revoked within 60 seconds.

[06] The sync agent

Install once.
Forget forever.

The sync agent is a lightweight background process installed on the user's machine. It holds a role-scoped credential in the OS keychain and keeps skills in sync with the platform. Runs silently. No user interaction after onboarding.

Terminal

    # User onboarding (one time)
    $ oska login
    Opening browser for authentication...
    Authenticated as jane@acme.com
    Role: engineering (48 users)
    Credential stored in macOS Keychain
    Syncing 12 skills to 3 surfaces...
    Done. Skills will stay in sync automatically.

    # After this, the user never runs oska again.
    # Skills update silently in the background.
