
[Bug]: Global install from private GitHub repo results in missing skillFolderHash in .skill-lock.json #436

@ThomSMG

Description

When installing a skill globally (npx skills add <private_repo> -g) from a private GitHub repository, the skill is correctly downloaded and installed, but .skill-lock.json ends up with an empty skillFolderHash string for that entry (e.g., "skillFolderHash": "").

This silently breaks future update checks and auto-update, because the update logic in the CLI skips any skill whose entry has an empty hash. The skill never receives updates, and the user gets no warning during install that tracking will not work.

The root cause appears to be that the install process (in add.ts) fetches the tree SHA from the GitHub Trees API via fetchSkillFolderHash(...), but calls this function without passing a GitHub token. This API request works for public repos, but fails with a 404 for private repos, returning null (and so setting hash to "").

The download path uses the user's credentials or local Git config (so succeeds on private), but the hashing path doesn't, so the install appears successful while silently breaking update tracking.

Steps to Reproduce

  1. Ensure you have access credentials set up for a private GitHub repo containing one or more skills (e.g., smg-real-estate/agent-skills-for-dev).
  2. Install a skill from this repo globally:
    npx skills add <org>/<path>/SKILL.md -g
  3. Observe that the skill installs fine.
  4. Examine ~/.agents/.skill-lock.json and see the skill entry, but skillFolderHash is blank.
  5. Run npx skills update — observe that the skill is not updated or checked.
  6. Repeat steps with a public repo for comparison — note that field is filled.

Expected Behavior

When installing a skill globally from a private GitHub repo, the installer should fetch the hash with user credentials (token), so skillFolderHash is correctly filled, identical to public repo installs.

Actual Behavior

skillFolderHash is blank for skills installed from private repos unless the Trees API is public (never the case for a true private repo), so update/auto-update for those skills is broken and users aren't warned at install time.

Version

1.4.1

Node.js Version

22.9.0

Operating System

macOS

Logs / Error Output

No errors visible — install reports success. Silent failure; key diagnostic is missing hash in the lock file.
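
Because the install reports success, the blank hash described in this report is only visible by inspecting the lock file. The following is an added example, not part of the issue or of the skills CLI code: a schema-agnostic audit that flags every lock-file entry whose skillFolderHash is empty or missing a usable value. Only the field name comes from the report; the entry nesting and values in SAMPLE_LOCK and the function names are assumptions made for illustration.

```javascript
// Added example: audit a skills lock file for entries that update checks
// would skip. Only the field name "skillFolderHash" comes from the issue;
// the nesting of entries in SAMPLE_LOCK is constructed for illustration.

// Recursively collect every object that carries a skillFolderHash key,
// recording the key path that leads to it.
function collectEntries(node, path = [], out = []) {
  if (node === null || typeof node !== 'object') return out;
  if (!Array.isArray(node) && Object.hasOwn(node, 'skillFolderHash')) {
    out.push({ path: path.join('/'), hash: node.skillFolderHash });
  }
  for (const [key, value] of Object.entries(node)) {
    collectEntries(value, [...path, key], out);
  }
  return out;
}

// An entry is untracked when its hash is not a string or is blank.
function findUntrackedSkills(lockJsonText) {
  const lock = JSON.parse(lockJsonText); // throws on a corrupt lock file
  return collectEntries(lock)
    .filter((e) => typeof e.hash !== 'string' || e.hash.trim() === '')
    .map((e) => e.path);
}

// Read a lock file from disk (dynamic import works in CommonJS and ESM).
async function auditLockFile(filePath) {
  const { readFile } = await import('node:fs/promises');
  return findUntrackedSkills(await readFile(filePath, 'utf8'));
}

// Constructed sample: one entry with a hash, one showing the reported symptom.
const SAMPLE_LOCK = JSON.stringify({
  skills: {
    'public-skill': { source: 'example-org/public-repo', skillFolderHash: 'a1b2c3' },
    'private-skill': { source: 'example-org/private-repo', skillFolderHash: '' },
  },
});

for (const entryPath of findUntrackedSkills(SAMPLE_LOCK)) {
  console.warn(`untracked skill entry (empty skillFolderHash): ${entryPath}`);
}
```

To check a real installation, call auditLockFile with the path to ~/.agents/.skill-lock.json and treat a non-empty result as a failed check.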
