Most agent frameworks assume humans manage the tool catalog. You install a CLI, write a tool schema, register it in a static manifest, and restart the agent. The agent calls tools, but it does not modify them.
Aweskill flips this. It is a CLI-first skill package manager that agents operate themselves. An agent can discover, install, update, and remove its own tools at runtime without human intervention. This introduces a new class of infrastructure problems: versioning when the agent breaks its own tooling, security boundaries when tool schemas are mutable, and observability when the capability surface changes mid-execution.
The Static Registry Assumption
Traditional agent architectures treat the tool registry as immutable configuration:
- Tools are defined in YAML, JSON, or Python decorators.
- The registry is loaded at startup.
- Changes require a restart or redeployment.
- Humans control what tools exist and what permissions they carry.
This works when tools are stable and the human is the operator. It breaks when the agent needs to adapt its capabilities based on context, install dependencies for a new task, or recover from a broken tool definition.
Aweskill’s Approach: Agent-Operated Skill Management
Aweskill treats skills (tool definitions) as first-class artifacts that agents manipulate through a CLI:
# Agent installs a skill
aweskill install awescholar
# Agent lists available skills
aweskill list
# Agent removes a broken skill
aweskill remove awescholarEach skill is a Markdown file with structured metadata. The agent reads the skill directory, parses tool schemas, and updates its capability surface without restarting. This enables:
- Dynamic capability discovery: The agent queries the skill catalog at runtime.
- Self-healing: If a tool fails, the agent can reinstall or roll back.
- Context-aware tooling: The agent installs domain-specific skills only when needed.
Architecture: Mutable Tool Registry
The core shift is from a static registry to a mutable state machine:
| Component | Static Registry | Aweskill (Mutable) |
|---|---|---|
| Tool definitions | Baked into config | Markdown files in ~/.aweskill/skills/ |
| Discovery | Load at startup | Query filesystem at runtime |
| Versioning | Git tags, Docker images | Skill metadata + rollback log |
| Security boundary | Process isolation | File permissions + schema validation |
| Observability | Static manifest diff | Audit log of skill mutations |
The agent interacts with the skill directory as a filesystem-backed database. Each skill file contains:
- Tool name and description
- Input/output schema
- Execution command or API endpoint
- Permission requirements (file access, network, etc.)
When the agent installs a skill, Aweskill writes the file, validates the schema, and updates an internal index. The agent’s tool-calling layer reads from this index on every invocation.
Versioning and Rollback
Self-modifying tool registries introduce a versioning problem. If an agent installs a broken skill or modifies a schema incorrectly, it can lose the ability to recover.
Aweskill handles this with a mutation log:
~/.aweskill/
skills/
awescholar.md
aweshelf.md
history/
2026-05-29T14:32:01-install-awescholar.json
2026-05-29T15:10:22-remove-awescholar.jsonEach mutation is logged with:
- Timestamp
- Operation (install, remove, update)
- Skill name and version
- Previous state (for rollback)
If the agent breaks a skill, it can query the history and revert:
aweskill rollback awescholar --to 2026-05-29T14:32:01This assumes the agent retains enough capability to invoke the rollback command. If the agent corrupts its own tool-calling mechanism, human intervention is required.
Security Boundaries
Allowing an agent to modify its own tool definitions creates privilege escalation risks:
- Schema injection: The agent rewrites a tool schema to accept broader inputs.
- Permission expansion: The agent modifies a skill to request filesystem or network access it did not originally have.
- Malicious skill installation: The agent installs a skill from an untrusted source.
Aweskill mitigates this with:
- Schema validation: Every skill file is validated against a JSON schema before installation. Invalid schemas are rejected.
- Permission manifests: Each skill declares required permissions (file read, file write, network). The agent cannot silently escalate.
- Sandboxed execution: Skills that execute shell commands run in a restricted environment (user-level permissions, no sudo).
- Human approval gates: High-risk operations (network access, file write outside project directory) require explicit human confirmation.
This is not foolproof. If the agent has write access to the skill directory, it can modify the schema validation logic itself. The real security boundary is filesystem permissions: the skill directory should be writable only by the agent’s user, and critical system paths should be off-limits.
Observability and Audit Trails
When the tool catalog is mutable, observability becomes harder. You cannot diff a static manifest to see what changed. You need a runtime audit log.
Aweskill logs every skill mutation:
{
"timestamp": "2026-05-29T15:10:22Z",
"operation": "install",
"skill": "awescholar",
"version": "0.2.1",
"source": "https://github.com/webioinfo/awescholar",
"permissions": ["file_read", "network"],
"agent_session": "claude-code-session-abc123"
}This log is append-only and stored outside the skill directory to prevent tampering. You can query it to answer:
- What skills did the agent install during this session?
- When did the agent remove a skill, and why?
- What permissions did a skill request at installation time?
For multi-agent systems, each agent should write to a separate log or include an agent ID in every entry. This prevents log collisions and enables per-agent auditing.
In-Flight Task Handling
What happens when an agent modifies a skill definition while another task is using it?
Aweskill does not lock the skill directory during execution. If the agent removes a skill mid-task, the tool call fails with a “skill not found” error. The agent must handle this gracefully:
- Retry the operation after reinstalling the skill.
- Fall back to a different tool.
- Escalate to the human.
A more robust approach would be to version skills and allow concurrent access:
~/.aweskill/skills/
awescholar@0.2.1.md
awescholar@0.2.2.mdThe agent specifies a version when calling a tool. If it updates the skill, in-flight tasks continue using the old version until they complete. This requires the agent framework to support versioned tool calls, which most do not yet.
Multi-Agent Skill Discovery
In a multi-agent system, each agent can have a different skill catalog. This creates a discovery problem: how does Agent A know what tools Agent B has installed?
Aweskill does not solve this natively. Each agent operates on its own skill directory. If you want shared skills, you have two options:
- Shared skill directory: All agents read from
~/.aweskill/skills/. This requires locking to prevent concurrent writes. - Skill registry service: A central service tracks which agents have which skills. Agents query the registry before delegating tasks.
The second approach is more scalable but adds latency and a single point of failure. For small teams or single-machine setups, a shared directory with file-based locking is simpler.
Deployment Shape
Aweskill is a local CLI tool. It does not require a server or database. The skill directory is the source of truth. This makes it easy to deploy:
- Install the CLI via pip or npm.
- Set the skill directory path (default:
~/.aweskill/skills/). - Give the agent write access to the directory.
For containerized agents, mount the skill directory as a volume:
volumes:
- ~/.aweskill/skills:/root/.aweskill/skillsThis persists skills across container restarts. If you want ephemeral skills (fresh catalog on every run), omit the volume mount.
Failure Modes
Self-modifying tool registries fail in predictable ways:
| Failure | Cause | Recovery |
|---|---|---|
| Agent installs broken skill | Invalid schema or missing dependency | Rollback via history log |
| Agent removes critical skill | Logic error or hallucination | Human reinstalls from backup |
| Skill directory corruption | Filesystem error or concurrent write | Restore from version control |
| Permission escalation | Agent modifies skill to request broader access | Audit log review + manual fix |
| Infinite install loop | Agent repeatedly installs/removes same skill | Circuit breaker or rate limit |
The most dangerous failure is when the agent loses the ability to call the rollback command. If the agent corrupts the skill that defines the aweskill CLI itself, you need out-of-band recovery (manual file edit or restore from backup).
Technical Verdict
Use Aweskill when:
- Your agent needs to adapt its tooling based on task context (install a PDF parser only when processing documents).
- You run multiple agents with different capability requirements and want to avoid maintaining separate manifests.
- You want agents to self-heal by reinstalling broken tools without human intervention.
- You are building a local development workflow where agents operate on a single machine.
Avoid it when:
- You need strict change control and cannot tolerate agents modifying their own capabilities.
- Your security model requires immutable tool definitions (compliance, audit requirements).
- You run agents in a distributed system where skill discovery across nodes is critical.
- Your agent framework does not support runtime tool registration (you will need to restart on every skill change).
The core trade-off is flexibility versus control. Static registries are predictable and auditable. Mutable registries enable agent autonomy but require robust versioning, logging, and rollback mechanisms. Aweskill is a practical implementation of the latter, suitable for local development and small-scale deployments where the benefits of self-management outweigh the risks of mutable state.