How Skillett Works
Skillett is a unified skills layer that sits between AI agents and external services. Instead of agents calling APIs directly, they use the Skillett CLI — and Skillett handles authentication, credential management, and request proxying.
Architecture
Agent (Claude, Cursor, Windsurf) → skillett CLI → Skillett API (Fastify) → Integration Proxy Layer → External APIs (GitHub, Gmail, Google Calendar, etc.)

The agent never touches OAuth tokens or API credentials. Everything flows through the CLI, which talks to the Skillett API, which proxies to upstream services.
Key design decisions
CLI-first, not API-first
Agents interact through the CLI (skillett run, skillett skills), not raw HTTP. This keeps the interface simple — agents call shell commands and get JSON back. The CLI wraps the REST API, so direct HTTP access is available for advanced use cases.
Proxy model
Agents never call external APIs directly. All requests go through Skillett’s proxy layer, which:
- Validates the API key
- Loads the user’s OAuth credentials (encrypted, stored server-side)
- Injects the authentication token into the upstream request
- Forwards the request to the external service
- Returns the response as structured JSON
- Automatically refreshes expired tokens on 401 responses
Skills are documentation, not code
Skills are structured markdown files that describe what an endpoint does, what parameters it accepts, and what it returns. They’re not code — they’re documentation that agents can read to understand available capabilities.
Device authorization for CLI login
The CLI uses RFC 8628 device authorization to authenticate. This works in any terminal environment — the user opens a browser, enters a code, and the CLI picks up the authorization automatically.
Data flow for a skill execution
When an agent runs skillett run github create_issue --repo acme/app --title "Bug":
- CLI parses flags into JSON params
- CLI sends POST /v1/github/create_issue with {"params": {"repo": "acme/app", "title": "Bug"}}
- API validates the Bearer token (API key)
- API checks the user has GitHub connected
- API checks plan limits (daily API calls)
- Proxy loads encrypted OAuth credentials from the database
- Proxy maps params to GitHub’s API format
- Proxy sends POST https://api.github.com/repos/acme/app/issues with the OAuth token
- Proxy returns GitHub’s response to the CLI
- CLI outputs JSON to stdout
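The CLI-side and proxy-side request shapes from the flow above, as an added example that is not Skillett's own code. The function names and the strict owner/name check are assumptions; the check is included because the repo parameter becomes part of the upstream URL path on a request that carries the user's OAuth token.

```javascript
// Added example with hypothetical helper names; not taken from Skillett's source.

// Assumed allow-list for GitHub owner and repository path segments.
const SEGMENT = /^[A-Za-z0-9_.-]+$/;

// CLI side: turn flags (--repo acme/app --title "Bug") into a params object.
function parseFlags(argv) {
  const params = {};
  for (let i = 0; i < argv.length; i += 2) {
    const flag = argv[i];
    const value = argv[i + 1];
    if (!flag.startsWith("--") || value === undefined) {
      throw new Error(`expected --name value, got: ${flag}`);
    }
    params[flag.slice(2)] = value;
  }
  return params;
}

// CLI side: the request sent to the Skillett API. Only the API key travels here.
function buildCliRequest(integration, action, params, apiKey) {
  return {
    method: "POST",
    path: `/v1/${integration}/${action}`,
    headers: { Authorization: `Bearer ${apiKey}` },
    body: { params },
  };
}

// Proxy side: map params to GitHub's format and inject the OAuth token.
// The token is added only to the upstream request, never to anything the CLI sees.
function mapCreateIssue(params, oauthToken) {
  const parts = String(params.repo).split("/");
  const valid =
    parts.length === 2 &&
    parts.every((p) => SEGMENT.test(p) && p !== "." && p !== "..");
  if (!valid) throw new Error("repo must be owner/name");
  const [owner, name] = parts;
  const { repo, ...body } = params; // repo moves into the path, the rest is the body
  return {
    method: "POST",
    url: `https://api.github.com/repos/${owner}/${name}/issues`,
    headers: { Authorization: `Bearer ${oauthToken}` },
    body,
  };
}
```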
Database overview
| Table | Purpose |
|---|---|
| profiles | User accounts |
| api_keys | API credentials (hashed, never stored in plaintext) |
| connections | Integration connections per user |
| credentials | OAuth tokens (encrypted at rest) |
| integrations | Integration definitions and metadata |
| routes | API endpoint definitions |
| skill_calls | Execution audit log |
| skill_files | Skill documentation content |
| device_codes | Pending device authorization codes |