AI coding agents are having their npm moment. This week, Addy Osmani’s agent-skills repo hit 32,000 GitHub stars in a matter of weeks. DeepSeek-TUI is pulling 5,787 stars per day. The message is clear: developers are adopting AI coding agents, and they need them to be better.

But there’s a problem no one is talking about.

Every editor has its own skill format. Claude Code has plugins. Cursor has rules. Gemini CLI has skills. Windsurf has rules. Each one is a walled garden. A developer who creates a great security audit skill for Claude Code can’t share it with a Cursor user without rewriting it.

There’s no trust layer. Simon Willison wrote this week about the uncomfortable convergence of “vibe coding” and “agentic engineering.” AI agents can now produce a polished GitHub repo with 100 commits, thorough docs, and comprehensive test coverage in 30 minutes. These outputs “look identical to projects that have had a great deal of care and attention.” Even the author can’t tell what’s genuinely vetted.

The best skills are invisible. The agent-skills repo has 20 excellent skills — but they were all written by one person (Addy Osmani, a Google engineer). What about the security team at a fintech startup who built an incredible compliance review skill? The freelance developer who perfected a React accessibility testing workflow? They have no place to share or sell their work.

This is exactly what npm solved for JavaScript packages in 2010. Before npm, people shared .js files on forums. After npm, a package could be published with npm publish, discovered with npm search, and trusted through download counts and GitHub stars.

Agent skills need the same thing.

What an Agent Skills Marketplace looks like:

  1. A unified skill format. Based on Markdown (like agent-skills’ SKILL.md), with added fields for versioning, pricing, and compatibility. One skill, all editors.

  2. Discovery and search. Find skills by category (security, testing, frontend, DevOps), by editor compatibility, by rating, by usage count.

  3. Trust signals that matter. Not just stars — actual installation counts, verified production usage, reviews from other developers. The kind of signal Simon Willison wants before trusting agent-generated code.

  4. A commercial layer. Free community skills for discoverability. Premium skills ($5-50) for specialized workflows. Authors keep 70-85% of revenue.

The agent skills ecosystem is at a fork in the road. It could fragment into editor-specific silos, with great skills trapped in walled gardens. Or it could converge on a shared marketplace where the best skills rise to the top regardless of which editor you use.

npm didn’t just make JavaScript development easier — it created an entirely new category of value. Before npm, “JavaScript library author” wasn’t a job. Today, thousands of developers make a living from open source packages.

The same opportunity exists for agent skills. Someone is going to build the npm for AI agent skills. The only question is who.