⚙️ Private review rebuild for Drew — original at agentstack.gg. This demo applies the review's recommendations (social card, explicit 3-step plan, stakes section, /AGENTS.md, contrast fixes). Not indexed.

Your agents are following instructions. Nobody approved them.

AgentStack is the private registry and governance layer for the skills — and stacks of skills — your team and your agents run on.

The problem

Right now, those instructions come from everywhere but one place.

A CLAUDE.md that was never checked into git. Someone's .cursor/rules on their laptop. A brand-voice.pdf buried in a drive. A pin in the #sales Slack channel. And skills installed straight from the open internet. Every one of them is shaping what your agents do — and none of them was reviewed.

How it works

One governed path, from upload to install.

No new runtime, no rip-and-replace. AgentStack sits above the agents you already run.

01

Upload a skill

Package context, examples, and policies as a governed unit with one owner and one version.

02

Sentinel + team gates review it

Every upload is scanned for injection and secrets, then cleared by the gates a team requires — before it can ship.

03

Teams install & subscribe

Approved skills install into Claude Code, Codex, and your repos. Subscribe once; improve it for everyone at once.

03 — Review

Sentinel scans every upload before it can ship.

The built-in security layer for all skills and stacks. It stops malicious agent instructions from reaching your team — prompt injection, hidden or override instructions, embedded secrets and credential paths, exfiltration paths, suspicious links, and over-broad tool use. On top of that, define custom gates for brand, legal, privacy, or anything unique to how a team works.

Sentinel scan — all checks passed
acme/invoice-processing v2.3 → v2.4
Prompt injection · Hidden instructions · Secrets & tokens
Exfiltration paths · Suspicious links · Tool-use scope
Finance gate: approved
Privacy gate: approved
Payment authority: pending

The cost of doing nothing

Ungoverned skills don't stay harmless for long.

A leaked secret

An installed-from-the-internet skill quietly exfiltrates a credential path your agent had access to.

An off-brand answer at scale

A laptop-local rules file ships the wrong voice to every customer an agent touches — for weeks.

An audit you can't answer

Asked "who approved this behavior and when?", the honest answer is a shrug across five tools.

FAQ

Questions, answered.

What is AgentStack?

A private registry and governance layer for your organization's AI capabilities. Every skill and stack gets one owner, one approved current version, the gates it had to clear, and a full audit trail. AgentStack does not run your agents; it governs what they're allowed to follow.

How is it different from a prompt library?

A prompt library stores text for a person to copy and paste. AgentStack governs capabilities your agents install: every skill has an owner, a reviewed version, the gates it cleared, and an audit trail. Text in a doc has none of that.

Why not just use GitHub or CLAUDE.md and .cursor/rules?

Many instructions start there, and a repo can still be a source. But a file on one laptop isn't a governed answer for the whole organization. AgentStack sits above those sources and gives every team and runtime one owner, one current version, one review trail, and one place to install from.

What does Sentinel scan for?

Prompt injection, hidden or override instructions, embedded secrets and credential paths, exfiltration paths, suspicious links, and over-broad tool use — before any team gate begins. It's a security baseline, not a full security review, and it's actively expanding.

Where can my agents install skills?

Wherever your agents already work. The CLI installs into runtimes like Claude Code and Codex, and into your repos; the Portal covers everyone else. The same approved skill lands in every target.

The loop, closed

Give your agents one source of truth.

Every instruction your agents follow has an owner, a version, and a review behind it. Nothing reaches them unapproved.