Show HN: Skillscript – A declarative, sandboxed language for tool orchestration Skillscript is a new declarative, sandboxed programming language designed for AI agents to write persistent, executable procedures, reducing cost, latency, and drift compared to transient reasoning. The language allows agents to crystallize learned routines into composable skills that can be reused and inspected. A language for agents to write themselves in. TL;DR— npm install -g skillscript-runtime && skillfile init && skillfile dashboard . See Quickstart . The problem the-problem The frame the-frame Why a new language why-a-new-language Why not just have the agent write a Skill? why-not-just-have-the-agent-write-a-skill Three kinds of skill three-kinds-of-skill What you get what-you-get The bet the-bet Quickstart quickstart Connector model connector-model Configuration & security knobs configuration--security-knobs CLI cli MCP server surface mcp-server-surface Examples examples Architecture and deep documentation architecture-and-deep-documentation Status status Contributing contributing License license AI agents are mostly transient. Every routine task is re-derived from prose reasoning. The agent that summarized a thread yesterday will summarize one tomorrow by reasoning from scratch about how to summarize threads, burning frontier inference on a procedure with a known shape, a known output format, and known failure modes. The waste compounds in three directions: cost every routine operation runs through the most expensive reasoning layer in the system , latency every operation pays the full inference cost , and drift the same task produces slightly different results each invocation because nothing crystallizes . The deeper problem is that agents have no substrate to write themselves down in . Agents are partly defined by what they can do and what they can do is currently held entirely in a soft, transient form of reasoning at inference time. There's no hard form. No place for an agent to crystallize a learned procedure into something cheap to execute, cheap to inspect, and cheap to improve. Most agent infrastructure projects today focus on memory — episodic recall, retrieval-augmented context, conversation summarization. Those projects answer "what does the agent know." They don't answer "what can the agent do" in any persistent, executable, inspectable form. Skillscript intends to answer the second question. Agents are code, and skillscript is the language they write themselves in. Not memory in the recall sense. Not prompt templates. Not configuration. Code, in the strict sense of named, typed, composable, executable artifacts that constitute capability. A skillscript skill is a declarative recipe, a small program with a dependency DAG of typed operations — that an agent authors once and the runtime fires many times. Where typical agent code is procedural Python scripts, TypeScript handlers , skillscript is orchestration-only : it composes calls into tools, models, and data stores through swappable connector contracts. Computation lives in tools; coordination lives in skills. Skill: hello Status: Approved Description: The canonical first-run example. Vars: WHO=world Hello, ${WHO} Welcome to Skillscript. That's a complete, runnable skill — and the body text is the output. No target, no boilerplate, no emit ceremony: the runtime renders the body against the skill's variables and publishes it. The same shape scales to multi-stage DAGs that classify inputs, dispatch to LLMs, query data stores, branch on conditions, and orchestrate sub-agents, all in the same declarative grammar. The obvious alternative is "let the agent write Python." Python is Turing-complete, has mature tooling, and models write it well. For one-shot exploratory work or where computation matters, Python is the right tool, and we're not proposing anyone stop using it for that. But agent-authored persistent automation has a different shape: - An agent not a human writes the code. - The code runs autonomously — cron-fired, event-triggered — with no human in the loop at execution time. - The work is dispatch-shaped : call a tool, classify a result, branch, call another tool. Not algorithmic computation. - The code needs to be auditable by humans at human tempo even though it's authored at agent tempo. For this shape, Python's strengths invert into liabilities: Turing completeness becomes a liability. An agent-authored script can do anything including things the agent didn't realize were dangerous. subprocess.run , arbitrary network calls, file writes. None of these are gated. The blast radius of a buggy agent-authored script is the whole host. Mature tooling doesn't help when the author isn't human. Debuggers and REPLs are for human iteration. Agents don't iterate that way. Direct execution magnifies failure. When an agent ships a broken Python script to production cron, there's no validation layer. The script fails silently at 3am and the human discovers it the next day. The package ecosystem becomes an unbounded attack surface. Agents that can pip install anything can install anything — including supply-chain-compromised packages. The package ecosystem assumes human review before adoption; agent adoption breaks that assumption. Skillscript deliberately constrains expressiveness. It's not Turing complete. It can't eval , can't subprocess , can't import arbitrary code. The constraint is the safety story — enforced at the language level, not as an aspiration. In exchange: Sandboxed grammar. The language can only do what configured connectors permit. Declarative legibility. Skills are DAGs of typed dispatches. A human reading a skill sees exactly which tools get called, which data writes happen, which model prompts fire. The same source produces the same audit diagram every time. Connector-mediated capability. Skills don't import packages, they invoke connectors, gated artifacts with curated tool surfaces. Python doesn't disappear from the system; it moves out of the agent's hands and into the connector implementations adopters write deliberately. The safety boundary moves to the connector edge. Static validation before admission. A skill that fails the linter can't enter the library. Structural issues, missing dependencies, undeclared variables, mutation paths without confirmation gates are caught at authorship time, not at 3am. Signed approval before effect. In secured mode, only skills carrying a valid operator signature perform effectful ops — an unapproved or tampered skill is inert no matter how it's dispatched CLI, cron, /event , MCP, composition . Approval is an Ed25519 signature applied operator-side and verified on every execution; the runtime never holds the signing key. Asymmetric cost. Routine work classify, dispatch, transform costs local-model tokens. The frontier model is reserved for the small fraction of work that actually needs frontier judgment. Skills Anthropic/OpenAI are the existing convention for giving agents named, reusable capabilities, hand-authored markdown that loads instructions into the model's context. They work, and skillscript is complementary to them, not competing. The problem with hand-authoring is that both authoring populations produce badly-shaped artifacts when working in prose: Agents authoring markdown produce artifacts shaped for humans, not agents — verbose explanations, hedging language, redundant context-setting, prose where structure would do. The result is expensive to load, noisy to parse, and hard to maintain. Humans authoring markdown produce the opposite failure modes . Either ultra-terse and missing context, or kitchen-sink comprehensive in ways that bury the actual procedure under hedges and edge cases. Making this a programming problem disciplines both populations into the right shape. The grammar doesn't permit rambling. The compiler emits structure, not prose-pretending-to-be-structure. A skillscript skill compiles into an artifact of the same shape as a hand-authored Skill — Skill: