Marketplace
The Komand marketplace is a curated catalog of skills that agents can use. Every skill is reviewed for security and quality before it receives a verified badge — this is the AppExchange model, not the npm wild west.
Philosophy
Section titled “Philosophy”Komand’s marketplace exists because open-source agent ecosystems have proven that unreviewed plugins are a security liability. Cisco found skills doing data exfiltration, prompt injection vulnerabilities are rampant, and IT departments fight “shadow AI” from unmanaged installs.
The marketplace solves this with:
- Code review — every skill is reviewed before verification
- Permission declarations — skills declare what they need upfront
- User consent — users grant specific permissions when installing
- Sandboxed execution — skills cannot access resources beyond their declared scope
- Signed packages — verified skills have a cryptographic signature for integrity
Browsing Skills
Section titled “Browsing Skills”Via Dashboard
Section titled “Via Dashboard”The web dashboard includes a marketplace browser at /marketplace with:
- Category browsing and search
- Skill detail pages with description, publisher, version history
- Ratings and reviews from other users
- Permission summary before installation
- One-click install for agents
Via API
Section titled “Via API”# Browse all verified skillscurl "https://your-instance/api/skills/?verifiedOnly=true&page=1&pageSize=20"
# Search by categorycurl "https://your-instance/api/skills/?category=crm&page=1&pageSize=20"
# Search by publishercurl "https://your-instance/api/skills/?publisherId=komand-official"Via CLI
Section titled “Via CLI”komand skill search "crm contact"komand skill info crm-contact-lookupkomand skill install crm-contact-lookup --agent defaultSkill Categories
Section titled “Skill Categories”| Category | Examples |
|---|---|
| CRM | Contact lookup, deal management, pipeline analytics |
| Communication | Email send, SMS, push notifications |
| Scheduling | Calendar booking, reminders, availability check |
| Finance | Invoice generation, payment processing, expense tracking |
| Research | Web search, market data, competitor analysis |
| Productivity | Document generation, file management, task tracking |
| Development | GitHub integration, CI/CD triggers, code review |
| Industrial | PLC data access, alarm states, site operations |
Installing a Skill
Section titled “Installing a Skill”When a user installs a skill for an agent:
- The marketplace displays the skill’s required permissions
- The user grants or denies each permission
- If all required permissions are granted, the skill is added to the agent’s enabled skills
- Credentials (API keys, tokens) are configured and stored in the secure vault
Skill requires: ["crm:read", "network:outbound"]User grants: ["crm:read", "network:outbound"]Result: ✅ Installed — skill is available to the agentSkill requires: ["crm:read", "crm:write"]User grants: ["crm:read"]Result: ❌ Missing crm:write — installation blockedPublishing a Skill
Section titled “Publishing a Skill”1. Register as a Publisher
Section titled “1. Register as a Publisher”Create a publisher account to get your publisher-id and API key:
2. Build and Test
Section titled “2. Build and Test”Follow the Skill Development guide to implement and test your skill.
3. Package
Section titled “3. Package”dotnet komand skill packThis bundles your skill into a .komandskill package.
4. Submit for Review
Section titled “4. Submit for Review”dotnet komand skill publish --api-key YOUR_PUBLISHER_KEYYour skill enters the review queue with a status of Pending Review.
5. Review Process
Section titled “5. Review Process”The Komand team reviews every submission against these criteria:
| Criteria | What We Check |
|---|---|
| Security | No data exfiltration, proper sandboxing, input validation, no hardcoded secrets |
| Permissions | Minimal permission requests with justified access for each |
| Quality | Clear documentation, comprehensive error handling, test coverage |
| Compatibility | Works across supported Komand versions |
| Content | Accurate description, appropriate naming, no policy violations |
Common rejection reasons:
- Requesting
network:outboundwithout justification - Missing error handling for edge cases
- Insufficient test coverage
- Vague or misleading skill description
6. Verification
Section titled “6. Verification”Approved skills receive:
- Verified badge — displayed in the marketplace catalog
- Cryptographic signature — SHA-256 hash for package integrity verification
- Marketplace listing — discoverable by all Komand users
- Version tracking — updates go through a streamlined re-review
Updating a Skill
Section titled “Updating a Skill”To publish a new version:
- Increment the
Versionin yourSkillDefinition - Package and publish as normal
- Updates to verified skills go through an expedited review (unless permissions change)
- Users on the previous version are notified of the update
Breaking changes to input/output schemas require a major version bump and full re-review.
Revenue Sharing
Section titled “Revenue Sharing”Skill publishers can charge for their skills and earn revenue:
| Tier | Publisher Share | Komand Share |
|---|---|---|
| Standard | 70% | 30% |
| Featured | 80% | 20% |
Featured status is granted to high-quality, high-demand skills that meet additional criteria (consistent updates, excellent reviews, publisher support).
Free skills are welcome and encouraged — they help grow the ecosystem and establish publisher reputation.
Marketplace Policies
Section titled “Marketplace Policies”Prohibited Content
Section titled “Prohibited Content”- Skills that exfiltrate user data beyond their declared scope
- Skills with undisclosed network access
- Malware, spyware, or skills with deceptive functionality
- Skills that violate third-party terms of service
Publisher Responsibilities
Section titled “Publisher Responsibilities”- Respond to security reports within 48 hours
- Maintain compatibility with current Komand releases
- Provide accurate, up-to-date documentation
- Handle user support for premium skills
Removal
Section titled “Removal”Skills can be removed from the marketplace if they:
- Are found to violate security policies post-verification
- Become incompatible and the publisher doesn’t update
- Receive consistent negative reviews without improvement
- The publisher account is suspended
Official Skills
Section titled “Official Skills”Komand publishes a set of first-party skills under the komand-official publisher. These serve as reference implementations and cover common use cases:
- komand-crm — built-in CRM contact and deal operations
- komand-calendar — scheduling and availability
- komand-email — email composition and sending
- komand-web-search — web search and summarisation
- komand-file-manager — file upload, download, and processing
Official skills are always free and verified. Their source code is included in the SDK as examples.