AI engineering skills for Root.io — secure your stack from inside your AI coding assistant.
When your AI assistant edits a package.json, pom.xml, requirements.txt, or pyproject.toml, Root.io automatically checks for vulnerable packages and surfaces security-fixed versions from the Root.io registry.
- You (or your AI assistant) edit a dependency file
- The Root.io skill runs rootio_patcher in dry-run mode
- If patches are available, you're notified inline
- Ask your AI assistant to apply them — it runs the patcher with --dry-run=false
| Platform | Integration type |
|---|---|
| Claude Code | Plugin + PostToolUse hook |
| GitHub Copilot | Skill (.github/skills/) |
| Codex | Plugin + Hook + Skill |
| Cursor | Rule (.cursor/rules/) |

| File | Ecosystem |
|---|---|
| package.json | npm |
| pom.xml | Maven |
| requirements.txt, pyproject.toml, Pipfile | pip |

- A Root.io account and API key — get one at app.root.io → Settings → API Keys
- rootio_patcher binary installed

```bash
curl -fsSL https://raw.githubusercontent.com/rootio-avr/root-ai/main/install.sh | ROOTIO_API_KEY=<your-key> bash
```

Or clone and run locally:

```bash
git clone https://github.com/rootio-avr/root-ai.git
ROOTIO_API_KEY=<your-key> bash root-ai/install.sh
```

```bash
export ROOTIO_API_KEY=<your-key>
# Add to ~/.zshrc or ~/.bashrc to persist
```

```bash
# From your project root:
cp -r path/to/root-ai/platforms/claude-code/.claude-plugin .claude-plugin
cp -r path/to/root-ai/platforms/claude-code/hooks .claude/hooks
cp -r path/to/root-ai/platforms/claude-code/skills .claude/skills
```

Or install via the Claude Code plugin registry (coming soon).

Copy the skill into your repo:

```bash
mkdir -p .github/skills
cp -r path/to/root-ai/.github/skills/rootio-patcher .github/skills/
```

Copilot auto-discovers skills in .github/skills/.

```bash
cp -r path/to/root-ai/platforms/codex/.codex-plugin .codex-plugin
cp path/to/root-ai/platforms/codex/hooks.json .
cp -r path/to/root-ai/platforms/codex/scripts .
cp -r path/to/root-ai/platforms/codex/skills .
```

The publishable OpenAI skill package lives at platforms/codex/skills/rootio-patcher/ and includes both SKILL.md and agents/openai.yaml. Codex also uses platforms/codex/hooks.json plus platforms/codex/scripts/post-edit.sh to run a Root.io dry-run after package.json, pom.xml, requirements.txt, Pipfile, or pyproject.toml edits.

```bash
mkdir -p .cursor/rules
cp path/to/root-ai/platforms/cursor/rootio-patcher.mdc .cursor/rules/
```

The installer configures ~/.npmrc automatically. To configure manually:

```ini
@rootio:registry=https://pkg.root.io/npm/
//pkg.root.io/npm/:_authToken=${ROOTIO_API_KEY}
```
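
A check for the manual npm configuration above, as an added example that is not part of the root-ai repository: it confirms that the @rootio scope resolves from the registry URL shown and that _authToken is supplied through ${ROOTIO_API_KEY} rather than stored as a literal. The function names check_rootio_npmrc and demo_npmrc and the sample file are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not from the root-ai repo: audit an .npmrc for the two
# Root.io entries. Prints one finding per line; returns 0 when clean.
check_rootio_npmrc() {
  local file="$1" findings=0 have_registry=0 have_token=0 line key value
  [ -f "$file" ] || { echo "missing: $file"; return 1; }
  while IFS= read -r line || [ -n "$line" ]; do
    # npmrc is ini-style: drop whitespace and CRs, skip blanks and comments.
    line=$(printf '%s' "$line" | tr -d '[:space:]')
    case $line in ''|'#'*|';'*) continue ;; esac
    key=${line%%=*}; value=${line#*=}
    case $key in
      @rootio:registry)
        have_registry=1
        if [ "$value" != "https://pkg.root.io/npm/" ]; then
          echo "registry: @rootio scope resolves from $value"; findings=1
        fi ;;
      //pkg.root.io/npm/:_authToken)
        have_token=1
        # npm expands ${VAR} when it reads the file; any other value is a
        # secret at rest. The value itself is never echoed.
        if [ "$value" != '${ROOTIO_API_KEY}' ]; then
          echo "token: literal _authToken stored in file"; findings=1
        fi ;;
    esac
  done < "$file"
  [ "$have_registry" -eq 1 ] || { echo "registry: @rootio scope not set"; findings=1; }
  [ "$have_token" -eq 1 ] || { echo "token: no _authToken for pkg.root.io"; findings=1; }
  return "$findings"
}

# Constructed sample: plain-http registry and a hard-coded placeholder token.
demo_npmrc() {
  local tmp rc=0
  tmp=$(mktemp)
  cat > "$tmp" <<'EOF'
# constructed sample, not a real credential
@rootio:registry=http://pkg.root.io/npm/
//pkg.root.io/npm/:_authToken=EXAMPLE-NOT-A-REAL-KEY
EOF
  check_rootio_npmrc "$tmp" || rc=$?
  rm -f "$tmp"
  return "$rc"
}

demo_npmrc || echo "npmrc needs attention"
```

Run it as `check_rootio_npmrc ~/.npmrc`; a non-zero exit means at least one finding was printed.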
The installer creates ~/.m2/settings.xml if it doesn't exist. If you already have one, add the Root.io server and repository manually — see docs.root.io/maven.
No configuration needed — rootio_patcher handles the registry via --index-url automatically.

```bash
# Check for available patches (dry-run, default)
rootio_patcher npm remediate
# Apply patches
rootio_patcher npm remediate --dry-run=false
# Other ecosystems
rootio_patcher maven remediate --dry-run=false
rootio_patcher pip remediate --dry-run=false
```

```bash
# Run tests
bats tests/
# Regenerate platform files from skill.md
bash build.sh
```

The skill.md file is the single source of truth for generated skill content. build.sh regenerates the skill payloads and Codex agent metadata. Hook scripts remain platform-specific source files.

Apache 2.0 — see LICENSE.