AI Skill Governance

Know exactly what
your AI can do.
And who approved it.

Vettory is the approval and distribution layer for AI skills. Every skill your teams run — in chat, in documents, in the terminal — reviewed before it ships, versioned when it changes, logged when it runs.

Nothing reaches an employee's agent without passing review.

One immutable, exportable audit trail: every approval, install, and revocation.

Access follows your identity provider — personal, team, or org scope, enforced automatically.

The problem

Your teams are already installing skills. Nobody's reviewing them.

A skill with shell access gets pasted from a blog post into fifty laptops. No one signed off.

Security asks "who can run what?" — and the honest answer is a shrug.

The prompt that handles customer data was edited last month. By whom? To say what?

Great work still dies in chat threads, while risky work spreads without review.

With Vettory

One approval path. Every agent surface.

Skills pass review — automated scanning plus a human approver — before anyone can install them.

Every version is snapshotted; every install, approval, and rollback is logged with actor and timestamp.

New starters say "update my skills" on day one and get the team's approved set. Nothing else.

Usage analytics show what's actually being run — and what's quietly spreading.

How it works

From idea to approved skill
in under a week.

Every skill follows one lifecycle: draft, review, approve, install. No governance theatre — a clear path from a good idea to a governed capability.

01

Write

Create a SKILL.md file with a YAML frontmatter block and your instructions for Claude. Submit it to the registry.

Draft

02

Review

Automated scanning flags risky capabilities; your designated reviewers check quality and fit. High-severity findings block approval.

Pending

03

Approve

Once approved, the skill is published to the registry at its version tag. Previous versions remain accessible.

Approved

04

Install

Team members say "update my skills" in their agent. Vettory syncs the latest approved versions to every surface they use.

Live

Getting connected

Connect once.
Skills stay current.

No copy-pasting prompts, no files to keep in sync. Your teams connect their agent to Vettory once — after that, the approved skill set arrives on demand and updates itself.

01

Install the extension

Add the Vettory extension in Claude (Settings → Extensions) — a one-click .mcpb install, no config files or CLI. On CLI and IDE surfaces it connects as an MCP server the same way.

02

Authenticate once

A secure device-flow login links the agent to your Vettory org. Tokens are kept in your OS keychain, and your identity provider decides which skills you're entitled to — no separate account to manage.

03

Claude pulls skills just in time

Say "update my skills" and the agent syncs your entitled, approved skills straight into the surface — always the latest approved version, and automatically removed the moment your access changes.

Skills sync into the surface Claude already reads — nothing new to open, nothing to remember to update.

Inside the admin panel

The screens your auditor will ask for.

These are the live Audit & Compliance and Access & Policy views in every org — the same ones a reviewer or security assessor gets handed.

/audit

Audit & Compliance

Every approval, distribution and lifecycle event — immutable and exportable

WHEN
EVENT
TARGET
SCOPE
2m ago
Approved
SQL Query Builder v2.1.0
org
41m ago
Submitted
PR Review Assistant v1.4.2
team
3h ago
Distributed
Daily Briefing v3.0.1
personal
1d ago
Revoked
Legacy Onboarding Prompt v1.0.0
org
142 events · retained 7 years · tamper-evident
/access

Access & Policy

Who gets which skills, on which surfaces — and the rules that gate every change

Require review for org-wide distribution

Any skill distributed beyond its author must pass a reviewer.

Two reviewers for shell capability

Skills requesting shell access need two distinct approvals.

Block approval on failing scan

Reviewers cannot approve while the scan reports HIGH findings.

Groups are synced from your identity provider — no local user management to maintain.

For the people doing the work

Governance they'll never notice.
Skills they'll actually use.

orgv2.1.0

SQL Query Builder

Generates optimised SQL from plain English. Supports Postgres, MySQL, and BigQuery dialects.

sqldata
✓ ApprovedInstall →
teamv1.4.2

PR Review Assistant

Thorough code review with actionable items, test suggestions, and security flag checks.

devcode
✓ ApprovedInstall →
personalv3.0.1

Daily Briefing

Personalised AI digest — calendar, emails, and key metrics summarised every morning.

productivity
✓ ApprovedInstall →

Browse and install in plain language — always the approved version, updated the moment it clears review.

Technical spec

Skills are just Markdown.
The governance is the product.

A skill is a SKILL.md file — YAML frontmatter, free-form body. Powerful enough to warrant review; simple enough to write in an afternoon.

Plain Markdown, no lock-in

Skills are .md files. You own them. Export everything, any time.

Semantic versioning built in

Every submission is a snapshot. Roll back at any time.

Scoped RBAC

Personal, team, or org. Admins control who publishes at each level.

Audit log

Every install, approval, and rejection logged with timestamp and actor, exportable — evidence for SOC 2 and similar programmes.

SKILL.md
---
name: sql-query-builder
description: Generate optimised SQL from plain English
version: 2.1.0
scope: org
tags: [sql, data, postgresql]
---

# SQL Query Builder

You are an expert SQL engineer. When the user describes a
query in plain English, translate it into optimised SQL
for the target dialect (default: PostgreSQL).

## Rules

- Always use parameterised queries ($1, $2, ...)
- Prefer CTEs over nested subqueries
- Add an EXPLAIN comment for queries touching >100k rows
- Flag any unindexed column in a WHERE clause

## Examples

User: "top 10 customers by revenue last quarter"
→ Generate a CTE-based query with date math and LIMIT

Security & compliance

Built for teams whose security team asks questions.

The answers your reviewers actually need — not buried three clicks deep.

Immutable, exportable audit trail

Every approval, distribution, rollback, and revocation is logged with actor, timestamp, and scope. Events are retained for 7 years and tamper-evident — export the full log to CSV at any time.

Enforced review gates, not policy documents

Org-wide distribution requires reviewer approval, shell-capable skills require two distinct reviewers, and approval is blocked automatically while a security scan reports high-severity findings.

SSO / identity provider sync

Groups and team membership sync from your identity provider. There is no separate local user database for Vettory to manage, or leak.

Deploy on your infrastructure, or ours

Run Vettory self-hosted on your own Postgres and Redis, or as a managed deployment — either way, skill content lives in your registry instance, data residency follows your deployment choice, and nothing is ever used to train a model.

Scanning and review reduce risk; they don't eliminate it. Your approvers decide what ships — Vettory makes sure that decision is informed, enforced, and on the record.

Pricing

You pay for governance. Using skills is free.

You pay for governance, not for using skills. Every plan includes governance seats to get started, unlimited skills, unlimited versions, unlimited free consumers, and distribution to every agent surface your teams use — chat, knowledge work, and CLI/IDE.

Business

Best for AI-native teams up to ~500 people

£1,500/month platform fee

2 Governance Admins, 5 Team Managers, 1 Auditor included

Skill consumers: free, unlimited

Request access
Additional Governance Admin seats£79/seat/mo
Additional Team Manager seats£29/seat/mo
Additional Auditor seats£19/seat/mo
Approval workflowSingle-stage
Access controlBasic RBAC
Cross-surface syncAll supported agent surfaces
In-agent discovery (MCP)
Security scanning at the gate
Version history & rollback
Provenance & skill bill of materials
SSO / SCIM
Audit & SIEM export
DeploymentCloud
SupportStandard
For regulated teams

Enterprise

For organisations with compliance, security review, and audit obligations

From £5,000/month platform fee

3 Governance Admins, 10 Team Managers, unlimited Auditors included

Skill consumers: free, unlimited

Talk to sales
Additional Governance Admin seats£89/seat/mo
Additional Team Manager seats£35/seat/mo
Additional Auditor seatsIncluded
Approval workflowMulti-stage approval matrices
Access controlAdvanced RBAC, team hierarchies
Cross-surface syncAll supported agent surfaces
In-agent discovery (MCP)
Security scanning at the gate
Version history & rollback
Provenance & skill bill of materials
SSO / SCIM
Audit & SIEM export
DeploymentCloud, VPC, or on-prem*
SupportPriority, with SLA

* Self-hosted (VPC/on-premises) deployment carries a 35% platform fee premium.

FAQ

Common questions.

Which AI platforms does Vettory work with?

Is Vettory itself SOC 2 certified?

Can Vettory guarantee a skill is safe?

Is the content of skills visible to Vettory?

What happens to old versions?

How long does setup take?

Get started

Ship skills your security team
has already said yes to.

We're onboarding design partners now — working directly with our founding team, with pricing locked for twelve months.

Request access

Response within 24 hours. No credit card required.