Show HN: MinimumReleaseAge-style protection for Agent Skills

I’ve been building `agent-skill-porter`, a CLI for managing AI agent Skills across ecosystems:

https://github.com/skill-mill/agent-skill-porter

One thing that bothered me is that Skills usually sit outside normal package-manager protections.

Package ecosystems are increasingly using ideas like pnpm’s `minimumReleaseAge` and uv’s `--exclude-newer` to avoid pulling in artifacts that are too new. But Skills often aren’t package-managed at all, even though they may include helper scripts, downloaded artifacts, and even binaries.

Given recent supply-chain incidents like the axios compromise, and research like Snyk’s ToxicSkills report, that felt like a real gap.

So I added a cooldown mechanism based on the Git tree hash of the skill directory.

The CLI now resolves a Skill from Git history, treats the skill directory tree as the release unit, and only installs/updates to a tree that is older than a configured minimum age. If the latest one is too new, it falls back to the newest eligible older tree.

This is implemented as `--min-age` for add/download/update. ex. `sk add https://github.com/remotion-dev/skills --min-age 30`

I’d be especially interested in feedback on whether “directory tree hash” seems like the right trust/version boundary for non-package-managed AI artifacts.