Use a rig

Inspect before installing

rig inspect — read the manifest of an artifact without extracting it.

rig inspect <source>

The source can be anything that rig use accepts:

rig inspect hub:maria/market-researcher
rig inspect github:acme/agents-research@v0.4.1
rig inspect ./dist/foo-0.1.0.rig.tgz
rig inspect registry:maria/market-researcher

What it shows

  • The manifest, section by section (identity, what gets shared, env, tools, MCP, plugins, permissions, install hooks, run instructions, collab).
  • The file list inside the tarball.
  • The artifact SHA-256 (when available from the source).
  • Warnings — if the artifact contains anything that looks like a secret, large binaries, or other surprises.

Why you'd use it

  • Before installing a stranger's rig. Read the manifest first; check the install hooks; check the permissions.
  • Before publishing your own. rig pack && rig inspect ./dist/... is the last sanity check before rig hub publish.
  • Auditing the supply chain. Inspect a pinned version and compare to a later version.
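
The supply-chain comparison above can be scripted against the --json output. The following is an added example, not part of rig or its documentation: it diffs two parsed manifests and marks changes in the sections worth reading before an upgrade. The key names (install_hooks, permissions, env, tools, mcp, plugins), the permission strings and the sample manifests are assumptions, since the page does not document the JSON shape.

```python
import json

# Assumed top-level key names: the page lists these manifest sections but does
# not document the JSON shape, so adjust to what `rig inspect --json` prints.
SENSITIVE = {"install_hooks", "permissions", "env", "tools", "mcp", "plugins"}

def flatten(node, path=""):
    """Yield (path, value) for every leaf of a parsed JSON document."""
    if isinstance(node, dict):
        for key in sorted(node):
            yield from flatten(node[key], f"{path}/{key}")
    elif isinstance(node, list):
        for i, item in enumerate(node):
            if isinstance(item, (dict, list)):
                yield from flatten(item, f"{path}/{i}")
            else:  # key scalar entries by value so reordering is not a change
                yield f"{path}/[{json.dumps(item)}]", item
    else:
        yield path, node

def diff_manifests(old, new):
    """Return (kind, path, old_value, new_value, sensitive) per difference."""
    a, b = dict(flatten(old)), dict(flatten(new))
    changes = []
    for path in sorted(a.keys() | b.keys()):
        if path in a and path in b:
            if a[path] == b[path]:
                continue
            kind = "changed"
        else:
            kind = "added" if path in b else "removed"
        section = (path.split("/") + [""])[1]
        changes.append((kind, path, a.get(path), b.get(path), section in SENSITIVE))
    return changes

# Constructed sample data standing in for the JSON of a pinned and a later version.
PINNED = {"identity": {"name": "example/demo-rig", "version": "1.0.0"},
          "permissions": ["net:api.example.com", "fs:read"],
          "install_hooks": [],
          "env": {"API_KEY": {"required": True}}}
LATER = {"identity": {"name": "example/demo-rig", "version": "1.1.0"},
         "permissions": ["fs:read", "fs:write", "net:api.example.com"],
         "install_hooks": [{"run": "sh setup.sh"}],
         "env": {"API_KEY": {"required": True}}}

if __name__ == "__main__":
    for kind, path, old, new, sensitive in diff_manifests(PINNED, LATER):
        flag = "REVIEW" if sensitive else "      "
        print(f"{flag} {kind:8} {path}: {old!r} -> {new!r}")
```

To run it on real artifacts, save the --json output of rig inspect for each version to a file and pass the two json.load results to diff_manifests in place of the sample dictionaries.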

Flags

Flag      What
--json    Machine-readable output. The Hub UI uses the same shape.
--plain   Suppress colors.