Hub
Use Hub to browse, publish, pull, and reuse capabilities, security tasks, datasets, and models before you run or evaluate anything.
Hub is the shared registry surface in the app and the package registry behind reusable capabilities, security tasks, datasets, models, and task environments.
Use it when the question is “what reusable thing do I want to inspect, install, publish, compare, or pin before I start work?”
What lives in Hub
Section titled “What lives in Hub”| Surface | What it is for |
|---|---|
| Capabilities | reusable bundles of agents, tools, skills, and MCP servers |
| Security Tasks / Environments | reusable challenge definitions with environment and verification logic |
| Datasets | pinned shared inputs for evaluations, training, and reproducible experiments |
| Models | stored model artifacts with versions, aliases, metrics, and downloads |
The artifact lifecycle
Section titled “The artifact lifecycle”Across all four families, the lifecycle is the same even though the verbs differ a little:
- author or edit the local source directory
- inspect or validate it before publishing
- push it into the organization registry
- change visibility when other orgs should see it
- pull, install, or download it when another workflow needs it
- run or reference the pinned version from compute, evaluation, training, or optimization flows
That shared lifecycle is the main reason Hub matters. It is the durable “what are we using?” layer between local authoring and execution.
References and naming
Section titled “References and naming”Hub refs are organization-scoped. In the CLI, the most common forms are:
Three details matter in practice:
- Capabilities, datasets, and models are versioned assets. If you omit the version in CLI commands
like
info,pull, orinstall, the command resolves the latest version first. - Tasks are different. The publishing pipeline stores a version from
task.yaml, but the CLI and API address tasks by name and treat the latest published task as the active one. - Low-level SDK helpers use two URI styles:
dn.load()usesscheme://org/name@versiondn.pull_package()uses OCI-stylescheme://org/name:version
import dreadnode as dn
# Pull packages into local storage or the local package cache firstdn.pull_package( [ "dataset://acme/support-evals:1.0.0", "model://acme/vuln-classifier:2.1.0", "capability://acme/recon-kit:1.2.0", "environment://acme/sqli-lab", ])
# Then open pulled dataset or model artifacts locallyCommon workflows
Section titled “Common workflows”- browse the catalog before installing a capability into a runtime
- inspect a task or environment before using it in an evaluation
- pin a dataset version for training, benchmarking, or optimization
- compare model artifact versions before promotion or download
Naming note
Section titled “Naming note”The app and docs use slightly different language around tasks:
taskis the durable object used in the CLI and APISecurity Taskis the clearer docs label- some app copy uses
environmentbecause the task includes a runnable environment
In SDK internals and pull URIs, task packages are stored as environment packages. The CLI keeps
the user-facing command name task.
Create local artifacts before publishing
Section titled “Create local artifacts before publishing”Hub packages always start as local content on disk.
| Package type | How you create it locally | Key local files |
|---|---|---|
| Capabilities | Scaffold with dreadnode capability init or hand-author the directory | capability.yaml, agents/, optional skills/, optional .mcp.json |
| Datasets | Create the directory manually, then preview it with dreadnode dataset inspect | dataset.yaml plus the data files it references |
| Models | Create the directory manually, then preview it with dreadnode model inspect | model.yaml plus model weights or adapter files |
| Tasks | Scaffold with dreadnode task init or hand-author the directory | task.yaml, docker-compose.yaml, challenge/Dockerfile, optional verify.sh, optional solution.sh |
# Scaffold a capabilitydreadnode capability init recon-kit \ --description "Recon helpers" \ --with-skills \ --with-mcp
# Scaffold a task environmentdreadnode task init sqli-lab --with-verify --with-solutionDatasets and models do not currently have matching init commands in the CLI. For those artifact
types, the normal flow is: create the directory yourself, add dataset.yaml or model.yaml, then
use inspect before you push.
CLI and SDK workflows
Section titled “CLI and SDK workflows”dreadnode capability list --search recon --include-public
dreadnode dataset list --include-public
dreadnode model listdreadnode model compare vuln-classifier 1.0.0 2.0.0
dreadnode task list --search sqldreadnode task info sqli-labdreadnode capability validate ./capabilities/recon-kitdreadnode capability push ./capabilities/recon-kit --public
dreadnode dataset inspect ./datasets/support-evalsdreadnode dataset push ./datasets/support-evals
dreadnode model inspect ./models/vuln-classifierdreadnode model push ./models/vuln-classifier
dreadnode task validate ./tasks/sqli-labdreadnode task validate sqli-lab --pulldreadnode task push ./tasks/sqli-lab --publicimport dreadnode as dn
dn.configure( server="https://api.example.com", api_key="dn_key_...", organization="acme",)
# Publish local content to the Hubdn.push_capability("./capabilities/recon-kit", public=True)dn.push_dataset("./datasets/support-evals")dn.push_model("./models/vuln-classifier")dn.push_environment("./tasks/sqli-lab", public=True)
# Pull packages for local reusedn.pull_package( [ "dataset://acme/support-evals:1.0.0", "model://acme/vuln-classifier:2.1.0", "capability://acme/recon-kit:1.2.0", "environment://acme/sqli-lab", ])
# Load versioned Hub artifacts after they are locally availableTwo SDK-specific details are easy to miss:
dn.load_capability()loads a local capability by path or installed name. There is no matchingdn.load("capability://...")convenience loader in the current SDK.dn.list_registry("datasets"),dn.list_registry("models"),dn.list_registry("capabilities"), anddn.list_registry("environments")expose the mixed local and remote registry view when you need programmatic discovery.dn.load()anddn.load_package()open packages that are already locally available. Pull first when you are starting from a remote Hub ref.
Install, pull, and load are different
Section titled “Install, pull, and load are different”These operations sound similar but mean different things in Dreadnode Hub.
| Package type | Install | Pull / download | Load / use |
|---|---|---|---|
| Capabilities | dreadnode capability install activates the capability for local agents and the TUI | dreadnode capability pull downloads to the local package cache without activating it | dn.load_capability() loads a local capability by path or installed name |
| Datasets | No dedicated install step | dreadnode dataset pull prints a pre-signed URL or saves a file with --output; dn.pull_package(["dataset://..."]) caches the package manifest locally | dn.load("dataset://org/name@version"), dn.load_package(...), or Dataset("org/name") |
| Models | No dedicated install step | dreadnode model pull prints a pre-signed URL or saves a file with --output; dn.pull_package(["model://..."]) caches the package manifest locally | dn.load("model://org/name@version") or dn.load_package(...) after the package is available |
| Tasks | No dedicated install step | dreadnode task pull extracts the environment package to the local package cache for inspection or forking | run it as a pulled environment package or publish it back after changes |
For datasets and models, dn.pull_package() stores the versioned manifest locally so the SDK can
resolve it later. The actual large artifacts are fetched from CAS or object storage on demand.
Advanced artifact management
Section titled “Advanced artifact management”When you need lifecycle operations beyond the basic list/info/pull flow, use the more specific commands below:
dreadnode capability sync ./capabilities/recon-kit
dreadnode dataset inspect ./datasets/support-evals
dreadnode model compare vuln-classifier 1.0.0 2.0.0dreadnode model alias set vuln-classifier stable 2.0.0
dreadnode task validate ./tasks/sqli-labdreadnode task sync ./tasks/sqli-labdreadnode task delete sqli-labThe CLI group names are the stable mental model:
dreadnode capability syncanddreadnode capability deletefor capability upkeepdreadnode dataset inspect,dreadnode dataset pull --split, anddreadnode dataset deletefor dataset artifact managementdreadnode model compare,dreadnode model alias,dreadnode model metrics, anddreadnode model deletefor model promotion and cleanupdreadnode task validate,dreadnode task sync, anddreadnode task deletefor task packages
For scripted registry access, see the API Client.
Current TUI coverage
Section titled “Current TUI coverage”The current TUI codebase does not expose a single all-in-one Hub screen. Hub workflows are split across separate screens instead:
/capabilitiesmanages capability installs and updates for the active runtime/environmentsbrowses task environments/modelsopens the inference model picker, not the Hub model registry
What agents should assume
Section titled “What agents should assume”- prefer pinned refs like
org/name@versionwhenever reproducibility matters - registry state is separate from runtime installation or execution state
- Hub is the right place to decide what artifact to use before moving into evaluations, optimization, training, or compute surfaces
For the artifact-specific surfaces, use Capabilities, Security Tasks & Environments, Datasets, and Models. For scripted registry access, use Packages and Registry, the SDK API Client, or SDK Data depending on whether you are publishing, inspecting, or loading artifacts.