diff --git a/docs/superpowers/plans/2026/05/12/local-skill-upload-plan.md b/docs/superpowers/plans/2026/05/12/local-skill-upload-plan.md
new file mode 100644
index 0000000000..102dfab13b
--- /dev/null
+++ b/docs/superpowers/plans/2026/05/12/local-skill-upload-plan.md
@@ -0,0 +1,144 @@
+# Local Skill Upload Implementation Plan
+
+> Source design: `docs/superpowers/specs/2026/05/12/local-skill-upload-design.md`
+
+## Goal
+
+Add a fourth creation method to the Add Skill dialog — "Upload folder or zip" — so users can select one or more local skill directories or zip bundles, preview detected skills in the browser, and submit them to a dedicated batch-import API.
+
+## Architecture
+
+```
+Browser                                     Server
+┌─────────────────────────────┐           ┌──────────────────────────────┐
+│ local-skill-upload.ts       │           │ skill_import_local.go        │
+│ · path normalization        │           │ · path/size/count validation │
+│ · SKILL.md discovery        │  POST     │ · null byte sanitization     │
+│ · group by skill root       │ ───────>  │ · createSkillWithFiles       │
+│ · file read + UTF-8 check   │ /import-  │ · duplicate name → skipped   │
+│ · skip policy + preview     │  local    │ · structured per-item result │
+│ · candidateToImportRequest  │           └──────────────────────────────┘
+│                             │
+│ local-skill-upload-panel.tsx │
+│ · drag-drop / folder / zip  │
+│ · single / multi preview    │
+│ · editable name & desc      │
+│ · batch select (max 16)     │
+│ · import progress & summary │
+└─────────────────────────────┘
+```
+
+## Module Boundaries
+
+| Package | File | Responsibility |
+|---|---|---|
+| `packages/views/skills/utils/` | `local-skill-upload.ts` | Pure functions: path normalization, SKILL.md discovery, file grouping, limit checks, zip parsing, drag-drop reading |
+| `packages/views/skills/components/` | `local-skill-upload-panel.tsx` | UI component: drop zone, preview, editing, import, result summary |
+| `packages/views/skills/components/` | `create-skill-dialog.tsx` | Entry point: add `upload` method card |
+| `packages/views/skills/lib/` | `origin.ts` | Add `uploaded_bundle` origin type |
+| `packages/views/skills/components/` | `skill-columns.tsx`, `skill-detail-page.tsx` | Display uploaded_bundle source info |
+| `packages/views/locales/` | `en/skills.json`, `zh-Hans/skills.json` | i18n strings |
+| `packages/core/types/` | `agent.ts`, `index.ts` | Shared TS types |
+| `packages/core/api/` | `client.ts`, `schemas.ts` | API method + Zod response schema |
+| `server/internal/handler/` | `skill_import_local.go` | Handler: decode, validate, create, publish events |
+| `server/cmd/server/` | `router.go` | Register `POST /api/skills/import-local` |
+
+## Limit Alignment
+
+| Parameter | Client Constant | Server Constant | Notes |
+|---|---|---|---|
+| Per-file size | `MAX_SKILL_FILE_BYTES` = 1 MiB | `maxLocalUploadedSkillFileBytes` = 1 MiB | Includes SKILL.md itself |
+| Files per skill | `MAX_SKILL_FILES` = 128 | `maxLocalUploadedSkillFiles` = 128 | Excludes SKILL.md |
+| Text per skill | `MAX_SKILL_ACCEPTED_BYTES` = 8 MiB | `maxLocalUploadedSkillTotalBytes` = 8 MiB | UTF-8 bytes |
+| Skills per import | `MAX_LOCAL_SKILL_IMPORT_BATCH` = 16 | `maxLocalUploadedSkills` = 16 | |
+| HTTP request body | — | `maxLocalUploadedSkillRequestBytes` = 32 MiB | Covers JSON escaping overhead |
+
+## Security Boundaries
+
+- **Path validation**: Client `normalizeUploadPath` rejects absolute paths and `..` traversal; server `normalizeLocalUploadedSkillFilePath` additionally rejects hidden files (`.` prefix), metadata files (Thumbs.db, desktop.ini), null bytes, Windows drive paths, and SKILL.md overwrites
+- **UTF-8 validation**: Client uses `TextDecoder("utf-8", { fatal: true })`; non-UTF-8 files are skipped as `binary_file`
+- **Null bytes**: Client detects and skips files containing `\0`; accepted text has null bytes stripped before submission; server calls `sanitizeNullBytes` on all fields
+- **Zip safety**: Checks `uncompressedSize` before inflating; only inflates entries under detected skill roots; skips oversized entries instead of rejecting the entire zip
+- **Request body limit**: `http.MaxBytesReader` truncates before JSON decode to bound memory allocation
+- **File input reset**: Clears `<input>` value after selection so the same path can be re-selected
+
+## Test Strategy
+
+### Client Unit Tests (Vitest)
+
+**`local-skill-upload.test.ts`** — 27 tests covering:
+- Frontmatter parsing
+- Single/multi skill root grouping
+- Root-level skill bundle supporting file retention
+- Source label composition
+- Nested SKILL.md ownership
+- Hidden/binary/oversized/traversal file skipping
+- Non-UTF-8 file skipping
+- Oversized SKILL.md surfaced as `unreadable_skill_md`
+- UTF-8 byte counting (CJK multi-byte)
+- File count/byte budget short-circuit (stops reading excess files)
+- Zip path traversal rejection
+- Zip oversized entry marking (no inflate)
+- Zip oversized SKILL.md marker preservation
+- Zip per-skill independent file counting
+- Zip hidden files not consuming budget
+- Zip entries outside detected roots ignored
+
+**`local-skill-upload-panel.test.tsx`** — 7 tests covering:
+- Missing SKILL.md error display
+- Single skill preview and import
+- Zip drag-and-drop import
+- Batch selection UX beyond 16 skills
+- Partial success dialog retention with result summary
+- zh-Hans localization verification
+- File input reset
+
+**`create-skill-dialog.test.tsx`** — 2 tests covering:
+- Upload method card presence
+- Chinese title rendering
+
+**`origin.test.ts`** — 1 test covering uploaded_bundle origin
+
+**`client.test.ts`** — 3 tests covering:
+- API endpoint path and method
+- Response schema parsing
+- Malformed response fallback
+
+### Server Unit Tests (Go test)
+
+**`skill_import_local_test.go`** — 14 tests covering:
+- Valid skill creation with files
+- Duplicate name skip + continue
+- Path traversal rejection
+- Single file size limit rejection
+- SKILL.md size limit rejection
+- SKILL.md path cleaning rejection
+- Request body size rejection
+- Large payload rejection before decode
+- Batch size (>16 skills) rejection
+- JSON-escaped content within decoded bundle limit
+- Multi-skill JSON-escaped batch acceptance
+- Hidden file path rejection
+- Metadata file path rejection
+- Backslash path traversal rejection
+
+## Risks
+
+1. **Drag-and-drop compatibility**: `webkitGetAsEntry` is a non-standard API; some browsers may not support directory traversal. The code includes a plain-file fallback path.
+2. **Zip decompression memory**: Zips with many small files may allocate significant browser memory. Mitigated by pre-inflate size checks and per-root file count limits.
+3. **JSON escaping overhead**: Files with many special characters expand significantly under `JSON.stringify`. The server request cap (32 MiB) provides sufficient headroom for the decoded limits (8 MiB × up to 16 skills).
+
+## Acceptance Criteria
+
+- [x] Add Skill dialog shows four creation methods (manual, URL, runtime, upload)
+- [x] Folder picker imports a single skill
+- [x] Zip file imports a single skill
+- [x] Folder/zip imports multiple skills with select/deselect
+- [x] Preview shows skipped files with reasons
+- [x] Duplicate names reported as skipped without affecting other skills
+- [x] Partial success keeps dialog open with result summary
+- [x] Hidden, binary, and oversized files correctly skipped
+- [x] Server-side validation on paths, sizes, and counts
+- [x] API responses validated through Zod schema; malformed responses degrade safely
+- [x] en and zh-Hans localization complete
+- [x] All unit tests pass
diff --git a/docs/superpowers/specs/2026/05/12/local-skill-upload-design.md b/docs/superpowers/specs/2026/05/12/local-skill-upload-design.md
new file mode 100644
index 0000000000..f069413fba
--- /dev/null
+++ b/docs/superpowers/specs/2026/05/12/local-skill-upload-design.md
@@ -0,0 +1,264 @@
+# Local Skill Upload Design
+
+## Context
+
+The Skills page already supports three creation paths in
+`packages/views/skills/components/create-skill-dialog.tsx`:
+
+- manual skill creation
+- URL import from ClawHub, Skills.sh, or GitHub
+- copying an installed skill from an online local runtime
+
+Upstream issue `multica-ai/multica#478` asks for importing a local skill
+directory or zip, and `#702` clarifies the same workflow in Chinese: users may
+receive or create a skill bundle locally and want to upload it into the
+workspace. PR `#913` explores CLI and backend support for local directory
+imports, while PR `#460` explores a browser-side folder picker. The product gap
+left between those approaches is a first-class Web entry for user-selected local
+folders or zip bundles that fits the current dialog architecture.
+
+## Product Goal
+
+Users can import one or more local skill bundles into the current workspace from
+the Add Skill dialog without publishing the skill to a remote registry and
+without relying on a local runtime scan.
+
+The feature should make the source choices clear:
+
+- `Import from URL` is for ClawHub, Skills.sh, and GitHub links.
+- `Copy from runtime` is for skills already installed in a local runtime.
+- `Upload folder or zip` is for files selected from the user's computer.
+
+## Entry Point
+
+Add a fourth method card to the Add Skill chooser:
+
+`Upload folder or zip`
+
+The card uses a familiar upload or folder-upload icon and a short description:
+`Import a local skill folder or zipped skill bundle.`
+
+Choosing this card opens a wider dialog body, matching the interaction density
+of `RuntimeLocalSkillImportPanel` rather than the narrow URL form.
+
+## Upload Panel
+
+The upload panel has three stable regions.
+
+The top region contains the file input surface:
+
+- a dashed drop zone labelled `Drop a skill folder or .zip here`
+- `Choose Folder` and `Choose Zip` buttons
+- a compact hint that a valid skill must contain `SKILL.md`
+
+The middle region is a preview and validation surface. After selection, the
+client scans the selected files and displays either a single-skill preview or a
+multi-skill list.
+
+For a single skill, show:
+
+- editable skill name
+- editable description
+- detected root folder or zip name
+- file count
+- `SKILL.md` as the main file
+- supporting file list
+- skipped file list with reasons
+
+For multiple detected skills, show a checklist:
+
+- one row per detected skill root
+- checkbox for valid rows
+- editable name and description per row
+- file count per row
+- disabled rows for invalid groups, with the validation reason
+
+The bottom region contains the import summary and action:
+
+- single skill: `Ready to import "<name>" into workspace`
+- multiple skills: `Ready to import <n> skills into workspace`
+- primary button: `Import` or `Import <n> skills`
+- during import: `Importing <done> / <total>`
+
+## Skill Detection
+
+The client normalizes all selected paths to forward-slash relative paths and
+groups files by the nearest directory containing `SKILL.md`.
+
+Detection rules:
+
+- If the selected root itself contains `SKILL.md`, treat it as a single skill.
+- If child directories contain their own `SKILL.md`, treat each child root as a
+  separate skill candidate.
+- Ignore directories without `SKILL.md` unless they are supporting files under a
+  detected skill root.
+- Use `SKILL.md` YAML frontmatter for default `name` and `description`.
+- Fall back to the skill root folder name when frontmatter is absent.
+
+The first version should support selecting:
+
+- a folder through `webkitdirectory`
+- a zip file unpacked in the browser
+- drag-and-drop of files or folders where the browser exposes directory entries
+
+## File Policy
+
+The workspace skill storage model stores supporting file content in text fields.
+Until binary asset storage exists, the uploader should avoid pretending binary
+assets are fully supported.
+
+Apply the same limits across folder and zip imports:
+
+- require `SKILL.md`
+- reject absolute paths and path traversal
+- skip hidden files and ignored metadata files
+- skip files above 1 MiB
+- cap each skill at 128 supporting files
+- cap each skill bundle at 8 MiB of accepted text files
+- skip binary or non-UTF-8 supporting files
+- strip null bytes from accepted text content before submission
+
+Skipped files are visible in the preview before import. If a skill has skipped
+files, the user can still import it, but the preview makes the partial import
+explicit.
+
+## API Shape
+
+Prefer a dedicated local-import API over calling generic `createSkill` directly
+from the upload panel.
+
+Add a workspace-scoped endpoint:
+
+`POST /api/skills/import-local`
+
+Request:
+
+```json
+{
+  "skills": [
+    {
+      "name": "Code Review",
+      "description": "Reviews pull requests",
+      "content": "...SKILL.md content...",
+      "files": [
+        { "path": "templates/review.md", "content": "..." }
+      ],
+      "source": {
+        "type": "uploaded_bundle",
+        "label": "team-skills.zip/code-review"
+      }
+    }
+  ]
+}
+```
+
+Response:
+
+```json
+{
+  "created": [
+    { "skill": { "...": "..." }, "source_label": "team-skills.zip/code-review" }
+  ],
+  "skipped": [
+    { "name": "Existing Skill", "reason": "already_exists" }
+  ],
+  "failed": [
+    { "name": "Broken Skill", "reason": "missing_skill_md" }
+  ]
+}
+```
+
+The backend performs the authoritative validation even when the client already
+validated the preview. This keeps the browser UI helpful without trusting it as
+a security boundary.
+
+## Backend Behavior
+
+The backend should create each valid skill in its own transaction so a batch
+import can partially succeed. A duplicate skill name should be reported as a
+skipped item instead of failing the entire batch.
+
+For each skill:
+
+- validate the workspace and owner/admin permission
+- validate name and `SKILL.md` content
+- validate every file path with the existing skill-file path rules
+- sanitize null bytes from text fields
+- enforce file count and accepted-size limits
+- create the skill and supporting files through the same create-with-files path
+- publish normal skill-created realtime events for created skills
+
+The endpoint should return structured per-item results so the UI can show a
+summary without parsing human-readable error strings.
+
+## Frontend Data Flow
+
+Add a new panel beside the existing forms:
+
+- extend `Method` with `upload`
+- add the fourth `MethodChooser` card
+- create `LocalSkillUploadPanel`
+- add a typed API client method for `importLocalSkills`
+
+After successful imports:
+
+- seed each created skill detail cache
+- invalidate `workspaceKeys.skills(wsId)`
+- invalidate `workspaceKeys.agents(wsId)`
+- select the first created skill if the dialog caller provides selection
+- close the dialog only when at least one skill is created and there are no
+  unresolved blocking failures
+
+For partial success, keep the dialog open and show the result summary so the
+user can see what was imported, skipped, or failed.
+
+## Error Handling
+
+Preview-time errors stay local and immediate:
+
+- empty selection
+- no `SKILL.md` found
+- unreadable zip
+- zip path traversal
+- all files skipped
+
+Import-time errors come from the API:
+
+- permission failure
+- duplicate names
+- invalid paths missed by preview
+- request size exceeded
+- server transaction failure
+
+The UI should prefer structured messages such as `already exists`, `missing
+SKILL.md`, `unsupported binary file skipped`, and `bundle is too large`.
+
+## Out of Scope
+
+- Persistent binary asset storage for skill bundles.
+- A public skill registry or package-version system.
+- Runtime multi-select import. That belongs to `Copy from runtime`.
+- Automatic upload from arbitrary filesystem paths without user selection.
+- Editing imported files inside the upload preview before creation.
+
+## Testing
+
+Add focused coverage for:
+
+- grouping selected files into one or many skill candidates
+- parsing frontmatter defaults from `SKILL.md`
+- skipping binary, hidden, oversized, and traversal-path files
+- zip import path normalization and traversal rejection
+- upload panel states for empty, invalid, single-skill, and multi-skill inputs
+- API client response parsing for created, skipped, and failed results
+- backend validation and partial-success behavior
+- duplicate-name handling as a skipped result
+- cache invalidation after successful import
+
+Manual verification should cover:
+
+- folder picker import of a single skill
+- zip import of a single skill
+- folder or zip import containing multiple skills
+- partial import with one duplicate skill
+- partial import with binary supporting files
diff --git a/packages/core/api/client.test.ts b/packages/core/api/client.test.ts
index d710fa198f..85f0c99ba6 100644
--- a/packages/core/api/client.test.ts
+++ b/packages/core/api/client.test.ts
@@ -173,6 +173,110 @@ describe("ApiClient", () => {
     expect(headers["X-Client-OS"]).toBeUndefined();
   });
 
+  it("imports local skills through the dedicated endpoint", async () => {
+    const fetchMock = vi.fn().mockResolvedValue(
+      new Response(
+        JSON.stringify({
+          created: [
+            {
+              skill: {
+                id: "skill-1",
+                workspace_id: "ws-1",
+                name: "Review Helper",
+                description: "Reviews PRs",
+                content: "# Review Helper",
+                config: {},
+                created_by: "user-1",
+                created_at: "2026-05-12T00:00:00Z",
+                updated_at: "2026-05-12T00:00:00Z",
+                files: [],
+              },
+              source_label: "team.zip/review-helper",
+            },
+          ],
+          skipped: [],
+          failed: [],
+        }),
+        { status: 200, headers: { "Content-Type": "application/json" } },
+      ),
+    );
+    vi.stubGlobal("fetch", fetchMock);
+
+    const client = new ApiClient("https://api.example.test");
+    const result = await client.importLocalSkills({
+      skills: [
+        {
+          name: "Review Helper",
+          description: "Reviews PRs",
+          content: "# Review Helper",
+          files: [{ path: "templates/review.md", content: "body" }],
+          source: { type: "uploaded_bundle", label: "team.zip/review-helper" },
+        },
+      ],
+    });
+
+    expect(fetchMock).toHaveBeenCalledWith(
+      "https://api.example.test/api/skills/import-local",
+      expect.objectContaining({
+        method: "POST",
+        body: JSON.stringify({
+          skills: [
+            {
+              name: "Review Helper",
+              description: "Reviews PRs",
+              content: "# Review Helper",
+              files: [{ path: "templates/review.md", content: "body" }],
+              source: { type: "uploaded_bundle", label: "team.zip/review-helper" },
+            },
+          ],
+        }),
+      }),
+    );
+    expect(result.created[0]?.skill.name).toBe("Review Helper");
+  });
+
+  it("falls back for malformed local skill import responses", async () => {
+    vi.stubGlobal(
+      "fetch",
+      vi.fn().mockResolvedValue(
+        new Response(JSON.stringify({ created: null, skipped: "bad", failed: {} }), {
+          status: 200,
+          headers: { "Content-Type": "application/json" },
+        }),
+      ),
+    );
+
+    const client = new ApiClient("https://api.example.test");
+    const result = await client.importLocalSkills({
+      skills: [{ name: "Review Helper", content: "# Review Helper", source: { type: "uploaded_bundle", label: "review" } }],
+    });
+
+    expect(result).toEqual({ created: [], skipped: [], failed: [] });
+  });
+
+  it("falls back when imported local skill entries are missing required skill fields", async () => {
+    vi.stubGlobal(
+      "fetch",
+      vi.fn().mockResolvedValue(
+        new Response(
+          JSON.stringify({
+            created: [{ skill: { id: "skill-1" }, source_label: "team.zip/review-helper" }],
+            skipped: [],
+            failed: [],
+          }),
+          { status: 200, headers: { "Content-Type": "application/json" } },
+        ),
+      ),
+    );
+
+    const client = new ApiClient("https://api.example.test");
+    const result = await client.importLocalSkills({
+      skills: [{ name: "Review Helper", content: "# Review Helper", source: { type: "uploaded_bundle", label: "review" } }],
+    });
+
+    expect(result).toEqual({ created: [], skipped: [], failed: [] });
+  });
+
   it("uses the Cloud Runtime node API contract and forwards bootstrap PAT on create", async () => {
     const node = {
       id: "node-1",
diff --git a/packages/core/api/client.ts b/packages/core/api/client.ts
index a08e6264c3..c174f333c6 100644
--- a/packages/core/api/client.ts
+++ b/packages/core/api/client.ts
@@ -34,6 +34,8 @@ import type {
   Skill,
   SkillSummary,
   CreateSkillRequest,
+  ImportLocalSkillsRequest,
+  ImportLocalSkillsResponse,
   UpdateSkillRequest,
   SetAgentSkillsRequest,
   PersonalAccessToken,
@@ -130,6 +132,7 @@ import {
   EMPTY_CLOUD_RUNTIME_NODE_LIST,
   EMPTY_CREATE_AGENT_FROM_TEMPLATE_RESPONSE,
   EMPTY_GROUPED_ISSUES_RESPONSE,
+  EMPTY_IMPORT_LOCAL_SKILLS_RESPONSE,
   EMPTY_LIST_ISSUES_RESPONSE,
   EMPTY_SQUAD_MEMBER_STATUS_LIST,
   EMPTY_TIMELINE_ENTRIES,
@@ -137,6 +140,7 @@ import {
   EMPTY_LIST_WEBHOOK_DELIVERIES_RESPONSE,
   EMPTY_WEBHOOK_DELIVERY,
   GroupedIssuesResponseSchema,
+  ImportLocalSkillsResponseSchema,
   ListIssuesResponseSchema,
   ListWebhookDeliveriesResponseSchema,
   RuntimeHourlyActivityListSchema,
@@ -1275,6 +1279,16 @@ export class ApiClient {
     });
   }
 
+  async importLocalSkills(data: ImportLocalSkillsRequest): Promise<ImportLocalSkillsResponse> {
+    const raw = await this.fetch<unknown>("/api/skills/import-local", {
+      method: "POST",
+      body: JSON.stringify(data),
+    });
+    return parseWithFallback(raw, ImportLocalSkillsResponseSchema, EMPTY_IMPORT_LOCAL_SKILLS_RESPONSE, {
+      endpoint: "POST /api/skills/import-local",
+    });
+  }
+
   async listAgentSkills(agentId: string): Promise<SkillSummary[]> {
     return this.fetch(`/api/agents/${agentId}/skills`);
   }
diff --git a/packages/core/api/schemas.ts b/packages/core/api/schemas.ts
index 735b49847d..1e9b80601e 100644
--- a/packages/core/api/schemas.ts
+++ b/packages/core/api/schemas.ts
@@ -6,6 +6,7 @@ import type {
   Attachment,
   CreateAgentFromTemplateResponse,
   GroupedIssuesResponse,
+  ImportLocalSkillsResponse,
   ListIssuesResponse,
   ListWebhookDeliveriesResponse,
   TimelineEntry,
@@ -206,6 +207,20 @@ export const ChildIssuesResponseSchema = z.object({
   issues: z.array(IssueSchema).default([]),
 }).loose();
 
+const ImportLocalSkillResultSchema = z.object({
+  name: z.string(),
+  reason: z.string(),
+}).loose();
+
+const SkillFileSchema = z.object({
+  id: z.string(),
+  skill_id: z.string(),
+  path: z.string(),
+  content: z.string(),
+  created_at: z.string(),
+  updated_at: z.string(),
+}).loose();
+
 export const CloudRuntimeNodeSchema = z.object({
   id: z.string(),
   owner_id: z.string(),
@@ -222,6 +237,36 @@ export const CloudRuntimeNodeSchema = z.object({
   updated_at: z.string(),
 }).loose();
 
+const SkillSchema = z.object({
+  id: z.string(),
+  workspace_id: z.string(),
+  name: z.string(),
+  description: z.string(),
+  config: z.record(z.string(), z.unknown()),
+  created_by: z.string().nullable(),
+  created_at: z.string(),
+  updated_at: z.string(),
+  content: z.string(),
+  files: z.array(SkillFileSchema),
+}).loose();
+
+const ImportLocalSkillCreatedSchema = z.object({
+  skill: SkillSchema,
+  source_label: z.string(),
+}).loose();
+
+export const ImportLocalSkillsResponseSchema = z.object({
+  created: z.array(ImportLocalSkillCreatedSchema).default([]),
+  skipped: z.array(ImportLocalSkillResultSchema).default([]),
+  failed: z.array(ImportLocalSkillResultSchema).default([]),
+}).loose();
+
+export const EMPTY_IMPORT_LOCAL_SKILLS_RESPONSE: ImportLocalSkillsResponse = {
+  created: [],
+  skipped: [],
+  failed: [],
+};
+
 export const CloudRuntimeNodeListSchema = z.array(CloudRuntimeNodeSchema);
 
 export const EMPTY_CLOUD_RUNTIME_NODE_LIST: CloudRuntimeNode[] = [];
diff --git a/packages/core/types/agent.ts b/packages/core/types/agent.ts
index c8d636195d..2321b7e62e 100644
--- a/packages/core/types/agent.ts
+++ b/packages/core/types/agent.ts
@@ -319,6 +319,37 @@ export interface CreateSkillRequest {
   files?: { path: string; content: string }[];
 }
 
+export interface ImportLocalSkillRequest {
+  name: string;
+  description?: string;
+  content: string;
+  files?: { path: string; content: string }[];
+  source: {
+    type: "uploaded_bundle";
+    label: string;
+  };
+}
+
+export interface ImportLocalSkillsRequest {
+  skills: ImportLocalSkillRequest[];
+}
+
+export interface ImportLocalSkillCreated {
+  skill: Skill;
+  source_label: string;
+}
+
+export interface ImportLocalSkillResult {
+  name: string;
+  reason: string;
+}
+
+export interface ImportLocalSkillsResponse {
+  created: ImportLocalSkillCreated[];
+  skipped: ImportLocalSkillResult[];
+  failed: ImportLocalSkillResult[];
+}
+
 export interface UpdateSkillRequest {
   name?: string;
   description?: string;
diff --git a/packages/core/types/index.ts b/packages/core/types/index.ts
index 2612ffefbf..346a11699e 100644
--- a/packages/core/types/index.ts
+++ b/packages/core/types/index.ts
@@ -23,6 +23,11 @@ export type {
   AgentSkillSummary,
   SkillFile,
   CreateSkillRequest,
+  ImportLocalSkillRequest,
+  ImportLocalSkillsRequest,
+  ImportLocalSkillCreated,
+  ImportLocalSkillResult,
+  ImportLocalSkillsResponse,
   UpdateSkillRequest,
   SetAgentSkillsRequest,
   RuntimeUsage,
diff --git a/packages/views/locales/en/skills.json b/packages/views/locales/en/skills.json
index de6a32b0b2..c9bfbfb38d 100644
--- a/packages/views/locales/en/skills.json
+++ b/packages/views/locales/en/skills.json
@@ -49,7 +49,9 @@
     "source_runtime_unknown": "From a runtime",
     "source_clawhub": "From ClawHub",
     "source_skills_sh": "From Skills.sh",
-    "source_github": "From GitHub"
+    "source_github": "From GitHub",
+    "source_uploaded_bundle": "From uploaded bundle",
+    "source_uploaded_bundle_named": "From {{label}}"
   },
   "detail": {
     "all_skills": "All skills",
@@ -72,6 +74,8 @@
       "origin_clawhub": "Imported · ClawHub",
       "origin_skills_sh": "Imported · Skills.sh",
       "origin_github": "Imported · GitHub",
+      "origin_uploaded_bundle": "Uploaded bundle",
+      "origin_uploaded_bundle_named": "Uploaded · {{label}}",
       "origin_workspace": "Workspace",
       "updated_label": "Updated {{when}}",
       "by_creator": "by {{name}}"
@@ -107,6 +111,7 @@
       "imported_clawhub": "Imported from ClawHub",
       "imported_skills_sh": "Imported from Skills.sh",
       "imported_github": "Imported from GitHub",
+      "imported_uploaded_bundle": "Imported from uploaded bundle",
       "provider": "provider · {{provider}}"
     },
     "not_found": {
@@ -162,6 +167,10 @@
       "runtime": {
         "title": "Copy from runtime",
         "desc": "Scan a local runtime and promote one of its on-disk skills into this workspace."
+      },
+      "upload": {
+        "title": "Upload folder or zip",
+        "desc": "Import a local skill folder or zipped skill bundle."
       }
     },
     "method_card": {
@@ -170,7 +179,9 @@
       "url_title": "Import from URL",
       "url_desc": "Pull a published skill from ClawHub or Skills.sh.",
       "runtime_title": "Copy from runtime",
-      "runtime_desc": "Promote a skill already installed on your local runtime."
+      "runtime_desc": "Promote a skill already installed on your local runtime.",
+      "upload_title": "Upload folder or zip",
+      "upload_desc": "Import a local skill folder or zipped skill bundle."
     },
     "manual": {
       "name_label": "Name",
@@ -199,6 +210,50 @@
       "toast_imported": "Skill imported"
     }
   },
+  "upload_import": {
+    "drop_title": "Drop a skill folder or .zip here",
+    "drop_label": "Dropped files",
+    "hint": "A valid skill must contain SKILL.md.",
+    "choose_folder": "Choose Folder",
+    "choose_zip": "Choose Zip",
+    "name_label": "Skill name",
+    "description_label": "Description",
+    "source_label": "Source",
+    "primary_file_badge": "SKILL.md",
+    "files_count_one": "{{count}} file",
+    "files_count_other": "{{count}} files",
+    "skipped_count_one": "{{count}} skipped",
+    "skipped_count_other": "{{count}} skipped",
+    "ready_single": "Ready to import \"{{name}}\" into workspace",
+    "ready_multiple": "Ready to import {{count}} skills into workspace",
+    "select_skill": "Select a valid skill to import.",
+    "import": "Import",
+    "import_many": "Import {{count}} skills",
+    "importing": "Importing {{done}} / {{total}}",
+    "toast_imported": "Skill imported",
+    "result_reasons": {
+      "already_exists": "already exists",
+      "missing_skill_md": "missing SKILL.md",
+      "invalid_file_path": "invalid file path",
+      "hidden_file": "hidden file skipped",
+      "metadata_file": "metadata file skipped",
+      "absolute_path": "absolute path skipped",
+      "path_traversal": "path traversal skipped",
+      "file_too_large": "file too large",
+      "binary_file": "binary file skipped",
+      "too_many_files": "too many files",
+      "bundle_too_large": "bundle is too large",
+      "imported": "imported"
+    },
+    "errors": {
+      "empty_selection": "Select a folder or zip to continue.",
+      "no_skill_md": "No SKILL.md found",
+      "unreadable_skill_md": "SKILL.md is unreadable (binary or too large)",
+      "unreadable_zip": "Unable to read zip file.",
+      "import_failed": "Import failed",
+      "too_many_skills": "Select up to {{count}} skills. Import them, then repeat for the rest."
+    }
+  },
   "runtime_import": {
     "runtime_label": "Runtime",
     "runtime_placeholder": "Select a local runtime",
diff --git a/packages/views/locales/zh-Hans/skills.json b/packages/views/locales/zh-Hans/skills.json
index 611a80cb41..3972409648 100644
--- a/packages/views/locales/zh-Hans/skills.json
+++ b/packages/views/locales/zh-Hans/skills.json
@@ -61,7 +61,9 @@
     "source_runtime_unknown": "来自某个运行时",
     "source_clawhub": "来自 ClawHub",
     "source_skills_sh": "来自 Skills.sh",
-    "source_github": "来自 GitHub"
+    "source_github": "来自 GitHub",
+    "source_uploaded_bundle": "来自上传包",
+    "source_uploaded_bundle_named": "来自 {{label}}"
   },
   "detail": {
     "all_skills": "全部 skill",
@@ -84,6 +86,8 @@
       "origin_clawhub": "导入自 · ClawHub",
       "origin_skills_sh": "导入自 · Skills.sh",
       "origin_github": "导入自 · GitHub",
+      "origin_uploaded_bundle": "上传包",
+      "origin_uploaded_bundle_named": "上传自 · {{label}}",
       "origin_workspace": "工作区",
       "updated_label": "{{when}}更新",
       "by_creator": "由 {{name}}"
@@ -119,6 +123,7 @@
       "imported_clawhub": "从 ClawHub 导入",
       "imported_skills_sh": "从 Skills.sh 导入",
       "imported_github": "从 GitHub 导入",
+      "imported_uploaded_bundle": "从上传包导入",
       "provider": "provider · {{provider}}"
     },
     "not_found": {
@@ -174,6 +179,10 @@
       "runtime": {
         "title": "从运行时复制",
         "desc": "扫描本地运行时，把它磁盘上的 skill 提升到工作区。"
+      },
+      "upload": {
+        "title": "上传 文件夹 或 zip压缩包",
+        "desc": "导入本地 skill 文件夹或打包后的 skill。"
       }
     },
     "method_card": {
@@ -182,7 +191,9 @@
       "url_title": "从 URL 导入",
       "url_desc": "从 ClawHub 或 Skills.sh 拉取已发布的 skill。",
       "runtime_title": "从运行时复制",
-      "runtime_desc": "把本地运行时里已经装好的 skill 提升过来。"
+      "runtime_desc": "把本地运行时里已经装好的 skill 提升过来。",
+      "upload_title": "上传 文件夹 或 zip压缩包",
+      "upload_desc": "导入本地 skill 文件夹或打包后的 skill。"
     },
     "manual": {
       "name_label": "名称",
@@ -211,6 +222,50 @@
       "toast_imported": "已导入 skill"
     }
   },
+  "upload_import": {
+    "drop_title": "将 skill 文件夹或 .zip 拖到这里",
+    "drop_label": "拖入的文件",
+    "hint": "有效 skill 必须包含 SKILL.md。",
+    "choose_folder": "选择文件夹",
+    "choose_zip": "选择 Zip",
+    "name_label": "Skill 名称",
+    "description_label": "描述",
+    "source_label": "来源",
+    "primary_file_badge": "SKILL.md",
+    "files_count_one": "{{count}} 个文件",
+    "files_count_other": "{{count}} 个文件",
+    "skipped_count_one": "{{count}} 个已跳过",
+    "skipped_count_other": "{{count}} 个已跳过",
+    "ready_single": "准备将\"{{name}}\"导入工作区",
+    "ready_multiple": "准备将 {{count}} 个 skill 导入工作区",
+    "select_skill": "请选择一个有效 skill 导入。",
+    "import": "导入",
+    "import_many": "导入 {{count}} 个 skill",
+    "importing": "导入中 {{done}} / {{total}}",
+    "toast_imported": "已导入 skill",
+    "result_reasons": {
+      "already_exists": "已存在",
+      "missing_skill_md": "缺少 SKILL.md",
+      "invalid_file_path": "文件路径无效",
+      "hidden_file": "已跳过隐藏文件",
+      "metadata_file": "已跳过元数据文件",
+      "absolute_path": "已跳过绝对路径",
+      "path_traversal": "已跳过路径穿越文件",
+      "file_too_large": "文件过大",
+      "binary_file": "已跳过二进制文件",
+      "too_many_files": "文件数量过多",
+      "bundle_too_large": "文件包过大",
+      "imported": "已导入"
+    },
+    "errors": {
+      "empty_selection": "请选择文件夹或 zip 后继续。",
+      "no_skill_md": "未找到 SKILL.md",
+      "unreadable_skill_md": "SKILL.md 无法读取（二进制文件或文件过大）",
+      "unreadable_zip": "无法读取 zip 文件。",
+      "import_failed": "导入失败",
+      "too_many_skills": "最多选择 {{count}} 个 skill。先导入它们，再导入剩余 skill。"
+    }
+  },
   "runtime_import": {
     "runtime_label": "运行时",
     "runtime_placeholder": "选择一个本地运行时",
diff --git a/packages/views/package.json b/packages/views/package.json
index acc53a0bc1..7cc67a83db 100644
--- a/packages/views/package.json
+++ b/packages/views/package.json
@@ -80,6 +80,7 @@
     "@tiptap/suggestion": "^3.22.1",
     "cmdk": "^1.1.1",
     "hast-util-to-html": "^9.0.5",
+    "jszip": "catalog:",
     "katex": "catalog:",
     "lowlight": "^3.3.0",
     "mermaid": "catalog:",
diff --git a/packages/views/skills/components/create-skill-dialog.test.tsx b/packages/views/skills/components/create-skill-dialog.test.tsx
new file mode 100644
index 0000000000..bd7eb76d95
--- /dev/null
+++ b/packages/views/skills/components/create-skill-dialog.test.tsx
@@ -0,0 +1,56 @@
+// @vitest-environment jsdom
+
+import type { ReactNode } from "react";
+import { describe, expect, it, vi } from "vitest";
+import { QueryClient, QueryClientProvider } from "@tanstack/react-query";
+import { render, screen } from "@testing-library/react";
+import { I18nProvider } from "@multica/core/i18n/react";
+import enCommon from "../../locales/en/common.json";
+import enSkills from "../../locales/en/skills.json";
+import zhHansCommon from "../../locales/zh-Hans/common.json";
+import zhHansSkills from "../../locales/zh-Hans/skills.json";
+import { CreateSkillDialog } from "./create-skill-dialog";
+
+vi.mock("@multica/core/hooks", () => ({
+  useWorkspaceId: () => "ws-1",
+}));
+
+vi.mock("@multica/core/api", () => ({
+  api: {
+    createSkill: vi.fn(),
+    importSkill: vi.fn(),
+    importLocalSkills: vi.fn(),
+  },
+}));
+
+function wrapper({ children }: { children: ReactNode }) {
+  return (
+    <I18nProvider locale="en" resources={{ en: { common: enCommon, skills: enSkills } }}>
+      <QueryClientProvider client={new QueryClient({ defaultOptions: { queries: { retry: false } } })}>
+        {children}
+      </QueryClientProvider>
+    </I18nProvider>
+  );
+}
+
+function zhHansWrapper({ children }: { children: ReactNode }) {
+  return (
+    <I18nProvider locale="zh-Hans" resources={{ "zh-Hans": { common: zhHansCommon, skills: zhHansSkills } }}>
+      <QueryClientProvider client={new QueryClient({ defaultOptions: { queries: { retry: false } } })}>
+        {children}
+      </QueryClientProvider>
+    </I18nProvider>
+  );
+}
+
+describe("CreateSkillDialog", () => {
+  it("offers upload folder or zip as a creation method", () => {
+    render(<CreateSkillDialog onClose={vi.fn()} />, { wrapper });
+    expect(screen.getByRole("button", { name: /Upload folder or zip/i })).toBeInTheDocument();
+  });
+
+  it("uses the requested Chinese title for local upload", () => {
+    render(<CreateSkillDialog onClose={vi.fn()} />, { wrapper: zhHansWrapper });
+    expect(screen.getByRole("button", { name: /上传 文件夹 或 zip压缩包/ })).toBeInTheDocument();
+  });
+});
diff --git a/packages/views/skills/components/create-skill-dialog.tsx b/packages/views/skills/components/create-skill-dialog.tsx
index e52908547e..aa3985325c 100644
--- a/packages/views/skills/components/create-skill-dialog.tsx
+++ b/packages/views/skills/components/create-skill-dialog.tsx
@@ -6,6 +6,7 @@ import {
   ArrowLeft,
   ChevronRight,
   Download,
+  FolderUp,
   HardDrive,
   Loader2,
   Pencil,
@@ -39,11 +40,12 @@ import { Textarea } from "@multica/ui/components/ui/textarea";
 import { useScrollFade } from "@multica/ui/hooks/use-scroll-fade";
 import { cn } from "@multica/ui/lib/utils";
 import { openExternal } from "../../platform";
+import { LocalSkillUploadPanel } from "./local-skill-upload-panel";
 import { RuntimeLocalSkillImportPanel } from "./runtime-local-skill-import-panel";
 import { useT } from "../../i18n";
 import { isNameConflictError } from "../lib/utils";
 
-type Method = "chooser" | "manual" | "url" | "runtime";
+type Method = "chooser" | "manual" | "url" | "runtime" | "upload";
 
 function seedAfterCreate(
   qc: ReturnType<typeof useQueryClient>,
@@ -64,10 +66,11 @@ function MethodChooser({ onChoose }: { onChoose: (m: Method) => void }) {
   const methods: {
     key: Method;
     icon: typeof Plus;
-    titleKey: "manual" | "url" | "runtime";
+    titleKey: "manual" | "url" | "runtime" | "upload";
   }[] = [
     { key: "manual", icon: Plus, titleKey: "manual" },
     { key: "url", icon: Download, titleKey: "url" },
+    { key: "upload", icon: FolderUp, titleKey: "upload" },
     { key: "runtime", icon: HardDrive, titleKey: "runtime" },
   ];
   return (
@@ -439,7 +442,7 @@ export function CreateSkillDialog({
     onClose();
   };
 
-  const wide = method === "runtime";
+  const wide = method === "runtime" || method === "upload";
 
   return (
     <Dialog open onOpenChange={(v) => !v && onClose()}>
@@ -519,6 +522,9 @@ export function CreateSkillDialog({
             onBulkDone={onClose}
           />
         )}
+        {method === "upload" && (
+          <LocalSkillUploadPanel onImported={handleCreated} />
+        )}
       </DialogContent>
     </Dialog>
   );
diff --git a/packages/views/skills/components/local-skill-upload-panel.test.tsx b/packages/views/skills/components/local-skill-upload-panel.test.tsx
new file mode 100644
index 0000000000..bb0ed2aba1
--- /dev/null
+++ b/packages/views/skills/components/local-skill-upload-panel.test.tsx
@@ -0,0 +1,217 @@
+// @vitest-environment jsdom
+
+import type { ReactNode } from "react";
+import { beforeEach, describe, expect, it, vi } from "vitest";
+import { QueryClient, QueryClientProvider } from "@tanstack/react-query";
+import { fireEvent, render, screen, waitFor } from "@testing-library/react";
+import JSZip from "jszip";
+import { I18nProvider } from "@multica/core/i18n/react";
+import enCommon from "../../locales/en/common.json";
+import enSkills from "../../locales/en/skills.json";
+import zhHansCommon from "../../locales/zh-Hans/common.json";
+import zhHansSkills from "../../locales/zh-Hans/skills.json";
+
+const mockImportLocalSkills = vi.hoisted(() => vi.fn());
+
+vi.mock("@multica/core/api", () => ({
+  api: { importLocalSkills: (...args: unknown[]) => mockImportLocalSkills(...args) },
+}));
+
+vi.mock("@multica/core/hooks", () => ({
+  useWorkspaceId: () => "ws-1",
+}));
+
+vi.mock("sonner", () => ({ toast: { success: vi.fn(), error: vi.fn() } }));
+
+import { LocalSkillUploadPanel } from "./local-skill-upload-panel";
+
+function wrapper({ children }: { children: ReactNode }) {
+  return (
+    <I18nProvider locale="en" resources={{ en: { common: enCommon, skills: enSkills } }}>
+      <QueryClientProvider client={new QueryClient({ defaultOptions: { queries: { retry: false } } })}>
+        {children}
+      </QueryClientProvider>
+    </I18nProvider>
+  );
+}
+
+function zhHansWrapper({ children }: { children: ReactNode }) {
+  return (
+    <I18nProvider locale="zh-Hans" resources={{ "zh-Hans": { common: zhHansCommon, skills: zhHansSkills } }}>
+      <QueryClientProvider client={new QueryClient({ defaultOptions: { queries: { retry: false } } })}>
+        {children}
+      </QueryClientProvider>
+    </I18nProvider>
+  );
+}
+
+describe("LocalSkillUploadPanel", () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+    mockImportLocalSkills.mockResolvedValue({
+      created: [{ skill: skill("skill-1", "Review Helper"), source_label: "review" }],
+      skipped: [],
+      failed: [],
+    });
+  });
+
+  it("shows an invalid state when no SKILL.md is found", async () => {
+    render(<LocalSkillUploadPanel />, { wrapper });
+    const input = screen.getByTestId("local-skill-folder-input");
+    fireEvent.change(input, { target: { files: [file("notes.txt", "hello")] } });
+    expect(await screen.findByText(/No SKILL\.md found/i)).toBeInTheDocument();
+  });
+
+  it("previews and imports a single skill", async () => {
+    const onImported = vi.fn();
+    render(<LocalSkillUploadPanel onImported={onImported} />, { wrapper });
+
+    fireEvent.change(screen.getByTestId("local-skill-folder-input"), {
+      target: { files: [file("review/SKILL.md", "---\nname: Review Helper\n---\nBody")] },
+    });
+
+    expect(await screen.findByDisplayValue("Review Helper")).toBeInTheDocument();
+    fireEvent.click(screen.getByRole("button", { name: /^Import$/i }));
+
+    await waitFor(() => {
+      expect(mockImportLocalSkills).toHaveBeenCalledWith({
+        skills: [expect.objectContaining({ name: "Review Helper", content: expect.stringContaining("Body") })],
+      });
+      expect(onImported).toHaveBeenCalledWith(expect.objectContaining({ name: "Review Helper" }));
+    });
+  });
+
+  it("previews a dropped zip skill", async () => {
+    const zip = new JSZip();
+    zip.file("review/SKILL.md", "---\nname: Review Helper\n---\nBody");
+    const blob = await zip.generateAsync({ type: "blob" });
+    const archive = new File([blob], "review.zip", { type: "application/zip" });
+
+    render(<LocalSkillUploadPanel />, { wrapper });
+
+    fireEvent.drop(screen.getByText(/Drop a skill folder or \.zip here/i).parentElement!, {
+      dataTransfer: {
+        items: [dataTransferFileItem(archive)],
+        files: [archive],
+      },
+    });
+
+    expect(await screen.findByDisplayValue("Review Helper")).toBeInTheDocument();
+    expect(screen.queryByText(/No SKILL\.md found/i)).not.toBeInTheDocument();
+  });
+
+  it("lets users pick any local skill batch under the server limit", async () => {
+    render(<LocalSkillUploadPanel />, { wrapper });
+
+    fireEvent.change(screen.getByTestId("local-skill-folder-input"), {
+      target: {
+        files: Array.from({ length: 17 }, (_, index) =>
+          file(`team/skill-${String(index).padStart(2, "0")}/SKILL.md`, `# Skill ${index}`),
+        ),
+      },
+    });
+
+    expect(await screen.findByText(/Select up to 16 skills/i)).toBeInTheDocument();
+    expect(screen.getByText(/Ready to import 16 skills/i)).toBeInTheDocument();
+
+    const checkboxes = screen.getAllByRole("checkbox");
+    expect(checkboxes).toHaveLength(17);
+    expect(checkboxes.slice(0, 16).every((checkbox) => checkbox.getAttribute("aria-checked") === "true")).toBe(true);
+    expect(checkboxes[16]).toHaveAttribute("aria-checked", "false");
+    expect(checkboxes[16]).toHaveAttribute("aria-disabled", "true");
+
+    fireEvent.click(checkboxes[0]!);
+    expect(checkboxes[16]).not.toHaveAttribute("aria-disabled");
+    fireEvent.click(checkboxes[16]!);
+    expect(checkboxes[16]).toHaveAttribute("aria-checked", "true");
+
+    fireEvent.click(screen.getByRole("button", { name: /^Import$/i }));
+
+    await waitFor(() => {
+      expect(mockImportLocalSkills).toHaveBeenCalledWith({
+        skills: expect.arrayContaining([
+          expect.objectContaining({ name: "skill-01" }),
+          expect.objectContaining({ name: "skill-16" }),
+        ]),
+      });
+    });
+    expect(mockImportLocalSkills.mock.calls[0]?.[0].skills).toHaveLength(16);
+    expect(mockImportLocalSkills.mock.calls[0]?.[0].skills).not.toEqual(
+      expect.arrayContaining([expect.objectContaining({ name: "skill-00" })]),
+    );
+  });
+
+  it("keeps the dialog open on partial success summary", async () => {
+    mockImportLocalSkills.mockResolvedValue({
+      created: [{ skill: skill("skill-1", "Review Helper"), source_label: "review" }],
+      skipped: [{ name: "Existing", reason: "already_exists" }],
+      failed: [{ name: "Broken", reason: "missing_skill_md" }],
+    });
+    const onImported = vi.fn();
+    render(<LocalSkillUploadPanel onImported={onImported} />, { wrapper });
+
+    fireEvent.change(screen.getByTestId("local-skill-folder-input"), {
+      target: { files: [file("review/SKILL.md", "# Review")] },
+    });
+    expect(await screen.findByText(/Ready to import "review"/i)).toBeInTheDocument();
+    const importButton = await screen.findByRole("button", { name: /^Import$/i });
+    await waitFor(() => expect(importButton).not.toBeDisabled());
+    fireEvent.click(importButton);
+
+    await waitFor(() => expect(mockImportLocalSkills).toHaveBeenCalled());
+    expect(await screen.findByText(/Existing.*already exists/i)).toBeInTheDocument();
+    expect(screen.getByText(/Broken.*missing SKILL\.md/i)).toBeInTheDocument();
+    expect(onImported).not.toHaveBeenCalled();
+  });
+
+  it("localizes upload result reasons", async () => {
+    mockImportLocalSkills.mockResolvedValue({
+      created: [{ skill: skill("skill-1", "Review Helper"), source_label: "review" }],
+      skipped: [{ name: "Existing", reason: "already_exists" }],
+      failed: [{ name: "Broken", reason: "missing_skill_md" }],
+    });
+    render(<LocalSkillUploadPanel />, { wrapper: zhHansWrapper });
+
+    fireEvent.change(screen.getByTestId("local-skill-folder-input"), {
+      target: { files: [file("review/SKILL.md", "# Review")] },
+    });
+    const importButton = await screen.findByRole("button", { name: /^导入$/i });
+    await waitFor(() => expect(importButton).not.toBeDisabled());
+    fireEvent.click(importButton);
+
+    await waitFor(() => expect(mockImportLocalSkills).toHaveBeenCalled());
+    expect(await screen.findByText(/Existing.*已存在/i)).toBeInTheDocument();
+    expect(screen.getByText(/Broken.*缺少 SKILL\.md/i)).toBeInTheDocument();
+  });
+});
+
+function file(path: string, content: string): File & { webkitRelativePath: string } {
+  const value = new File([content], path.split("/").at(-1) ?? "file.txt", { type: "text/plain" });
+  Object.defineProperty(value, "webkitRelativePath", { value: path });
+  return value as File & { webkitRelativePath: string };
+}
+
+function dataTransferFileItem(value: File): DataTransferItem {
+  return {
+    kind: "file",
+    type: value.type,
+    getAsFile: () => value,
+    getAsString: vi.fn(),
+    webkitGetAsEntry: () => null,
+  } as unknown as DataTransferItem;
+}
+
+function skill(id: string, name: string) {
+  return {
+    id,
+    workspace_id: "ws-1",
+    name,
+    description: "",
+    content: "# Skill",
+    config: {},
+    files: [],
+    created_by: "user-1",
+    created_at: "2026-05-12T00:00:00Z",
+    updated_at: "2026-05-12T00:00:00Z",
+  };
+}
diff --git a/packages/views/skills/components/local-skill-upload-panel.tsx b/packages/views/skills/components/local-skill-upload-panel.tsx
new file mode 100644
index 0000000000..b53523b402
--- /dev/null
+++ b/packages/views/skills/components/local-skill-upload-panel.tsx
@@ -0,0 +1,484 @@
+"use client";
+
+import { useMemo, useRef, useState } from "react";
+import { useQueryClient } from "@tanstack/react-query";
+import { AlertCircle, CheckCircle2, FileArchive, FolderUp, Loader2, Upload } from "lucide-react";
+import { toast } from "sonner";
+import { api } from "@multica/core/api";
+import type { ImportLocalSkillResult, Skill } from "@multica/core/types";
+import { useWorkspaceId } from "@multica/core/hooks";
+import {
+  skillDetailOptions,
+  workspaceKeys,
+} from "@multica/core/workspace/queries";
+import { Badge } from "@multica/ui/components/ui/badge";
+import { Button } from "@multica/ui/components/ui/button";
+import { Checkbox } from "@multica/ui/components/ui/checkbox";
+import { Input } from "@multica/ui/components/ui/input";
+import { Label } from "@multica/ui/components/ui/label";
+import { Textarea } from "@multica/ui/components/ui/textarea";
+import { useScrollFade } from "@multica/ui/hooks/use-scroll-fade";
+import { useT } from "../../i18n";
+import {
+  buildLocalSkillCandidates,
+  candidateToImportRequest,
+  filesFromDataTransfer,
+  MAX_LOCAL_SKILL_IMPORT_BATCH,
+  readZipFile,
+  type LocalSkillCandidate,
+  type LocalSkillInputFile,
+} from "../utils/local-skill-upload";
+
+interface ImportSummary {
+  created: { skill: Skill; source_label: string }[];
+  skipped: ImportLocalSkillResult[];
+  failed: ImportLocalSkillResult[];
+}
+
+interface ResultReasonLabels {
+  already_exists: string;
+  missing_skill_md: string;
+  invalid_file_path: string;
+  hidden_file: string;
+  metadata_file: string;
+  absolute_path: string;
+  path_traversal: string;
+  file_too_large: string;
+  binary_file: string;
+  too_many_files: string;
+  bundle_too_large: string;
+  imported: string;
+}
+
+export function LocalSkillUploadPanel({
+  onImported,
+}: {
+  onImported?: (skill: Skill) => void;
+}) {
+  const { t } = useT("skills");
+  const wsId = useWorkspaceId();
+  const qc = useQueryClient();
+  const folderInputRef = useRef<HTMLInputElement>(null);
+  const zipInputRef = useRef<HTMLInputElement>(null);
+  const scrollRef = useRef<HTMLDivElement>(null);
+  const fadeStyle = useScrollFade(scrollRef);
+
+  const [candidates, setCandidates] = useState<LocalSkillCandidate[]>([]);
+  const [error, setError] = useState("");
+  const [importing, setImporting] = useState(false);
+  const [doneCount, setDoneCount] = useState(0);
+  const [summary, setSummary] = useState<ImportSummary | null>(null);
+
+  const selectedCandidates = useMemo(
+    () => candidates.filter((candidate) => candidate.valid && candidate.selected && candidate.name.trim()),
+    [candidates],
+  );
+  const validCandidates = candidates.filter((candidate) => candidate.valid);
+  const invalidCandidate = candidates.find((candidate) => !candidate.valid);
+  const overBatchLimit = validCandidates.length > MAX_LOCAL_SKILL_IMPORT_BATCH;
+
+  const setCandidate = (id: string, patch: Partial<LocalSkillCandidate>) => {
+    setCandidates((prev) =>
+      prev.map((candidate) =>
+        candidate.id === id ? { ...candidate, ...patch } : candidate,
+      ),
+    );
+  };
+
+  const handleFiles = async (files: File[] | LocalSkillInputFile[], label: string) => {
+    setError("");
+    setSummary(null);
+    try {
+      const next = await buildLocalSkillCandidates(files, label);
+      setCandidates(limitSelectedCandidates(next));
+    } catch (err) {
+      setCandidates([]);
+      setError(err instanceof Error ? err.message : t(($) => $.upload_import.errors.unreadable_zip));
+    }
+  };
+
+  const handleFolderChange = async (files: FileList | null) => {
+    if (!files || files.length === 0) {
+      setError(t(($) => $.upload_import.errors.empty_selection));
+      return;
+    }
+    const list = Array.from(files);
+    await handleFiles(list, rootLabel(list[0]?.webkitRelativePath || list[0]?.name || "upload"));
+  };
+
+  const handleZipChange = async (files: FileList | null) => {
+    const file = files?.[0];
+    if (!file) {
+      setError(t(($) => $.upload_import.errors.empty_selection));
+      return;
+    }
+    await handleZipFile(file);
+  };
+
+  const handleZipFile = async (file: File) => {
+    try {
+      const entries = await readZipFile(file);
+      await handleFiles(entries, file.name);
+    } catch {
+      setCandidates([]);
+      setError(t(($) => $.upload_import.errors.unreadable_zip));
+    }
+  };
+
+  const handleDrop = async (event: React.DragEvent<HTMLDivElement>) => {
+    event.preventDefault();
+    const droppedFiles = Array.from(event.dataTransfer.files);
+    const droppedZip = droppedFiles.length === 1 ? droppedFiles[0] : null;
+    if (droppedZip && isZipFile(droppedZip)) {
+      await handleZipFile(droppedZip);
+      return;
+    }
+    if (event.dataTransfer.items.length > 0) {
+      const files = await filesFromDataTransfer(event.dataTransfer.items);
+      await handleFiles(files, t(($) => $.upload_import.drop_label));
+      return;
+    }
+    await handleFolderChange(event.dataTransfer.files);
+  };
+
+  const handleImport = async () => {
+    if (selectedCandidates.length === 0) return;
+    setImporting(true);
+    setError("");
+    setSummary(null);
+    setDoneCount(0);
+    try {
+      const payload = {
+        skills: selectedCandidates.map(candidateToImportRequest),
+      };
+      const result = await api.importLocalSkills(payload);
+      for (const item of result.created) {
+        qc.setQueryData(skillDetailOptions(wsId, item.skill.id).queryKey, item.skill);
+      }
+      await Promise.all([
+        qc.invalidateQueries({ queryKey: workspaceKeys.skills(wsId) }),
+        qc.invalidateQueries({ queryKey: workspaceKeys.agents(wsId) }),
+      ]);
+      setDoneCount(result.created.length);
+      setSummary(result);
+      if (result.created.length > 0 && result.skipped.length === 0 && result.failed.length === 0) {
+        toast.success(t(($) => $.upload_import.toast_imported));
+        onImported?.(result.created[0]!.skill);
+      }
+    } catch (err) {
+      setError(err instanceof Error ? err.message : t(($) => $.upload_import.errors.import_failed));
+    } finally {
+      setImporting(false);
+    }
+  };
+
+  const readyLabel =
+    selectedCandidates.length === 1
+      ? t(($) => $.upload_import.ready_single, { name: selectedCandidates[0]?.name ?? "" })
+      : t(($) => $.upload_import.ready_multiple, { count: selectedCandidates.length });
+
+  return (
+    <div className="flex min-h-0 flex-1 flex-col">
+      <div className="shrink-0 border-b px-5 py-3">
+        <div
+          onDragOver={(event) => event.preventDefault()}
+          onDrop={handleDrop}
+          className="flex flex-col items-center justify-center rounded-lg border border-dashed bg-muted/20 px-4 py-5 text-center"
+        >
+          <Upload className="h-5 w-5 text-muted-foreground" />
+          <p className="mt-2 text-sm font-medium">{t(($) => $.upload_import.drop_title)}</p>
+          <p className="mt-1 text-xs text-muted-foreground">{t(($) => $.upload_import.hint)}</p>
+          <div className="mt-3 flex flex-wrap justify-center gap-2">
+            <Button type="button" size="sm" variant="outline" onClick={() => folderInputRef.current?.click()}>
+              <FolderUp className="h-3.5 w-3.5" />
+              {t(($) => $.upload_import.choose_folder)}
+            </Button>
+            <Button type="button" size="sm" variant="outline" onClick={() => zipInputRef.current?.click()}>
+              <FileArchive className="h-3.5 w-3.5" />
+              {t(($) => $.upload_import.choose_zip)}
+            </Button>
+          </div>
+          <input
+            ref={folderInputRef}
+            data-testid="local-skill-folder-input"
+            type="file"
+            multiple
+            className="hidden"
+            onChange={(event) => {
+              handleFolderChange(event.currentTarget.files);
+              event.currentTarget.value = "";
+            }}
+            {...{ webkitdirectory: "" }}
+          />
+          <input
+            ref={zipInputRef}
+            data-testid="local-skill-zip-input"
+            type="file"
+            accept=".zip,application/zip"
+            className="hidden"
+            onChange={(event) => {
+              handleZipChange(event.currentTarget.files);
+              event.currentTarget.value = "";
+            }}
+          />
+        </div>
+      </div>
+
+      <div
+        ref={scrollRef}
+        style={fadeStyle}
+        className="flex-1 min-h-0 overflow-y-auto px-5 py-3"
+        aria-disabled={importing || undefined}
+      >
+        {error && <AlertMessage tone="destructive">{error}</AlertMessage>}
+        {overBatchLimit && (
+          <AlertMessage tone="destructive">
+            {t(($) => $.upload_import.errors.too_many_skills, { count: MAX_LOCAL_SKILL_IMPORT_BATCH })}
+          </AlertMessage>
+        )}
+        {invalidCandidate?.reason === "missing_skill_md" && (
+          <AlertMessage tone="destructive">
+            {t(($) => $.upload_import.errors.no_skill_md)}
+          </AlertMessage>
+        )}
+        {invalidCandidate?.reason === "unreadable_skill_md" && (
+          <AlertMessage tone="destructive">
+            {t(($) => $.upload_import.errors.unreadable_skill_md)}
+          </AlertMessage>
+        )}
+
+        {validCandidates.length === 1 && (
+          <SingleSkillPreview
+            candidate={validCandidates[0]!}
+            onChange={(patch) => setCandidate(validCandidates[0]!.id, patch)}
+          />
+        )}
+        {validCandidates.length > 1 && (
+          <MultiSkillPreview
+            candidates={candidates}
+            selectedCount={selectedCandidates.length}
+            onChange={setCandidate}
+          />
+        )}
+
+        {summary && <ResultSummary summary={summary} />}
+      </div>
+
+      <div className="flex shrink-0 items-center gap-3 border-t bg-muted/30 px-5 py-3">
+        <div className="min-w-0 flex-1 text-xs text-muted-foreground">
+          {selectedCandidates.length > 0
+            ? readyLabel
+            : t(($) => $.upload_import.select_skill)}
+        </div>
+        <Button
+          type="button"
+          size="sm"
+          onClick={handleImport}
+          disabled={selectedCandidates.length === 0 || importing}
+        >
+          {importing ? (
+            <>
+              <Loader2 className="h-3.5 w-3.5 animate-spin" />
+              {t(($) => $.upload_import.importing, { done: doneCount, total: selectedCandidates.length })}
+            </>
+          ) : (
+            t(($) => $.create.url.import)
+          )}
+        </Button>
+      </div>
+    </div>
+  );
+}
+
+function SingleSkillPreview({
+  candidate,
+  onChange,
+}: {
+  candidate: LocalSkillCandidate;
+  onChange: (patch: Partial<LocalSkillCandidate>) => void;
+}) {
+  const { t } = useT("skills");
+  return (
+    <div className="space-y-3">
+      <div className="rounded-lg border bg-card p-3">
+        <div className="grid gap-3 sm:grid-cols-2">
+          <div className="space-y-1">
+            <Label className="text-xs text-muted-foreground">{t(($) => $.upload_import.name_label)}</Label>
+            <Input value={candidate.name} onChange={(event) => onChange({ name: event.target.value })} />
+          </div>
+          <div className="space-y-1">
+            <Label className="text-xs text-muted-foreground">{t(($) => $.upload_import.source_label)}</Label>
+            <Input value={candidate.root || candidate.label} readOnly className="font-mono text-xs" />
+          </div>
+        </div>
+        <div className="mt-3 space-y-1">
+          <Label className="text-xs text-muted-foreground">{t(($) => $.upload_import.description_label)}</Label>
+          <Textarea
+            value={candidate.description}
+            onChange={(event) => onChange({ description: event.target.value })}
+            rows={2}
+            className="resize-none text-sm"
+          />
+        </div>
+        <PreviewMeta candidate={candidate} />
+      </div>
+    </div>
+  );
+}
+
+function MultiSkillPreview({
+  candidates,
+  selectedCount,
+  onChange,
+}: {
+  candidates: LocalSkillCandidate[];
+  selectedCount: number;
+  onChange: (id: string, patch: Partial<LocalSkillCandidate>) => void;
+}) {
+  const { t } = useT("skills");
+  return (
+    <div className="space-y-2">
+      {candidates.map((candidate) => (
+        <div
+          key={candidate.id}
+          className={`rounded-lg border p-3 ${candidate.valid ? "bg-card" : "bg-muted/30 opacity-70"}`}
+        >
+          <div className="flex items-start gap-3">
+            <Checkbox
+              checked={candidate.selected}
+              disabled={!candidate.valid || (!candidate.selected && selectedCount >= MAX_LOCAL_SKILL_IMPORT_BATCH)}
+              onCheckedChange={(checked) => onChange(candidate.id, { selected: checked === true })}
+              className="mt-1"
+            />
+            <div className="min-w-0 flex-1 space-y-2">
+              <div className="grid gap-2 sm:grid-cols-2">
+                <Input
+                  value={candidate.name}
+                  disabled={!candidate.valid}
+                  onChange={(event) => onChange(candidate.id, { name: event.target.value })}
+                  aria-label={t(($) => $.upload_import.name_label)}
+                />
+                <Input
+                  value={candidate.description}
+                  disabled={!candidate.valid}
+                  onChange={(event) => onChange(candidate.id, { description: event.target.value })}
+                  aria-label={t(($) => $.upload_import.description_label)}
+                />
+              </div>
+              <PreviewMeta candidate={candidate} />
+            </div>
+          </div>
+        </div>
+      ))}
+    </div>
+  );
+}
+
+function PreviewMeta({ candidate }: { candidate: LocalSkillCandidate }) {
+  const { t } = useT("skills");
+  const reasonLabels = useResultReasonLabels();
+  return (
+    <div className="mt-3 flex flex-wrap items-center gap-2 text-xs text-muted-foreground">
+      <Badge variant="outline">{t(($) => $.upload_import.primary_file_badge)}</Badge>
+      <Badge variant="secondary">
+        {t(($) => $.upload_import.files_count, { count: candidate.fileCount })}
+      </Badge>
+      {candidate.skipped.length > 0 && (
+        <Badge variant="outline">
+          {t(($) => $.upload_import.skipped_count, { count: candidate.skipped.length })}
+        </Badge>
+      )}
+      {candidate.skipped.length > 0 && (
+        <div className="basis-full space-y-1 pt-1">
+          {candidate.skipped.map((item) => (
+            <div key={`${item.path}-${item.reason}`} className="truncate">
+              {item.path}: {resultReasonLabel(item.reason, reasonLabels)}
+            </div>
+          ))}
+        </div>
+      )}
+    </div>
+  );
+}
+
+function ResultSummary({ summary }: { summary: ImportSummary }) {
+  const reasonLabels = useResultReasonLabels();
+  return (
+    <div className="mt-3 space-y-2">
+      {summary.created.map((item) => (
+        <ResultLine key={`created-${item.skill.id}`} name={item.skill.name} reason={reasonLabels.imported} ok />
+      ))}
+      {summary.skipped.map((item) => (
+        <ResultLine key={`skipped-${item.name}`} name={item.name} reason={resultReasonLabel(item.reason, reasonLabels)} />
+      ))}
+      {summary.failed.map((item) => (
+        <ResultLine key={`failed-${item.name}`} name={item.name} reason={resultReasonLabel(item.reason, reasonLabels)} />
+      ))}
+    </div>
+  );
+}
+
+function ResultLine({ name, reason, ok = false }: { name: string; reason: string; ok?: boolean }) {
+  return (
+    <div className="flex items-center gap-2 rounded-md border px-3 py-2 text-xs">
+      {ok ? (
+        <CheckCircle2 className="h-3.5 w-3.5 text-success" />
+      ) : (
+        <AlertCircle className="h-3.5 w-3.5 text-warning" />
+      )}
+      <span>{name} {reason}</span>
+    </div>
+  );
+}
+
+function AlertMessage({ children }: { children: React.ReactNode; tone: "destructive" }) {
+  return (
+    <div
+      role="alert"
+      className="mb-3 flex items-start gap-2 rounded-md bg-destructive/10 px-3 py-2 text-xs text-destructive"
+    >
+      <AlertCircle className="mt-0.5 h-3.5 w-3.5 shrink-0" />
+      {children}
+    </div>
+  );
+}
+
+function rootLabel(path: string): string {
+  return path.replace(/\\/g, "/").split("/").filter(Boolean)[0] || "upload";
+}
+
+function limitSelectedCandidates(candidates: LocalSkillCandidate[]): LocalSkillCandidate[] {
+  let selectedValidCount = 0;
+  return candidates.map((candidate) => {
+    if (!candidate.valid) return candidate;
+    selectedValidCount += 1;
+    if (selectedValidCount <= MAX_LOCAL_SKILL_IMPORT_BATCH) return candidate;
+    return { ...candidate, selected: false };
+  });
+}
+
+function isZipFile(file: File): boolean {
+  return file.name.toLowerCase().endsWith(".zip") || file.type === "application/zip";
+}
+
+function useResultReasonLabels(): ResultReasonLabels {
+  const { t } = useT("skills");
+  return {
+    already_exists: t(($) => $.upload_import.result_reasons.already_exists),
+    missing_skill_md: t(($) => $.upload_import.result_reasons.missing_skill_md),
+    invalid_file_path: t(($) => $.upload_import.result_reasons.invalid_file_path),
+    hidden_file: t(($) => $.upload_import.result_reasons.hidden_file),
+    metadata_file: t(($) => $.upload_import.result_reasons.metadata_file),
+    absolute_path: t(($) => $.upload_import.result_reasons.absolute_path),
+    path_traversal: t(($) => $.upload_import.result_reasons.path_traversal),
+    file_too_large: t(($) => $.upload_import.result_reasons.file_too_large),
+    binary_file: t(($) => $.upload_import.result_reasons.binary_file),
+    too_many_files: t(($) => $.upload_import.result_reasons.too_many_files),
+    bundle_too_large: t(($) => $.upload_import.result_reasons.bundle_too_large),
+    imported: t(($) => $.upload_import.result_reasons.imported),
+  };
+}
+
+function resultReasonLabel(reason: string, labels: ResultReasonLabels): string {
+  return reason in labels ? labels[reason as keyof ResultReasonLabels] : reason.replaceAll("_", " ");
+}
diff --git a/packages/views/skills/components/skill-columns.tsx b/packages/views/skills/components/skill-columns.tsx
index 2b0cbdae44..e36d662d65 100644
--- a/packages/views/skills/components/skill-columns.tsx
+++ b/packages/views/skills/components/skill-columns.tsx
@@ -209,6 +209,11 @@ function SourceCell({
   } else if (origin.type === "github") {
     icon = <Download className="h-3 w-3 shrink-0" />;
     label = t(($) => $.table.source_github);
+  } else if (origin.type === "uploaded_bundle") {
+    icon = <Download className="h-3 w-3 shrink-0" />;
+    label = origin.label
+      ? t(($) => $.table.source_uploaded_bundle_named, { label: origin.label })
+      : t(($) => $.table.source_uploaded_bundle);
   }
 
   return (
diff --git a/packages/views/skills/components/skill-detail-page.tsx b/packages/views/skills/components/skill-detail-page.tsx
index afd585a501..5c2cd28d7d 100644
--- a/packages/views/skills/components/skill-detail-page.tsx
+++ b/packages/views/skills/components/skill-detail-page.tsx
@@ -201,7 +201,9 @@ function OriginSidebarCard({
         ? t(($) => $.detail.origin_card.imported_clawhub)
         : origin.type === "github"
           ? t(($) => $.detail.origin_card.imported_github)
-          : t(($) => $.detail.origin_card.imported_skills_sh);
+          : origin.type === "uploaded_bundle"
+            ? t(($) => $.detail.origin_card.imported_uploaded_bundle)
+            : t(($) => $.detail.origin_card.imported_skills_sh);
 
   return (
     <div className="rounded-md border bg-muted/30 p-3">
@@ -228,6 +230,11 @@ function OriginSidebarCard({
           {origin.source_url}
         </div>
       )}
+      {origin.label && (
+        <div className="mt-1 break-all font-mono text-xs text-foreground">
+          {origin.label}
+        </div>
+      )}
       {origin.provider && (
         <div className="mt-1 font-mono text-xs text-muted-foreground">
           {t(($) => $.detail.origin_card.provider, { provider: origin.provider })}
@@ -547,6 +554,11 @@ export function SkillDetailPage({ skillId }: { skillId: string }) {
     if (origin.type === "clawhub") return t(($) => $.detail.subline.origin_clawhub);
     if (origin.type === "skills_sh") return t(($) => $.detail.subline.origin_skills_sh);
     if (origin.type === "github") return t(($) => $.detail.subline.origin_github);
+    if (origin.type === "uploaded_bundle") {
+      return origin.label
+        ? t(($) => $.detail.subline.origin_uploaded_bundle_named, { label: origin.label })
+        : t(($) => $.detail.subline.origin_uploaded_bundle);
+    }
     return t(($) => $.detail.subline.origin_workspace);
   })();
 
diff --git a/packages/views/skills/lib/origin.test.ts b/packages/views/skills/lib/origin.test.ts
new file mode 100644
index 0000000000..6c8ecdc8f1
--- /dev/null
+++ b/packages/views/skills/lib/origin.test.ts
@@ -0,0 +1,21 @@
+import { describe, expect, it } from "vitest";
+
+import { readOrigin } from "./origin";
+
+describe("readOrigin", () => {
+  it("preserves uploaded bundle origins", () => {
+    expect(
+      readOrigin({
+        config: {
+          origin: {
+            type: "uploaded_bundle",
+            label: "team.zip/review-helper",
+          },
+        },
+      } as never),
+    ).toEqual({
+      type: "uploaded_bundle",
+      label: "team.zip/review-helper",
+    });
+  });
+});
diff --git a/packages/views/skills/lib/origin.ts b/packages/views/skills/lib/origin.ts
index 46ca49b2bf..02e02e4c83 100644
--- a/packages/views/skills/lib/origin.ts
+++ b/packages/views/skills/lib/origin.ts
@@ -7,7 +7,14 @@ import type { Skill, SkillSummary } from "@multica/core/types";
  * `{ type: "manual" }` for them to keep the consumer code uniform.
  */
 export type OriginInfo = {
-  type: "runtime_local" | "clawhub" | "skills_sh" | "github" | "manual";
+  type:
+    | "runtime_local"
+    | "clawhub"
+    | "skills_sh"
+    | "github"
+    | "uploaded_bundle"
+    | "manual";
+  label?: string;
   provider?: string;
   runtime_id?: string;
   source_path?: string;
@@ -22,6 +29,7 @@ export function readOrigin(skill: SkillSummary): OriginInfo {
   if (raw?.type === "clawhub") return raw;
   if (raw?.type === "skills_sh") return raw;
   if (raw?.type === "github") return raw;
+  if (raw?.type === "uploaded_bundle") return raw;
   return { type: "manual" };
 }
 
diff --git a/packages/views/skills/utils/local-skill-upload.test.ts b/packages/views/skills/utils/local-skill-upload.test.ts
new file mode 100644
index 0000000000..225d23ae62
--- /dev/null
+++ b/packages/views/skills/utils/local-skill-upload.test.ts
@@ -0,0 +1,525 @@
+import { describe, expect, it } from "vitest";
+import JSZip from "jszip";
+import {
+  buildLocalSkillCandidates,
+  normalizeUploadPath,
+  parseSkillFrontmatter,
+  readZipFile,
+} from "./local-skill-upload";
+
+describe("local skill upload parser", () => {
+  it("parses yaml frontmatter defaults", () => {
+    expect(parseSkillFrontmatter("---\nname: Code Review\ndescription: Reviews PRs\n---\nBody")).toEqual({
+      name: "Code Review",
+      description: "Reviews PRs",
+    });
+  });
+
+  it("groups a selected root folder that contains SKILL.md", async () => {
+    const candidates = await buildLocalSkillCandidates(
+      [
+        file("review-helper/SKILL.md", "---\nname: Review Helper\n---\nBody"),
+        file("review-helper/templates/check.md", "check"),
+      ],
+      "review-helper",
+    );
+
+    expect(candidates).toHaveLength(1);
+    expect(candidates[0]).toMatchObject({
+      root: "review-helper",
+      label: "review-helper",
+      valid: true,
+      name: "Review Helper",
+      fileCount: 2,
+    });
+    expect(candidates[0]?.files).toEqual([{ path: "templates/check.md", content: "check" }]);
+  });
+
+  it("keeps supporting files for root-level skill bundles", async () => {
+    const candidates = await buildLocalSkillCandidates(
+      [
+        file("SKILL.md", "---\nname: Root Skill\n---\nBody"),
+        file("templates/check.md", "check"),
+      ],
+      "root-skill.zip",
+    );
+
+    expect(candidates).toHaveLength(1);
+    expect(candidates[0]).toMatchObject({
+      root: "",
+      label: "root-skill.zip",
+      valid: true,
+      name: "Root Skill",
+      fileCount: 2,
+    });
+    expect(candidates[0]?.files).toEqual([{ path: "templates/check.md", content: "check" }]);
+  });
+
+  it("uses the source label for unnamed root-level skill bundles", async () => {
+    const candidates = await buildLocalSkillCandidates(
+      [file("SKILL.md", "# Review Helper")],
+      "review-helper.zip",
+    );
+
+    expect(candidates[0]).toMatchObject({
+      root: "",
+      label: "review-helper.zip",
+      valid: true,
+      name: "review-helper.zip",
+    });
+  });
+
+  it("counts SKILL.md in the displayed file count", async () => {
+    const candidates = await buildLocalSkillCandidates(
+      [file("review-helper/SKILL.md", "# Review Helper")],
+      "review-helper",
+    );
+
+    expect(candidates[0]).toMatchObject({
+      valid: true,
+      fileCount: 1,
+    });
+    expect(candidates[0]?.files).toEqual([]);
+  });
+
+  it("groups multiple child skill roots", async () => {
+    const candidates = await buildLocalSkillCandidates(
+      [
+        file("team/review/SKILL.md", "# Review"),
+        file("team/docs/SKILL.md", "# Docs"),
+        file("team/notes.txt", "ignored"),
+      ],
+      "team",
+    );
+
+    expect(candidates.map((c) => c.root)).toEqual(["team/docs", "team/review"]);
+    expect(candidates.map((c) => c.label)).toEqual(["team/docs", "team/review"]);
+  });
+
+  it("keeps zip source labels before skill roots", async () => {
+    const candidates = await buildLocalSkillCandidates(
+      [file("team/review/SKILL.md", "# Review")],
+      "team.zip",
+    );
+
+    expect(candidates[0]?.label).toBe("team.zip/team/review");
+  });
+
+  it("keeps nested SKILL.md files inside an already detected parent skill", async () => {
+    const candidates = await buildLocalSkillCandidates(
+      [
+        file("team/top/SKILL.md", "---\nname: Top\n---\n# Top"),
+        file("team/top/templates/SKILL.md", "# Template"),
+        file("team/release/reporter/SKILL.md", "---\nname: Release Reporter\n---\n# Reporter"),
+      ],
+      "team",
+    );
+
+    expect(candidates.map((c) => c.root)).toEqual(["team/release/reporter", "team/top"]);
+    expect(candidates.find((c) => c.root === "team/top")?.files).toEqual([
+      { path: "templates/SKILL.md", content: "# Template" },
+    ]);
+  });
+
+  it("skips hidden, binary, oversized, and traversal files", async () => {
+    const candidates = await buildLocalSkillCandidates(
+      [
+        file("review/SKILL.md", "# Review"),
+        file("review/.DS_Store", "ignored"),
+        file("review/../secret.md", "bad"),
+        file("review/binary.dat", "hello\u0000world"),
+        file("review/large.txt", "x".repeat(1024 * 1024 + 1)),
+      ],
+      "review",
+    );
+
+    expect(candidates[0]?.files).toEqual([]);
+    expect(candidates[0]?.skipped.map((s) => s.reason)).toEqual([
+      "hidden_file",
+      "path_traversal",
+      "binary_file",
+      "file_too_large",
+    ]);
+  });
+
+  it("skips files with invalid UTF-8 bytes", async () => {
+    const candidates = await buildLocalSkillCandidates(
+      [
+        file("review/SKILL.md", "# Review"),
+        bytesFile("review/binary.dat", [0xff, 0xfe, 0xfd]),
+      ],
+      "review",
+    );
+
+    expect(candidates[0]?.files).toEqual([]);
+    expect(candidates[0]?.skipped).toEqual([
+      { path: "review/binary.dat", reason: "binary_file" },
+    ]);
+  });
+
+  it("surfaces an oversized primary SKILL.md selection", async () => {
+    const candidates = await buildLocalSkillCandidates(
+      [file("review/SKILL.md", "x".repeat(1024 * 1024 + 1))],
+      "review",
+    );
+
+    expect(candidates).toHaveLength(1);
+    expect(candidates[0]).toMatchObject({
+      valid: false,
+      reason: "unreadable_skill_md",
+      fileCount: 0,
+      files: [],
+      skipped: [{ path: "review/SKILL.md", reason: "file_too_large" }],
+    });
+  });
+
+  it("surfaces an unreadable primary SKILL.md selection", async () => {
+    const candidates = await buildLocalSkillCandidates(
+      [bytesFile("review/SKILL.md", [0xff, 0xfe, 0xfd])],
+      "review",
+    );
+
+    expect(candidates).toHaveLength(1);
+    expect(candidates[0]).toMatchObject({
+      valid: false,
+      reason: "unreadable_skill_md",
+      fileCount: 0,
+      files: [],
+      skipped: [{ path: "review/SKILL.md", reason: "binary_file" }],
+    });
+  });
+
+  it("counts aggregate bundle size in UTF-8 bytes", async () => {
+    const candidates = await buildLocalSkillCandidates(
+      [
+        file("review/SKILL.md", "# Review"),
+        ...Array.from({ length: 9 }, (_, index) =>
+          file(`review/templates/${index}.md`, "你".repeat(340_000)),
+        ),
+      ],
+      "review",
+    );
+
+    expect(candidates[0]?.files).toHaveLength(8);
+    expect(candidates[0]?.skipped).toEqual([
+      { path: "review/templates/8.md", reason: "bundle_too_large" },
+    ]);
+  });
+
+  it("does not read folder files past the per-skill file cap", async () => {
+    const counter = { reads: 0 };
+    const candidates = await buildLocalSkillCandidates(
+      [
+        countedFile("review/SKILL.md", "# Review", counter),
+        ...Array.from({ length: 130 }, (_, index) =>
+          countedFile(`review/templates/${index}.md`, `template-${index}`, counter),
+        ),
+      ],
+      "review",
+    );
+
+    expect(counter.reads).toBe(129);
+    expect(candidates[0]?.files).toHaveLength(128);
+    expect(candidates[0]?.skipped).toEqual([
+      { path: "review/templates/128.md", reason: "too_many_files" },
+      { path: "review/templates/129.md", reason: "too_many_files" },
+    ]);
+  });
+
+  it("does not read folder files past the per-skill byte budget", async () => {
+    const counter = { reads: 0 };
+    const candidates = await buildLocalSkillCandidates(
+      [
+        countedFile("review/SKILL.md", "# Review", counter),
+        ...Array.from({ length: 10 }, (_, index) =>
+          countedFile(`review/templates/${index}.md`, "你".repeat(340_000), counter),
+        ),
+      ],
+      "review",
+    );
+
+    expect(counter.reads).toBeLessThan(11);
+    expect(candidates[0]?.files.length).toBeLessThanOrEqual(8);
+    const skippedBundleLarge = candidates[0]?.skipped.filter(
+      (s) => s.reason === "bundle_too_large",
+    );
+    expect(skippedBundleLarge?.length).toBeGreaterThan(0);
+  });
+
+  it("reports unreadable primary SKILL.md with a specific reason", async () => {
+    const candidates = await buildLocalSkillCandidates(
+      [bytesFile("review/SKILL.md", [0xff, 0xfe, 0xfd])],
+      "review",
+    );
+
+    expect(candidates).toHaveLength(1);
+    expect(candidates[0]).toMatchObject({
+      valid: false,
+      reason: "unreadable_skill_md",
+    });
+  });
+
+  it("reports oversized primary SKILL.md with a specific reason", async () => {
+    const candidates = await buildLocalSkillCandidates(
+      [file("review/SKILL.md", "x".repeat(1024 * 1024 + 1))],
+      "review",
+    );
+
+    expect(candidates).toHaveLength(1);
+    expect(candidates[0]).toMatchObject({
+      valid: false,
+      reason: "unreadable_skill_md",
+    });
+  });
+
+  it("reports oversized SKILL.md from zip with a specific reason", async () => {
+    const zip = new JSZip();
+    zip.file("SKILL.md", "x".repeat(1024 * 1024 + 1));
+    const blob = await zip.generateAsync({ type: "blob", compression: "DEFLATE" });
+
+    const entries = await readZipFile(new File([blob], "skill.zip"));
+    const candidates = await buildLocalSkillCandidates(entries, "skill.zip");
+
+    expect(candidates).toHaveLength(1);
+    expect(candidates[0]).toMatchObject({
+      valid: false,
+      reason: "unreadable_skill_md",
+    });
+  });
+
+  it("rejects absolute and traversal paths during normalization", () => {
+    expect(normalizeUploadPath("/tmp/SKILL.md")).toEqual({ ok: false, reason: "absolute_path" });
+    expect(normalizeUploadPath("skill/../../secret.md")).toEqual({
+      ok: false,
+      reason: "path_traversal",
+    });
+  });
+
+  it("rejects zip entries whose original name contains traversal", async () => {
+    const zip = new JSZip();
+    zip.file("skill/../SKILL.md", "# Traversal");
+    const blob = await zip.generateAsync({ type: "blob" });
+
+    await expect(readZipFile(new File([blob], "skill.zip"))).rejects.toThrow("path_traversal");
+  });
+
+  it("marks oversized zip entries without inflating them", async () => {
+    const zip = new JSZip();
+    zip.file("SKILL.md", "# Review");
+    zip.file("templates/large.md", "x".repeat(1024 * 1024 + 1));
+    const blob = await zip.generateAsync({ type: "blob", compression: "DEFLATE" });
+
+    const entries = await readZipFile(new File([blob], "skill.zip"));
+    const candidates = await buildLocalSkillCandidates(entries, "skill.zip");
+
+    expect(entries.find((entry) => entry.path === "templates/large.md")?.file).toBeUndefined();
+    expect(candidates).toHaveLength(1);
+    expect(candidates[0]).toMatchObject({
+      root: "",
+      valid: true,
+      fileCount: 1,
+    });
+    expect(candidates[0]?.files).toEqual([]);
+    expect(candidates[0]?.skipped).toEqual([
+      { path: "templates/large.md", reason: "file_too_large" },
+    ]);
+  });
+
+  it("surfaces an oversized primary SKILL.md from a zip", async () => {
+    const zip = new JSZip();
+    zip.file("SKILL.md", "x".repeat(1024 * 1024 + 1));
+    const blob = await zip.generateAsync({ type: "blob", compression: "DEFLATE" });
+
+    const entries = await readZipFile(new File([blob], "skill.zip"));
+    const candidates = await buildLocalSkillCandidates(entries, "skill.zip");
+
+    expect(entries).toEqual([{ path: "SKILL.md", skippedReason: "file_too_large" }]);
+    expect(candidates).toHaveLength(1);
+    expect(candidates[0]).toMatchObject({
+      root: "",
+      label: "skill.zip",
+      valid: false,
+      reason: "unreadable_skill_md",
+      fileCount: 0,
+      files: [],
+      skipped: [{ path: "SKILL.md", reason: "file_too_large" }],
+    });
+  });
+
+  it("keeps oversized zip SKILL.md markers alongside valid skills", async () => {
+    const zip = new JSZip();
+    zip.file("review/SKILL.md", "# Review");
+    zip.file("broken/SKILL.md", "x".repeat(1024 * 1024 + 1));
+    const blob = await zip.generateAsync({ type: "blob", compression: "DEFLATE" });
+
+    const entries = await readZipFile(new File([blob], "skills.zip"));
+    const candidates = await buildLocalSkillCandidates(entries, "skills.zip");
+
+    expect(entries.find((entry) => entry.path === "broken/SKILL.md")).toEqual({
+      path: "broken/SKILL.md",
+      skippedReason: "file_too_large",
+    });
+    expect(candidates.map((candidate) => candidate.root)).toEqual(["broken", "review"]);
+    expect(candidates.find((candidate) => candidate.root === "broken")).toMatchObject({
+      valid: false,
+      skipped: [{ path: "broken/SKILL.md", reason: "file_too_large" }],
+    });
+    expect(candidates.find((candidate) => candidate.root === "review")).toMatchObject({
+      valid: true,
+      fileCount: 1,
+    });
+  });
+
+  it("allows zip imports with multiple skills under the per-skill file cap", async () => {
+    const zip = new JSZip();
+    zip.file("review/SKILL.md", "# Review");
+    zip.file("docs/SKILL.md", "# Docs");
+    for (let index = 0; index < 70; index += 1) {
+      zip.file(`review/templates/${index}.md`, "review");
+      zip.file(`docs/templates/${index}.md`, "docs");
+    }
+    const blob = await zip.generateAsync({ type: "blob" });
+    const buffer = await blob.arrayBuffer();
+
+    await expect(readZipFile(new File([buffer], "skills.zip"))).resolves.toHaveLength(142);
+  });
+
+  it("marks excess zip entries without rejecting the skill", async () => {
+    const zip = new JSZip();
+    zip.file("SKILL.md", "# Review");
+    for (let index = 0; index < 130; index += 1) {
+      zip.file(`templates/${index}.md`, "template");
+    }
+    const blob = await zip.generateAsync({ type: "blob" });
+
+    const entries = await readZipFile(new File([blob], "skill.zip"));
+    const candidates = await buildLocalSkillCandidates(entries, "skill.zip");
+
+    expect(candidates).toHaveLength(1);
+    expect(candidates[0]).toMatchObject({
+      root: "",
+      valid: true,
+      fileCount: 129,
+    });
+    expect(candidates[0]?.files).toHaveLength(128);
+    expect(candidates[0]?.skipped).toEqual([
+      { path: "templates/128.md", reason: "too_many_files" },
+      { path: "templates/129.md", reason: "too_many_files" },
+    ]);
+  });
+
+  it("does not let skipped zip entries consume the supporting file budget", async () => {
+    const zip = new JSZip();
+    zip.file("SKILL.md", "# Review");
+    for (let index = 0; index < 128; index += 1) {
+      zip.file(`.hidden/${index}.md`, "ignored");
+    }
+    zip.file("templates/real.md", "real content");
+    const blob = await zip.generateAsync({ type: "blob" });
+
+    const entries = await readZipFile(new File([blob], "skill.zip"));
+    const candidates = await buildLocalSkillCandidates(entries, "skill.zip");
+
+    expect(candidates).toHaveLength(1);
+    expect(candidates[0]?.files).toEqual([{ path: "templates/real.md", content: "real content" }]);
+    expect(candidates[0]?.skipped).toHaveLength(128);
+    expect(candidates[0]?.skipped.every((item) => item.reason === "hidden_file")).toBe(true);
+  });
+
+  it("does not let binary zip files consume the supporting file budget", async () => {
+    const zip = new JSZip();
+    zip.file("SKILL.md", "# Review");
+    for (let index = 0; index < 128; index += 1) {
+      zip.file(`templates/${index}.bin`, new Uint8Array([0xff, 0xfe, 0xfd]));
+    }
+    zip.file("templates/real.md", "real content");
+    const blob = await zip.generateAsync({ type: "blob" });
+
+    const entries = await readZipFile(new File([blob], "skill.zip"));
+    const candidates = await buildLocalSkillCandidates(entries, "skill.zip");
+
+    expect(candidates).toHaveLength(1);
+    expect(candidates[0]?.files).toEqual([{ path: "templates/real.md", content: "real content" }]);
+    const binarySkipped = candidates[0]?.skipped.filter((s) => s.reason === "binary_file");
+    expect(binarySkipped).toHaveLength(128);
+  });
+
+  it("enforces per-root byte budget before inflating zip entries", async () => {
+    const zip = new JSZip();
+    zip.file("SKILL.md", "# Review");
+    for (let index = 0; index < 10; index += 1) {
+      zip.file(`templates/${index}.md`, "x".repeat(1_000_000));
+    }
+    const blob = await zip.generateAsync({ type: "blob", compression: "DEFLATE" });
+
+    const entries = await readZipFile(new File([blob], "skill.zip"));
+
+    const inflatedCount = entries.filter((e) => e.file).length;
+    const skippedBundleLarge = entries.filter((e) => e.skippedReason === "bundle_too_large");
+    expect(inflatedCount).toBeLessThan(12);
+    expect(skippedBundleLarge.length).toBeGreaterThan(0);
+  });
+
+  it("skips hidden zip entries without inflating them", async () => {
+    const zip = new JSZip();
+    zip.file("SKILL.md", "# Review");
+    zip.file(".hidden/secret.md", "x".repeat(500_000));
+    zip.file("templates/real.md", "real content");
+    const blob = await zip.generateAsync({ type: "blob" });
+
+    const entries = await readZipFile(new File([blob], "skill.zip"));
+
+    const hiddenEntry = entries.find((e) => e.path === ".hidden/secret.md");
+    expect(hiddenEntry?.file).toBeUndefined();
+    expect(hiddenEntry?.skippedReason).toBe("hidden_file");
+    const realEntry = entries.find((e) => e.path === "templates/real.md");
+    expect(realEntry?.file).toBeDefined();
+  });
+
+  it("ignores zip entries outside detected skill roots", async () => {
+    const zip = new JSZip();
+    zip.file("skill/SKILL.md", "# Review");
+    zip.file("skill/templates/real.md", "real content");
+    zip.file("unrelated/large.txt", "x".repeat(1024 * 1024));
+    const blob = await zip.generateAsync({ type: "blob" });
+
+    const entries = await readZipFile(new File([blob], "skill.zip"));
+
+    expect(entries.map((entry) => entry.path).sort()).toEqual([
+      "skill/SKILL.md",
+      "skill/templates/real.md",
+    ]);
+  });
+});
+
+function file(path: string, content: string): File & { webkitRelativePath: string } {
+  const value = new File([content], path.split("/").at(-1) ?? "file.txt", { type: "text/plain" });
+  Object.defineProperty(value, "webkitRelativePath", { value: path });
+  return value as File & { webkitRelativePath: string };
+}
+
+function bytesFile(path: string, bytes: number[]): File & { webkitRelativePath: string } {
+  const buffer = new ArrayBuffer(bytes.length);
+  new Uint8Array(buffer).set(bytes);
+  const value = new File([buffer], path.split("/").at(-1) ?? "file.bin", {
+    type: "application/octet-stream",
+  });
+  Object.defineProperty(value, "webkitRelativePath", { value: path });
+  return value as File & { webkitRelativePath: string };
+}
+
+function countedFile(
+  path: string,
+  content: string,
+  counter: { reads: number },
+): File & { webkitRelativePath: string } {
+  const value = file(path, content);
+  const originalArrayBuffer = value.arrayBuffer.bind(value);
+  Object.defineProperty(value, "arrayBuffer", {
+    value: async () => {
+      counter.reads += 1;
+      return originalArrayBuffer();
+    },
+  });
+  return value;
+}
diff --git a/packages/views/skills/utils/local-skill-upload.ts b/packages/views/skills/utils/local-skill-upload.ts
new file mode 100644
index 0000000000..2f7ea902d6
--- /dev/null
+++ b/packages/views/skills/utils/local-skill-upload.ts
@@ -0,0 +1,506 @@
+import JSZip from "jszip";
+import type { ImportLocalSkillRequest } from "@multica/core/types";
+
+export const MAX_SKILL_FILE_BYTES = 1024 * 1024;
+export const MAX_SKILL_FILES = 128;
+export const MAX_SKILL_ACCEPTED_BYTES = 8 * 1024 * 1024;
+export const MAX_LOCAL_SKILL_IMPORT_BATCH = 16;
+
+export interface LocalSkillInputFile {
+  path: string;
+  file?: File;
+  skippedReason?: SkippedLocalSkillFileReason;
+}
+
+export type SkippedLocalSkillFileReason =
+  | "hidden_file"
+  | "metadata_file"
+  | "absolute_path"
+  | "path_traversal"
+  | "file_too_large"
+  | "binary_file"
+  | "too_many_files"
+  | "bundle_too_large";
+
+export interface SkippedLocalSkillFile {
+  path: string;
+  reason: SkippedLocalSkillFileReason;
+}
+
+export interface LocalSkillCandidate {
+  id: string;
+  root: string;
+  label: string;
+  valid: boolean;
+  reason?: "missing_skill_md" | "unreadable_skill_md" | "all_files_skipped";
+  name: string;
+  description: string;
+  content: string;
+  fileCount: number;
+  files: { path: string; content: string }[];
+  skipped: SkippedLocalSkillFile[];
+  selected: boolean;
+}
+
+interface InvalidSkillGroup {
+  root: string;
+  skipped: SkippedLocalSkillFile[];
+}
+
+type NormalizedUploadPath =
+  | { ok: true; path: string }
+  | { ok: false; reason: "absolute_path" | "path_traversal" };
+
+interface ReadUploadFile {
+  path: string;
+  content: string;
+}
+
+interface SkillGroup {
+  root: string;
+  skillFile: ReadUploadFile;
+  files: ReadUploadFile[];
+  skipped: SkippedLocalSkillFile[];
+}
+
+const metadataFiles = new Set(["thumbs.db", "desktop.ini"]);
+const textEncoder = new TextEncoder();
+const utf8Decoder = new TextDecoder("utf-8", { fatal: true });
+
+export function parseSkillFrontmatter(content: string): { name?: string; description?: string } {
+  const match = content.match(/^---\r?\n([\s\S]*?)\r?\n---/);
+  if (!match) return {};
+
+  const result: { name?: string; description?: string } = {};
+  const frontmatter = match[1] ?? "";
+  for (const line of frontmatter.split(/\r?\n/)) {
+    const field = line.match(/^(name|description):\s*(.+?)\s*$/);
+    if (!field) continue;
+    const key = field[1] as "name" | "description";
+    result[key] = (field[2] ?? "").replace(/^["']|["']$/g, "").trim();
+  }
+  return result;
+}
+
+export function normalizeUploadPath(path: string): NormalizedUploadPath {
+  const normalized = path.replace(/\\/g, "/").replace(/^\.\/+/, "");
+  if (normalized.startsWith("/") || /^[a-zA-Z]:\//.test(normalized)) {
+    return { ok: false, reason: "absolute_path" };
+  }
+  const parts = normalized.split("/").filter(Boolean);
+  if (parts.includes("..")) {
+    return { ok: false, reason: "path_traversal" };
+  }
+  return { ok: true, path: parts.join("/") };
+}
+
+export async function buildLocalSkillCandidates(
+  files: File[] | LocalSkillInputFile[],
+  sourceLabel: string,
+): Promise<LocalSkillCandidate[]> {
+  const skipped: SkippedLocalSkillFile[] = [];
+  const normalizedInputs: LocalSkillInputFile[] = [];
+
+  for (const item of files) {
+    const input = toInputFile(item);
+    const normalized = normalizeUploadPath(input.path);
+    if (!normalized.ok) {
+      skipped.push({ path: input.path, reason: normalized.reason });
+      continue;
+    }
+    if (isHiddenPath(normalized.path)) {
+      skipped.push({ path: normalized.path, reason: "hidden_file" });
+      continue;
+    }
+    if (isMetadataFile(normalized.path)) {
+      skipped.push({ path: normalized.path, reason: "metadata_file" });
+      continue;
+    }
+    normalizedInputs.push({ ...input, path: normalized.path });
+  }
+
+  const skillRoots = normalizedInputs
+    .filter((input) =>
+      basename(input.path) === "SKILL.md" &&
+      (input.skippedReason !== undefined ||
+        (!!input.file && input.file.size <= MAX_SKILL_FILE_BYTES)),
+    )
+    .map((input) => dirname(input.path))
+    .sort()
+    .filter((root, index, roots) => !hasAncestorSkillRoot(root, roots.slice(0, index)));
+
+  const readFiles: ReadUploadFile[] = [];
+  const supportingFileCountsByRoot = new Map<string, number>();
+  const bytesByRoot = new Map<string, number>();
+
+  for (const input of normalizedInputs) {
+    if (input.skippedReason) {
+      skipped.push({ path: input.path, reason: input.skippedReason });
+      continue;
+    }
+    if (!input.file) continue;
+    const root = nearestSkillRoot(input.path, skillRoots);
+    if (root === null) {
+      if (basename(input.path) === "SKILL.md" && input.file.size > MAX_SKILL_FILE_BYTES) {
+        skipped.push({ path: input.path, reason: "file_too_large" });
+      }
+      continue;
+    }
+    if (input.file.size > MAX_SKILL_FILE_BYTES) {
+      skipped.push({ path: input.path, reason: "file_too_large" });
+      continue;
+    }
+
+    const isSupportingFile = input.path !== joinPath(root, "SKILL.md");
+    if (isSupportingFile && (supportingFileCountsByRoot.get(root) ?? 0) >= MAX_SKILL_FILES) {
+      skipped.push({ path: input.path, reason: "too_many_files" });
+      continue;
+    }
+    if (isSupportingFile && (bytesByRoot.get(root) ?? 0) >= MAX_SKILL_ACCEPTED_BYTES) {
+      skipped.push({ path: input.path, reason: "bundle_too_large" });
+      continue;
+    }
+
+    const content = await readUtf8Text(input.file);
+    if (content === null) {
+      skipped.push({ path: input.path, reason: "binary_file" });
+      continue;
+    }
+    if (content.includes("\u0000")) {
+      skipped.push({ path: input.path, reason: "binary_file" });
+      continue;
+    }
+    if (isSupportingFile) {
+      supportingFileCountsByRoot.set(root, (supportingFileCountsByRoot.get(root) ?? 0) + 1);
+    }
+    const fileBytes = utf8ByteLength(content);
+    bytesByRoot.set(root, (bytesByRoot.get(root) ?? 0) + fileBytes);
+    readFiles.push({ path: input.path, content: content.replaceAll("\u0000", "") });
+  }
+
+  if (skillRoots.length === 0) {
+    const hasSkippedSkillMd = skipped.some(
+      (s) => basename(s.path) === "SKILL.md" && (s.reason === "binary_file" || s.reason === "file_too_large"),
+    );
+    return [
+      {
+        id: "missing-skill-md",
+        root: sourceLabel,
+        label: sourceLabel,
+        valid: false,
+        reason: hasSkippedSkillMd ? "unreadable_skill_md" : "missing_skill_md",
+        name: folderName(sourceLabel),
+        description: "",
+        content: "",
+        fileCount: 0,
+        files: [],
+        skipped,
+        selected: false,
+      },
+    ];
+  }
+
+  const groups = new Map<string, SkillGroup>();
+  const invalidGroups = new Map<string, InvalidSkillGroup>();
+  for (const root of skillRoots) {
+    const skillFile = readFiles.find((file) => file.path === joinPath(root, "SKILL.md"));
+    if (skillFile) {
+      groups.set(root, { root, skillFile, files: [], skipped: [] });
+    } else {
+      invalidGroups.set(root, { root, skipped: [] });
+    }
+  }
+
+  for (const file of readFiles) {
+    const root = nearestSkillRoot(file.path, skillRoots);
+    if (root === null) continue;
+    if (file.path === joinPath(root, "SKILL.md")) continue;
+    groups.get(root)?.files.push({
+      path: relativePath(root, file.path),
+      content: file.content,
+    });
+  }
+
+  for (const item of skipped) {
+    const root = nearestSkillRoot(item.path, skillRoots);
+    if (root !== null) {
+      groups.get(root)?.skipped.push(item);
+      invalidGroups.get(root)?.skipped.push(item);
+    }
+  }
+
+  return [
+    ...Array.from(groups.values()).map((group) => buildCandidate(group, sourceLabel)),
+    ...Array.from(invalidGroups.values()).map((group) => buildInvalidCandidate(group, sourceLabel)),
+  ].sort((a, b) => a.root.localeCompare(b.root));
+}
+
+export function candidateToImportRequest(candidate: LocalSkillCandidate): ImportLocalSkillRequest {
+  return {
+    name: candidate.name,
+    description: candidate.description,
+    content: candidate.content,
+    files: candidate.files,
+    source: { type: "uploaded_bundle", label: candidate.label },
+  };
+}
+
+export async function readZipFile(file: File): Promise<LocalSkillInputFile[]> {
+  const zip = await JSZip.loadAsync(await file.arrayBuffer());
+  const entries: LocalSkillInputFile[] = [];
+  const fileEntries = Object.values(zip.files).filter((entry) => !entry.dir);
+  const normalizedEntries: {
+    entry?: JSZip.JSZipObject;
+    path: string;
+    skippedReason?: SkippedLocalSkillFileReason;
+  }[] = [];
+
+  for (const entry of fileEntries) {
+    const unsafeName = (entry as typeof entry & { unsafeOriginalName?: string }).unsafeOriginalName ?? entry.name;
+    const original = normalizeUploadPath(unsafeName);
+    if (!original.ok) {
+      throw new Error(original.reason);
+    }
+    const normalized = normalizeUploadPath(entry.name);
+    if (!normalized.ok) {
+      throw new Error(normalized.reason);
+    }
+    if (zipEntryUncompressedSize(entry) > MAX_SKILL_FILE_BYTES) {
+      normalizedEntries.push({
+        path: normalized.path,
+        skippedReason: "file_too_large",
+      });
+      continue;
+    }
+    normalizedEntries.push({ entry, path: normalized.path });
+  }
+
+  const skillRoots = normalizedEntries
+    .filter((item) => basename(item.path) === "SKILL.md" && (item.entry || item.skippedReason))
+    .map((item) => dirname(item.path))
+    .sort()
+    .filter((root, index, roots) => !hasAncestorSkillRoot(root, roots.slice(0, index)));
+
+  const bytesByRoot = new Map<string, number>();
+  const fileCountsByRoot = new Map<string, number>();
+  for (const { entry, path, skippedReason } of normalizedEntries) {
+    const root = nearestSkillRoot(path, skillRoots);
+    if (root === null) continue;
+    if (skippedReason) {
+      entries.push({ path, skippedReason });
+      continue;
+    }
+    if (!entry) continue;
+    if (isHiddenPath(path) || isMetadataFile(path)) {
+      entries.push({
+        path,
+        skippedReason: isHiddenPath(path) ? "hidden_file" : "metadata_file",
+      });
+      continue;
+    }
+    const isSupportingFile = path !== joinPath(root, "SKILL.md");
+    if (isSupportingFile && (bytesByRoot.get(root) ?? 0) >= MAX_SKILL_ACCEPTED_BYTES) {
+      entries.push({ path, skippedReason: "bundle_too_large" });
+      continue;
+    }
+    if (isSupportingFile && (fileCountsByRoot.get(root) ?? 0) >= MAX_SKILL_FILES * 2) {
+      entries.push({ path, skippedReason: "too_many_files" });
+      continue;
+    }
+    const blob = await entry.async("blob");
+    bytesByRoot.set(root, (bytesByRoot.get(root) ?? 0) + zipEntryUncompressedSize(entry));
+    if (isSupportingFile) {
+      fileCountsByRoot.set(root, (fileCountsByRoot.get(root) ?? 0) + 1);
+    }
+    entries.push({
+      path,
+      file: new File([blob], basename(path)),
+    });
+  }
+  return entries;
+}
+
+function zipEntryUncompressedSize(entry: JSZip.JSZipObject): number {
+  const withData = entry as JSZip.JSZipObject & {
+    _data?: { uncompressedSize?: number };
+  };
+  return withData._data?.uncompressedSize ?? 0;
+}
+
+export async function filesFromDataTransfer(items: DataTransferItemList): Promise<LocalSkillInputFile[]> {
+  const files: LocalSkillInputFile[] = [];
+  for (const item of Array.from(items)) {
+    const entry = getDroppedEntry(item);
+    if (entry) {
+      files.push(...(await readEntry(entry, "")));
+      continue;
+    }
+    const file = item.getAsFile();
+    if (file) files.push({ path: file.name, file });
+  }
+  return files;
+}
+
+function buildCandidate(group: SkillGroup, sourceLabel: string): LocalSkillCandidate {
+  const defaults = parseSkillFrontmatter(group.skillFile.content);
+  const acceptedFiles = group.files.slice(0, MAX_SKILL_FILES);
+  const skipped = [...group.skipped];
+
+  if (group.files.length > MAX_SKILL_FILES) {
+    for (const file of group.files.slice(MAX_SKILL_FILES)) {
+      skipped.push({ path: joinPath(group.root, file.path), reason: "too_many_files" });
+    }
+  }
+
+  let total = utf8ByteLength(group.skillFile.content);
+  const sizeLimitedFiles: { path: string; content: string }[] = [];
+  for (const file of acceptedFiles) {
+    const fileBytes = utf8ByteLength(file.content);
+    if (total + fileBytes > MAX_SKILL_ACCEPTED_BYTES) {
+      skipped.push({ path: joinPath(group.root, file.path), reason: "bundle_too_large" });
+      continue;
+    }
+    total += fileBytes;
+    sizeLimitedFiles.push(file);
+  }
+
+  const name = defaults.name || folderName(group.root || sourceLabel);
+  return {
+    id: group.root || sourceLabel,
+    root: group.root,
+    label: sourceLabelForGroup(group.root, sourceLabel),
+    valid: true,
+    name,
+    description: defaults.description || "",
+    content: group.skillFile.content,
+    fileCount: 1 + sizeLimitedFiles.length,
+    files: sizeLimitedFiles,
+    skipped,
+    selected: true,
+  };
+}
+
+function buildInvalidCandidate(group: InvalidSkillGroup, sourceLabel: string): LocalSkillCandidate {
+  const skillMdPath = joinPath(group.root, "SKILL.md");
+  const skillMdSkipped = group.skipped.some(
+    (s) => s.path === skillMdPath && (s.reason === "binary_file" || s.reason === "file_too_large"),
+  );
+  return {
+    id: group.root || sourceLabel,
+    root: group.root,
+    label: sourceLabelForGroup(group.root, sourceLabel),
+    valid: false,
+    reason: skillMdSkipped ? "unreadable_skill_md" : "missing_skill_md",
+    name: folderName(group.root || sourceLabel),
+    description: "",
+    content: "",
+    fileCount: 0,
+    files: [],
+    skipped: group.skipped,
+    selected: false,
+  };
+}
+
+function sourceLabelForGroup(root: string, sourceLabel: string): string {
+  if (!root) return sourceLabel;
+  if (!sourceLabel) return root;
+  if (root === sourceLabel || root.startsWith(`${sourceLabel}/`)) return root;
+  return `${sourceLabel}/${root}`;
+}
+
+function utf8ByteLength(value: string): number {
+  return textEncoder.encode(value).byteLength;
+}
+
+async function readUtf8Text(file: File): Promise<string | null> {
+  try {
+    return utf8Decoder.decode(await file.arrayBuffer());
+  } catch {
+    return null;
+  }
+}
+
+function toInputFile(item: File | LocalSkillInputFile): LocalSkillInputFile {
+  if ("path" in item && ("file" in item || "skippedReason" in item)) return item;
+  const file = item as File & { webkitRelativePath?: string };
+  return { path: file.webkitRelativePath || file.name, file };
+}
+
+function isHiddenPath(path: string): boolean {
+  return path.split("/").some((part) => part.startsWith("."));
+}
+
+function isMetadataFile(path: string): boolean {
+  return metadataFiles.has(basename(path).toLowerCase());
+}
+
+function basename(path: string): string {
+  return path.split("/").filter(Boolean).at(-1) || "";
+}
+
+function dirname(path: string): string {
+  const parts = path.split("/").filter(Boolean);
+  return parts.slice(0, -1).join("/");
+}
+
+function folderName(path: string): string {
+  return basename(path) || "Untitled Skill";
+}
+
+function joinPath(root: string, path: string): string {
+  return root ? `${root}/${path}` : path;
+}
+
+function relativePath(root: string, path: string): string {
+  if (!root) return path;
+  return path.startsWith(`${root}/`) ? path.slice(root.length + 1) : path;
+}
+
+function nearestSkillRoot(path: string, roots: string[]): string | null {
+  const sorted = [...roots].sort((a, b) => b.length - a.length);
+  return sorted.find((root) => path === root || path.startsWith(`${root}/`) || (!root && path)) ?? null;
+}
+
+function hasAncestorSkillRoot(root: string, previousRoots: string[]): boolean {
+  return previousRoots.some((candidate) => candidate === "" || root.startsWith(`${candidate}/`));
+}
+
+type DroppedEntry = FileSystemFileEntry | FileSystemDirectoryEntry;
+
+function getDroppedEntry(item: DataTransferItem): DroppedEntry | null {
+  const withEntry = item as DataTransferItem & {
+    webkitGetAsEntry?: () => FileSystemEntry | null;
+  };
+  const entry = withEntry.webkitGetAsEntry?.() ?? null;
+  if (!entry) return null;
+  return entry as DroppedEntry;
+}
+
+async function readEntry(entry: DroppedEntry, prefix: string): Promise<LocalSkillInputFile[]> {
+  if (entry.isFile) {
+    const file = await fileFromEntry(entry as FileSystemFileEntry);
+    return [{ path: joinPath(prefix, file.name), file }];
+  }
+
+  const directory = entry as FileSystemDirectoryEntry;
+  const children = await readAllDirectoryEntries(directory);
+  const childPrefix = joinPath(prefix, directory.name);
+  const nested = await Promise.all(children.map((child) => readEntry(child, childPrefix)));
+  return nested.flat();
+}
+
+function fileFromEntry(entry: FileSystemFileEntry): Promise<File> {
+  return new Promise((resolve, reject) => entry.file(resolve, reject));
+}
+
+async function readAllDirectoryEntries(entry: FileSystemDirectoryEntry): Promise<DroppedEntry[]> {
+  const reader = entry.createReader();
+  const entries: DroppedEntry[] = [];
+  while (true) {
+    const batch = await new Promise<DroppedEntry[]>((resolve, reject) => {
+      reader.readEntries((items) => resolve(items as DroppedEntry[]), reject);
+    });
+    if (batch.length === 0) return entries;
+    entries.push(...batch);
+  }
+}
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index 4c83bc9a3b..e860e45db5 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -48,6 +48,9 @@ catalogs:
     jsdom:
       specifier: ^29.0.1
       version: 29.0.1
+    jszip:
+      specifier: ^3.10.1
+      version: 3.10.1
     katex:
       specifier: ^0.16.45
       version: 0.16.45
@@ -512,7 +515,7 @@ importers:
         version: 1.369.3
       react-i18next:
         specifier: 'catalog:'
-        version: 17.0.6(i18next@26.0.8(typescript@5.9.3))(react-dom@19.2.3(react@19.2.3))(react@19.2.3)(typescript@5.9.3)
+        version: 17.0.6(i18next@26.0.8(typescript@5.9.3))(react@19.2.3)(typescript@5.9.3)
       zod:
         specifier: 'catalog:'
         version: 4.3.6
@@ -784,6 +787,9 @@ importers:
       i18next:
         specifier: 'catalog:'
         version: 26.0.8(typescript@5.9.3)
+      jszip:
+        specifier: 'catalog:'
+        version: 3.10.1
       katex:
         specifier: 'catalog:'
         version: 0.16.45
@@ -4971,6 +4977,9 @@ packages:
     engines: {node: '>=16.x'}
     hasBin: true
 
+  immediate@3.0.6:
+    resolution: {integrity: sha512-XXOFtyqDjNDAQxVfYxuF7g9Il/IbWmmlQg2MYKOH8ExIT1qg6xc4zyS3HaEEATgs1btfzxq15ciUiY7gjSXRGQ==}
+
   immer@10.2.0:
     resolution: {integrity: sha512-d/+XTN3zfODyjr89gM3mPq1WNX2B8pYsu7eORitdwyA2sBubnTl3laYlBk4sXY5FUa5qTZGBDPJICVbvqzjlbw==}
 
@@ -5210,6 +5219,9 @@ packages:
     resolution: {integrity: sha512-e6rvdUCiQCAuumZslxRJWR/Doq4VpPR82kqclvcS0efgt430SlGIk05vdCN58+VrzgtIcfNODjozVielycD4Sw==}
     engines: {node: '>=16'}
 
+  isarray@1.0.0:
+    resolution: {integrity: sha512-VLghIWNM6ELQzo7zwmcg0NmTVyWKYjvIeM83yjp0wRDTmUnrM678fQbcKBo6n2CJEF0szoG//ytg+TKla89ALQ==}
+
   isarray@2.0.5:
     resolution: {integrity: sha512-xHjhDr3cNBK0BzdUJSPXZntQUx/mwMS5Rw4A7lPJ90XGAO6ISP/ePDNuo0vhqOZU+UD5JoodwCAAoZQd3FeAKw==}
 
@@ -5304,6 +5316,9 @@ packages:
     resolution: {integrity: sha512-ZZow9HBI5O6EPgSJLUb8n2NKgmVWTwCvHGwFuJlMjvLFqlGG6pjirPhtdsseaLZjSibD8eegzmYpUZwoIlj2cQ==}
     engines: {node: '>=4.0'}
 
+  jszip@3.10.1:
+    resolution: {integrity: sha512-xXDvecyTpGLrqFrvkrUSoxxfJI5AH7U8zxxtVclpsUtMCq4JQ290LY8AW5c7Ggnr/Y/oK+bQMbqK2qmtk3pN4g==}
+
   katex@0.16.45:
     resolution: {integrity: sha512-pQpZbdBu7wCTmQUh7ufPmLr0pFoObnGUoL/yhtwJDgmmQpbkg/0HSVti25Fu4rmd1oCR6NGWe9vqTWuWv3GcNA==}
     hasBin: true
@@ -5339,6 +5354,9 @@ packages:
     resolution: {integrity: sha512-+bT2uH4E5LGE7h/n3evcS/sQlJXCpIp6ym8OWJ5eV6+67Dsql/LaaT7qJBAt2rzfoa/5QBGBhxDix1dMt2kQKQ==}
     engines: {node: '>= 0.8.0'}
 
+  lie@3.3.0:
+    resolution: {integrity: sha512-UaiMJzeWRlEujzAuw5LokY1L5ecNQYZKfmyZ9L7wDHb/p5etKaxXhohBcrw0EYby+G/NA52vRSN4N39dxHAIwQ==}
+
   lightningcss-android-arm64@1.32.0:
     resolution: {integrity: sha512-YK7/ClTt4kAK0vo6w3X+Pnm0D2cf2vPHbhOXdoNti1Ga0al1P4TBZhwjATvjNwLEBCnKvjJc2jQgHXH0NEwlAg==}
     engines: {node: '>= 12.0.0'}
@@ -6067,6 +6085,9 @@ packages:
   package-manager-detector@1.6.0:
     resolution: {integrity: sha512-61A5ThoTiDG/C8s8UMZwSorAGwMJ0ERVGj2OjoW5pAalsNOg15+iQiPzrLJ4jhZ1HJzmC2PIHT2oEiH3R5fzNA==}
 
+  pako@1.0.11:
+    resolution: {integrity: sha512-4hLB8Py4zZce5s4yd9XzopqwVv/yGNhV1Bl8NTmCq1763HeK2+EwVTv+leGeL13Dnh2wfbqowVPXCIO0z4taYw==}
+
   parent-module@1.0.1:
     resolution: {integrity: sha512-GQ2EWRpQV8/o+Aw8YqtfZZPfNRWZYkbidE9k5rpl/hC3vtHHBfGm2Ifi6qWV+coDGkrUKZAxE3Lot5kcsRlh+g==}
     engines: {node: '>=6'}
@@ -6275,6 +6296,9 @@ packages:
     resolution: {integrity: sha512-Azwzvl90HaF0aCz1JrDdXQykFakSSNPaPoiZ9fm5qJIMHioDZEi7OAdRwSm6rSoPtY3Qutnm3L7ogmg3dc+wbQ==}
     engines: {node: ^18.17.0 || >=20.5.0}
 
+  process-nextick-args@2.0.1:
+    resolution: {integrity: sha512-3ouUOpQhtgrbOa17J7+uxOTpITYWaGP7/AhoR3+A+/1e9skrzelGi/dXzEYyvbxubEF6Wn2ypscTKiKJFFn1ag==}
+
   progress@2.0.3:
     resolution: {integrity: sha512-7PiHtLll5LdnKIMw100I+8xJXR5gW2QwWYkT6iJva0bXitZKa/XMrSbdmg3r2Xnaidz9Qumd0VPaMrZlF9V9sA==}
     engines: {node: '>=0.4.0'}
@@ -6541,6 +6565,9 @@ packages:
     resolution: {integrity: sha512-BNg9EN3DD3GsDXX7Aa8O4p92sryjkmzYYgmgTAc6CA4uGLEDzFfxOxugu21akOxpcXHiEgsYkC6nPsQvLLLmEg==}
     hasBin: true
 
+  readable-stream@2.3.8:
+    resolution: {integrity: sha512-8p0AUk4XODgIewSi0l8Epjs+EVnWiK7NoDIEGU0HhE7+ZyY8D1IMY7odu5lRrFXGg71L15KG8QrPmum45RTtdA==}
+
   readable-stream@3.6.2:
     resolution: {integrity: sha512-9u/sniCrY3D5WdsERHzHE4G2YCXqoG5FTHUiCC4SIbr6XcLZBY05ya9EKjYek9O5xOAwjGq+1JdGBAS7Q9ScoA==}
     engines: {node: '>= 6'}
@@ -6734,6 +6761,9 @@ packages:
     resolution: {integrity: sha512-AURm5f0jYEOydBj7VQlVvDrjeFgthDdEF5H1dP+6mNpoXOMo1quQqJ4wvJDyRZ9+pO3kGWoOdmV08cSv2aJV6Q==}
     engines: {node: '>=0.4'}
 
+  safe-buffer@5.1.2:
+    resolution: {integrity: sha512-Gd2UZBJDkXlY7GbJxfsE8/nvKkUEU1G38c1siN6QP6a9PT9MmHB8GnpscSmMJSoF8LOIrt8ud/wPtojys4G6+g==}
+
   safe-buffer@5.2.1:
     resolution: {integrity: sha512-rp3So07KcdmmKbGvgaNxQSJr7bGVSVk5S9Eq1F+ppbRo70+YeaDxkw5Dd8NPN+GD6bjnYm2VuPuCXmpuYvmCXQ==}
 
@@ -6808,6 +6838,9 @@ packages:
     resolution: {integrity: sha512-RJRdvCo6IAnPdsvP/7m6bsQqNnn1FCBX5ZNtFL98MmFF/4xAIJTIg1YbHW5DC2W5SKZanrC6i4HsJqlajw/dZw==}
     engines: {node: '>= 0.4'}
 
+  setimmediate@1.0.5:
+    resolution: {integrity: sha512-MATJdZp8sLqDl/68LfQmbP8zKPLQNV6BIZoIgrscFDQ+RsvK/BxeDQOgyxKKoh0y/8h3BqVFnCqQ/gd+reiIXA==}
+
   setprototypeof@1.2.0:
     resolution: {integrity: sha512-E5LDX7Wrp85Kil5bhZv46j8jOeboKq5JMmYM3gVGdGH8xFpPWXUMsNrlODCrkoxMEeNi/XZIwuRvY4XNwYMJpw==}
 
@@ -6978,6 +7011,9 @@ packages:
     resolution: {integrity: sha512-UXSH262CSZY1tfu3G3Secr6uGLCFVPMhIqHjlgCUtCCcgihYc/xKs9djMTMUOb2j1mVSeU8EU6NWc/iQKU6Gfg==}
     engines: {node: '>= 0.4'}
 
+  string_decoder@1.1.1:
+    resolution: {integrity: sha512-n/ShnvDi6FHbbVfviro+WojiFzv+s8MPMHBczVePfUpDJLwoLT0ht1l4YwBCbi8pJAveEEdnkHyPyTP/mzRfwg==}
+
   string_decoder@1.3.0:
     resolution: {integrity: sha512-hkRX8U1WjJFd8LsDJ2yQ/wWWxaopEsABU1XfkM8A+j0+85JAGppt16cr1Whg6KIbb4okU6Mql6BOj+uup/wKeA==}
 
@@ -10570,8 +10606,7 @@ snapshots:
 
   core-js@3.49.0: {}
 
-  core-util-is@1.0.2:
-    optional: true
+  core-util-is@1.0.2: {}
 
   cors@2.8.6:
     dependencies:
@@ -12155,6 +12190,8 @@ snapshots:
 
   image-size@2.0.2: {}
 
+  immediate@3.0.6: {}
+
   immer@10.2.0: {}
 
   immer@11.1.4: {}
@@ -12357,6 +12394,8 @@ snapshots:
     dependencies:
       is-inside-container: 1.0.0
 
+  isarray@1.0.0: {}
+
   isarray@2.0.5: {}
 
   isbinaryfile@4.0.10: {}
@@ -12460,6 +12499,13 @@ snapshots:
       object.assign: 4.1.7
       object.values: 1.2.1
 
+  jszip@3.10.1:
+    dependencies:
+      lie: 3.3.0
+      pako: 1.0.11
+      readable-stream: 2.3.8
+      setimmediate: 1.0.5
+
   katex@0.16.45:
     dependencies:
       commander: 8.3.0
@@ -12494,6 +12540,10 @@ snapshots:
       prelude-ls: 1.2.1
       type-check: 0.4.0
 
+  lie@3.3.0:
+    dependencies:
+      immediate: 3.0.6
+
   lightningcss-android-arm64@1.32.0:
     optional: true
 
@@ -13532,6 +13582,8 @@ snapshots:
 
   package-manager-detector@1.6.0: {}
 
+  pako@1.0.11: {}
+
   parent-module@1.0.1:
     dependencies:
       callsites: 3.1.0
@@ -13734,6 +13786,8 @@ snapshots:
 
   proc-log@5.0.0: {}
 
+  process-nextick-args@2.0.1: {}
+
   progress@2.0.3: {}
 
   promise-retry@2.0.1:
@@ -13947,6 +14001,16 @@ snapshots:
       react-dom: 19.2.3(react@19.2.3)
       typescript: 5.9.3
 
+  react-i18next@17.0.6(i18next@26.0.8(typescript@5.9.3))(react@19.2.3)(typescript@5.9.3):
+    dependencies:
+      '@babel/runtime': 7.29.2
+      html-parse-stringify: 3.0.1
+      i18next: 26.0.8(typescript@5.9.3)
+      react: 19.2.3
+      use-sync-external-store: 1.6.0(react@19.2.3)
+    optionalDependencies:
+      typescript: 5.9.3
+
   react-is@16.13.1: {}
 
   react-is@17.0.2: {}
@@ -14052,6 +14116,16 @@ snapshots:
     transitivePeerDependencies:
       - supports-color
 
+  readable-stream@2.3.8:
+    dependencies:
+      core-util-is: 1.0.2
+      inherits: 2.0.4
+      isarray: 1.0.0
+      process-nextick-args: 2.0.1
+      safe-buffer: 5.1.2
+      string_decoder: 1.1.1
+      util-deprecate: 1.0.2
+
   readable-stream@3.6.2:
     dependencies:
       inherits: 2.0.4
@@ -14369,6 +14443,8 @@ snapshots:
       has-symbols: 1.1.0
       isarray: 2.0.5
 
+  safe-buffer@5.1.2: {}
+
   safe-buffer@5.2.1: {}
 
   safe-push-apply@1.0.0:
@@ -14463,6 +14539,8 @@ snapshots:
       es-errors: 1.3.0
       es-object-atoms: 1.1.1
 
+  setimmediate@1.0.5: {}
+
   setprototypeof@1.2.0: {}
 
   shadcn@4.1.0(@types/node@25.5.0)(typescript@5.9.3):
@@ -14735,6 +14813,10 @@ snapshots:
       define-properties: 1.2.1
       es-object-atoms: 1.1.1
 
+  string_decoder@1.1.1:
+    dependencies:
+      safe-buffer: 5.1.2
+
   string_decoder@1.3.0:
     dependencies:
       safe-buffer: 5.2.1
diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml
index 31e0c248e2..4c5bd02224 100644
--- a/pnpm-workspace.yaml
+++ b/pnpm-workspace.yaml
@@ -33,6 +33,7 @@ catalog:
   rehype-katex: "^7.0.1"
   remark-math: "^6.0.0"
   mermaid: "^11.14.0"
+  jszip: "^3.10.1"
 
   # Icons
   lucide-react: "^1.0.1"
diff --git a/server/cmd/server/router.go b/server/cmd/server/router.go
index 0f996878f6..1a340405a1 100644
--- a/server/cmd/server/router.go
+++ b/server/cmd/server/router.go
@@ -553,6 +553,7 @@ func NewRouterWithOptions(pool *pgxpool.Pool, hub *realtime.Hub, bus *events.Bus
 				r.Get("/", h.ListSkills)
 				r.Post("/", h.CreateSkill)
 				r.Post("/import", h.ImportSkill)
+				r.Post("/import-local", h.ImportLocalSkills)
 				r.Route("/{id}", func(r chi.Router) {
 					r.Get("/", h.GetSkill)
 					r.Put("/", h.UpdateSkill)
diff --git a/server/internal/handler/skill_import_local.go b/server/internal/handler/skill_import_local.go
new file mode 100644
index 0000000000..b67df7c5e1
--- /dev/null
+++ b/server/internal/handler/skill_import_local.go
@@ -0,0 +1,207 @@
+package handler
+
+import (
+	"encoding/json"
+	"net/http"
+	"path/filepath"
+	"strings"
+
+	"github.com/multica-ai/multica/server/pkg/protocol"
+)
+
+const (
+	maxLocalUploadedSkills            = 16
+	maxLocalUploadedSkillFiles        = 128
+	maxLocalUploadedSkillFileBytes    = 1024 * 1024
+	maxLocalUploadedSkillTotalBytes   = 8 * 1024 * 1024
+	maxLocalUploadedSkillRequestBytes = 32 * 1024 * 1024
+)
+
+type ImportLocalSkillSourceRequest struct {
+	Type  string `json:"type"`
+	Label string `json:"label"`
+}
+
+type ImportLocalSkillRequest struct {
+	Name        string                        `json:"name"`
+	Description string                        `json:"description"`
+	Content     string                        `json:"content"`
+	Files       []CreateSkillFileRequest      `json:"files,omitempty"`
+	Source      ImportLocalSkillSourceRequest `json:"source"`
+}
+
+type ImportLocalSkillsRequest struct {
+	Skills []ImportLocalSkillRequest `json:"skills"`
+}
+
+type ImportLocalSkillCreated struct {
+	Skill       SkillWithFilesResponse `json:"skill"`
+	SourceLabel string                 `json:"source_label"`
+}
+
+type ImportLocalSkillResult struct {
+	Name   string `json:"name"`
+	Reason string `json:"reason"`
+}
+
+type ImportLocalSkillsResponse struct {
+	Created []ImportLocalSkillCreated `json:"created"`
+	Skipped []ImportLocalSkillResult  `json:"skipped"`
+	Failed  []ImportLocalSkillResult  `json:"failed"`
+}
+
+var metadataFileNames = map[string]bool{
+	"thumbs.db":   true,
+	"desktop.ini": true,
+}
+
+func normalizeLocalUploadedSkillFilePath(path string) (string, bool) {
+	path = strings.ReplaceAll(filepath.ToSlash(path), "\\", "/")
+	if path == "" || strings.HasPrefix(path, "/") || strings.Contains(path, "\x00") || isWindowsAbsPath(path) {
+		return "", false
+	}
+	parts := strings.Split(path, "/")
+	for _, part := range parts {
+		if part == "" || part == "." || part == ".." {
+			return "", false
+		}
+		if strings.HasPrefix(part, ".") {
+			return "", false
+		}
+	}
+	cleaned := strings.Join(parts, "/")
+	if cleaned == "SKILL.md" {
+		return "", false
+	}
+	if metadataFileNames[strings.ToLower(parts[len(parts)-1])] {
+		return "", false
+	}
+	return cleaned, true
+}
+
+func isWindowsAbsPath(path string) bool {
+	return len(path) >= 3 && path[1] == ':' && path[2] == '/' &&
+		((path[0] >= 'a' && path[0] <= 'z') || (path[0] >= 'A' && path[0] <= 'Z'))
+}
+
+func validateLocalImportSkill(skill ImportLocalSkillRequest) string {
+	if strings.TrimSpace(skill.Name) == "" {
+		return "missing_name"
+	}
+	if strings.TrimSpace(skill.Content) == "" {
+		return "missing_skill_md"
+	}
+	if len(skill.Content) > maxLocalUploadedSkillFileBytes {
+		return "file_too_large"
+	}
+	if len(skill.Files) > maxLocalUploadedSkillFiles {
+		return "too_many_files"
+	}
+
+	total := len(skill.Content)
+	for _, f := range skill.Files {
+		if _, ok := normalizeLocalUploadedSkillFilePath(f.Path); !ok {
+			return "invalid_file_path"
+		}
+		if len(f.Content) > maxLocalUploadedSkillFileBytes {
+			return "file_too_large"
+		}
+		total += len(f.Content)
+	}
+	if total > maxLocalUploadedSkillTotalBytes {
+		return "bundle_too_large"
+	}
+	return ""
+}
+
+func decodeImportLocalSkillsRequest(w http.ResponseWriter, r *http.Request, maxBytes int64) (ImportLocalSkillsRequest, bool) {
+	var req ImportLocalSkillsRequest
+	r.Body = http.MaxBytesReader(w, r.Body, maxBytes)
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		writeError(w, http.StatusBadRequest, "invalid request body")
+		return req, false
+	}
+	return req, true
+}
+
+func (h *Handler) ImportLocalSkills(w http.ResponseWriter, r *http.Request) {
+	workspaceID := h.resolveWorkspaceID(r)
+	creatorID, ok := requireUserID(w, r)
+	if !ok {
+		return
+	}
+	workspaceUUID, ok := parseUUIDOrBadRequest(w, workspaceID, "workspace_id")
+	if !ok {
+		return
+	}
+	creatorUUID := parseUUID(creatorID)
+
+	req, ok := decodeImportLocalSkillsRequest(w, r, int64(maxLocalUploadedSkillRequestBytes))
+	if !ok {
+		return
+	}
+	if len(req.Skills) == 0 {
+		writeError(w, http.StatusBadRequest, "skills is required")
+		return
+	}
+	if len(req.Skills) > maxLocalUploadedSkills {
+		writeError(w, http.StatusBadRequest, "too many skills")
+		return
+	}
+
+	resp := ImportLocalSkillsResponse{
+		Created: []ImportLocalSkillCreated{},
+		Skipped: []ImportLocalSkillResult{},
+		Failed:  []ImportLocalSkillResult{},
+	}
+	for _, item := range req.Skills {
+		item.Name = sanitizeNullBytes(strings.TrimSpace(item.Name))
+		item.Description = sanitizeNullBytes(item.Description)
+		item.Content = sanitizeNullBytes(item.Content)
+		item.Source.Label = sanitizeNullBytes(item.Source.Label)
+		for i := range item.Files {
+			item.Files[i].Path = sanitizeNullBytes(item.Files[i].Path)
+			item.Files[i].Content = sanitizeNullBytes(item.Files[i].Content)
+		}
+
+		if reason := validateLocalImportSkill(item); reason != "" {
+			resp.Failed = append(resp.Failed, ImportLocalSkillResult{Name: item.Name, Reason: reason})
+			continue
+		}
+		for i := range item.Files {
+			item.Files[i].Path, _ = normalizeLocalUploadedSkillFilePath(item.Files[i].Path)
+		}
+
+		created, err := h.createSkillWithFiles(r.Context(), skillCreateInput{
+			WorkspaceID: workspaceUUID,
+			CreatorID:   creatorUUID,
+			Name:        item.Name,
+			Description: item.Description,
+			Content:     item.Content,
+			Config: map[string]any{
+				"origin": map[string]any{
+					"type":  "uploaded_bundle",
+					"label": item.Source.Label,
+				},
+			},
+			Files: item.Files,
+		})
+		if err != nil {
+			if isUniqueViolation(err) {
+				resp.Skipped = append(resp.Skipped, ImportLocalSkillResult{Name: item.Name, Reason: "already_exists"})
+				continue
+			}
+			resp.Failed = append(resp.Failed, ImportLocalSkillResult{Name: item.Name, Reason: "create_failed"})
+			continue
+		}
+
+		actorType, actorID := h.resolveActor(r, creatorID, workspaceID)
+		h.publish(protocol.EventSkillCreated, workspaceID, actorType, actorID, map[string]any{"skill": created})
+		resp.Created = append(resp.Created, ImportLocalSkillCreated{
+			Skill:       created,
+			SourceLabel: item.Source.Label,
+		})
+	}
+
+	writeJSON(w, http.StatusOK, resp)
+}
diff --git a/server/internal/handler/skill_import_local_test.go b/server/internal/handler/skill_import_local_test.go
new file mode 100644
index 0000000000..0e46356052
--- /dev/null
+++ b/server/internal/handler/skill_import_local_test.go
@@ -0,0 +1,439 @@
+package handler
+
+import (
+	"encoding/json"
+	"io"
+	"net/http"
+	"net/http/httptest"
+	"strings"
+	"testing"
+	"time"
+)
+
+func TestImportLocalSkillsCreatesValidSkillAndFiles(t *testing.T) {
+	if testHandler == nil {
+		t.Skip("database not available")
+	}
+
+	name := "Uploaded Review " + time.Now().Format("150405.000000000")
+	w := httptest.NewRecorder()
+	req := newRequestAsUser(testUserID, http.MethodPost, "/api/skills/import-local", map[string]any{
+		"skills": []map[string]any{{
+			"name":        name,
+			"description": "Reviews pull requests",
+			"content":     "# Uploaded Review",
+			"files": []map[string]any{{
+				"path":    "templates/review.md",
+				"content": "review body",
+			}},
+			"source": map[string]any{
+				"type":  "uploaded_bundle",
+				"label": "team.zip/uploaded-review",
+			},
+		}},
+	})
+
+	testHandler.ImportLocalSkills(w, req)
+
+	if w.Code != http.StatusOK {
+		t.Fatalf("expected 200, got %d: %s", w.Code, w.Body.String())
+	}
+	var resp ImportLocalSkillsResponse
+	if err := json.NewDecoder(w.Body).Decode(&resp); err != nil {
+		t.Fatalf("decode response: %v", err)
+	}
+	if len(resp.Created) != 1 || resp.Created[0].Skill.Name != name {
+		t.Fatalf("created = %#v", resp.Created)
+	}
+	if len(resp.Created[0].Skill.Files) != 1 || resp.Created[0].Skill.Files[0].Path != "templates/review.md" {
+		t.Fatalf("files = %#v", resp.Created[0].Skill.Files)
+	}
+}
+
+func TestImportLocalSkillsSkipsDuplicateAndContinues(t *testing.T) {
+	if testHandler == nil {
+		t.Skip("database not available")
+	}
+
+	name := "Duplicate Upload " + time.Now().Format("150405.000000000")
+	createSkillForLocalImportTest(t, name)
+	w := httptest.NewRecorder()
+	req := newRequestAsUser(testUserID, http.MethodPost, "/api/skills/import-local", map[string]any{
+		"skills": []map[string]any{
+			{"name": name, "content": "# Duplicate"},
+			{"name": name + " Fresh", "content": "# Fresh"},
+		},
+	})
+
+	testHandler.ImportLocalSkills(w, req)
+
+	if w.Code != http.StatusOK {
+		t.Fatalf("expected 200, got %d: %s", w.Code, w.Body.String())
+	}
+	var resp ImportLocalSkillsResponse
+	if err := json.NewDecoder(w.Body).Decode(&resp); err != nil {
+		t.Fatalf("decode response: %v", err)
+	}
+	if len(resp.Created) != 1 || resp.Created[0].Skill.Name != name+" Fresh" {
+		t.Fatalf("created = %#v", resp.Created)
+	}
+	if len(resp.Skipped) != 1 || resp.Skipped[0].Reason != "already_exists" {
+		t.Fatalf("skipped = %#v", resp.Skipped)
+	}
+}
+
+func TestImportLocalSkillsRejectsInvalidPathAndLimits(t *testing.T) {
+	if testHandler == nil {
+		t.Skip("database not available")
+	}
+
+	w := httptest.NewRecorder()
+	req := newRequestAsUser(testUserID, http.MethodPost, "/api/skills/import-local", map[string]any{
+		"skills": []map[string]any{{
+			"name":    "Bad Path " + time.Now().Format("150405.000000000"),
+			"content": "# Bad",
+			"files": []map[string]any{{
+				"path":    "../secret.md",
+				"content": "no",
+			}},
+		}},
+	})
+
+	testHandler.ImportLocalSkills(w, req)
+
+	if w.Code != http.StatusOK {
+		t.Fatalf("expected structured 200, got %d: %s", w.Code, w.Body.String())
+	}
+	var resp ImportLocalSkillsResponse
+	if err := json.NewDecoder(w.Body).Decode(&resp); err != nil {
+		t.Fatalf("decode response: %v", err)
+	}
+	if len(resp.Failed) != 1 || resp.Failed[0].Reason != "invalid_file_path" {
+		t.Fatalf("failed = %#v", resp.Failed)
+	}
+}
+
+func TestImportLocalSkillsRejectsSingleOversizedSupportingFile(t *testing.T) {
+	if testHandler == nil {
+		t.Skip("database not available")
+	}
+
+	w := httptest.NewRecorder()
+	req := newRequestAsUser(testUserID, http.MethodPost, "/api/skills/import-local", map[string]any{
+		"skills": []map[string]any{{
+			"name":    "Large File " + time.Now().Format("150405.000000000"),
+			"content": "# Large File",
+			"files": []map[string]any{{
+				"path":    "templates/large.md",
+				"content": strings.Repeat("a", 2*1024*1024),
+			}},
+		}},
+	})
+
+	testHandler.ImportLocalSkills(w, req)
+
+	if w.Code != http.StatusOK {
+		t.Fatalf("expected structured 200, got %d: %s", w.Code, w.Body.String())
+	}
+	var resp ImportLocalSkillsResponse
+	if err := json.NewDecoder(w.Body).Decode(&resp); err != nil {
+		t.Fatalf("decode response: %v", err)
+	}
+	if len(resp.Failed) != 1 || resp.Failed[0].Reason != "file_too_large" {
+		t.Fatalf("failed = %#v", resp.Failed)
+	}
+}
+
+func TestImportLocalSkillsRejectsOversizedPrimarySkillFile(t *testing.T) {
+	if testHandler == nil {
+		t.Skip("database not available")
+	}
+
+	w := httptest.NewRecorder()
+	req := newRequestAsUser(testUserID, http.MethodPost, "/api/skills/import-local", map[string]any{
+		"skills": []map[string]any{{
+			"name":    "Large Skill " + time.Now().Format("150405.000000000"),
+			"content": strings.Repeat("a", 2*1024*1024),
+		}},
+	})
+
+	testHandler.ImportLocalSkills(w, req)
+
+	if w.Code != http.StatusOK {
+		t.Fatalf("expected structured 200, got %d: %s", w.Code, w.Body.String())
+	}
+	var resp ImportLocalSkillsResponse
+	if err := json.NewDecoder(w.Body).Decode(&resp); err != nil {
+		t.Fatalf("decode response: %v", err)
+	}
+	if len(resp.Failed) != 1 || resp.Failed[0].Reason != "file_too_large" {
+		t.Fatalf("failed = %#v", resp.Failed)
+	}
+}
+
+func TestImportLocalSkillsRejectsCleanedSkillMDPath(t *testing.T) {
+	if testHandler == nil {
+		t.Skip("database not available")
+	}
+
+	w := httptest.NewRecorder()
+	req := newRequestAsUser(testUserID, http.MethodPost, "/api/skills/import-local", map[string]any{
+		"skills": []map[string]any{{
+			"name":    "Bad Clean Path " + time.Now().Format("150405.000000000"),
+			"content": "# Bad",
+			"files": []map[string]any{{
+				"path":    "templates/../SKILL.md",
+				"content": "would overwrite the primary skill file",
+			}},
+		}},
+	})
+
+	testHandler.ImportLocalSkills(w, req)
+
+	if w.Code != http.StatusOK {
+		t.Fatalf("expected structured 200, got %d: %s", w.Code, w.Body.String())
+	}
+	var resp ImportLocalSkillsResponse
+	if err := json.NewDecoder(w.Body).Decode(&resp); err != nil {
+		t.Fatalf("decode response: %v", err)
+	}
+	if len(resp.Created) != 0 {
+		t.Fatalf("created = %#v", resp.Created)
+	}
+	if len(resp.Failed) != 1 || resp.Failed[0].Reason != "invalid_file_path" {
+		t.Fatalf("failed = %#v", resp.Failed)
+	}
+}
+
+func TestImportLocalSkillsRejectsOversizedRequestBodyBeforeDecode(t *testing.T) {
+	w := httptest.NewRecorder()
+	body := io.MultiReader(
+		strings.NewReader(`{"skills":[{"name":"Too Large","content":"`),
+		io.LimitReader(repeatedByteReader('a'), 65),
+		strings.NewReader(`"}]}`),
+	)
+	req := httptest.NewRequest(http.MethodPost, "/api/skills/import-local", body)
+	req.Header.Set("Content-Type", "application/json")
+
+	if _, ok := decodeImportLocalSkillsRequest(w, req, 64); ok {
+		t.Fatal("expected oversized request body to fail before decode")
+	}
+
+	if w.Code != http.StatusBadRequest {
+		t.Fatalf("expected 400 for oversized request body, got %d: %s", w.Code, w.Body.String())
+	}
+}
+
+func TestImportLocalSkillRequestCapStaysBelowHundredsOfMiB(t *testing.T) {
+	maxCap := 32 * 1024 * 1024
+	if maxLocalUploadedSkillRequestBytes > maxCap {
+		t.Fatalf("request cap = %d, want at most %d", maxLocalUploadedSkillRequestBytes, maxCap)
+	}
+}
+
+func TestImportLocalSkillsRejectsHugeDecodedPayloadBeforeDecode(t *testing.T) {
+	w := httptest.NewRecorder()
+	body := io.MultiReader(
+		strings.NewReader(`{"skills":[{"name":"Too Large","content":"`),
+		io.LimitReader(repeatedByteReader('a'), int64(maxLocalUploadedSkillRequestBytes+1)),
+		strings.NewReader(`"}]}`),
+	)
+	req := httptest.NewRequest(http.MethodPost, "/api/skills/import-local", body)
+	req.Header.Set("Content-Type", "application/json")
+
+	if _, ok := decodeImportLocalSkillsRequest(w, req, int64(maxLocalUploadedSkillRequestBytes)); ok {
+		t.Fatal("expected huge decoded payload to fail before decode")
+	}
+
+	if w.Code != http.StatusBadRequest {
+		t.Fatalf("expected 400 for huge decoded payload, got %d: %s", w.Code, w.Body.String())
+	}
+}
+
+func TestImportLocalSkillsRejectsTooManySkills(t *testing.T) {
+	if testHandler == nil {
+		t.Skip("database not available")
+	}
+
+	skills := []map[string]any{}
+	for i := 0; i < maxLocalUploadedSkills+1; i++ {
+		skills = append(skills, map[string]any{
+			"name":    "Batch Item " + time.Now().Format("150405.000000000") + "-" + string(rune('A'+i)),
+			"content": "# Batch Item",
+		})
+	}
+
+	w := httptest.NewRecorder()
+	req := newRequestAsUser(testUserID, http.MethodPost, "/api/skills/import-local", map[string]any{
+		"skills": skills,
+	})
+
+	testHandler.ImportLocalSkills(w, req)
+
+	if w.Code != http.StatusBadRequest {
+		t.Fatalf("expected 400 for too many skills, got %d: %s", w.Code, w.Body.String())
+	}
+}
+
+func TestImportLocalSkillsAllowsEscapedJSONWithinDecodedBundleLimit(t *testing.T) {
+	if testHandler == nil {
+		t.Skip("database not available")
+	}
+
+	w := httptest.NewRecorder()
+	req := newRequestAsUser(testUserID, http.MethodPost, "/api/skills/import-local", map[string]any{
+		"skills": []map[string]any{{
+			"name":    "Escaped Bundle " + time.Now().Format("150405.000000000"),
+			"content": "# Escaped",
+			"files": []map[string]any{
+				{"path": "templates/quotes-1.md", "content": strings.Repeat(`"`, 900*1024)},
+				{"path": "templates/quotes-2.md", "content": strings.Repeat(`"`, 900*1024)},
+				{"path": "templates/quotes-3.md", "content": strings.Repeat(`"`, 900*1024)},
+				{"path": "templates/quotes-4.md", "content": strings.Repeat(`"`, 900*1024)},
+				{"path": "templates/quotes-5.md", "content": strings.Repeat(`"`, 900*1024)},
+			},
+		}},
+	})
+
+	testHandler.ImportLocalSkills(w, req)
+
+	if w.Code != http.StatusOK {
+		t.Fatalf("expected 200 for escaped JSON under decoded limit, got %d: %s", w.Code, w.Body.String())
+	}
+	var resp ImportLocalSkillsResponse
+	if err := json.NewDecoder(w.Body).Decode(&resp); err != nil {
+		t.Fatalf("decode response: %v", err)
+	}
+	if len(resp.Created) != 1 {
+		t.Fatalf("created = %#v failed = %#v", resp.Created, resp.Failed)
+	}
+}
+
+func TestImportLocalSkillsAllowsEscapedJSONForMultipleDecodedBundles(t *testing.T) {
+	if testHandler == nil {
+		t.Skip("database not available")
+	}
+
+	skills := []map[string]any{}
+	for i := 0; i < 3; i++ {
+		skills = append(skills, map[string]any{
+			"name":    "Escaped Batch " + time.Now().Format("150405.000000000") + "-" + string(rune('A'+i)),
+			"content": "# Escaped Batch",
+			"files": []map[string]any{
+				{"path": "templates/quotes-1.md", "content": strings.Repeat(`"`, 900*1024)},
+				{"path": "templates/quotes-2.md", "content": strings.Repeat(`"`, 900*1024)},
+				{"path": "templates/quotes-3.md", "content": strings.Repeat(`"`, 900*1024)},
+				{"path": "templates/quotes-4.md", "content": strings.Repeat(`"`, 900*1024)},
+				{"path": "templates/quotes-5.md", "content": strings.Repeat(`"`, 900*1024)},
+			},
+		})
+	}
+
+	w := httptest.NewRecorder()
+	req := newRequestAsUser(testUserID, http.MethodPost, "/api/skills/import-local", map[string]any{
+		"skills": skills,
+	})
+
+	testHandler.ImportLocalSkills(w, req)
+
+	if w.Code != http.StatusOK {
+		t.Fatalf("expected 200 for escaped JSON batch under decoded limit, got %d: %s", w.Code, w.Body.String())
+	}
+	var resp ImportLocalSkillsResponse
+	if err := json.NewDecoder(w.Body).Decode(&resp); err != nil {
+		t.Fatalf("decode response: %v", err)
+	}
+	if len(resp.Created) != 3 {
+		t.Fatalf("created = %#v failed = %#v", resp.Created, resp.Failed)
+	}
+}
+
+func TestImportLocalSkillsRejectsHiddenFilePaths(t *testing.T) {
+	if testHandler == nil {
+		t.Skip("database not available")
+	}
+
+	w := httptest.NewRecorder()
+	req := newRequestAsUser(testUserID, http.MethodPost, "/api/skills/import-local", map[string]any{
+		"skills": []map[string]any{{
+			"name":    "Hidden File " + time.Now().Format("150405.000000000"),
+			"content": "# Hidden File",
+			"files": []map[string]any{
+				{"path": ".env", "content": "SECRET=foo"},
+				{"path": "templates/.DS_Store", "content": "binary"},
+			},
+		}},
+	})
+
+	testHandler.ImportLocalSkills(w, req)
+
+	if w.Code != http.StatusOK {
+		t.Fatalf("expected structured 200, got %d: %s", w.Code, w.Body.String())
+	}
+	var resp ImportLocalSkillsResponse
+	if err := json.NewDecoder(w.Body).Decode(&resp); err != nil {
+		t.Fatalf("decode response: %v", err)
+	}
+	if len(resp.Failed) != 1 || resp.Failed[0].Reason != "invalid_file_path" {
+		t.Fatalf("failed = %#v", resp.Failed)
+	}
+}
+
+func TestImportLocalSkillsRejectsMetadataFilePaths(t *testing.T) {
+	if testHandler == nil {
+		t.Skip("database not available")
+	}
+
+	w := httptest.NewRecorder()
+	req := newRequestAsUser(testUserID, http.MethodPost, "/api/skills/import-local", map[string]any{
+		"skills": []map[string]any{{
+			"name":    "Metadata File " + time.Now().Format("150405.000000000"),
+			"content": "# Metadata File",
+			"files": []map[string]any{
+				{"path": "Thumbs.db", "content": "binary"},
+			},
+		}},
+	})
+
+	testHandler.ImportLocalSkills(w, req)
+
+	if w.Code != http.StatusOK {
+		t.Fatalf("expected structured 200, got %d: %s", w.Code, w.Body.String())
+	}
+	var resp ImportLocalSkillsResponse
+	if err := json.NewDecoder(w.Body).Decode(&resp); err != nil {
+		t.Fatalf("decode response: %v", err)
+	}
+	if len(resp.Failed) != 1 || resp.Failed[0].Reason != "invalid_file_path" {
+		t.Fatalf("failed = %#v", resp.Failed)
+	}
+}
+
+func TestNormalizeLocalUploadedSkillFilePathRejectsBackslashTraversal(t *testing.T) {
+	if _, ok := normalizeLocalUploadedSkillFilePath(`templates\..\SKILL.md`); ok {
+		t.Fatal("expected Windows-style traversal to be rejected")
+	}
+}
+
+type repeatedByteReader byte
+
+func (r repeatedByteReader) Read(p []byte) (int, error) {
+	for i := range p {
+		p[i] = byte(r)
+	}
+	return len(p), nil
+}
+
+func createSkillForLocalImportTest(t *testing.T, name string) {
+	t.Helper()
+
+	w := httptest.NewRecorder()
+	req := newRequest(http.MethodPost, "/api/skills", map[string]any{
+		"name":    name,
+		"content": "# Existing",
+	})
+	testHandler.CreateSkill(w, req)
+	if w.Code != http.StatusCreated {
+		t.Fatalf("create existing skill: expected 201, got %d: %s", w.Code, w.Body.String())
+	}
+}