The secure, validated skill registry for professional AI coding agents
In an ecosystem where over 13% of marketplace skills contain critical vulnerabilities, Agent Skills stands apart as a hardened library of verified, tested, and safe capabilities. Extend Antigravity, Claude Code, Cursor, and more with absolute confidence.
https://tech-leads-club.github.io/agent-skills/
- ✨ What are Skills?
- 🛡️ Security & Trust
- 🤖 Supported Agents
- 🌟 Featured Skills
- 🚀 Quick Start
- ⚡ How It Works
- 🛠 For Contributors
- 📁 Project Structure
- 📝 Skill Structure
- 🔒 Security Scan
- 🔄 Release Process
- 🤝 Contributing
- 📄 License
Skills are packaged instructions and resources that extend AI agent capabilities. Think of them as plugins for your AI assistant — they teach your agent new workflows, patterns, and specialized knowledge.
packages/skills-catalog/skills/
(category-name)/
skill/
SKILL.md ← Main instructions
templates/ ← File templates
references/ ← On-demand documentation
Your environment's safety is our top priority. Unlike open marketplaces where 13.4% of skills contain critical issues, agent-skills is a managed, hardened library.
We directly address the threats identified in the Snyk 2026 Agent Threat Report:
| Threat | Public Marketplaces | Agent Skills Guarantee |
|---|---|---|
| Malicious Payloads | Obfuscated code, binaries, or "black box" instructions | 100% Open Source: No binaries, fully readable text/code. Every line is auditable. |
| Credential Theft | Skills silently exfiltrating env vars to remote servers | Static Analysis: CI/CD pipeline blocks skills with suspicious network calls or secret access. |
| Supply Chain Attacks | Authors pushing malicious updates to existing skills | Immutable Integrity: Lockfiles and content-hashing ensure code never changes without your explicit upgrade. |
| Prompt Injection | Hidden instructions to hijack agent behavior ("jailbreaks") | Human Curation: Every prompt is manually code-reviewed by maintainers for safety boundaries. |
The installer itself implements strict technical controls:
- Filesystem Isolation: Recursive path traversal protection preventing access outside target directories.
- Input Sanitization: Strict validation of skill names and paths to neutralize injection vectors.
- Symlink Guard: Safe handling of symbolic links to prevent aliasing attacks.
- Integrity Verification: Lockfile-based validation ensuring reproducible and authorized skill management.
- Automated Auditing: All skills undergo continuous security scanning with mcp-scan.
Install skills to any of these AI coding agents:
| Tier 1 (Popular) | Tier 2 (Rising) | Tier 3 (Enterprise) |
|---|---|---|
| Claude Code | Aider | Amazon Q |
| Cline | Antigravity | Augment |
| Cursor | Gemini CLI | Droid (Factory.ai) |
| GitHub Copilot | Kilo Code | OpenCode |
| Windsurf | Kiro | Sourcegraph Cody |
| OpenAI Codex | Tabnine | |
| Roo Code | ||
| TRAE |
Missing your favorite agent? Open an issue and we'll add support!
A glimpse of what's available in our growing catalog:
| Skill | Category | Description |
|---|---|---|
| tlc-spec-driven | Development | Project and feature planning with 4 phases: Specify → Design → Tasks → Implement. Creates atomic tasks with verification criteria and maintains persistent memory across sessions. |
| aws-advisor | Cloud | Expert AWS Cloud Advisor for architecture design, security review, and implementation guidance. Leverages AWS MCP tools for documentation-backed answers. |
| playwright-skill | Automation | Complete browser automation with Playwright. Test pages, fill forms, take screenshots, validate UX, and automate any browser task. |
| figma | Design | Fetch design context from Figma and translate nodes into production code. Design-to-code implementation with MCP integration. |
| security-best-practices | Security | Language and framework-specific security reviews. Detect vulnerabilities, generate reports, and suggest secure-by-default fixes. |
npx @tech-leads-club/agent-skillsThis launches an interactive wizard:
- Choose Action — "Install skills" or "Update installed skills"
- Browse & Select — Filter by category or search
- Choose agents — Pick target agents (Cursor, Claude Code, etc.)
- Installation method — Copy (recommended) or Symlink
- Scope — Global (user home) or Local (project only)
Each step shows a ← Back option to return and revise your choices.
Note: You can use either
npx @tech-leads-club/agent-skillsor install globally and useagent-skillsdirectly.
# Interactive mode (default)
npx @tech-leads-club/agent-skills
# or: agent-skills (if installed globally)
# List available skills
agent-skills list
agent-skills ls # Alias
# Install one skill
agent-skills install -s tlc-spec-driven
# Install multiple skills at once
agent-skills install -s aws-advisor coding-guidelines docs-writer
# Install to specific agents
agent-skills install -s my-skill -a cursor claude-code
# Install multiple skills to multiple agents
agent-skills install -s aws-advisor nx-workspace -a cursor windsurf cline
# Install globally (to ~/.gemini, ~/.claude, etc.)
agent-skills install -s my-skill -g
# Use symlink instead of copy
agent-skills install -s my-skill --symlink
# Force re-download (bypass cache)
agent-skills install -s my-skill --force
# Update a specific skill
agent-skills update -s my-skill
# Update all installed skills
agent-skills update
# Remove one skill
agent-skills remove -s my-skill
# Remove multiple skills at once
agent-skills remove -s skill1 skill2 skill3
agent-skills rm -s my-skill # Alias
# Remove from specific agents
agent-skills remove -s my-skill -a cursor windsurf
# Force removal (bypass lockfile check)
agent-skills remove -s my-skill --force
# Manage cache
agent-skills cache --clear # Clear all cache
agent-skills cache --clear-registry # Clear only registry
agent-skills cache --path # Show cache location
# View audit log
agent-skills audit # Show recent operations
agent-skills audit -n 20 # Show last 20 entries
agent-skills audit --path # Show audit log location
# Show contributors and credits
agent-skills credits
# Show help
agent-skills --helpnpm install -g @tech-leads-club/agent-skills
agent-skills # Use 'agent-skills' instead of 'npx @tech-leads-club/agent-skills'The CLI fetches skills on-demand from our CDN:
- Browse — The CLI fetches the skills catalog (~45KB)
- Select — You choose the skills you need
- Download — Selected skills are downloaded and cached locally
- Install — Skills are installed to your agent's configuration
Downloaded skills are cached in ~/.cache/agent-skills/ for offline use.
# Clear the cache
rm -rf ~/.cache/agent-skills- Node.js ≥ 22
- npm (comes with Node.js)
git clone https://github.com/tech-leads-club/agent-skills.git
cd agent-skills
npm ci
npm run build| Command | Description |
|---|---|
npm run start:dev |
Run CLI locally (interactive mode) |
npm run g <name> |
Generate a new skill |
npm run build |
Build all packages |
npm run test |
Run all tests |
npm run lint |
Lint codebase |
npm run format |
Format code with Prettier |
npm run scan |
Run incremental security scan |
# With category (recommended)
nx g @tech-leads-club/skill-plugin:skill my-skill --category=development
# Full options
nx g @tech-leads-club/skill-plugin:skill my-skill \
--description="What my skill does" \
--category=development \
--author="github.com/username" \
--skillVersion="1.0.0"The generator creates:
packages/skills-catalog/skills/(development)/my-skill/SKILL.md
agent-skills/
├── packages/
│ ├── cli/ # @tech-leads-club/agent-skills CLI
│ └── skills-catalog/ # Skills collection
│ └── skills/ # All skill definitions
│ ├── (category-name)/ # Categorized skills
│ └── _category.json # Category metadata
├── tools/
│ └── skill-plugin/ # Nx skill generator
├── skills-registry.json # Auto-generated catalog
├── .github/
│ └── workflows/ # CI/CD pipelines
└── nx.json # Nx configuration
packages/skills-catalog/skills/
├── (category-name)/ # Category folder
│ └── my-skill/ # Skill folder
│ ├── SKILL.md # Required: main instructions
│ ├── scripts/ # Optional: executable scripts
│ ├── templates/ # Optional: file templates
│ └── references/ # Optional: on-demand docs
└── _category.json # Category metadata
---
name: my-skill
description: What this skill does. Use when user says "trigger phrase".
metadata:
version: 1.0.0
author: github.com/username
---
# My Skill
Brief description.
## Process
1. Step one
2. Step two_category.json:
{
"(development)": {
"name": "Development",
"description": "Skills for software development",
"priority": 1
}
}- Keep SKILL.md under 500 lines — use
references/for detailed docs - Write specific descriptions — include trigger phrases
- Assume the agent is smart — only add what it doesn't already know
- Prefer scripts over inline code — reduces context window usage
Every skill is scanned with mcp-scan before publishing. The scan is incremental — only skills whose content changed since the last run are re-scanned.
npm run scan # Incremental (default)
npm run scan -- --force # Force full re-scanEach skill has a SHA-256 content hash (computed from all its files). Results are cached in .security-scan-cache.json (gitignored). On the next run, skills whose hash hasn't changed skip re-scanning and load results from cache.
Content hash unchanged → load from cache (fast)
Content hash changed → re-scan with mcp-scan
If mcp-scan flags a finding that is intentional (e.g. a first-party MCP server integration), add it to the allowlist:
packages/skills-catalog/security-scan-allowlist.yaml
version: '1.0.0'
entries:
- skill: my-skill
code: W011
reason: >
Fetches from trusted first-party API — expected behavior.
allowedBy: github.com/username
allowedAt: '2026-01-01'
expiresAt: '2027-01-01' # Optional but recommended- Match is by
skill + code— no re-scan needed after adding an entry expiresAtis optional but recommended — forces periodic review- Expired entries re-activate the finding automatically
- Use YAML for better readability, comments, and cleaner diffs
The allowlist is committed to the repo and reviewable in PRs.
This project uses Conventional Commits for automated versioning:
| Commit Prefix | Version Bump | Example |
|---|---|---|
feat: |
Minor (0.X.0) | feat: add new skill |
fix: |
Patch (0.0.X) | fix: correct symlink path |
feat!: |
Major (X.0.0) | feat!: breaking API change |
docs: |
No bump | docs: update README |
chore: |
No bump | chore: update deps |
Releases are automated via GitHub Actions when merging to main.
- Fork the repository
- Create a feature branch (
git checkout -b feat/amazing-skill) - Commit with conventional commits (
git commit -m "feat: add amazing skill") - Push to your fork (
git push origin feat/amazing-skill) - Open a Pull Request
This repository is a collection of curated skills intended to benefit the community. We deeply respect the intellectual property and wishes of all creators.
If you are the author of any content included here and would like it removed or updated, please open an issue or contact the maintainers.
MIT © Tech Leads Club
Built with ❤️ by the Tech Leads Club community
