Add agentskill-learn: Community skills marketplace #801
Open
romainsimon wants to merge 4 commits into github:staged from romainsimon:add-agentskill-sh
+129
−0
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,128 @@ | ||
| --- | ||
| name: agentskill-learn | ||
| description: "Discover, install, and manage AI agent skills from agentskill.sh marketplace. Search 44,000+ community skills by keyword, install mid-session with security scanning, and rate skills after use. Use when asked to find skills, extend capabilities, or learn new tools." | ||
| --- | ||
|
|
||
| # AgentSkill Learn — Community Skills Marketplace | ||
|
|
||
| This skill transforms your agent into a self-improving system capable of discovering and installing new capabilities during active sessions. It connects to [agentskill.sh](https://agentskill.sh), a community marketplace with 44,000+ AI agent skills. | ||
|
|
||
| > Maintained at [github.com/agentskill-sh/learn](https://github.com/agentskill-sh/learn) — check there for the latest version. | ||
|
|
||
| ## Core Commands | ||
|
|
||
| - **`/learn <query>`** — Search for skills matching a query | ||
| - **`/learn @<owner>/<slug>`** — Install a specific skill directly | ||
| - **`/learn <url>`** — Install from agentskill.sh URL | ||
| - **`/learn`** — Context-aware recommendations based on current project | ||
| - **`/learn trending`** — Display trending skills | ||
| - **`/learn feedback <slug> <score> [comment]`** — Rate installed skills | ||
| - **`/learn list`** — Show all installed skills | ||
| - **`/learn update`** — Check and apply skill updates | ||
| - **`/learn remove <slug>`** — Uninstall a skill | ||
| - **`/learn scan <path>`** — Audit skill security | ||
| - **`/learn config autorating <on|off>`** — Toggle automatic ratings | ||
|
|
||
| ## Installation Flow | ||
|
|
||
| When a user requests a skill install: | ||
|
|
||
| 1. Fetch skill content from the API | ||
| 2. Run multi-phase security scanning | ||
| 3. Display security results and request confirmation | ||
| 4. Write skill file with metadata header | ||
| 5. Track install event | ||
| 6. Show post-install summary | ||
|
|
||
| ## Security Scanning (Two-Layer Model) | ||
|
|
||
| **Registry-side (agentskill.sh):** All skills pre-scanned using automated pattern detection before publication. | ||
|
|
||
| **Client-side:** Pre-computed security scores displayed before install. Scores below 70 block installation; scores 70-89 require acknowledgment. | ||
|
|
||
| ### Scanning Phases | ||
|
|
||
| 1. **Automated Tools** — Run mcp-scan, trufflehog, gitleaks if available | ||
| 2. **Metadata & Structure** — Validate SKILL.md and folder contents | ||
| 3. **Static Text Analysis** — Detect prompt injection, RCE, obfuscation, secrets, persistence mechanisms | ||
| 4. **Secret & Dependency Scan** — Check for hardcoded credentials and suspicious packages | ||
| 5. **Script Analysis** — Examine Python/shell scripts for dangerous functions | ||
| 6. **Dynamic Analysis** — Optional sandbox execution for high-value targets | ||
|
|
||
| ### Scoring | ||
|
|
||
| ``` | ||
| Score = 100 - (CRITICAL x 20) - (HIGH x 10) - (MEDIUM x 3) - (LOW x 1) | ||
| Minimum = 0 | ||
| ``` | ||
|
|
||
| | Score | Rating | Action | | ||
| |-------|--------|-------------------------------------| | ||
| | 90-100 | SAFE | Allow installation | | ||
| | 70-89 | REVIEW | Show issues, require acknowledgment | | ||
| | <70 | DANGER | Block installation | | ||
|
|
||
| Critical patterns include: prompt injection ("ignore previous"), remote code execution (curl|bash), credential exfiltration, reverse shells, destructive commands (rm -rf). | ||
|
|
||
| ## Platform Detection | ||
|
|
||
| Detect where to install based on directory presence: | ||
|
|
||
| - `.github/copilot/` — GitHub Copilot | ||
| - `.claude/` — Claude Code / Claude Desktop | ||
| - `.cursor/` — Cursor | ||
| - `.windsurf/` — Windsurf | ||
| - `.cline/` — Cline | ||
| - `.codex/` — Codex | ||
| - `.opencode/` — OpenCode | ||
| - `.aider/` — Aider | ||
| - `.gemini/` — Gemini CLI | ||
| - `.amp/` — Amp | ||
| - `.goose/` — Goose | ||
| - `.roo-code/` — Roo Code | ||
| - `.trae/` — Trae | ||
|
|
||
| Install path format: `<platform-dir>/skills/<slug>.md` | ||
|
|
||
| ## Automatic Skill Rating (Opt-Out) | ||
|
|
||
| After using an installed skill, auto-rate it using a 1-5 scoring rubric: | ||
|
|
||
| - **5** — Task completed perfectly; clear, accurate instructions | ||
| - **4** — Successful completion with minor improvements possible | ||
| - **3** — Completed with friction; instruction gaps requiring interpretation | ||
| - **2** — Partial completion; significant issues or outdated information | ||
| - **1** — Failed or misleading; instructions incorrect or harmful | ||
|
|
||
| Users receive a notification before submission and can disable auto-rating with `/learn config autorating off`. | ||
|
|
||
| ## Output Formatting | ||
|
|
||
| - Use markdown tables for skill listings | ||
| - Use `AskUserQuestion` tool for interactive selections | ||
| - Format headers with `##` for scannability | ||
| - Bold skill names and important values | ||
| - Truncate descriptions to ~80 characters in tables | ||
| - Show full descriptions in detail views | ||
|
|
||
| ## Error Handling | ||
|
|
||
| - **API unreachable:** Direct users to browse at agentskill.sh | ||
| - **No results:** Suggest alternate keywords | ||
| - **Install failures:** Note permission issues or write errors | ||
| - **Self-update failures:** Continue silently with current version | ||
| - **Security blocks:** Display full report without proceeding | ||
|
|
||
| ## API Endpoints | ||
|
|
||
| All calls to `https://agentskill.sh`: | ||
|
|
||
| - `GET /api/agent/search?q=<query>&limit=5` — Search | ||
| - `GET /api/agent/skills/<slug>/install` — Fetch content | ||
| - `GET /api/agent/skills/<slug>/version` — Check version | ||
| - `POST /api/skills/<slug>/install` — Track install | ||
| - `POST /api/skills/<slug>/agent-feedback` — Submit rating | ||
|
|
||
| ## Self-Update Protocol | ||
|
|
||
| Before executing commands, check if `/learn` itself is current by comparing local `contentSha` with remote version. Fetch and scan new versions before updating; proceed silently if API is unreachable. |
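
Review bot: In the Scoring block, `Score = 100 - (CRITICAL x 20) - (HIGH x 10) - (MEDIUM x 3) - (LOW x 1)` leaves a skill with exactly one CRITICAL finding at 80, which the table rates REVIEW (acknowledgment only) rather than DANGER, so a single match on one of the listed critical patterns (curl|bash, reverse shells, credential exfiltration) does not block installation. Consider making any CRITICAL finding block regardless of the total. Separately, the client side only displays "pre-computed security scores", and the Self-Update Protocol compares `contentSha` against the same remote and continues silently on failure; the text should state what is verified locally (for example, recomputing the hash over the fetched content) and require user confirmation before the skill replaces itself. The install path `<platform-dir>/skills/<slug>.md` should also say that `<slug>` is validated before the file is written.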
The skill defined here does not match the skill from your repo. Would it not make sense for them to be aligned?
But this raises another question, if we have a copy of the skill from the agentskill-sh/learn repo in here, won't there be a maintenance burden in that you have to always know to update in multiple places to avoid drift in the implementation? Since agentskill-sh/learn is a plugin marketplace, and can be installed into copilot with `/plugin marketplace add agentskill-sh/learn`, does duplicating across multiple locations really make sense? Wouldn't it be preferable for people to go via your repo/marketplace directly to ensure they are always using the most up to date version?