简体中文 · Security audit · Examples · Contributing
Build the smallest useful stack of AI Agent Skills for an end-to-end goal.
Once explicitly invoked—or routed by a host from a shaped end-to-end request—Agent Skill Stack derives a workflow from the outcome, reuses local capabilities, discovers direct and indirect helper Skills, compares real-world adoption, checks safety and conflicts, and creates a project-specific stack with a runtime activation gate.
npx skills add neilchen2000-pixel/agent-skill-stack --skill agent-skill-stack -g -yThe curator itself is useful across projects, so the one-command setup installs it at user scope. The task-specific Skills it recommends should still be installed per project whenever the client supports project Skills.
GitHub Copilot users with GitHub CLI 2.90.0 or later can install the tagged release with:
gh skill install neilchen2000-pixel/agent-skill-stack agent-skill-stack@v0.3.0The Agent Skill Stack itself collects no telemetry. The third-party
skillsCLI uses anonymous installation telemetry for its public leaderboard by default. SetDISABLE_TELEMETRY=1before the install command to opt out.
The portable first prompt is explicit because not every Agent host performs implicit Skill matching in the same way:
Use $agent-skill-stack to help me promote this open-source project on Xiaohongshu for one week.
The Skill will break the result into capabilities, find and verify the smallest useful stack, install only after consent, and create project routes for later work. Once the host consults that profile, natural follow-up requests can select the correct domain primary and helpers. A profile cannot force a host that never invoked Agent Skill Stack to discover it, and a single bounded request such as “rewrite this title” should go directly to the relevant domain Skill.
Finding one Skill is easy. Building a compatible workflow from dozens of unknown Skills is not.
Common failure modes include:
- assuming an installed Skill will be implicitly selected before the host has indexed or routed it;
- searching a broad goal as one keyword and accepting loosely related results;
- installing many overlapping Skills globally and reducing routing precision;
- missing indirect helpers such as humanizers, fact checking, copyright review, or data validation;
- indexing or installing the right helper but never loading it when the real task runs;
- silently continuing when a selected workflow names a helper that is not actually installed;
- trusting stars or search snippets without reading the actual Skill and scripts;
- installing an automated tool before understanding its account access and side effects.
Agent Skill Stack treats discovery as a decision problem, not a download problem.
It is an open-source Agent Skills discovery, evaluation, conflict-audit, routing, and project-profile workflow for people using Codex, Claude Code, GitHub Copilot, Cursor, Gemini CLI, OpenCode, or Hermes.
| Capability | Generic finder | Skill manager | Agent Skill Stack |
|---|---|---|---|
| Find one Skill by keyword | Yes | Yes | Yes |
| Derive a workflow from an end goal | No | No | Yes |
| Discover indirect helper Skills | Limited | No | Yes |
| Compare adoption and verified fit | Limited | Varies | 25% community evidence + full verification |
| Inspect local duplicates and conflicts | No | Yes | Yes, including routing and permission conflicts |
| Create a minimal project-specific stack | No | Limited | Yes |
| Prove primary and helper Skills can be loaded at runtime | No | No | Yes, with dependency blocking |
| Require consent before installation | Varies | Varies | Yes |
| Store prompt or routing feedback | Varies | Varies | No |
- Start from observable success. Do not force a social-media, coding, research, or publishing template onto a different goal.
- Derive capability nodes. Split only when actions, outputs, permissions, or success conditions differ.
- Search locally first. Reuse installed Skills and project profiles before adding more.
- Search with four lenses. Cover the direct need, underlying operation, supporting outcome, and connection method.
- Verify every candidate. Read the canonical Skill and reachable scripts; record adoption, permissions, dependencies, safe-trial evidence, and freshness.
- Resolve conflicts. Choose one primary Skill per responsibility and narrow helper handoffs.
- Recommend the smallest stack. Classify items as required, helpful, alternative, or not recommended.
- Install only after approval. Preview exact changes and refuse silent overwrites.
- Close the runtime handoff. Re-index, resolve the project route into an ordered activation plan, and block external writes if any required helper is missing or ambiguous.
The examples are outputs from the same dynamic method, not reusable domain templates.
| Goal | Result |
|---|---|
| Build a safer crypto research and backtesting workflow | Reuse read-only market data; add backtesting and risk controls; exclude live execution by default |
| Turn research sources into a cited decision brief | Separate source discovery, extraction, evidence checking, synthesis, and artifact delivery |
| Create a support knowledge-base improvement loop | Separate private-data handling, clustering, knowledge drafting, quality checks, approval, and measurement |
Recommendations can be rendered as dependency-free SVG cards:
python3 skills/agent-skill-stack/scripts/render_stack_card.py \
--input examples/cards/crypto-research.json \
--output crypto-research-card.svgExample:
The renderer accepts a title, goal, up to eight Skills, plain-language roles and statuses, safety boundaries, and a verification date. It refuses to overwrite an existing file unless --force is provided.
The repository includes a reproducible public security audit. The bundled Python scripts:
- use only the Python standard library;
- do not make network requests;
- do not read browser profiles, keychains, SSH keys, cloud credentials, or environment secrets;
- never execute an installed or candidate Skill;
- resolve runtime Skill paths without executing them and block incomplete dependency handoffs;
- default to previews for project profiles and installation;
- refuse to overwrite an existing Skill destination;
- store no prompts, routing feedback, or usage history.
The Skill may ask the host agent to search GitHub, registries, or OpenCLI when local capabilities are insufficient. Those external reads remain subject to the host's permission model. Logging in, enabling connectors, installing Skills, or writing to an external account always requires user approval.
agent-skill-stack/
├── skills/agent-skill-stack/ # Installable Agent Skill
│ ├── SKILL.md
│ ├── agents/openai.yaml
│ ├── references/
│ └── scripts/
├── examples/ # Cross-domain demonstrations and cards
├── assets/ # README and social visuals
├── tests/ # Reproducible validation and safe trials
├── README.md
├── README.zh-CN.md
└── SECURITY_AUDIT.md
The Skill follows the open Agent Skills folder format: a SKILL.md with optional scripts and references. It is designed for Agent-Skills-compatible hosts including Codex, Claude Code, GitHub Copilot, Cursor, Gemini CLI, OpenCode, and Hermes. Exact install locations and tool permissions vary by host.
Run the local checks:
python3 tests/validate_skill.py
python3 -m unittest discover -s tests -v
python3 -m compileall -q skills/agent-skill-stack/scripts testsBug reports, portability fixes, new safe trials, and evidence-backed discovery improvements are welcome. Read CONTRIBUTING.md before opening a pull request.
Please do not submit hard-coded workflow templates, unverified marketplace entries, telemetry collection, silent installation, or instructions that weaken the approval boundary.