skills-discovery

Find community skills and plugins, evaluate quality and safety before use.

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Copy this and send it to your AI assistant to learn

Install skill "skills-discovery" with this command: npx skills add outfitter-dev/agents/outfitter-dev-agents-skills-discovery

Skills Discovery

Find community skills and plugins, evaluate quality and safety before use.

<when_to_use>

  • Searching for existing skills before building from scratch

  • Evaluating community plugins for safety and quality

  • Finding inspiration for skill design patterns

  • Auditing plugins before installation

NOT for: creating new skills (use skills-dev), validating your own skills (use skills-dev)

</when_to_use>

Discovery Workflow

  • Search — Find candidates via GitHub topics or code search

  • Filter — Apply quality heuristics to shortlist

  • Audit — Security review before installation

  • Adapt — Customize or extract patterns for your use

GitHub Discovery

Topic Pages

High-signal discovery starting points:

Topic Content URL

claude-code-plugin

Plugins https://github.com/topics/claude-code-plugin

claude-code-plugin-marketplace

Marketplaces https://github.com/topics/claude-code-plugin-marketplace

claude-code-skills

Skill packs https://github.com/topics/claude-code-skills

claude-code-skill

Individual skills https://github.com/topics/claude-code-skill

Code Search Patterns

Precise searches for specific artifacts:

Find SKILL.md files in .claude/skills paths

filename:SKILL.md path:.claude/skills

Find marketplace configurations

".claude-plugin/marketplace.json"

Find plugin manifests

".claude-plugin/plugin.json"

Find hook configurations

"PreToolUse" AND hooks

Find skills with specific features

filename:SKILL.md "context: fork" filename:SKILL.md "allowed-tools" filename:SKILL.md "disable-model-invocation"

Recency Filters

Focus on actively maintained projects (adjust dates as needed):

Updated in last 90 days (calculate: date -v-90d +%Y-%m-%d)

pushed:>YYYY-MM-DD

Updated since plugins era (Oct 2025+)

pushed:>2025-10-01

Official Sources

Source Trust Level Notes

anthropics/claude-plugins-official High Curated, reviewed

agentskills/agentskills High Spec + reference skills

platform.claude.com docs High Official patterns

Community topics Medium Popularity ≠ quality

"Awesome" lists Low-Medium Curated but not audited

Quality Heuristics

Real Usage Signals

Signal Good Suspicious

Updates Recent commits, active issues Stale for 6+ months

Stars Steady growth Sudden spike (star farming)

Issues/PRs Open and being addressed Many open, no responses

Install docs Uses official commands "curl | bash" installs

Dependencies Minimal, explained Many unexplained deps

Content Quality

Check Good Bad

Description Clear WHAT + WHEN + TRIGGERS Vague "helps with files"

allowed-tools

Minimal, justified Full tool access

disable-model-invocation

Used for side effects Missing for deploy/commit

Scripts Documented, minimal Obfuscated, complex

Hooks Obvious purpose Hidden network calls

Marketplaces

Good Sign Red Flag

Version pinning Floating branches

Listed sources visible Opaque references

Clear update policy Silent auto-updates

Curated with criteria "Everything goes"

Security Audit

Threat Model

Installing skills/plugins = running code. Treat with same care as npm packages.

Surface Risk Mitigation

Skills with Bash Command execution Review allowed-tools

Hooks Lifecycle interception Review hook scripts

MCP servers External connections Review endpoints

Preprocessing !

Shell before thinking Review commands

Audit Checklist

Before installing, review:

For Skills:

  • Read SKILL.md frontmatter (allowed-tools , disable-model-invocation )

  • Check for scripts/ directory — review any scripts

  • Search for ! ` preprocessing commands

  • Verify no secrets/credentials in files

For Plugins:

  • Read .claude-plugin/plugin.json

  • Check for hooks/ — review hook scripts

  • Check for .mcp.json — review MCP endpoints

  • Review all referenced skill SKILL.md files

For Hooks:

  • Understand exit code semantics (0=allow, 2=block)

  • Check for network calls in hook scripts

  • Verify no data exfiltration patterns

Sandboxing

When running untrusted skills:

  • Restrict tools — Start with minimal allowed-tools , expand as needed

  • Isolate context — Use context: fork to limit blast radius

  • Block side effects — Add disable-model-invocation: true initially

  • Monitor first run — Watch tool calls on first execution

Safe First Run

Test skill in restricted mode:

name: untrusted-skill-test allowed-tools: Read, Grep, Glob # read-only first context: fork # isolated disable-model-invocation: true # explicit only

Expand permissions only after reviewing behavior.

Use Case Catalog

Common skill categories with examples (for inspiration, not endorsement):

Workflow Automation

Pattern What It Does Key Features

PR workflows Summarize, review, update PRs Preprocessing with gh

Issue pipelines Triage → implement → ship Artifact-based state

Release automation Preflight → deploy → verify Side-effect gates

Code Quality

Pattern What It Does Key Features

Spec gates Verify scope before coding Fork for clean analysis

Adversarial review Security-focused code review Threat model in artifacts

Refactor loops Safe read-only explore first Tool restrictions

Domain Skills

Pattern What It Does Key Features

Framework-specific Rails, React, etc conventions Nested skill discovery

DB-aware Schema injection for queries Preprocessing with psql

Platform integrations Jira, Linear, GitHub MCP or API wrappers

Safety & Guardrails

Pattern What It Does Key Features

Safety nets Block irreversible operations PreToolUse hooks

Hardstops Require human acknowledgment Exit code blocking

Test gates Enforce tests before commit Hook enforcement

Context Management

Pattern What It Does Key Features

Memory plugins Persist across sessions MCP-backed storage

Context ledgers Rolling state in files Hook-driven updates

Constraint files Minimal "always load" context Shared conventions

Extraction Patterns

When you find a useful skill, extract patterns rather than copying wholesale:

  • Identify the pattern — What makes it work?

  • Adapt to your context — Match your conventions

  • Minimize scope — Take only what you need

  • Document provenance — Note where the pattern came from

ALWAYS:

  • Verify recency (prefer active projects)

  • Review security surfaces before install

  • Start with restricted permissions

  • Document what you installed and why

NEVER:

  • Blindly install from unknown sources

  • Trust stars as quality signal

  • Run obfuscated scripts

  • Skip hook script review

  • discovery-patterns.md — Detailed GitHub search patterns

  • security-checklist.md — Full audit checklist

  • use-cases.md — Extended use case catalog

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.

Open in GitHubOpen in ClawHub

Related Skills

Related by shared tags or category signals.

Coding

codebase-recon

No summary provided by upstream source.

Repository SourceNeeds Review
-63
outfitter-dev
Coding

graphite-stacks

No summary provided by upstream source.

Repository SourceNeeds Review
-55
outfitter-dev
Coding

code-review

No summary provided by upstream source.

Repository SourceNeeds Review
-31
outfitter-dev