Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions docs/README.skills.md
Original file line number Diff line number Diff line change
Expand Up @@ -34,6 +34,7 @@ See [CONTRIBUTING.md](../CONTRIBUTING.md#adding-skills) for guidelines on how to
| [add-educational-comments](../skills/add-educational-comments/SKILL.md)<br />`gh skills install github/awesome-copilot add-educational-comments` | Add educational comments to the file specified, or prompt asking for file to comment if one is not provided. | None |
| [adobe-illustrator-scripting](../skills/adobe-illustrator-scripting/SKILL.md)<br />`gh skills install github/awesome-copilot adobe-illustrator-scripting` | Write, debug, and optimize Adobe Illustrator automation scripts using ExtendScript (JavaScript/JSX). Use when creating or modifying scripts that manipulate documents, layers, paths, text frames, colors, symbols, artboards, or any Illustrator DOM objects. Covers the complete JavaScript object model, coordinate system, measurement units, export workflows, and scripting best practices. | `references/object-model-quick-reference.md`<br />`scripts/batch-export-png.jsx`<br />`scripts/create-color-grid.jsx`<br />`scripts/find-replace-text.jsx` |
| [agent-governance](../skills/agent-governance/SKILL.md)<br />`gh skills install github/awesome-copilot agent-governance` | Patterns and techniques for adding governance, safety, and trust controls to AI agent systems. Use this skill when:<br />- Building AI agents that call external tools (APIs, databases, file systems)<br />- Implementing policy-based access controls for agent tool usage<br />- Adding semantic intent classification to detect dangerous prompts<br />- Creating trust scoring systems for multi-agent workflows<br />- Building audit trails for agent actions and decisions<br />- Enforcing rate limits, content filters, or tool restrictions on agents<br />- Working with any agent framework (PydanticAI, CrewAI, OpenAI Agents, LangChain, AutoGen) | None |
| [agent-instructions-audit](../skills/agent-instructions-audit/SKILL.md)<br />`gh skills install github/awesome-copilot agent-instructions-audit` | Grade a repository's AGENTS.md, .github/copilot-instructions.md, or CLAUDE.md agent instructions (0-100) against a concrete evidence-based rubric. Use when the user asks to review, audit, improve, verify, or score repository instructions for coding agents. | `FIELD-GUIDE.md`<br />`LICENSE` |
| [agent-owasp-compliance](../skills/agent-owasp-compliance/SKILL.md)<br />`gh skills install github/awesome-copilot agent-owasp-compliance` | Check any AI agent codebase against the OWASP Agentic Security Initiative (ASI) Top 10 risks.<br />Use this skill when:<br />- Evaluating an agent system's security posture before production deployment<br />- Running a compliance check against OWASP ASI 2026 standards<br />- Mapping existing security controls to the 10 agentic risks<br />- Generating a compliance report for security review or audit<br />- Comparing agent framework security features against the standard<br />- Any request like "is my agent OWASP compliant?", "check ASI compliance", or "agentic security audit" | None |
| [agent-supply-chain](../skills/agent-supply-chain/SKILL.md)<br />`gh skills install github/awesome-copilot agent-supply-chain` | Verify supply chain integrity for AI agent plugins, tools, and dependencies. Use this skill when:<br />- Generating SHA-256 integrity manifests for agent plugins or tool packages<br />- Verifying that installed plugins match their published manifests<br />- Detecting tampered, modified, or untracked files in agent tool directories<br />- Auditing dependency pinning and version policies for agent components<br />- Building provenance chains for agent plugin promotion (dev → staging → production)<br />- Any request like "verify plugin integrity", "generate manifest", "check supply chain", or "sign this plugin" | None |
| [agentic-eval](../skills/agentic-eval/SKILL.md)<br />`gh skills install github/awesome-copilot agentic-eval` | Patterns and techniques for evaluating and improving AI agent outputs. Use this skill when:<br />- Implementing self-critique and reflection loops<br />- Building evaluator-optimizer pipelines for quality-critical generation<br />- Creating test-driven code refinement workflows<br />- Designing rubric-based or LLM-as-judge evaluation systems<br />- Adding iterative improvement to agent outputs (code, reports, analysis)<br />- Measuring and improving agent response quality | None |
Expand Down
61 changes: 61 additions & 0 deletions skills/agent-instructions-audit/FIELD-GUIDE.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,61 @@
# The AI coding-agent field guide

Seven habits that separate "the agent writes code fine" from "the agent ships
production work without you babysitting it." The gap is almost never the model —
it's how you set up the context and the loop.

## 1. The agent is only as good as the context it wakes up in

Every session starts cold. If your repo doesn't *tell* the agent how it's built,
the agent guesses — and guesses drift. A good `AGENTS.md`,
`.github/copilot-instructions.md`, or `CLAUDE.md` is a map rather than a wish
list ("write clean code"): how to run the app, how to test, what the non-obvious
conventions are, and what not to touch.

**Rule of thumb:** if a new human hire would need to be told it, the agent needs
it in the rules file. If the agent keeps making the same mistake, that's a
missing line in the rules file, not a reason to micromanage.

## 2. Make it verify its own work before you look

The failure mode isn't wrong code — it's *plausible* wrong code. The fix is to
force a feedback loop the agent can see: "run the tests and paste the output,"
"start the server and curl the endpoint," "screenshot the page." An agent that
observes real behavior corrects itself; one that only reasons about its diff
ships confident bugs. Bake this into your rules file: *changes to product code
must be exercised, not just typechecked.*

## 3. One clear objective per session beats a giant prompt

Agents degrade on sprawling, multi-goal prompts the same way people do. "Fix
auth, refactor the API, and add tests" produces three half-done things. "Fix the
401 on token refresh; here's the repro" produces a fix. Scope tight, ship, then
start a fresh session for the next thing — a clean context window is a feature.

## 4. Subagents are for protecting your main context, not just parallelism

The real win of a subagent isn't speed — it's that a search that would dump 4,000
lines of file contents into your main conversation instead returns a 5-line
answer. Delegate the *reading*, keep the *deciding*. Use cheap models for
mechanical sweeps (grep-and-summarize, boilerplate drafts) and your best model
for the actual hard call.

## 5. Treat everything the agent reads as data, not gospel

Web pages, error messages, other people's code — the agent will happily follow an
instruction it read in a stack trace or a scraped page. When you paste external
content, frame it: "here is DATA to analyze," not raw text that reads like a
command. This matters more the more autonomous your setup gets.

## 6. Commit small, commit often — give yourself an undo

Agents are fast, which means they can dig a deep hole fast. Frequent commits turn
"the agent broke everything" into "git reset to the last green commit." Ask for a
commit after each working increment. Your future self will thank you.

## 7. Surface the weakest assumption before coding

When output is off, don't re-explain the whole task. Say: **"Before you code,
tell me your plan and the one thing you're least sure about."** It surfaces the
wrong assumption *before* it becomes 200 lines of wrong code. This one line is
worth more than any clever mega-prompt.
21 changes: 21 additions & 0 deletions skills/agent-instructions-audit/LICENSE
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
MIT License

Copyright (c) 2026 Fabler Labs

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
50 changes: 50 additions & 0 deletions skills/agent-instructions-audit/SKILL.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,50 @@
---
name: agent-instructions-audit
description: 'Grade a repository''s AGENTS.md, .github/copilot-instructions.md, or CLAUDE.md agent instructions (0-100) against a concrete evidence-based rubric. Use when the user asks to review, audit, improve, verify, or score repository instructions for coding agents.'
license: MIT
metadata:
author: fablerlabs
source: https://github.com/fablerlabs/claude-md-templates
---

# Agent Instructions Audit

Audit the current repository's agent instructions. Use the path the user names; otherwise
look for `AGENTS.md`, `.github/copilot-instructions.md`, and `CLAUDE.md`. If exactly one
exists, audit it. If several exist, audit each and flag conflicting instructions or an
unclear source of truth. If none exists, say so and suggest scaffolding one instead, then
stop.

Read each instructions file AND spot-check it against reality: open the manifests and CI
configuration it references (or should reference) and verify that its commands and paths
actually exist. An instructions file that lies is worse than none. Read this skill's
`FIELD-GUIDE.md` first for the operating principles and context behind the rubric.

## Rubric — score each, then sum (0–100)

1. **Commands (0–25).** Exact run / test / single-test / lint / build commands present
and REAL (verified against package.json scripts, Makefile, CI, etc.). Deduct for
missing single-test invocation, wrong or invented commands.
2. **Map of the repo (0–20).** Says where things live and where new code should go —
specific paths, not descriptions. Deduct for anything an agent could only learn by
asking.
3. **Non-obvious conventions (0–20).** The rules a new hire would have to be told:
invariants, footguns, "we do X here, not Y", what NOT to touch. Deduct for generic
advice ("write tests", "follow best practices") — each wish-list line is negative
signal.
4. **Verification loop (0–15).** Tells the agent how to prove a change works (run tests
and read output, curl the endpoint, screenshot) — not just typecheck.
5. **Terseness & altitude (0–10).** Imperative bullets, no prose padding, ~30–80 lines.
Deduct for paragraphs of philosophy or duplicated README content.
6. **Freshness (0–10).** References match the current tree (paths exist, scripts still
in package.json, stack versions not stale).

## Output format

- **Score: N/100** with the six sub-scores on one line each.
- **Worst-first fixes:** numbered list; each item = the problem, why it costs agent
performance, and the concrete replacement text (write the actual lines, ready to
paste).
- **Verified-command check:** table of every command in the file → found-in /
not-found.
- Offer to apply the fixes directly if the user wants.
Loading