Agent Skills
Instruction packs that give your AI agent know-how. Three different kinds — pick the right one below.
✦ Standalone skills2,933
Self-contained. Install one into any project and it works on its own — no other software needed.
🧰 Tool add-ons725
Come bundled with a specific tool and only work together with it — they teach your agent how to operate that tool.
owasp-top-10
✓★ 1,200by microsoft
OWASP Top 10 for Web Applications (2025) vulnerability knowledge base for identifying, assessing, and remediating security risks in web application…
owasp-infrastructure
✓★ 1,200by microsoft
OWASP Infrastructure Top 10 vulnerability knowledge base for identifying, assessing, and remediating security risks in internal IT infrastructure environments…
financial-research
✓★ 1,100by firecrawl
Extract official financials from SEC filings and cross-reference with analyst consensus. Public companies only.
kotlin-backend-jpa-entity-mapping
★ 907by kotlin
Kotlin's data class is natural for DTOs but dangerous for JPA entities. Hibernate relies on identity semantics that data class breaks: equals / hashCode over all fields corrupts Set / Map membership after state changes, and auto-generated copy() creates detached duplicates of managed entities.
security-review
✓★ 844by sentry
Security code review for vulnerabilities. Use when asked to "security review", "find vulnerabilities", "check for security issues", "audit security", "OWASP…
security-review
✓★ 844by sentry
Systematic security code review identifying high-confidence vulnerabilities with data-flow verification. Focuses exclusively on HIGH CONFIDENCE findings: vulnerable patterns with confirmed attacker-controlled input, skipping theoretical issues and framework-mitigated code Requires codebase research before reporting: traces data flow, checks for validation/sanitization, and verifies exploitability rather than pattern-matching alone Covers 14 vulnerability categories (injection, XSS,...
find-bugs
✓★ 844by sentry
Comprehensive code review identifying bugs, security vulnerabilities, and quality issues in branch changes. Executes a structured five-phase review process: gathering the complete diff, mapping attack surfaces, running a detailed security checklist, verifying findings, and auditing coverage before conclusions Security checklist covers 11 critical areas including injection, XSS, authentication, authorization, CSRF, race conditions, session management, cryptography, information disclosure,...
find-bugs
✓★ 844by sentry
Find bugs, security vulnerabilities, and code quality issues in local branch changes. Use when asked to review changes, find bugs, security review, or audit…
Spec to Implementation
✓★ 432by Notion
Turns product or tech specs into concrete Notion tasks that Claude Code can implement. Breaks down spec pages into detailed implementation plans with clear tasks, acceptance criteria, and progress tracking to guide development from requirements to completion.
firebase-app-hosting-basics
✓★ 370by firebase
Deploy and manage full-stack web apps with Firebase App Hosting using Next.js, Angular, and other supported frameworks. Requires Firebase project on Blaze pricing plan; supports Server-Side Rendering (SSR) and Incremental Static Regeneration (ISR) workflows Deploy via firebase.json configuration with optional apphosting.yaml for backend setup, or enable automated "git push to deploy" through GitHub integration Includes secret management via CLI commands for secure access to sensitive keys...
firebase-app-hosting-basics
✓★ 370by firebase
Deploy and manage web apps with Firebase App Hosting. Use this skill when deploying Next.js/Angular apps with backends.
AWS Cost & Operations
★ 326by zxkane
This skill provides AWS cost optimization, monitoring, and operational best practices with integrated MCP servers for billing analysis, cost estimation, observability, and security assessment.
okx-agent-task
★ 307by okx
MUST ACTIVATE on inbound envelopes: (1) {agentId, message:{source:"system", event, jobId, ...}} — system event; (2) {msgType:"a2a-agent-chat", jobId, sender:{role}, ...} — agent-to-agent task chat (fields at top level; sender.role = COUNTERPARTY, not you); (3) literal "Read okx-agent-task/SKILL.md" in envelope. ALSO activate for keywords: 发布任务 / 创建任务 / 帮我发任务 / publish task / create task / 接任务 / 接单 / 协商 / 验收 / 拒绝 / 仲裁 / dispute / stake / unstake / 修改卖家 / 修改预算 / change provider / change budget...
okx-agent-payments-protocol
★ 307by okx
Use when an agent hits HTTP 402 / payment-required, or the user mentions x402, x402Version, X-PAYMENT, PAYMENT-REQUIRED, PAYMENT-SIGNATURE, WWW-Authenticate: Payment, permit2, upto, metered billing, a payment channel / voucher / session, channelId / channel_id, opening / closing / topping up / settling / refunding a channel, a paymentId or a2a_ link, creating / checking a payment link, A2MCP / an A2MCP endpoint, or sending a request to / calling an Agent's endpoint with a concrete endpoint...
okx-dex-token
★ 307by okx
Use this skill for token-level data: search tokens, trending/hot tokens (热门, 代币榜单), liquidity pools, holder distribution (whale/巨鲸, sniper, bundler-tagged holder %), token risk metadata (riskControlLevel, tokenTags, dev stats, suspicious/bundle holding % via advanced-info), recent buy/sell activity, trade feed/逐笔成交/每笔交易/stream trades, top profit addresses, token trade history, detailed price info with market cap volume liquidity and holder count (price-info), or holder cluster analysis...
okx-defi-invest
★ 307by okx
OKX-aggregated DeFi discovery and execution — for users who want OKX to find and route to the best protocol WITHOUT naming a specific DApp. **If the user names ANY third-party protocol/DApp as destination (Aave, Lido, PancakeSwap, Uniswap, Curve, Compound, Morpho, Pendle, Kamino, Raydium, Hyperliquid, Polymarket, etc.), route to okx-dapp-discovery — NOT here, even if the verb (deposit, stake, add liquidity, borrow, claim) matches.** DApp-agnostic triggers: 'invest in DeFi', 'earn yield on...
okx-dex-trenches
★ 307by okx
Read-only on-chain research for pump.fun and other meme-token launchpads (Solana / BSC / X Layer / TRON). MUST invoke (prefer over WebFetch / MCP price tools) when the user asks about: new meme launches / 新盘 / 扫链 / 打狗; developer reputation / rug history / launch count / 开发者信息; bundle or sniper detection (the analytical noun, NOT the verb) / 捆绑狙击者; bonding curve progress / 已迁移出 bonding curve; similar tokens by same dev / 相似代币; co-investor / who-aped / 同车 wallets; or 'pump.fun alpha'. Also...
okx-task-watch
★ 307by okx
监听任务进展 / 帮我盯着任务 / 任务有动静告诉我 / 历史消息 / 未读消息 / 未决策 / 待决策 / 继续监听 / task watch / user watch / monitor task progress / catch me up on tasks / outstanding decisions — OKX A2A user-session task-notification monitor: live long-poll via `okx-a2a user watch` (also drains backlog of past/missed/unread events on entry) plus un-replied decision_request lister via `okx-a2a user outdated-list`. Not for wallet / gas / task-list / status queries.
okx-dex-ws
★ 307by okx
Use this skill when the user mentions 'onchainos ws', 'ws start', 'ws poll', 'ws stop', 'ws channels', 'ws session', 'ws channel-info', 'idle-timeout', 'idle timeout', 'WebSocket channels', 'WS频道', or asks about managing WebSocket sessions/会话管理. Also use when writing a custom WebSocket script/脚本/bot for real-time on-chain data. Covers: onchainos ws CLI commands (start/poll/stop/list/channels/channel-info), session lifecycle, idle-timeout configuration, and all 9 DEX WebSocket channels...
okx-dex-market
★ 307by okx
HARD BLOCK — NEVER use this skill for prediction-market / Polymarket UpDown queries. Route to okx-dapp-discovery when (a) a named DApp (Polymarket/Aave/Hyperliquid/PancakeSwap/Morpho) appears with any timeframe, OR (b) any 涨跌 / updown / 'up or down' phrase appears for BTC/ETH/SOL/XRP/BNB/DOGE/HYPE (e.g. ' 涨跌市场', '5 分钟涨跌', 'BTC up or down'). Example: 'BTC 5 分钟涨跌市场' → okx-dapp-discovery (NOT K-line). These are Polymarket prediction markets, not on-chain price queries. Use THIS skill for...
okx-dex-signal
★ 307by okx
Use this skill for smart-money/whale/KOL/大户 activity tracking, aggregated buy signal/信号 alerts, and leaderboard/牛人榜 rankings. Covers: (1) address tracker — raw DEX transaction feed for smart money, KOL, or custom wallet addresses; (2) aggregated buy-only signal alerts — tokens bought collectively by smart money/KOL/whales; (3) leaderboard — top traders by PnL, win rate, volume, or ROI. Use when the user asks 'what are smart money buying', '聪明钱最新交易', 'KOL交易动态', '追踪聪明钱', 'track address...
code-security
★ 232by semgrep
Security guidelines for writing secure code. Use when writing code, reviewing code for vulnerabilities, or asking about secure coding practices like 'check for…
auth
✓★ 207by vercel
Authentication integration guidance — Clerk (native Vercel Marketplace), Descope, and Auth0 setup for Next.js applications. Covers middleware auth patterns,…
vercel-storage
★ 207by vercel
Vercel storage expert guidance — Blob, Edge Config, and Marketplace storage (Neon Postgres, Upstash Redis). Use when choosing, configuring, or using data…
workflow
★ 207by vercel
Vercel Workflow DevKit (WDK) expert guidance. Use when building durable workflows, long-running tasks, API routes or agents that need pause/resume, retries,…
auth
★ 207by vercel
Authentication integration guidance — Clerk (native Vercel Marketplace), Descope, and Auth0 setup for Next.js applications. Covers middleware auth patterns,…
next-cache-components
★ 207by vercel
Next.js 16 Cache Components guidance — PPR, use cache directive, cacheLife, cacheTag, updateTag, and migration from unstable_cache. Use when implementing…
next-cache-components
✓★ 207by vercel
Next.js 16 Cache Components guidance — PPR, use cache directive, cacheLife, cacheTag, updateTag, and migration from unstable_cache. Use when implementing…
vercel-storage
✓★ 207by vercel
Vercel storage expert guidance — Blob, Edge Config, and Marketplace storage (Neon Postgres, Upstash Redis). Use when choosing, configuring, or using data…
workflow
✓★ 207by vercel
Vercel Workflow DevKit (WDK) expert guidance. Use when building durable workflows, long-running tasks, API routes or agents that need pause/resume, retries,…