0xtresser/skill-guardian

Skill Guardian

86,948 agent skills exist. Under 3% are worth installing.



The Problem

The agent skill ecosystem is an ocean of noise. The numbers tell the story:

| What we found | Number | Source |
|---|---|---|
| Total skills indexed | 86,948 | skills.sh dashboard, Mar 2026 |
| Empty shells (no real content) | 12% | pradeep.md analysis, 4,784 skills |
| Duplicates of other skills | 28% | pradeep.md |
| Contain security vulnerabilities | 36.8% | Snyk ToxicSkills, 3,984 skills |
| Fail basic spec validation | 33% | Dachary Carey analysis, 234 skills |
| Score 90+ on quality (out of 100) | only 31% | pradeep.md |
| Confirmed malicious payloads | 76 | Snyk ToxicSkills |

Stack these filters and under 3% survive — roughly 2,600 skills out of nearly 87,000.

The install distribution confirms it. It follows a brutal power law:

#1   find-skills          479,600 installs
#10  azure-diagnostics    125,500
#50  copywriting           31,000
#100 launch-strategy       15,800
#200 skill-standardization 10,000
      ─── leaderboard ends here ───
#201 – #86,948             not even shown

The top 200 skills (0.23%) account for virtually all usage. The other 86,748 sit in the dark.

It gets worse

Installing too many skills — even decent ones — actively degrades your agent:

  • Context bloat: every installed skill's metadata consumes your context window before you type a single word (agenteer.com)
  • Hallucination spike: more skills loaded = more confused agent = more hallucinated responses (zaynkorai)
  • Worse results: Vercel's own engineering team discovered that adding more tools made their agent worse, not better (Suleiman Tawil)

The bottom line: you should install the fewest, best skills possible. Skill Guardian helps you do exactly that.


What Skill Guardian Does

A pure SKILL.md agent skill — zero dependencies, zero code. It redefines your agent's installation behavior through instructions alone.

When you (or your agent) try to install a skill, Skill Guardian intercepts and runs a 4-step gate:

"Install the X skill"
        │
        ▼
┌───────────────────────┐
│  1. Security Scan     │  snyk-agent-scan + skills.sh audit
│                       │  Critical issues → BLOCK
└───────────┬───────────┘
            │ pass
            ▼
┌───────────────────────┐
│  2. Necessity Check   │  Already have a duplicate?
│                       │  MCP tool already covers this?
│                       │  Quality signals look bad?
└───────────┬───────────┘
            │ pass
            ▼
┌───────────────────────┐
│  3. Report & Confirm  │  Show findings, recommendation
│                       │  YOU decide — agent cannot auto-install
└───────────┬───────────┘
            │ you confirm
            ▼
┌───────────────────────┐
│  4. Install           │  npx skills add → verify
└───────────────────────┘

It also offers a cleanup mode — audit your installed skills for redundancy, outdated sources, and new security issues on demand.

What makes this different

| Tool | What it does | Gap |
|---|---|---|
| snyk-agent-scan | Scans after install | Too late |
| skills.sh /audits | Lists audit results | Passive — user has to go look |
| Snyk Agent Guard | Runtime defense for Cursor only | One agent, runtime only |
| Skill Guardian | Pre-install gate + necessity check + cleanup | |

Install

Ask your agent to install it (recommended)

Just tell your agent:

Install this skill for me: https://github.com/0xtresser/skill-guardian

One-click install

npx skills add 0xtresser/skill-guardian

The skills CLI auto-detects your agent environment and copies the skill to the correct path. No npm install, no config — it's a single SKILL.md file.

Manual install by agent

If you prefer not to use the skills CLI, copy the SKILL.md directly:

Claude Code

mkdir -p .claude/skills/skill-guardian
curl -fsSL https://raw.githubusercontent.com/0xtresser/skill-guardian/main/skill-guardian/SKILL.md \
  -o .claude/skills/skill-guardian/SKILL.md

OpenCode / Cursor / Codex / Cline

mkdir -p .agents/skills/skill-guardian
curl -fsSL https://raw.githubusercontent.com/0xtresser/skill-guardian/main/skill-guardian/SKILL.md \
  -o .agents/skills/skill-guardian/SKILL.md

Windsurf

mkdir -p .windsurf/skills/skill-guardian
curl -fsSL https://raw.githubusercontent.com/0xtresser/skill-guardian/main/skill-guardian/SKILL.md \
  -o .windsurf/skills/skill-guardian/SKILL.md
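
The manual commands above fetch SKILL.md from the moving `main` branch and write it straight into the directory the agent loads instructions from. The script below is an added example, not part of the project's README: it stages the download, compares it against a SHA-256 digest you recorded when you reviewed the file, and installs only on a match. The helper names `sha256_of` and `install_verified_skill` and the `<commit-sha>` and `<digest-you-recorded>` placeholders are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added example: stage, verify, then install a SKILL.md file.
# sha256_of and install_verified_skill are hypothetical helper names.

# Print the SHA-256 hex digest of a file (GNU sha256sum, else BSD/macOS shasum).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# install_verified_skill <staged-file> <expected-sha256> <dest-dir>
# Copies the staged file to <dest-dir>/SKILL.md only when its digest matches.
# On any failure it returns 1 and leaves the destination untouched.
install_verified_skill() {
  staged=$1
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')   # accept upper-case hex
  dest_dir=$3
  [ -s "$staged" ] || { echo "staged file missing or empty" >&2; return 1; }
  actual=$(sha256_of "$staged")
  if [ "$actual" != "$expected" ]; then
    echo "digest mismatch: got $actual" >&2
    return 1
  fi
  mkdir -p "$dest_dir" && cp "$staged" "$dest_dir/SKILL.md"
}

# Usage (typed by hand; needs network access). Replacing "main" in the URL
# with a commit SHA you reviewed pins the content as well:
#   tmp=$(mktemp)
#   curl -fsSL https://raw.githubusercontent.com/0xtresser/skill-guardian/<commit-sha>/skill-guardian/SKILL.md -o "$tmp"
#   less "$tmp"          # read the instructions before the agent does
#   sha256_of "$tmp"     # record this digest once you are satisfied
#   install_verified_skill "$tmp" "<digest-you-recorded>" .claude/skills/skill-guardian
```

The same function works for the `.agents/skills/` and `.windsurf/skills/` destinations; only the last argument changes.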

Verify installation

Ask your agent:

"Help me install the find-skills skill."

If Skill Guardian is active, the agent will run a security scan and necessity check before installing — instead of installing directly.

Uninstall

npx skills remove skill-guardian

Or delete the skill-guardian/ directory from your agent's skills folder.

License

MIT



