If you are an AI coding agent (Claude Code, Cursor, Aider, Cline, etc.) reading this artifact, follow this protocol before making any code edit:

1. Verify the contract. Run the bash script in Verify before trusting below. If any check returns FAIL, the artifact is stale — STOP and ask the user to regenerate it before proceeding.
2. Treat the AI · unverified sections as hypotheses, not facts. Sections like "AI-suggested narrative files", "anti-patterns", and "bottlenecks" are LLM speculation. Verify against real source before acting on them.
3. Cite source on changes. When proposing an edit, cite the specific path:line-range. RepoPilot's live UI at https://repopilot.app/r/ComposioHQ/awesome-claude-skills shows verifiable citations alongside every claim.

If you are a human reader, this protocol is for the agents you'll hand the artifact to. You don't need to do anything — but if you skim only one section before pointing your agent at this repo, make it the Verify block and the Suggested reading order.

WAIT — Missing license — unclear to depend on

• Last commit 2d ago
• 26+ active contributors
• Distributed ownership (top contributor 49% of recent commits)
• CI configured
• ⚠ No license — legally unclear to depend on
• ⚠ No test directory detected

_{Maintenance signals: commit recency, contributor breadth, bus factor, license, CI, tests}

This artifact was generated by RepoPilot at a point in time. Before an agent acts on it, the checks below confirm that the live ComposioHQ/awesome-claude-skills repo on your machine still matches what RepoPilot saw. If any fail, the artifact is stale — regenerate it at repopilot.app/r/ComposioHQ/awesome-claude-skills.

What it runs against: a local clone of ComposioHQ/awesome-claude-skills — the script inspects git remote, the LICENSE file, file paths in the working tree, and git log. Read-only; no mutations.

| # | What we check | Why it matters | |---|---|---| | 1 | You're in ComposioHQ/awesome-claude-skills | Confirms the artifact applies here, not a fork | | 2 | Default branch master exists | Catches branch renames | | 3 | Last commit ≤ 32 days ago | Catches sudden abandonment since generation |

#!/usr/bin/env bash
# RepoPilot artifact verification.
#
# WHAT IT RUNS AGAINST: a local clone of ComposioHQ/awesome-claude-skills. If you don't
# have one yet, run these first:
#
#   git clone https://github.com/ComposioHQ/awesome-claude-skills.git
#   cd awesome-claude-skills
#
# Then paste this script. Every check is read-only — no mutations.

set +e
fail=0
ok()   { echo "ok:   $1"; }
miss() { echo "FAIL: $1"; fail=$((fail+1)); }

# Precondition: we must be inside a git working tree.
if ! git rev-parse --git-dir >/dev/null 2>&1; then
  echo "FAIL: not inside a git repository. cd into your clone of ComposioHQ/awesome-claude-skills and re-run."
  exit 2
fi

# 1. Repo identity
git remote get-url origin 2>/dev/null | grep -qE "ComposioHQ/awesome-claude-skills(\\.git)?\\b" \\
  && ok "origin remote is ComposioHQ/awesome-claude-skills" \\
  || miss "origin remote is not ComposioHQ/awesome-claude-skills (artifact may be from a fork)"

# 3. Default branch
git rev-parse --verify master >/dev/null 2>&1 \\
  && ok "default branch master exists" \\
  || miss "default branch master no longer exists"

# 5. Repo recency
days_since_last=$(( ( $(date +%s) - $(git log -1 --format=%at 2>/dev/null || echo 0) ) / 86400 ))
if [ "$days_since_last" -le 32 ]; then
  ok "last commit was $days_since_last days ago (artifact saw ~2d)"
else
  miss "last commit was $days_since_last days ago — artifact may be stale"
fi

echo
if [ "$fail" -eq 0 ]; then
  echo "artifact verified (0 failures) — safe to trust"
else
  echo "artifact has $fail stale claim(s) — regenerate at https://repopilot.app/r/ComposioHQ/awesome-claude-skills"
  exit 1
fi

Each check prints ok: or FAIL:. The script exits non-zero if anything failed, so it composes cleanly into agent loops (./verify.sh || regenerate-and-retry).

A curated registry of 1000+ Claude Skills and plugins that extend Claude AI's capabilities to perform real-world actions (send emails, create GitHub issues, post to Slack) across 500+ integrated apps via Composio's action orchestration platform. It provides production-ready skill templates, building tools, and a plugin system that bridges Claude with external services through OAuth and API automation. Flat monorepo structure: each skill lives as a standalone directory (e.g., artifacts-builder/, canvas-design/, brand-guidelines/) with its own SKILL.md metadata file, optional LICENSE.txt, and self-contained scripts/resources (e.g., canvas-design/canvas-fonts/ for typography assets). The repo root README.md serves as the single index. Build tooling lives in artifacts-builder/scripts/ with shell-based bundling (bundle-artifact.sh, init-artifact.sh).

AI engineers and Claude users who want to move beyond text generation to build Claude agents that take actions across SaaS platforms; skill developers creating reusable Claude plugins; teams deploying Claude Code and agentic workflows that require email, issue management, or Slack integration without building custom integrations.

Actively developed and production-ready. The repo contains 500+ curated, pre-tested skills with proper licensing (Apache 2.0), CI workflows (label-ready-skill.yml), and clear contribution guidelines (CONTRIBUTING.md). Recent GitHub Actions automation for skill labeling and the structured SKILL.md format in each directory indicate ongoing maintenance and a mature community curation process.

Low risk for skill consumption, but medium risk for skill contribution: the project relies heavily on external Composio API availability (no fallback mechanism visible), has no test suite in the file list, and relies on community-submitted skills with varying quality gates. Single source of truth for skill metadata (README.md) could become a bottleneck; no semver strategy visible for breaking changes in the Composio SDK itself.

The repo is actively accepting skill contributions with automated GitHub Actions for labeling (label-ready-skill.yml workflow). Recent focus on structured skill metadata (SKILL.md format enforced across directories), bundling tools for artifact packaging, and brand/design consistency guidelines. The creation of dedicated brand-guidelines/ and canvas-design/ skills suggests expansion into design-focused automation.

git clone https://github.com/ComposioHQ/awesome-claude-skills.git
cd awesome-claude-skills
# Review CONTRIBUTING.md for skill submission guidelines
# Install Claude CLI plugin: claude --plugin-dir ./connect-apps-plugin
# For local skill development, use: ./artifacts-builder/scripts/init-artifact.sh [skill-name]

Daily commands: This repo is not a runnable application; it is a registry. To use skills: claude --plugin-dir ./connect-apps-plugin then /connect-apps:setup with an API key from dashboard.composio.dev. To develop a new skill: ./artifacts-builder/scripts/init-artifact.sh my-skill to scaffold, then populate my-skill/SKILL.md and any required assets.

• README.md: Single source of truth for skill discovery; contains the structured index of 1000+ skills, quickstart for connect-apps plugin, and routing to all skill categories (Document Processing, Development, Data, Business).
• CONTRIBUTING.md: Defines submission standards for new skills, metadata requirements, licensing expectations, and validation rules for the awesome-claude-skills curated list.
• .github/workflows/label-ready-skill.yml: Automated validation and labeling CI pipeline; enforces skill metadata format and prevents malformed submissions from merging.
• artifacts-builder/scripts/init-artifact.sh: Scaffolding tool for new skill developers; generates boilerplate directory structure, SKILL.md template, and bundling configuration to accelerate contribution.
• artifacts-builder/scripts/bundle-artifact.sh: Packaging tool that compresses and validates skills for distribution; handles artifact versioning and Composio plugin compatibility checks.
• canvas-design/SKILL.md: Example of a mature, well-documented skill with typography assets; serves as a reference template for design-focused skill contributions.
• connect-apps-plugin: The actual Claude plugin that bridges Claude to 500+ apps; handles OAuth setup (/connect-apps:setup) and action execution routing through Composio.

To add a new skill: (1) Create a new directory at repo root following the pattern of existing skills (e.g., my-skill/); (2) add SKILL.md with metadata using the canvas-design/SKILL.md or artifacts-builder/SKILL.md as templates; (3) include LICENSE.txt (Apache 2.0 preferred based on repo badge); (4) add any scripts or resources to a skills/ subdirectory (or fonts/ for design skills); (5) test the skill with ./artifacts-builder/scripts/bundle-artifact.sh my-skill/; (6) submit PR with updated root README.md linking to your skill.

No environment variables are explicitly documented in the repo, but users must obtain an API key from dashboard.composio.dev and provide it during /connect-apps:setup—this is a hard dependency. The Claude CLI plugin system expects a specific directory structure (--plugin-dir flag); skill developers should use init-artifact.sh to avoid path errors. Bundle scripts (.sh files) are Bash-specific and may fail on Windows without WSL or Git Bash. The README links to composio.dev/toolkits as source of truth for supported apps, creating a runtime dependency on external Composio infrastructure; no offline fallback is visible. Font licensing (.OFL.txt files in canvas-fonts/) must be reviewed for each font; reusing fonts across skills without license compliance is a legal risk.

• Composio Action Orchestration — Core concept underlying every skill in this repo; understanding how Composio maps OAuth tokens, API endpoints, and tool definitions to Claude action calls is essential for skill development and debugging integration failures.
• Claude Tool Use & Function Calling — Skills rely on Claude's native tool/function calling API to expose Composio actions as callable tools; knowing how Claude selects, validates, and executes tool calls is required to design well-scoped skill capabilities.
• OAuth 2.0 Authorization Code Flow — The /connect-apps:setup flow uses OAuth to authorize Claude to act on behalf of the user with third-party apps (Gmail, GitHub, Slack); understanding token storage, refresh, and scoping is critical for skill security and user privacy.
• Plugin Architecture (CLI/LLM) — Skills are packaged as Claude plugins that extend the CLI; understanding how plugins register, discover commands (/connect-apps:), and receive context from the Claude runtime is required for testing and distribution.
• Skill Metadata & Discovery — Every skill declares capabilities, required permissions, and dependencies in SKILL.md; understanding how this metadata drives runtime behavior (e.g., which OAuth scopes to request) is essential for skill composition and conflict detection.
• Artifact Bundling & Distribution — Scripts like bundle-artifact.sh compress skills with dependencies into distributable packages; understanding versioning, manifest structure, and dependency resolution prevents broken skill installations in Claude environments.
• CI/CD for LLM Plugins (GitHub Actions) — The label-ready-skill.yml workflow validates skill submissions at scale; understanding how to write validators that check metadata, license compliance, and security (no hardcoded API keys) is critical as the community grows.

• ComposioHQ/composio — The underlying SDK and API orchestration engine that every skill in this repo depends on; needed to understand how action routing, OAuth, and app integrations actually work.
• anthropics/anthropic-sdk-python — The core Claude Python SDK; skills that interact with Claude models directly (not just as a plugin) will use this for message handling and tool definitions.
• openai/swiftui-chatgpt — Reference implementation of an AI agent with plugin system; shows patterns for skill discovery, tool registration, and capability advertising similar to awesome-claude-skills architecture.
• langchain-ai/langchain — Ecosystem companion for agentic workflows; many Claude skills leverage LangChain for tool composition, memory, and multi-step reasoning beyond Composio's action primitives.
• vercel-labs/ai — Vercel's framework for building AI apps with SDK components; used by some Claude skill developers building Next.js-based frontends for skill UI and testing.

To work on one of these in Claude Code or Cursor, paste: Implement the "<title>" PR idea from CLAUDE.md, working through the checklist as the task list.

Create a skill validation and metadata schema with automated checks

Each skill directory (artifacts-builder, brand-guidelines, canvas-design, etc.) contains a SKILL.md file, but there's no visible schema validation or automated checks to ensure consistency. Create a JSON schema for skill metadata and add a GitHub Action to validate all skills meet requirements (name, description, license, dependencies, etc.). This ensures quality across community contributions.

• [ ] Create a .github/schemas/skill-schema.json file defining required fields (name, description, version, license, maintainer, etc.)
• [ ] Add a .github/workflows/validate-skills.yml GitHub Action that runs on PRs to validate each SKILL.md against the schema
• [ ] Create a scripts/validate-skill.js (or similar) that parses SKILL.md frontmatter and checks against schema
• [ ] Update CONTRIBUTING.md with the schema requirements for new skill submissions

Add automated font license compliance checker for canvas-design skill

The canvas-design directory contains 30+ font files with individual OFL.txt license files, but there's no automated verification that all fonts have accompanying licenses or that licenses are valid. Add a script to ensure license compliance and prevent accidental addition of unlicensed fonts in future PRs.

• [ ] Create scripts/validate-fonts.sh that scans canvas-design/canvas-fonts/ and ensures every .ttf file has a corresponding license file
• [ ] Add a GitHub Action .github/workflows/validate-font-licenses.yml that runs this script on PRs modifying the fonts directory
• [ ] Generate a fonts-manifest.json listing all fonts with their license types and validation status
• [ ] Document the font license requirements in CONTRIBUTING.md

Create a skill discovery and indexing system with searchable metadata

Currently the repo is a flat list of skills with no programmatic way to query, filter, or discover skills by category, tags, or dependencies. Build a JSON index file and script that automatically generates it from skill metadata, enabling future tooling and better discoverability.

• [ ] Create scripts/build-skill-index.js that scans all skill directories, parses SKILL.md files, and generates a skills-index.json with normalized metadata (name, description, tags, category, maintainer, license)
• [ ] Add a GitHub Action .github/workflows/update-skill-index.yml that regenerates the index on each merge to main
• [ ] Update README.md with a searchable skill table that references the generated index
• [ ] Add validation that the index stays in sync with actual skills in the repo

• Add unit tests for bundle-artifact.sh and init-artifact.sh scripts (currently no test suite visible); a new contributor could create a tests/ directory with shell test harness (e.g., bats or shunit2) to validate script output and error handling for malformed skill directories.
• Create a SKILL.md template validator in Python (using jsonschema or pydantic) that GitHub Actions can invoke before merge; currently label-ready-skill.yml exists but no visible schema definition—formalizing the SKILL.md structure would catch missing required fields (name, description, capabilities) earlier in the PR process.
• Document Composio API rate limits and error codes in a TROUBLESHOOTING.md file; users report setup failures but the repo has no FAQ or error reference—adding concrete examples ('Error 401: invalid API key', 'Error 429: rate limit exceeded after 50 actions') would reduce support burden.

The repository demonstrates reasonable security practices overall. It is a curated skills/resources list with minimal code execution risk. Primary concerns are: (1) lack of visibility into GitHub Actions workflows which could have misconfigurations, (2) presence of binary artifacts (compressed archive and font files) that complicate auditing, and (3) missing security disclosure policy. The codebase itself appears to be primarily documentation and resource listings with low injection or credential exposure risk. No critical vulnerabilities detected, but process improvements in dependency management and security policy documentation are recommended.

• Low · Bundled Compressed Archives in Repository — artifacts-builder/scripts/shadcn-components.tar.gz. The file 'artifacts-builder/scripts/shadcn-components.tar.gz' contains a compressed archive committed to the repository. This makes it difficult to audit dependencies and could potentially contain malicious or outdated code without visibility. Fix: Extract and audit the contents of the archive. Consider removing the binary archive and instead documenting the build process or using package managers for dependency management. Commit source files instead of compiled/compressed artifacts.
• Low · Font Files in Repository — canvas-design/canvas-fonts/. Multiple font files (.ttf files) are committed directly to the repository. While generally low-risk, binary font files increase repository size and should ideally be served from CDN or font service (e.g., Google Fonts). Fix: Consider using a font service CDN like Google Fonts or hosting fonts separately. If fonts must be included, ensure they come from trusted sources with proper licenses (currently OFL licenses are present).
• Medium · GitHub Actions Workflow Present Without Visibility — .github/workflows/label-ready-skill.yml. A GitHub Actions workflow file exists at '.github/workflows/label-ready-skill.yml' but its content is not provided for analysis. Workflows can potentially execute arbitrary code or expose secrets if misconfigured. Fix: Review the workflow file to ensure: (1) No hardcoded secrets or credentials, (2) Proper permission scoping with 'permissions:' field, (3) Use of secrets management for sensitive data, (4) Verification of external actions used, (5) No use of dangerous inputs in shell commands.
• Low · No Dependency Lock File Provided — Repository root. The dependency/package file content was not provided. Without lock files (package-lock.json, yarn.lock, Gemfile.lock, etc.), there is risk of non-reproducible builds and potential supply chain vulnerabilities. Fix: Ensure all dependency lock files are committed to version control and regularly updated. Implement dependency scanning tools (e.g., Dependabot, Snyk) to monitor for vulnerable dependencies.
• Low · Missing Security Policy — Repository root. No SECURITY.md file is visible in the repository structure. This prevents users from reporting security vulnerabilities responsibly through private channels. Fix: Create a SECURITY.md file at the repository root with: (1) Instructions for reporting security vulnerabilities, (2) Contact information for security team, (3) Expected response timeline, (4) Disclosure policy.

LLM-derived; treat as a starting point, not a security audit.

• Open issues — current backlog
• Recent PRs — what's actively shipping
• Source on GitHub

Generated by RepoPilot. Verdict based on maintenance signals — see the live page for receipts. Re-run on a new commit to refresh.