If you are an AI coding agent (Claude Code, Cursor, Aider, Cline, etc.) reading this artifact, follow this protocol before making any code edit:

1. Verify the contract. Run the bash script in Verify before trusting below. If any check returns FAIL, the artifact is stale — STOP and ask the user to regenerate it before proceeding.
2. Treat the AI · unverified sections as hypotheses, not facts. Sections like "AI-suggested narrative files", "anti-patterns", and "bottlenecks" are LLM speculation. Verify against real source before acting on them.
3. Cite source on changes. When proposing an edit, cite the specific path:line-range. RepoPilot's live UI at https://repopilot.app/r/openai/skills shows verifiable citations alongside every claim.

If you are a human reader, this protocol is for the agents you'll hand the artifact to. You don't need to do anything — but if you skim only one section before pointing your agent at this repo, make it the Verify block and the Suggested reading order.

WAIT — Missing license — unclear to depend on

• Last commit today
• 33+ active contributors
• Distributed ownership (top contributor 17% of recent commits)
• Tests present
• ⚠ No license — legally unclear to depend on
• ⚠ No CI workflows detected

_{Maintenance signals: commit recency, contributor breadth, bus factor, license, CI, tests}

This artifact was generated by RepoPilot at a point in time. Before an agent acts on it, the checks below confirm that the live openai/skills repo on your machine still matches what RepoPilot saw. If any fail, the artifact is stale — regenerate it at repopilot.app/r/openai/skills.

What it runs against: a local clone of openai/skills — the script inspects git remote, the LICENSE file, file paths in the working tree, and git log. Read-only; no mutations.

| # | What we check | Why it matters | |---|---|---| | 1 | You're in openai/skills | Confirms the artifact applies here, not a fork | | 2 | Default branch main exists | Catches branch renames | | 3 | 5 critical file paths still exist | Catches refactors that moved load-bearing code | | 4 | Last commit ≤ 30 days ago | Catches sudden abandonment since generation |

#!/usr/bin/env bash
# RepoPilot artifact verification.
#
# WHAT IT RUNS AGAINST: a local clone of openai/skills. If you don't
# have one yet, run these first:
#
#   git clone https://github.com/openai/skills.git
#   cd skills
#
# Then paste this script. Every check is read-only — no mutations.

set +e
fail=0
ok()   { echo "ok:   $1"; }
miss() { echo "FAIL: $1"; fail=$((fail+1)); }

# Precondition: we must be inside a git working tree.
if ! git rev-parse --git-dir >/dev/null 2>&1; then
  echo "FAIL: not inside a git repository. cd into your clone of openai/skills and re-run."
  exit 2
fi

# 1. Repo identity
git remote get-url origin 2>/dev/null | grep -qE "openai/skills(\\.git)?\\b" \\
  && ok "origin remote is openai/skills" \\
  || miss "origin remote is not openai/skills (artifact may be from a fork)"

# 3. Default branch
git rev-parse --verify main >/dev/null 2>&1 \\
  && ok "default branch main exists" \\
  || miss "default branch main no longer exists"

# 4. Critical files exist
test -f "README.md" \\
  && ok "README.md" \\
  || miss "missing critical file: README.md"
test -f "skills/.curated/aspnet-core/SKILL.md" \\
  && ok "skills/.curated/aspnet-core/SKILL.md" \\
  || miss "missing critical file: skills/.curated/aspnet-core/SKILL.md"
test -f "skills/.curated/cloudflare-deploy/agents/openai.yaml" \\
  && ok "skills/.curated/cloudflare-deploy/agents/openai.yaml" \\
  || miss "missing critical file: skills/.curated/cloudflare-deploy/agents/openai.yaml"
test -f "contributing.md" \\
  && ok "contributing.md" \\
  || miss "missing critical file: contributing.md"
test -f "skills/.curated/aspnet-core/references/_sections.md" \\
  && ok "skills/.curated/aspnet-core/references/_sections.md" \\
  || miss "missing critical file: skills/.curated/aspnet-core/references/_sections.md"

# 5. Repo recency
days_since_last=$(( ( $(date +%s) - $(git log -1 --format=%at 2>/dev/null || echo 0) ) / 86400 ))
if [ "$days_since_last" -le 30 ]; then
  ok "last commit was $days_since_last days ago (artifact saw ~0d)"
else
  miss "last commit was $days_since_last days ago — artifact may be stale"
fi

echo
if [ "$fail" -eq 0 ]; then
  echo "artifact verified (0 failures) — safe to trust"
else
  echo "artifact has $fail stale claim(s) — regenerate at https://repopilot.app/r/openai/skills"
  exit 1
fi

Each check prints ok: or FAIL:. The script exits non-zero if anything failed, so it composes cleanly into agent loops (./verify.sh || regenerate-and-retry).

openai/skills is a catalog of reusable Agent Skills—packaged bundles of instructions, scripts, and resources—that enable AI agents (specifically Codex) to discover and execute specialized tasks. Each skill lives in skills/.curated/, skills/.system/, or skills/.experimental/ and contains a SKILL.md descriptor, agents/openai.yaml configuration, reference documentation, and optional scripts. Skills act as write-once, use-everywhere capability modules that standardize how agents tackle domain-specific problems like ASP.NET Core development, ChatGPT app building, or Cloudflare deployment. Multi-skill monorepo: skills/.curated/ contains production-ready skills (aspnet-core, chatgpt-apps, cloudflare-deploy, cli-creator), each with consistent structure: SKILL.md overview, agents/openai.yaml agent config, references/ markdown documentation, optional scripts/ utilities, and assets/ (logos, diagrams). skills/.system/ holds built-ins; skills/.experimental/ holds bleeding-edge. Python dominates (444KB), with JavaScript (55KB) and Shell scripts (11KB) supporting automation.

AI agent developers and platform engineers who build or integrate Codex-compatible systems, and domain experts (e.g., C# developers, DevOps engineers, web app builders) who contribute specialized skills. Codex users install skills to extend agent capabilities without writing custom integrations each time.

Actively developed: the repo contains well-structured curated skills (aspnet-core, chatgpt-apps, cloudflare-deploy, cli-creator) with full documentation and agent configurations, suggesting production use. However, no explicit commit recency, test suite metadata, or CI pipeline details are visible in the provided snapshot, so assume collaborative maturity rather than enterprise hardening.

Risk is moderate: the decentralized skill-per-directory model means quality and maintenance ownership varies by skill (each has its own LICENSE.txt). Single-skill abandonment won't block the catalog, but there's no visible automated testing or schema validation across all skills. The reliance on agents/openai.yaml files suggests tight coupling to Codex's agent format—breaking changes to that schema could invalidate many skills.

Unable to determine from snapshot alone—no recent commit timestamps, PR list, or milestone data provided. The presence of well-maintained skills like cloudflare-deploy (with Agents SDK docs under references/) and chatgpt-apps (with scaffolding scripts like scaffold_node_ext_apps.mjs) suggests ongoing evolution. Likely areas of work: expanding skill catalog, refining agent YAML schema, and improving cross-skill documentation standards.

git clone https://github.com/openai/skills.git
cd skills
# Review the catalog: ls -la skills/.curated/
# Read the main guide: cat README.md
# Explore a specific skill: cat skills/.curated/aspnet-core/SKILL.md

No npm install or package manager setup needed to browse; to use skills in Codex, refer to Codex documentation.

Daily commands: This is a documentation/catalog repository, not a runnable service. To use skills: open Codex and run $skill-installer gh-address-comments or $skill-installer install https://github.com/openai/skills/tree/main/skills/.experimental/create-plan. To contribute or edit skills: clone the repo, modify SKILL.md and agents/openai.yaml files, and submit a PR. To preview skill structure: cat skills/.curated/aspnet-core/agents/openai.yaml and cat skills/.curated/aspnet-core/SKILL.md.

• README.md — Entry point explaining the skill catalog purpose, installation methods, and core concepts—essential for understanding the entire repository structure
• skills/.curated/aspnet-core/SKILL.md — Exemplar skill definition showing the standard structure, metadata, and documentation format that all curated skills must follow
• skills/.curated/cloudflare-deploy/agents/openai.yaml — Agent configuration template defining how skills are discovered and invoked by AI agents—core orchestration contract
• contributing.md — Contributor guide establishing submission standards, skill validation criteria, and review process for new skills
• skills/.curated/aspnet-core/references/_sections.md — Reference index pattern showing how curated skills organize documentation into navigable knowledge sections
• skills/.curated/chatgpt-apps/references/repo-contract-and-validation.md — Schema validation rules and repository contracts that all skills must satisfy for integration with Codex

• SKILL.md Manifest (Markdown) — Declares skill identity, human-readable description, license, and usage instructions for catalog display
  • Failure mode: Missing or malformed manifest prevents skill from appearing in UI; unclear descriptions reduce discoverability
• agents/openai.yaml (YAML, OpenAI Plugin Spec) — Maps skill to OpenAI agent plugin protocol; defines agent capabilities, functions, and parameter schemas
  • Failure mode: Malformed YAML or schema mismatch causes agent invocation failures; missing functions make skill inaccessible
• References (Markdown Modules) (Markdown, GitHub-flavored) — Provides domain knowledge, API details, patterns, and gotchas that agents use to generate correct implementations
  • Failure mode: Incomplete or outdated references cause agents to generate incorrect code

Add a New Curated Skill

1. Create skill directory in skills/.curated/ with descriptive name (skills/.curated/{skill-name}/)
2. Create SKILL.md manifest with title, description, and usage overview (skills/.curated/{skill-name}/SKILL.md)
3. Create agents/openai.yaml binding so Codex can discover and invoke the skill (skills/.curated/{skill-name}/agents/openai.yaml)
4. Create references/_sections.md index pointing to all knowledge modules (skills/.curated/{skill-name}/references/_sections.md)
5. Add reference markdown files explaining concepts, APIs, and patterns (e.g., getting-started.md, api.md, patterns.md) (skills/.curated/{skill-name}/references/{topic}.md)
6. Add logo/assets to assets/ folder for catalog display (skills/.curated/{skill-name}/assets/{logo}.png)

Document a Complex Feature within a Skill

1. Add feature subdirectory under references/ to group related docs (skills/.curated/{skill-name}/references/{feature}/)
2. Create README.md with feature overview and use-case introduction (skills/.curated/{skill-name}/references/{feature}/README.md)
3. Create api.md documenting available endpoints, methods, and parameters (skills/.curated/{skill-name}/references/{feature}/api.md)
4. Create configuration.md with setup examples and environment variables (skills/.curated/{skill-name}/references/{feature}/configuration.md)
5. Create patterns.md and gotchas.md for best practices and known pitfalls (skills/.curated/{skill-name}/references/{feature}/patterns.md)

Create a Skill Scaffolding Script

1. Add new .mjs Node script to skills/{category}/scripts/ directory (skills/.curated/{skill-name}/scripts/scaffold_{feature}.mjs)
2. Script should generate boilerplate SKILL.md, agents/openai.yaml, and reference stubs (skills/.curated/{skill-name}/scripts/scaffold_{feature}.mjs)
3. Reference the scaffold script in the skill's SKILL.md so users can invoke it (skills/.curated/{skill-name}/SKILL.md)

• YAML Agent Configuration (agents/openai.yaml) — Declarative, human-readable format for defining agent-skill bindings that Codex can parse without custom code
• Markdown for Documentation (references/) — Version-control friendly, renderable in GitHub/web, easy for humans and LLMs to consume for knowledge grounding
• Directory-based Organization (skills/.curated/, .system, .experimental) — Enables progressive skill maturity and simple installation mechanics via path-based skill discovery
• Node.js Scaffolding Scripts (.mjs) — Platform-agnostic automation for generating boilerplate skills and reducing contributor friction

• Directory structure over centralized skill registry database

  • Why: Simplifies distribution, versioning, and Git-based collaboration without requiring a backend service
  • Consequence: Skill discovery relies on file enumeration rather than indexed queries; scales well to ~500 skills but may need indexing for ~5000+

• Static markdown references over interactive/searchable docs

  • Why: Markdown is Git-friendly, offline-accessible, and easily embedded in LLM context windows
  • Consequence: Users navigate via _sections.md indices and file-system exploration; no full-text search or dynamic filtering

• Optional scaffolding scripts rather than mandatory generators

  • Why: Reduces tooling dependency and allows skills to define custom scaffolding suited to their domain
  • Consequence: No guarantee of consistent boilerplate across all skills; requires clear contributing guidelines

• Does not provide a runtime environment for executing skills—Codex agents invoke skills, not this repo
• Does not include authentication or access control—all skills are publicly discoverable
• Does not enforce real-time synchronization or webhooks between skill definitions and external systems
• Not a package manager—does not manage semantic versioning, dependencies, or breaking changes across skills

1. Agent YAML schema coupling: agents/openai.yaml format is tightly bound to Codex's agent discovery. Changes to Codex's schema may require bulk skill updates; no version pinning visible. 2. No centralized test suite: Each skill is self-contained; there's no CI pipeline visible to validate SKILL.md format or YAML syntax across the catalog. 3. Skill installer context: The $skill-installer command is a Codex-specific CLI tool not included in this repo; skills are passive assets that must be pulled by the Codex runtime. 4. License fragmentation: Each skill has its own LICENSE.txt (see aspnet-core/LICENSE.txt, cloudflare-deploy/LICENSE.txt), so legal review is per-skill, not repo-wide. 5. Documentation format: SKILL.md and references/ are free-form Markdown with no schema validation; consistency depends on contributor discipline.

• Agent Skills Standard (agentskills.io) — Defines the SKILL.md descriptor format and agents/openai.yaml contract that all skills in this repo conform to; understanding this spec is essential to creating or modifying skills.
• Skill Discovery & Dynamic Binding — Codex agents discover skills by scanning the .curated/, .system/, and .experimental/ directories and binding to them via agents/openai.yaml; this decentralized model lets skills be added without recompiling Codex.
• YAML as Agent Configuration Language — Each skill's agents/openai.yaml file declaratively defines its capabilities, inputs, outputs, and runtime behavior; YAML is the contract between skill and agent.
• Skill Curator Model (System / Curated / Experimental) — The repo organizes skills into three maturity tiers: .system/ (built-in, stable), .curated/ (validated, production-ready), and .experimental/ (bleeding-edge); this tiering strategy manages quality and stability.
• Documentation-as-Code (references/ Markdown) — Each skill bundles its domain knowledge as versioned Markdown files in references/ (e.g., aspnet-core/references/security-and-identity.md); this makes guides discoverable by agents and searchable in version control.
• Scaffold Scripts & Templating (Node.js, Shell) — Some skills include scripts/ with automation utilities (e.g., scaffold_node_ext_apps.mjs) that generate boilerplate or project templates; this pattern reduces agent & user friction for skill adoption.
• Asset Bundling & Brand Continuity — Skills include assets/ (logos, diagrams) that are served alongside skill metadata; this enables consistent UI/UX when agents or dashboards surface skills to users.

• openai/gpt-pilot — Companion Codex ecosystem tool for agentic code generation; shares the same agent-driven architecture and likely consumes skills.
• agentskills-org/agentskills — Maintains the open Agent Skills standard (agentskills.io) that this repo implements; defines the SKILL.md and YAML contract specs.
• microsoft/semantic-kernel — Alternative skill/plugin system for LLM orchestration; different implementation but solves the same 'capability discovery and reuse' problem for agents.
• langchain-ai/langchain — Ecosytem companion: LangChain agents can be augmented with skills-like tool definitions; bridges Codex skills to broader LLM app frameworks.
• vercel/ai — Related toolkit for building AI-powered apps; many ChatGPT app skills in this repo would pair with Vercel AI's SDK for deployment and inference.

To work on one of these in Claude Code or Cursor, paste: Implement the "<title>" PR idea from CLAUDE.md, working through the checklist as the task list.

Create SKILL.md template and validation schema for consistency

Each skill in skills/.curated/ has a SKILL.md file, but there's no documented standard format or validation. A new contributor could create a SKILL.md.template file at the root and add a JSON schema (e.g., skill-schema.json) that validates the structure of all SKILL.md files across curated, experimental, and system skills. This would ensure consistency and make it easier for contributors to author new skills.

• [ ] Audit existing SKILL.md files (aspnet-core, chatgpt-apps, cli-creator, cloudflare-deploy) to document the common structure
• [ ] Create skills/SKILL.md.template with clear sections and examples
• [ ] Create a skill-manifest-schema.json or similar to validate SKILL.md frontmatter/structure
• [ ] Add a pre-commit hook or GitHub Action to validate new skills against this schema

Add agents/openai.yaml schema documentation and examples

Every curated skill has agents/openai.yaml, but there's no documentation of what fields are valid, required, or what patterns are supported. A contributor could document the openai.yaml schema by creating agents/AGENT_CONFIG.md at the root level with examples from existing skills (aspnet-core, chatgpt-apps, cloudflare-deploy), field descriptions, and validation rules.

• [ ] Analyze all agents/openai.yaml files in skills/.curated/ to extract common fields and patterns
• [ ] Create agents/AGENT_CONFIG.md documenting the schema (required fields, optional fields, examples)
• [ ] Create a agents-schema.json file to formally validate openai.yaml structure
• [ ] Add validation to contributing.md workflow

Add GitHub Action to validate skill structure on pull requests

Currently there's no automated validation that new skills follow the expected directory structure (LICENSE.txt, SKILL.md, agents/openai.yaml, references/, assets/). A contributor could create .github/workflows/validate-skill-structure.yml that runs on PRs to ensure all new skills in skills/.curated/ and skills/.experimental/ meet minimum requirements.

• [ ] Create .github/workflows/validate-skill-structure.yml
• [ ] Define required files per skill: LICENSE.txt, SKILL.md, agents/openai.yaml
• [ ] Define required directories: agents/, references/
• [ ] Add check for valid YAML in openai.yaml files
• [ ] Reference this workflow in contributing.md

• Add automated SKILL.md schema validation: Create a Python script (in the repo root or skills/.ci/) that validates each skill's SKILL.md against a standard structure (title, description, prerequisites, examples, links) and runs in CI. Currently no tooling ensures consistency across skills/.curated/, skills/.experimental/, and skills/.system/.: Medium: Prevents documentation drift and makes onboarding clearer.
• Expand chatgpt-apps skill references: The chatgpt-apps/references/ folder is sparse (7 markdown files). Add missing topics like 'error-handling-and-retry-logic.md', 'performance-optimization.md', and 'testing-strategies.md' to match the depth of aspnet-core/references/ (11 files).: Medium: Closes a documentation gap for a high-value skill.
• Create a skill template generator script: Write a shell or Node.js script (e.g., skills/.templates/generate-skill.sh) that scaffolds a new skill directory with stub SKILL.md, agents/openai.yaml, references/, and assets/ folders. Document it in contributing.md.: Low: Lowers friction for new contributors and ensures consistent structure.

The Skills Catalog repository has a reasonable security posture but lacks some foundational security practices. Primary concerns include missing vulnerability disclosure policy, potential information disclosure through documentation, and insufficient input validation in executable scripts. The repository structure itself is clean and organized. Recommendations focus on establishing security processes (SECURITY.md, CI/CD security scanning) and enhancing script security with input validation. No critical vulnerabilities detected in the current file structure, but runtime security depends heavily on how these skills are executed and what code they reference.

• Medium · Potential Information Disclosure via Documentation Files — skills/.curated/*/references/ directory structure. The repository contains extensive documentation and reference files that may inadvertently expose implementation details, API patterns, and architectural information that could be leveraged by attackers for reconnaissance. Files like 'security-and-identity.md' and configuration documentation could reveal sensitive architectural details. Fix: Review all reference documentation for sensitive implementation details. Consider marking security-related documentation as internal-only and implement access controls if this is hosted publicly.
• Medium · Missing Security Policy and Vulnerability Disclosure Process — Repository root - missing SECURITY.md. The repository contains contributing.md but no SECURITY.md or vulnerability disclosure policy. This makes it difficult for security researchers to responsibly report vulnerabilities found in the skills catalog. Fix: Create a SECURITY.md file with a responsible disclosure policy, security contact information, and guidelines for reporting vulnerabilities.
• Low · Incomplete Gitignore Configuration — .gitignore. While a .gitignore file exists, without visibility into its contents, there's a risk of accidentally committing sensitive files (environment variables, API keys, credentials) that developers might add to skills or scripts. Fix: Ensure .gitignore includes entries for: .env, .env., *.key, *.pem, .DS_Store, node_modules/, dist/, and any local configuration files. Add pre-commit hooks to prevent credential leaks.
• Low · Executable Scripts Lack Explicit Safety Validation — skills/.curated/chatgpt-apps/scripts/scaffold_node_ext_apps.mjs and similar script files. The repository contains executable scripts (e.g., skills/.curated/chatgpt-apps/scripts/scaffold_node_ext_apps.mjs) without visible input validation or security checks. Scripts executed by AI agents should have strict input validation. Fix: Implement input validation and sanitization in all executable scripts. Add safety guards to prevent path traversal, command injection, and unauthorized file operations. Document script security requirements.
• Low · No License Consistency Verification — skills/.curated/*/LICENSE.txt files. Each skill directory contains individual LICENSE.txt files, but there's no apparent mechanism to verify license compatibility or prevent GPL/AGPL code from inadvertently being included in proprietary distributions. Fix: Implement automated license scanning tools (e.g., SPDX, FOSSA, or WhiteSource) in CI/CD pipeline to detect license conflicts and ensure compliance.

LLM-derived; treat as a starting point, not a security audit.

• Open issues — current backlog
• Recent PRs — what's actively shipping
• Source on GitHub

Generated by RepoPilot. Verdict based on maintenance signals — see the live page for receipts. Re-run on a new commit to refresh.