Skills/oss
Personal collection  ·  MIT Licensed  ·  No guarantees

Skills I use when coding with AI agents. Shared in case they help you too.

These are my personal collection of skills that I use which have given me some good results over the time and I am just doing this so that they may be useful to someone else out there like me. They in no way guarantee any protection but they can help you get there.

Browse the repository View skills →
Why I made these

AI writes the happy path. I kept getting burned by the rest.

I noticed my AI agent was great at making things work — and pretty bad at thinking about what happens when they don't. These skills are my attempt to close that gap. They're not a silver bullet, but they've made me a more careful builder.

01

I kept getting generic, shallow reviews.

A security-focused prompt gives you different thinking than a reliability one. I wrote separate skills for each domain so the agent could switch mental models rather than give me the same surface-level checks every time.

02

The agent trusted its own code too much.

These skills ask it to re-read its own output with a more critical eye — like a second reviewer who's actively looking for what could go wrong, not just confirming what's there.

03

The bugs were always at the edges.

Race conditions, missing retries, unsigned webhooks. The stuff that doesn't show up in happy-path tests. I kept hitting the same patterns, so I wrote them down as things to always check.

The collection

Six key areas. Six specialized skills I actually use.

Each skill is a plain Markdown file — just paste it into your agent's context when the domain is relevant. None of them guarantee anything, but they give the agent a better starting point than a blank slate.

What I keep coming back to

Things I remind myself — and the agent — every time.

These aren't rules handed down from on high. They're just patterns I've found myself thinking about repeatedly, so I baked them into the skills.

"Think like a real security engineer, not a tutorial."

Reason about the system as an attacker would. Assume credentials leak, tokens get replayed, and inputs are crafted, not typed.

"Test sad paths, not just happy paths."

Every new function deserves at least three failure tests: wrong input, missing dependency, partial success. The happy path is the easy one.

"Never trust the browser as a security boundary."

Client validation is UX. Server validation is the contract. Authorisation is checked on every read, every write, every join.

"Production-grade means recoverable, not perfect."

Assume something will break. Skills emphasise observability, graceful degradation, and reversible deploys over heroic correctness.

Real things I've caught

Issues that would have shipped without a second look.

A few examples of the kinds of things these skills have helped surface in my own work. Not because the agent is careless — but because it needed a more specific lens to look through.

SEC-014

IDOR hiding behind a UUID.

The agent shipped GET /invoices/:id using a UUID and assumed "unguessable" was equivalent to "authorised". The Security Audit skill re-reads every route and flags any handler that loads a resource without checking it belongs to the calling tenant.
caught by security-audit · authz-review
REL-022

Retry storms on a transient 5xx.

A naive retry: 5 with no backoff and no jitter turned a 30-second upstream blip into a self-inflicted DDoS. The Reliability skill expects exponential backoff, a circuit breaker, and an explicit budget on every outbound call.
caught by reliability · sre-readiness
SCALE-007

N+1 dressed up as "clean code."

A list endpoint mapped over results and called user.org.plan inside the loop — fine on the seed database, lethal on a real one. The Scalability skill instruments every list handler with an expected-query-count budget.
caught by scalability · db-readiness
PAY-003

Webhook trusted without signature verification.

A payment webhook was parsed and credited without checking the provider's HMAC signature. The Payments & Fraud skill refuses to consider a webhook "handled" until the signature is verified, the body is treated as raw bytes, and the event ID is checked for replay.
caught by payments-fraud · webhooks
SUPPLY-011

A "small helper" with 412 transitive dependencies.

The agent added a single utility import that pulled in a deprecated maintainer's package graph. The Dependency & Supply Chain skill checks every new dependency against age, maintainer count, install scripts and known advisory feeds.
caught by supply-chain · dep-audit
How I use them

Drop one in when it's relevant. That's it.

Install using npx commands — no SDK, no account. I usually load a skill right before a focused review, or keep a couple in my system prompt when I'm working in a sensitive area.

i.

Add the skill using npx.

Use npx skills add to bring individual skills into .claude/, .cursor/, or wherever your agent reads prompts from. Take only what's useful to you.

ii.

Load it when the domain is relevant.

I usually reach for a skill right before a focused pass — security before merging auth changes, reliability before a new async worker. Or drop it in your system prompt if you want it always on.

iii.

Adapt it to your context.

These work best as starting points. Edit them, combine them, strip out the parts that don't fit your stack. If you find something that works better, I'd love to know.

Free · MIT · No strings

Take what's useful. Leave what isn't.

Everything is on GitHub. These are my skills — no team behind them, no roadmap, no promises. If something here saves you from a bad deploy or a security headache, that's good enough for me.

Browse on GitHub See what's in there →
Skills
6
Focus Areas
6
License
MIT
Guarantee
None