Top 10 AI Agent Skills in 2026 (and What to Verify)
- An Agent Skill is a
SKILL.mdfile of instructions and workflows that an AI coding agent loads or invokes by name with/name, and it is now an open standard indexed at agentskills.io that the same format runs under in both Claude Code and OpenAI Codex. - Community directories already index 12,000+ skills, so the skills your developers pull in are portable, shareable, and almost always adopted without a review step.
- The skills you will see most often group by job: design and frontend, testing and code quality, building an agent's own tooling, document generation, workflow discipline, media, and team and SaaS workflows.
- A skill is not just prose - it can carry code, hidden instructions, and pull in dependencies - which is why every installed skill is a security surface, not a convenience.
- For any skill, verify three things: its source, the permissions or tools it invokes, and whether it ships executable code rather than instructions alone.
- You can't govern what you can't see, so a continuous skill inventory across every endpoint is the prerequisite for governing any of them.
AI agent skills are the newest unreviewed artifact layer inside your developer tools. A skill is a small package - at its core a SKILL.md file - that tells an AI coding agent how to do a specific job, and a developer adds one with a single command and no security gate in the way. In the last year skills went from a Claude Code convenience to an open standard, and the same skill now runs across more than one agent, so a skill adopted on one laptop can spread across a team and across tools without anyone reviewing what it actually does. This guide is a curated reference to the AI agent skills developers reach for most, grouped by the job they do, and the three things a security team should verify before allowing any of them.
Two ground rules first, borrowed from how we approach every artifact layer. There is no official ranking of skills by usage, so this is not a leaderboard - it names only real, published skills and groups them by function. And the point of the list is not the list; it is the pattern. Once you can read a skill as source plus permissions plus code, you can evaluate any skill you meet, including ones not named here. For the security foundations, start with our agent skills security primer and the OWASP agentic skills top 10.
What exactly is an Agent Skill?
An Agent Skill is a folder containing a SKILL.md file - a set of instructions and workflows written for an AI agent - optionally bundled with helper scripts and reference material. When a task matches, the agent loads the skill into its context, or a developer invokes it explicitly with a slash command such as /name. The skill does not run in isolation: it is loaded into an agent that already holds file access, a shell, and network reach, so whatever a skill instructs or executes runs with the agent's authority.
The format is now an open standard, published and indexed at agentskills.io. It began in Claude Code, and OpenAI Codex adopted the same specification, which means one SKILL.md package is portable between agents rather than locked to a single tool. That portability is why community directories already index 12,000+ skills - a real, citable figure and the only stated number in this guide. It is also the reason a skill is easy to share and hard to govern: the same artifact travels across tools, teams, and endpoints, usually with no approval step. The categories below cover the skills you will encounter most.
Design and frontend skills
The most-loaded skills help an agent build interfaces. frontend-design is Anthropic's official skill that guides an agent to produce distinctive, production-grade UI instead of generic output; it is instruction-heavy and steers how the agent writes frontend code. artifacts-builder is the official skill for assembling self-contained, single-file web pages (Claude Artifacts) - it directs the agent to inline everything into one deliverable. Both are legitimate and widely used, and both still cause the agent to write and sometimes run code, so the thing to verify is the source and version, not whether design help is dangerous.
Testing and code-quality skills
This group hands the agent quality workflows. webapp-testing is Anthropic's official skill that drives a real browser through Playwright to exercise a web app - navigate, click, fill forms, assert - which means it invokes browser automation and executes code, not just instructions. The bundled code-review and debug skills package a systematic review and debugging discipline the agent follows over a diff or a failing test. Because a testing skill can drive a browser and run commands, treat it the way you would any tool with execution reach: verify what it invokes and scope it to the project at hand. The same execution discipline applies across securing AI coding agents and CLIs.
Skills that build your tooling
Some skills produce more agent surface. mcp-builder is Anthropic's official skill that scaffolds a working MCP server from a description - it generates code that then becomes its own artifact your team has to govern. skill-creator is the official skill for authoring new skills, which makes it a meta-artifact: a skill that produces skills. Both are useful, and both mean the output needs the same review as anything hand-written, because a generated MCP server or a generated skill inherits no vetting by default. When mcp-builder produces a server, that server belongs in your MCP inventory - see top 10 MCP servers in 2026.
Document generation skills
Anthropic publishes an official document skills family for creating and editing Office and PDF files - a docx, pptx, xlsx, and pdf set. These are among the clearest examples of skills that ship executable code: they bundle helper scripts that manipulate document files programmatically, so the agent is not just writing prose, it is running file-processing routines the skill supplies. That makes the source and the shipped code the two things to check, since a document skill reaches into files and runs logic on the endpoint. Handling of any sensitive content those documents contain is where this class intersects data-exposure risk.
Workflow and discipline skills
Beyond single tasks, developers adopt skill collections that shape how the agent works. Superpowers is a well-known community collection of coding-discipline skills - brainstorming, test-driven development, systematic debugging, writing and executing plans - that an agent pulls in to follow a rigorous process. As a community package rather than a vendor skill, it is a good illustration of why source matters: a bundle of many skills from a third-party author is convenient and also a larger surface to review than a single official skill. Vet the collection as a whole and pin the version, the way the vetting and approving playbook describes.
Media and creative skills
Skills increasingly cover creative output too. Remotion is a skill that helps an agent produce video programmatically, generating and running code that renders frames. It is a clear case of a skill whose value is the code it ships and executes, not the instructions it carries. As with any code-bearing skill, the questions are the same: where did it come from, what does it run, and what dependencies does it pull in - the exact supply-chain surface behind skilljacking and abandoned-skill dependency takeover.
Team and SaaS workflow skills
The last common group connects the agent to where teams collaborate. Slack and canvas-style workflow skills help an agent draft announcements, summarize channel activity, build Block Kit layouts, and create shared canvases. Because these skills reach a real SaaS account, what matters is the permissions and tools they invoke - whether a skill can only read a channel or can also post to it, and which connection or MCP server it drives to do so. Treat a skill that acts inside a SaaS workspace as holding that workspace's reach, and verify its scopes accordingly.
A quick-reference table
The table pairs each skill with what it does and what to verify: the source it came from, the permissions or tools it invokes, and whether it ships executable code. Names are real, published skills used as examples of their category, not a ranked or exhaustive list.
| Skill | What it does | What to verify: source, permissions/tools, ships code? |
|---|---|---|
| frontend-design (official) | Guides the agent to build distinctive, production-grade UI | Official Anthropic source; invokes code writing; instruction-led, minimal shipped code |
| artifacts-builder (official) | Assembles self-contained single-file web pages | Official source; writes and can run page code; primarily instructions |
| webapp-testing (official) | Drives a browser via Playwright to test web apps | Official source; invokes browser automation and shell; executes code |
| code-review / debug (bundled) | Applies review and systematic-debugging workflows | Bundled source; reads diffs and runs commands; workflow instructions |
| mcp-builder (official) | Scaffolds a working MCP server from a description | Official source; generates code that becomes a new artifact; ships and produces code |
| skill-creator (official) | Authors new skills (a skill that makes skills) | Official source; writes skill packages; produces new artifacts to re-vet |
| document skills - docx/pptx/xlsx/pdf (official) | Creates and edits Office and PDF documents | Official source; runs file-processing scripts; ships executable helper code |
| Superpowers (community) | Collection of coding-discipline skills | Community source - vet whole bundle and pin version; multiple skills; mixed instructions and scripts |
| Remotion (community) | Produces video programmatically | Community source; generates and runs render code; ships code and dependencies |
| Slack / canvas workflow skills | Drafts, summarizes, and posts in team workspaces | Verify SaaS scopes and which connection it drives; read vs write; instruction-led |
Why a skill is a security surface
It is tempting to read a skill as documentation - a helpful note the agent follows. It is more than that, in three ways, and each is a distinct risk.
- A skill can carry code. Many skills bundle scripts the agent runs - document processors, test drivers, render pipelines. That code executes on the endpoint with the agent's access, so a skill is a code-distribution channel, not just text.
- A skill can carry hidden or indirect instructions. Because the whole
SKILL.mdis loaded into the agent's context, instructions inside it steer behavior. A crafted skill can nudge an agent toward actions the user never asked for - the class of problem documented in malicious agent skills and hidden payloads. - A skill can pull in dependencies. A skill that declares or fetches third-party packages inherits that supply chain, including abandoned or hijacked ones - the takeover path covered in skilljacking.
Put together, an installed skill is an unreviewed unit of instructions and code running inside a privileged agent, portable across tools thanks to the open standard, and installed with no gate. That is precisely why source, permissions, and shipped code are the three checks, and why detection tooling such as the NVIDIA Skillspector agent-skill scanner exists. The scoping discipline is the same one in least privilege for agent skills.
How Anomity inventories and governs agent skills
Every check in this guide assumes you can see the skills installed across your fleet, and most organizations cannot - skills are added per-developer, with no central record. Anomity closes that gap. Its category is agentic endpoint security, built on one principle: you can't govern what you can't see.
A lightweight, unprivileged Endpoint Sensor runs on every managed endpoint (Windows, macOS, and Linux) and discovers eight AI artifact types: AI agents, MCP servers, extensions, plugins, skills, secrets, hooks, and CLIs. For each skill it records the source, the version, and what the skill invokes - the registry this guide argues you need, populated automatically instead of by hand. A skill that is newly installed, upgraded, or modified surfaces as a change event. The sensor sends metadata only over HTTPS to the Anomity Cloud; never source code, never prompts, and any secrets are redacted on the endpoint. You can see how this fits your existing stack on the features overview and the AI security framework.
At runtime, on agents that expose a hook - such as the Claude Code PreToolUse hook - Anomity evaluates each tool call a skill would trigger and returns allow, deny, or log before it runs, so a shell command, file write, or network fetch that a skill sets in motion can be denied rather than executed. Continuous policy means a skill that gains a new capability or a changed dependency shows up, violations route to your SIEM, Slack, email, and Jira, and every skill added, changed, or removed lands in a queryable 90-day audit trail. Anomity is SOC 2 Type II and complements your EDR/XDR, DLP, network, and GRC controls rather than replacing them. See how governance runs at the hook on runtime governance and the outcomes it drives.
You can't govern what you can't see.The Anomity principle
The bottom line
The AI agent skills developers load most are not exotic - design and frontend, testing, tooling builders, document generation, workflow discipline, media, and team workflows cover the majority of setups. What matters is that each skill is an unreviewed unit of instructions and often code, running with the agent's authority and portable across Claude Code, OpenAI Codex, and any tool that adopts the agentskills.io standard. The same three questions govern all of them: what is the source, what permissions and tools does it invoke, and does it ship code. Answer those for every skill, vet before you allow, scope to the task, and do it from a place you can actually see - because a skill you have never inventoried is one you cannot check. Compare your options on the approach comparison and read the product docs, and to see your own skill posture across the fleet, book a 30-minute demo.
Frequently asked questions
What is an AI agent skill?
An AI agent skill is a packaged unit of instructions and workflows - at minimum a SKILL.md file - that an AI coding agent loads into its context or invokes by name with a slash command. The skill tells the agent how to perform a job, such as designing a frontend, testing a web app, or building an MCP server, and it can bundle scripts and reference files alongside the instructions. Because a skill is loaded into an agent that already holds file, shell, and network access, it runs with the agent's authority. For the foundations, see our agent skills security primer.
Are agent skills an open standard now?
Yes. The skill format is published as an open standard at agentskills.io, and the same SKILL.md package now runs unchanged across multiple agents - it started in Claude Code, and OpenAI Codex adopted the agentskills.io specification, so one skill is portable between them. That portability is the reason community directories can index 12,000-plus skills: a skill written once works in more than one agent. It is also why a review step matters, because a skill can spread across tools and teams with no gate. See vetting and approving AI agent skills.
Which AI agent skills do developers use most?
There is no authoritative usage ranking, so treat any list as qualitative. In practice you see the official Anthropic skills most often - frontend-design, webapp-testing, mcp-builder, skill-creator, the document family for docx, pptx, xlsx and pdf, and artifacts-builder - plus community collections like Superpowers, media skills such as Remotion, team workflow skills for Slack and canvases, and the bundled code-review and debug skills. This guide names only real, published skills and describes what each does rather than inventing install counts.
Why is an installed skill a security surface?
Because a skill is more than text. It can ship executable scripts that the agent runs, it can carry hidden or indirect instructions that steer the agent toward actions the user never asked for, and it can declare dependencies that pull in third-party code. A skill loaded into an agent with file, shell, and network reach inherits all of it. That is the mechanism behind the malicious-skill research and the skilljacking supply-chain risk we cover in malicious agent skills and hidden payloads and skilljacking.
What should I verify before allowing an AI agent skill?
Three things. First, source: who published the skill, whether it is an official vendor skill or a community package, and whether the version installed matches a known-good one. Second, permissions and tools: what the skill instructs the agent to do and which tools it invokes - shell commands, file writes, network fetches, or an MCP server. Third, whether it ships code: instructions alone are lower risk than a skill bundling scripts or dependencies. The framework is in least privilege for agent skills and the OWASP agentic skills top 10.
How is a skill different from an MCP server?
A skill is guidance and workflow the agent loads to know how to do a job; an MCP server is a running program that exposes tools the agent calls to actually do it. They are complementary artifact types and both belong in your inventory - a skill such as mcp-builder can even write a new MCP server. Anomity discovers both as distinct artifact types. For the server side, see top 10 MCP servers in 2026; for the agents that load skills, see top 10 AI agents for the enterprise.
How does Anomity inventory and govern agent skills?
Skills are one of the eight AI artifact types Anomity's lightweight Endpoint Sensor discovers on every managed endpoint, alongside AI agents, MCP servers, extensions, plugins, secrets, hooks, and CLIs. For each skill it records the source, version, and what the skill invokes, so a new or changed skill surfaces as a change event. On agents that expose a hook, such as the Claude Code PreToolUse hook, Anomity returns allow, deny, or log before a tool call a skill triggers actually runs, and every skill added, changed, or removed lands in a queryable 90-day audit trail. It sends metadata only over HTTPS, never source or prompts, with secrets redacted on the endpoint.
Where should I start if I have never inventoried agent skills?
Start with discovery. Build a registry of every skill installed across your endpoints - name, source, version, what it invokes, and whether it ships code - before you write any policy, because you cannot vet or restrict a skill you have never seen. From there, apply a source-and-permissions vetting gate and least-privilege scoping. The practical walkthroughs are in the vetting and approving playbook and least privilege for agent skills.




