Skills You Should Steal (and the Three You Should Write Yourself)

A tour of the 1M-skill ecosystem, the 73% that's broken, and the gaps an operator can fill


Saturday, 10:42 AM, six tabs

It’s Saturday morning, May 9, 2026. Coffee on the desk, no calls until Monday, and I’m doing the thing I told myself I’d do for a month — sit down and audit the community ecosystem I’d been hearing about every other podcast. Six tabs open. Six skills installed back-to-back from repos with five-figure star counts. I picked them by reputation, not by reading the file.

The first one — a “weekly retro” skill from a 12k-star library — fires but produces nothing. The description is fourteen words of marketing copy. The trigger phrases don’t match how anyone actually talks. Two of the six install but never fire on their stated invocation. One fires when I didn’t want it to, mid-newsletter draft, and rewrites three paragraphs into a generic LinkedIn voice. Another has allowed-tools: ["*"] in its frontmatter and I notice that line about ninety seconds too late — more on that at the end of this chapter.

Four out of six broken on first invocation. From repos with combined 60k+ stars. That ratio matched a number I’d been carrying around in my head for two months: a dev.to audit from March that put a hard receipt on what every operator suspected. The 73% problem.

This chapter is what I wish someone had handed me before I opened those six tabs.

Quickstart: install your first community skill in ten minutes

Three commands, two files to read, one habit that keeps your vault intact.

Step 1 — clone (60 seconds). Skills live at ~/.claude/skills/. Pick one library from the tier list. Clone into a named subdirectory:

git clone https://github.com/garrytan/gstack ~/.claude/skills/gstack

That’s the install. No package manager, no registry, no npm install. Claude Code scans ~/.claude/skills/**/SKILL.md on session start.

Step 2 — read SKILL.md before activation (3 minutes). Open the SKILL.md of the first skill you plan to use. Four lines decide whether it fires safely:

Step 3 — smoke-test (3 minutes). Restart your Claude Code session so the new skill registers. Run one prompt that matches the description’s trigger phrase verbatim. Watch the response: does it use the skill’s structure (named sections, expected output shape), or fall back to generic prose? Generic prose means the matcher missed — the description needs a trigger-phrase edit or the skill is broken.

Step 4 — if it misfires. Move it out of the active path: mv ~/.claude/skills/<library>/<broken-skill>/ ~/.claude/skills-archive/. Don’t rm — the SKILL.md might be a useful starting point for your own version. The audit habit: read every imported SKILL.md before the next session start. Eight seconds per skill. Saves the Saturday I had.

Pair a vetted skill install with Ch 38: /goal-style runs let the skill compose into autonomous loops.

First 10 minutes — bootstrap script

A reader who finishes this chapter should be able to run this and have a working skill library by minute 11.

#!/usr/bin/env bash
# first-10-minutes.sh — bootstrap a clean claude-code skill library
# read every line before running. this clones four repos and copies
# selected skills into ~/.claude/skills/.

set -euo pipefail

SKILLS_DIR="$HOME/.claude/skills"
STAGING="$(mktemp -d)"
mkdir -p "$SKILLS_DIR"

# 1. clone the four S/A-tier libraries (shallow clone of each repo's current HEAD)
git clone --depth 1 https://github.com/anthropics/skills "$STAGING/anthropics"
git clone --depth 1 https://github.com/garrytan/gstack    "$STAGING/gstack"
git clone --depth 1 https://github.com/trailofbits/skills "$STAGING/trailofbits"
git clone --depth 1 https://github.com/alirezarezvani/claude-skills "$STAGING/rezvani"

# 2. record the SHAs so you can pin / diff later
(cd "$STAGING/anthropics"  && git rev-parse HEAD) > "$STAGING/sha.anthropics"
(cd "$STAGING/gstack"      && git rev-parse HEAD) > "$STAGING/sha.gstack"
(cd "$STAGING/trailofbits" && git rev-parse HEAD) > "$STAGING/sha.trailofbits"
(cd "$STAGING/rezvani"     && git rev-parse HEAD) > "$STAGING/sha.rezvani"

# 3. scan for the wildcard pattern before any copy happens
echo "=== skills with allowed-tools: \"*\" — DO NOT INSTALL ==="
grep -rln 'allowed-tools: *\["\*"\]' "$STAGING" || echo "none found, proceed."

# 4. operator decides which to copy. nothing is auto-installed.
echo "=== staged at $STAGING ==="
echo "review SKILL.md by hand, then: cp -r $STAGING/<lib>/<skill> $SKILLS_DIR/"
echo "SHAs recorded in $STAGING/sha.* — paste into your skill-pin manifest."

The chapter implies “read every line before activation” but the literal grep in step 3 is the one-line defense against the Saturday-morning vault-deletion story.
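
The grep in step 3 matches only the one-line `allowed-tools: ["*"]` spelling, so a block-list or single-quoted wildcard passes it. The following added example (not part of the original chapter's script) reads the frontmatter and flags a bare `*` in any of those forms while leaving scoped entries such as `mcp__stripe__list_*` alone. It assumes frontmatter sits between the first two `---` lines, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not the chapter's script. Assumes SKILL.md frontmatter is the
# YAML block between the first two '---' lines; function names are hypothetical.

# Print "wildcard" if allowed-tools has a bare * entry, "scoped" if it lists
# only named or prefixed tools, "absent" if the key is missing.
allowed_tools_posture() {
  tr -d "\"'\r" < "$1" | awk '
    function check(s,   n, i, parts) {
      sub(/[ \t]#.*/, "", s)                 # trailing YAML comment
      gsub(/[ \t]|\[|\]/, "", s)             # spaces and list brackets
      n = split(s, parts, ",")
      for (i = 1; i <= n; i++) {
        sub(/^-/, "", parts[i])              # block-list marker
        if (parts[i] == "*") wild = 1        # bare wildcard, not mcp__x__*
      }
    }
    NR == 1 { fm = ($0 ~ /^---[ \t]*$/); next }
    fm && /^---[ \t]*$/ { fm = 0 }           # closing delimiter ends the scan
    !fm { next }
    /^allowed-tools[ \t]*:/ { seen = 1; inkey = 1; sub(/^[^:]*:/, ""); check($0); next }
    inkey && /^([ \t]|-)/ { check($0); next } # continuation or list-item line
    { inkey = 0 }
    END { print (wild ? "wildcard" : (seen ? "scoped" : "absent")) }
  '
}

# List every SKILL.md under $1 that grants a bare wildcard; return 1 if any do,
# so a bootstrap script can stop before the copy step.
scan_staging() {
  flagged=$(find "$1" -type f -name SKILL.md | while IFS= read -r f; do
    if [ "$(allowed_tools_posture "$f")" = "wildcard" ]; then printf '%s\n' "$f"; fi
  done)
  [ -z "$flagged" ] && return 0
  printf 'wildcard allowed-tools, do not install:\n%s\n' "$flagged"
  return 1
}

# Constructed sample: a block-list wildcard that a single-line grep misses.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/retro" "$demo_dir/brief"
printf '%s\n' '---' 'name: retro' 'allowed-tools:' '  - "*"' '---' 'body' > "$demo_dir/retro/SKILL.md"
printf '%s\n' '---' 'name: brief' 'allowed-tools: ["mcp__slack__slack_send_message"]' '---' > "$demo_dir/brief/SKILL.md"
scan_staging "$demo_dir" || echo "staging blocked: remove the flagged skills before copying"
```

Text after the closing `---` is ignored, so a skill that merely documents the wildcard in its body is not flagged.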

The 73% problem

On March 26, 2026, an auditor publishing as @thestack_ai on dev.to ran 214 community skills through a quality scorer built against the SKILL.md spec — description length, trigger-phrase quality, version field, allowed-tools posture, body structure, examples present. The headline: 73% scored below 60 out of 100.

The failure modes converged:

The audit gave the ecosystem its first quality benchmark. It also gave operators a reason to stop treating star count as a signal. Star count measures how many people clicked “I want this.” It does not measure whether the thing fires.

Tier list — May 2026 community libraries

The cadence here matches Chapter 24’s tier list, narrowed to one domain: where to actually steal from. All star counts are verbatim from the survey pulled May 14, 2026.

S — install the whole thing, prune to what fires

A — wire these into the discovery loop

B — narrow but worth knowing

Operators worth following

Five people doing the curation work, plus one auditor:

Bonus: @thestack_ai on dev.to — author of the 214-skill audit and the MIT-licensed pulser CLI that scores skills against the spec. The reason any of us have a number to put on the broken-skills problem at all.

Over-saturated — skip these, write something else

Six categories where the bar to publish is now so high you should not bother:

The opportunity cost is real. Every hour spent publishing a seventh commit-message generator is an hour not spent publishing the skill nobody else has written. Which brings us to:

The three under-served gaps — write these yourself

I run each of these privately. None of them exist in the public ecosystem in May 2026.

Gap 1 — Portfolio-CEO daily briefing

The setup: I run five companies. Every morning, I want one Slack DM that pulls HubSpot deal motion across all five, Gong signals from yesterday’s calls, calendar conflicts for today, Stripe anomalies overnight, and any Sentry / Vercel deploy receipts that drifted red. Not a generic standup. A portfolio-shaped read.

My private version stitches health-pulse + daily + closeday against MCP connectors. The SKILL.md sketch:

name: portfolio-daily-briefing
description: Morning brief across N companies — pulls HubSpot deal stage
  changes, Gong call signals, calendar conflicts, Stripe MRR motion, and
  CI/deploy health. Outputs ONE Slack DM, not a dashboard. Use when user
  says 'morning brief', 'daily', 'how does today look across the portfolio'.
version: 1.0.0
allowed-tools: ["mcp__hubspot__*", "mcp__gong__*", "mcp__stripe__list_*",
                "mcp__slack__slack_send_message"]

Operator profile: portfolio CEO, holding-company operator, multi-product founder. The closest public analogs (SyncGTM, Summit53) are CRM-only and assume one company. The portfolio shape is the gap.

Gap 2 — Mentoring lifecycle

The setup: I run a paid mentorship cadence weekly. Each session has pre-session prep (last week’s notes, action tracker, patterns file, agenda generation), during-session capture (structured notes against a four-frame template), post-session fan-out (summary, action tracker update, patterns refresh, next session scheduled). One skill, four modes selected by context.

Public ecosystem coverage of this: zero. The mentoring-lifecycle pattern referenced in Chapter 5 has no installable counterpart on any of the top six libraries I surveyed. Mentees, coaches, advisors, agencies — anyone running a recurring 1:1 against an evolving file set — would install this immediately.

Why nobody’s filled it: the developer-shaped majority of skill authors don’t run paid coaching practices. The shape of the workflow is invisible to them.

Gap 3 — Cross-trio audit

The setup: every paid product I ship has three customer-touching surfaces — the landing page (where money moves), the day-one fulfillment page (what they see after purchase), the welcome email (what hits their inbox). These three drift constantly. Tier names rename, prices update on the landing page but not the email, refund windows say 14 days on one and 7 on another. I built a private skill to read all three side-by-side and catch contradictions before any preorder Stripe link goes live.

Public versions: none. Functional audits and value audits each look at one artifact at a time. Cross-trio drift only surfaces when you read all three together.

name: cross-trio-audit
description: Audit consistency across landing page + day-1 fulfillment page
  + welcome email before a paid product ships. Catches tier-name, price,
  refund-window, cadence drift. Use when user says 'audit the trio',
  'pre-launch check', 'check before the Stripe link goes live'.
version: 1.0.0

Why nobody’s filled it: the shape is launch-ops, not engineering. Developer skill authors don’t think in terms of “the three documents a buyer touches.” Operators do.

The Trail of Bits vertical pattern

The most underrated repo on the tier list above is trailofbits/skills at 5.2k stars — an order of magnitude below the aggregators. The reason it earns a B-tier spot anyway: it’s the first credible vendor-vertical skill library. Ten skills, all security-research-shaped, all derived from work the firm already does for paying clients. Smart-contract audit. Semgrep rule creation. Differential review. YARA authoring.

The lesson is the publishing model, not the topic. “We already do this professionally. Here’s the skill version.” That’s the move the rest of the ecosystem has not yet copied.

Operator-vertical libraries that don’t exist yet but could:

The publisher wins inbound from a focused audience. The audience gets a library shaped to their actual workflow rather than another generic kitchen sink.

What this Saturday cost me

Back to the cold open. Of the six skills I installed that Saturday morning, one had allowed-tools: ["*"] in its frontmatter — wildcard tool access, the default-permit posture. I missed it on the install. Two prompts later, in a session where I’d asked Claude to clean up some scratch files, the skill fired against a phrase that wasn’t in its description, picked up a Bash(rm) it had no reason to invoke, and ran it against a path inside my Obsidian vault before I caught it on the receipts. Two markdown files gone. Vault git history saved them.

The lesson lives in Chapter 9 but it deserves to land here too: every imported skill gets read line-by-line before activation. The frontmatter especially. allowed-tools: ["*"] is the same energy as chmod 777 — you don’t ship it, you don’t install it, you don’t trust the maintainer who did. Star count is not a security signal. A 95k-star repo and a 95-star repo both run with your permissions once they fire.

[Figure: terminal screenshot of `cat` on a SKILL.md frontmatter block, with allowed-tools and the version field highlighted. Caption: The audit move: opening SKILL.md in the terminal before installing.]

If you want the build-side of the workflow, Chapter 11 walks the morning-briefing skill end-to-end. If you want the tier-list cadence applied to tools and connectors rather than libraries, Chapter 24 is the sibling. This chapter is just the curation receipt — the nine libraries to steal from, the three gaps to fill, the one audit habit that keeps your vault intact.

The ecosystem will look different in six months. Half the star counts above will move. Two of these libraries will be acquired or stop maintaining. Some operator I’ve never heard of will publish the portfolio-CEO briefing skill and I’ll install it before I finish mine. The receipts will update. The audit habit won’t.
