Three months ago this didn’t exist.
Today there are over 90,000 installable skills for your AI agent, a leaderboard tracking the most popular ones, a dozen competing marketplaces, and a coordinated malware campaign that already hit thousands of users before anyone noticed.
Welcome to the agent skills ecosystem. It grew faster than npm. And it’s already getting messy.
What Is an Agent Skill?
If you use Claude Code, Cursor, Codex, Windsurf, or any AI coding agent, you already know the problem. Every time you open a new session you have to re-explain your project. Your tech stack. Your preferences. Your standards. Over and over.
Agent skills fix that.
A skill is a folder containing a simple file called SKILL.md that holds instructions, context, and procedural knowledge your AI agent can load automatically when it needs them. Install a skill for React best practices and your agent stops making the same React mistakes every session. Install a skill for your company’s coding standards and every developer on the team gets consistent behavior without anyone copying and pasting a prompt into every chat window.
One install command. Done.
npx skills add owner/repoThe agent finds the skill, loads it when relevant, and applies it automatically. You don’t have to think about it again.
The analogy that keeps coming up in developer circles: this is npm for AI agents. And like npm, it started with one company’s idea and became something much bigger, much faster, than anyone expected.
Where skills.sh Fits In
Vercel launched skills.sh on January 20, 2026 as the official directory and leaderboard for agent skill packages.
The project introduces what Vercel describes as an open agent skills ecosystem, where developers can define, share, and run discrete operations that agents can invoke as part of their workflows. The goal was to separate agent reasoning from execution. Instead of letting AI agents figure out how to do things on the fly, skills give them a defined, auditable set of instructions to follow every time.
Skills.sh supports 19 different AI agents including Claude Code, Cursor, Codex, GitHub Copilot, Windsurf, Gemini, and more. It tracks actual install counts rather than just listing what’s been published, which means the leaderboard tells you what the community actually trusts and uses rather than just what exists.
The open standard underneath all of this is SKILL.md, originally published by Anthropic in December 2025 and subsequently adopted by OpenAI. One skill file, multiple agents. That interoperability is a big part of why the ecosystem grew so fast.
As Vercel put it in their own documentation: skills are the “npm moment” for context. Instead of copy-pasting long instructions into every session, you install once and let the agent load it when relevant.
What’s Actually Popular Right Now
The skills.sh leaderboard is public and updated in real time based on install telemetry. As of March 2026 the top skills by total installs are:
find-skills by Vercel Labs — 579,000+ installs. Helps agents discover and recommend the right skill when you ask “how do I do X.” Meta but genuinely useful.
vercel-react-best-practices — 216,000+ installs. Encodes over 40 React and Next.js performance rules across 8 categories, ordered by impact. One install and your agent stops writing slow React.
web-design-guidelines — 171,000+ installs. Over 100 rules covering accessibility, typography, images, dark mode, and UX. Great for anyone building interfaces with AI agents.
frontend-design by Anthropic — 164,000+ installs. This one is genuinely special. It gives Claude a design philosophy before it touches any code, pushing it away from the predictable Inter font, purple gradient, white background output that makes AI-generated UIs instantly recognizable. Installs with npx skills add anthropics/skills --skill frontend-design.
remotion-best-practices — 150,000+ installs. Remotion is a framework that lets you create videos using React. This skill let people describe a video in plain language and have Claude Code generate the whole thing. The demo hit 6 million views on X in 48 hours.
azure-ai by Microsoft — 137,000+ installs. Microsoft showed up early and hard to this ecosystem, with a full suite of Azure skills covering AI, observability, compute, and more.
Anthropic maintains an official skills repository on GitHub covering document skills (Word, PDF, Excel, PowerPoint), design, development, and enterprise workflows. These are the safest skills to install since they come directly from the company that built the standard.
The Ecosystem Exploded Overnight
Here’s the number that should make your jaw drop.
npm took a decade to reach 350,000 packages. The AI agent skills ecosystem did it in about two months.
December 2025: a few thousand skills. January 2026: tens of thousands. February 2026: the line went vertical. That kind of growth happens when the right infrastructure meets the right timing and right now AI agents are the timing.
It’s not just indie developers either. Vercel, Prisma, Supabase, Stripe, Remotion, Coinbase, and Microsoft all shipped official agent skills before Q1 2026 ended. When that many infrastructure companies move at once, something structural is happening. These aren’t experiments. They’re distribution plays.
The logic mirrors what happened with npm packages. Stripe’s stripe package, Prisma’s prisma package, Vercel’s next package weren’t just utilities. They were distribution channels that put products into the developer’s dependency tree before the developer ever visited their websites. Agent skills are the 2026 version of that play. The install command is different but the strategy is identical.
The Competing Marketplaces
Skills.sh isn’t the only place to find agent skills. The ecosystem fragmented fast and now there are several competing directories with very different philosophies.
SkillsMP is the biggest by raw numbers with over 500,000 skills aggregated from GitHub. It’s an independent community project, not affiliated with Anthropic or Vercel. The tradeoff is quality: it filters out repos with fewer than 2 GitHub stars which is basically no bar at all. Wide net, thin vetting.
SkillHub takes the opposite approach. Around 7,000 skills, all AI-evaluated on five dimensions: practicality, clarity, automation, quality, and impact. An S-rank means exceptional (9.0+), A-rank is excellent (8.0+). Smaller catalog, much higher signal. Also has pre-configured skill stacks for specific workflows you can preview before installing.
agentskill.sh sits at 44,000+ skills and runs two-layer security scanning on everything in the directory. It’s the most security-conscious of the major platforms and defaults to showing only grade-A skills. The best option if security is your first concern.
LobeHub Skills grew out of the broader AI tools ecosystem and has over 100,000 skills with strong community curation and detailed ratings. Heavy overlap with the OpenClaw ecosystem.
SkillsDirectory runs automated security analysis on every skill using 50+ rules covering prompt injection, credential theft, data exfiltration, and malware. One of the few platforms that takes security as a first-class feature rather than an afterthought.
awesome-agent-skills on GitHub is a curated community list that links to all the major marketplaces, research papers on skills security, and guides for building your own.
All of these platforms use the same open SKILL.md standard, so a skill that works on one works on all of them. The difference is curation, security vetting, and how you discover what’s available.
The Part Nobody Is Talking About
Here’s where it gets uncomfortable. And it’s important enough that VU isn’t going to skip it.
Snyk security researchers completed the first comprehensive audit of the agent skills ecosystem in February 2026, scanning 3,984 skills. The findings were stark: 13.4% of all skills contained at least one critical-level security issue including malware distribution, prompt injection attacks, and exposed secrets. Expand to any severity and over a third of the ecosystem is affected.
Over a third. In two months.
Here’s why that matters more than a typical software vulnerability. Unlike traditional code packages that execute in isolated contexts, agent skills operate with the full permissions of the AI agent they extend. When you install a skill for Claude Code or OpenClaw, that skill inherits everything your agent can access. Your filesystem. Your API keys. Your credentials. Your ability to run shell commands. Your email if you’ve connected it.
The attack that already happened: in late January 2026, a coordinated malware campaign hit ClawHub, the marketplace for OpenClaw skills. Over 335 malicious skills shared a single command-and-control IP. Targets included exchange API keys, wallet private keys, SSH credentials, and browser passwords. One actor uploaded over 350 malicious packages in an automated blitz. The malware delivered Atomic macOS Stealer. By the time the platform caught it, thousands of users had potentially installed the malicious code.
Research published in February 2026 found that today’s agents are highly vulnerable to skill-based attacks, with up to 80% attack success rate with frontier models, often executing harmful instructions including data exfiltration, destructive actions, and ransomware-like behavior.
The barrier to publishing on most skill marketplaces? A SKILL.md file and a GitHub account that’s a week old. No code signing. No security review by default.
This isn’t a reason to avoid the ecosystem. It’s a reason to be smart about it.
How to Use Agent Skills Without Getting Wrecked
The same rules that apply to installing npm packages apply here, except the stakes are higher because your agent has more access than a Node module ever did.
Only install from sources you trust. Vercel’s official agent-skills repo, Anthropic’s official skills repo, and skills from companies you recognize are your safest starting point. The leaderboard on skills.sh gives you install count signal but popularity isn’t the same as safety.
Read the SKILL.md before you install. It’s a markdown file. It takes 30 seconds. If the instructions don’t match what the skill claims to do, don’t install it.
Use security-vetted directories. agentskill.sh and SkillsDirectory both run automated security scanning. If you’re pulling skills from SkillsMP or similar unvetted sources, treat them like untrusted code.
Prefer skills with 1,000+ installs from known authors. The skills.sh leaderboard is your friend here. A skill from a company with a real GitHub presence and thousands of installs has a lot more trust signal than something from a one-week-old account.
Use the allowed-tools field when available. This limits what tools the skill can invoke and reduces the blast radius if something goes wrong.
For anything work-related or production, stick to official packages from established companies. The community-built stuff is great for experimentation. You probably don’t want it running with access to your AWS credentials.
Why Regular People Should Care
You don’t have to be a developer to care about this.
If you use Claude Code, Cursor, or any AI coding agent and you install skills from the internet, you’re participating in this ecosystem whether you realize it or not. The skills installed on your machine run with your agent’s permissions. That includes whatever files, credentials, and systems your agent can touch.
The upside is real. The right skills make your AI agent dramatically more useful. Consistent behavior. Domain expertise baked in. Less time re-explaining the same context. Vercel’s React skills, Anthropic’s document skills, Remotion’s video skills. This is genuinely some of the most useful AI infrastructure that’s dropped in 2026.
Just don’t install random skills from random people without reading what they actually do.
The agent skills ecosystem is npm circa 2013. Massive growth, real utility, and a supply chain security problem the industry hasn’t fully caught up to yet. The developers who understand this now have a real advantage. The ones who don’t are one bad SKILL.md file away from handing a stranger shell access to their machine.
