Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

datashaman/skills/specify

Name: skills/specify
Author: datashaman

skills/specify/SKILL.md

npx skillsauth add datashaman/agentfiles skills/specify

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

name: specify

description: Turn a GitHub issue, ticket, or chat into scope, testable acceptance criteria, and concrete API/data/UI contracts for spec.json. Stop and consult the human stakeholder whenever anything is ambiguous or the source material is broken—never guess. Use before any implementation.

Specify

When to use

Spec Agent (or anyone) must produce spec.json from messy input.
You need a single source of truth for what “done” means before code changes.

Consult the stakeholder (do not skip)

Any ambiguity, conflict, or problem with the source—and you must involve the human who owns the request (issue author, PM, product owner, or whoever filed the ticket)—before you treat the spec as final.

Stop and ask when, for example:

Requirements are vague, contradictory, or could be read multiple ways.
Scope, priority, or “MVP vs later” is unclear.
Auth, data, compliance, or security expectations are missing or assumed.
The issue/ticket is empty, in the wrong place, duplicated, or missing context you need.
Picking an option would materially change behavior, cost, or risk and nobody has chosen.

Record what you asked and what they decided (in the ticket thread, open_questions, or spec notes). Do not invent answers to fill gaps so implementation can start sooner.

Inputs (gather explicitly)

Primary request (issue body, ticket, Slack/Chat thread).
Stack hints: package.json, composer.json, pyproject.toml, or README “Tech stack” section.
Auth model: how users are identified (session cookie, JWT header, SSO). If unknown, record as an open question.

Steps (do in order)

Stakeholder & job-to-be-done — One paragraph: who acts and what outcome they need.
Requirements list — Bullet list labeled functional vs non-functional (latency, accessibility, offline, etc.).
Scope table — Two columns: In MVP | Out of MVP with explicit “won’t do” items (prevents scope creep).
Acceptance criteria — For each requirement, one row:

ID (e.g. AC-3)
Given / When / Then (observable; avoid “should be fast”; use numbers where possible).
Negative case (validation error, permission denied, empty state).

Contracts (fill spec.json contracts)

API: HTTP method + path, request/response JSON shape, status codes for success and errors (e.g. 400 validation, 401/403 auth, 409 conflict).
Data: entity names, fields, unknown → open_questions in spec, not guessed columns.
UI states: loading / success / error / empty (what the user sees).

Assumptions & open questions — Anything that would change API or security if answered differently. If anything material is still open after this pass, consult the stakeholder; do not ship a spec.json that pretends those decisions are made.

Output

Valid spec.json (see schemas/spec.schema.json and examples/spec.example.json).
Optional: paste a summary back to the GitHub issue with link to runs/issue-<n>/spec.json if you use issue-linked runs.

Anti-patterns

Guessing or silently resolving ambiguity instead of consulting the stakeholder.
Vague AC (“user can use feature”) without Given/When/Then.
Missing error behavior and HTTP semantics for web APIs.
Implementing before Out of MVP is written.

datashaman/skills/specify

skills/specify/SKILL.md

--- ## name: specify description: Turn a GitHub issue, ticket, or chat into scope, testable acceptance criteria, and concrete API/data/UI contracts for spec.json. Stop and consult the human stakeholder whenever anything is ambiguous or the source material is broken—never guess. Use before any implementation. # Specify ### When to use - Spec Agent (or anyone) must produce `spec.json` from messy input. - You need a **single source of truth** for what “done” means before code changes. ### Con

development

Updated Apr 20, 2026

$ install --global

skillsauth

npx skillsauth add datashaman/agentfiles skills/specify

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: Apr 20, 2026, 3:00 PM15.5s1 file scanned

SKILL.md

name: specify

Specify

When to use

Spec Agent (or anyone) must produce spec.json from messy input.
You need a single source of truth for what “done” means before code changes.

Consult the stakeholder (do not skip)

Stop and ask when, for example:

Requirements are vague, contradictory, or could be read multiple ways.
Scope, priority, or “MVP vs later” is unclear.
Auth, data, compliance, or security expectations are missing or assumed.
The issue/ticket is empty, in the wrong place, duplicated, or missing context you need.
Picking an option would materially change behavior, cost, or risk and nobody has chosen.

Record what you asked and what they decided (in the ticket thread, open_questions, or spec notes). Do not invent answers to fill gaps so implementation can start sooner.

Inputs (gather explicitly)

Primary request (issue body, ticket, Slack/Chat thread).
Stack hints: package.json, composer.json, pyproject.toml, or README “Tech stack” section.
Auth model: how users are identified (session cookie, JWT header, SSO). If unknown, record as an open question.

Steps (do in order)

Stakeholder & job-to-be-done — One paragraph: who acts and what outcome they need.
Requirements list — Bullet list labeled functional vs non-functional (latency, accessibility, offline, etc.).
Scope table — Two columns: In MVP | Out of MVP with explicit “won’t do” items (prevents scope creep).
Acceptance criteria — For each requirement, one row:

ID (e.g. AC-3)
Given / When / Then (observable; avoid “should be fast”; use numbers where possible).
Negative case (validation error, permission denied, empty state).

Contracts (fill spec.json contracts)

API: HTTP method + path, request/response JSON shape, status codes for success and errors (e.g. 400 validation, 401/403 auth, 409 conflict).
Data: entity names, fields, unknown → open_questions in spec, not guessed columns.
UI states: loading / success / error / empty (what the user sees).

Assumptions & open questions — Anything that would change API or security if answered differently. If anything material is still open after this pass, consult the stakeholder; do not ship a spec.json that pretends those decisions are made.

Output

Valid spec.json (see schemas/spec.schema.json and examples/spec.example.json).
Optional: paste a summary back to the GitHub issue with link to runs/issue-<n>/spec.json if you use issue-linked runs.

Anti-patterns

Guessing or silently resolving ambiguity instead of consulting the stakeholder.
Vague AC (“user can use feature”) without Given/When/Then.
Missing error behavior and HTTP semantics for web APIs.
Implementing before Out of MVP is written.

Related Skills

datashaman/skills/verify

testing

VerifiedTrustedCommunity

--- ## name: verify description: Run the project’s quality gates, map results to spec acceptance criteria, and produce verification_report.json with evidence and severities. # Verify ### When to use - Verifier Agent after a change is claimed ready for review. - You need a **pass/fail** tied to evidence, not gut feel. ### Part A — Automated gates (use the repo’s real commands) Run what this repository already defines (examples—substitute from `package.json` scripts, `Makefile`, CI config):

SKILL.mdUpdated Apr 20, 2026

datashaman/skills/verify

datashaman/skills/ship

testing

VerifiedTrustedCommunity

--- ## name: ship description: Cut a versioned release, run CI/deploy with health verification, and document rollback—output release_report.json aligned to your platform (Fly, Vercel, k8s, etc.). # Ship ### When to use - Release Agent after `review_decision.json` is **approve** and CI is green on the merging branch. ### Preconditions - You know **where** production runs and how deploys are triggered (GitHub Action, Git push tag, `fly deploy`, `vercel --prod`, etc.). - **Health check** URL

SKILL.mdUpdated Apr 20, 2026

datashaman/skills/ship

datashaman/skills/review

development

VerifiedTrustedCommunity

--- ## name: review description: Produce an approve or block decision with reviewer-grade checks—maintainability, team policy, and OWASP-style web review—captured in review_decision.json. # Review ### When to use - Reviewer Agent (or human) after `verification_report.json` is **pass** for merge-worthy work—or **fail** with documented risk acceptance (rare; usually fix first). ### Inputs - `verification_report.json`, diff, team standards (CONTRIBUTING, security doc, ADRs). ### Review seque

SKILL.mdUpdated Apr 20, 2026

datashaman/skills/review

datashaman/skills/implement

development

VerifiedTrustedCommunity

--- ## name: implement description: Implement features with minimal surface area—match repo conventions, honor spec contracts, add focused tests, open a reviewable pull request, and record deviations in build_report.json. The finished artifact is a PR, not merely a local branch. # Implement ### When to use - Builder Agent (or developer) is turning an approved `spec.json` into a **pull request** reviewers can land (code + tests + PR description), not just a private branch. ### Preconditions

SKILL.mdUpdated Apr 20, 2026

datashaman/skills/implement

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/datashaman/agentfiles.git

# Copy into Claude Code skills folder (global)
cp -r agentfiles/skills/specify ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

datashaman/agentfiles

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT