renatocaliari/cali-skill-validator
skills/local/cali-skill-validator/SKILL.md
Validate agent skills against industry best practices from AgentSkills Spec, Microsoft Learn, Claude API Docs, Perplexity Research, and Trail of Bits. Triggers when: user says 'validate skills', 'check skills', 'skill quality', 'skill audit', 'are my skills good', 'skill criteria', or when creating/publishing a new skill. Covers: 10-rule validation of frontmatter, description, progressive disclosure, examples, edge cases, test cases, and directory structure.
$ install --global
skillsauthnpx skillsauth add renatocaliari/agent-sync-public-skills cali-skill-validatorInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Jun 5, 2026, 4:17 AM78.1s2 files scanned
SKILL.md
- name:
- cali-skill-validator
- description:
- Validate agent skills against industry best practices from AgentSkills Spec, Microsoft Learn, Claude API Docs, Perplexity Research, and Trail of Bits. Triggers when: user says 'validate skills', 'check skills', 'skill quality', 'skill audit', 'are my skills good', 'skill criteria', or when creating/publishing a new skill. Covers: 10-rule validation of frontmatter, description, progressive disclosure, examples, edge cases, test cases, and directory structure.
- frequency:
- monthly
- category:
- meta
- context-cost:
- low
Skill Validator
Validate skills against 10 criteria from industry best practices.
Contents
| Section | What | When to consult | |---------|------|------------------| | Sources | Which standards this implements | When citing criteria | | 10 Rules | The validation criteria | When understanding checks | | Run Validator | Execute the validation script | Before publishing skills | | Fix Common Issues | How to fix each failure | When a check fails | | Test Cases | Prompts that should/shouldn't activate | When testing trigger accuracy |
Sources
| Source | What it defines | |--------|----------------| | AgentSkills Spec (19.5k ⭐) | Open specification: frontmatter, directory structure, progressive disclosure | | Microsoft Learn | Enterprise guidance: when to create skills, portable packages | | Addy Osmani | Directory layout, SKILL.md anatomy, references/ pattern | | Perplexity Research | 3-tier disclosure, description optimization, testing with evals | | OpenAI Skills | name + description as routing mechanism | | Claude API Docs | Trigger conditions, degrees of freedom, test with all models | | Trail of Bits | 500-line rule, what goes where | | Lalit Madan | "Operating manual for repeatable work" | | agentskills.io | Description optimization |
10 Rules
| # | Rule | Source | Severity |
|---|------|--------|----------|
| R1 | SKILL.md exists | AgentSkills spec | FAIL |
| R2 | Frontmatter has name + description | AgentSkills spec, OpenAI | FAIL |
| R3 | Description has keywords, <1024 chars | agentskills.io, Perplexity | FAIL/WARN |
| R4 | SKILL.md < 500 lines | Trail of Bits | FAIL |
| R5 | references/ exists when SKILL.md > 50 lines | Addy Osmani | WARN |
| R6 | Examples section with I/O | Claude API, Open Agent Skills | FAIL |
| R7 | Edge cases / failure handling | Claude API, Perplexity | FAIL |
| R8 | Test cases (should/shouldn't activate) | Perplexity, agentskills.io | WARN |
| R9 | "When to use" section in body | Claude API | WARN |
| R10 | Clean directory (no loose files) | AgentSkills spec | WARN |
Run Validator
# Validate all skills in default directory
bash references/validate.sh
# Validate specific directory
bash references/validate.sh /path/to/skills
# Validate single skill
bash references/validate.sh /path/to/skills/my-skill
Output: per-skill checks with ✅/❌/⚠️ and summary with pass/fail/warn counts.
Fix Common Issues
R3: Description too short / no keywords
Bad: description: Helps with PDFs.
Good: description: Extracts text and tables from PDF files, fills PDF forms, and merges multiple PDFs. Triggers when: user says "extract PDF", "fill PDF form", "merge PDFs", or mentions PDF documents.
R4: SKILL.md > 500 lines
Move detailed content to references/:
my-skill/
├── SKILL.md # < 500 lines (core workflow)
└── references/
├── detailed-guide.md # Heavy docs loaded on demand
└── recipes.md # Concrete examples
R6: No examples
Add section with input → output:
## Examples
### Example 1: Extract text from PDF
**Input:** "Extract text from report.pdf"
**Steps:**
1. Run: `python scripts/extract_text.py report.pdf`
2. Return extracted text
**Output:** "Extracted 3 pages, 2,847 characters"
R7: No edge cases
Add section with failure modes:
## Edge Cases
### File doesn't exist
- Check if file path is absolute or relative
- Ask user to verify path
### PDF is password-protected
- Ask user for password
- Run: `python scripts/extract_text.py --password <pwd> file.pdf`
R8: No test cases
Add section with activation prompts:
## Test Cases
### Should activate
- "Extract text from report.pdf"
- "Fill out the tax form"
- "Merge invoice1.pdf and invoice2.pdf"
### Should NOT activate
- "Convert PDF to Word" (different skill)
- "Read this text file" (not a PDF)
Test Cases
Should activate
- "Validate my skills"
- "Check if my skills are good"
- "Run skill audit"
- "Are my skills following best practices?"
Should NOT activate
- "Create a skill" (use skill-creator)
- "Edit SKILL.md" (use edit tool)
- "What is a skill?" (general question)
Related Skills
renatocaliari/cali-lat-md-seed
tools
VerifiedTrustedCommunity
Auto-initialize structured documentation for any project using lat.md (knowledge graph of markdown files with [[wiki links]], // @lat: code refs, and semantic search). Detects cali-product-workflow artifacts (spec-product.md, spec-tech.md, critiques) and uses them as seed material. Falls back to extracting business rules, architecture, and design decisions directly from the codebase. Use when a project lacks structured documentation or when lat.md/ is missing. After seeding, lat.md extension hooks keep documentation alive automatically.
1SKILL.mdUpdated Jun 2, 2026
renatocaliari/cali-ops-server-security
testing
VerifiedTrustedCommunity
[Cali] Server security audit and hardening for private servers behind Tailscale. Use when: auditing server security, hardening SSH/firewall/Docker, checking for vulnerabilities, setting up fail2ban, reviewing port exposure, or responding to security alerts. Covers 6 layers: CloudFlare, UFW, Tailscale, SSH, Docker, Application. Triggers: "server security", "security audit", "harden server", "SSH hardening", "firewall rules", "UFW config", "fail2ban", "port security", "Docker security", "vulnerability check", "security review".
1SKILL.mdUpdated May 30, 2026
renatocaliari/cali-ops-package-audit
tools
VerifiedTrustedCommunity
Run supply chain security scans before installing packages or before releases. Triggers when: user installs a package (npm, pip, go get, brew), user asks to 'scan dependencies', 'check vulnerabilities', 'supply chain', 'security audit', 'run trivy', 'run socket', or before any release/deployment. Also triggers on mentions of: socket.dev, trivy, OSV-scanner, dotenvx, CVE, dependency audit. Covers all four tools with concrete commands.
1SKILL.mdUpdated May 30, 2026
renatocaliari/cali-ops-github-releases
tools
VerifiedTrustedCommunity
Create GitHub releases following project conventions. Triggers when: user says 'release', 'create release', 'push release', 'deploy to main', 'merge to main', user merges a PR to main, or when git push to main is detected. Also triggers on mentions of: gh release, semver, version bump, changelog, release-please. Covers: config-driven (read .release.yml and execute) and fallback (gh CLI) release flows, versioning rules, tag management, and the mandatory release-on-merge convention.
1SKILL.mdUpdated May 30, 2026