There's a project on Addy Osmani's GitHub that gained 11,732 stars last week.
It's not a model. It's not a framework. It's a collection of "engineering skills" files—teaching AI coding agents how to do code reviews, write secure code, and optimize performance.
agent-skills now has 41,324 stars, 189 commits, and supports four platforms: Claude Code, Gemini CLI, Codex, and OpenCode.
This isn't a tool. It's a shift in methodology.
From "Writing Prompts" to "Installing Skills"
Before, if you wanted Claude Code to review your code, you had to write a pile of rules in your prompt every single time: check boundary conditions, watch for memory leaks, look for hardcoded values...
agent-skills takes those rules and packages them into standardized skill files, placed in a .claude/skills/ directory. The agent loads them automatically on startup—no need to repeat yourself in every conversation.
It's no different from installing browser extensions. Except these extensions are for agents.
The skills in the project cover:
- Code Review: systematic checks covering security, performance, maintainability
- Security: OWASP Top 10, common vulnerability patterns
- Performance: profiling, optimization patterns, benchmarking
- Testing: testing strategy, coverage requirements, mocking patterns
- Accessibility: WCAG compliance, semantic HTML
- Architecture: design patterns, system architecture decisions
Each skill is a Markdown file describing the rules and checklists the agent should follow—in natural language.
Why This Model Is Taking Off
Simple: prompts are disposable, skills are reusable.
Writing a high-quality code review prompt might take 30 minutes. But if you save it as a skill, the marginal cost of using it next time is zero.
The core value of agent-skills isn't the skills it ships with—you can write your own. Its value is establishing a standardized format that lets skills be shared, combined, and iterated across the community.
The project supports the .claude-plugin format, which means skills can be distributed like npm packages. Someone writes a React-specific code review skill. Someone else writes a Rust memory safety check skill. You install what you need.
It's Not Perfect
This model has problems worth noting.
Skills can conflict. Your security skill says escape all input. Your performance skill says skip unnecessary processing. Who does the agent listen to? The docs mention that user-defined personas can override plugin versions—but that means users have to figure out priorities themselves.
Natural language rules are fuzzy. Skill files are written in Markdown, not code. "Watch for memory leaks"—what does that actually mean for the agent? Different agents will interpret it differently.
Maintenance cost. Tech stacks change. Best practices evolve. A security skill written six months ago might already be outdated. Who maintains it? Who updates it?
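Since skill files in .claude/skills/ load automatically and steer what the agent does, one way to approach the maintenance questions above is to pin each file's SHA-256 and flag edits, additions, removals, and files untouched for about six months. This is an added example, not code from agent-skills; the flat `*.md` layout, the sample file names, the 180-day threshold, and the function names are assumptions.

```python
import hashlib, json, tempfile, time
from pathlib import Path

STALE_DAYS = 180  # assumption: roughly the "six months" mentioned in the text

def pin_skills(skills_dir):
    """Record a SHA-256 digest for every Markdown skill file under skills_dir."""
    root = Path(skills_dir)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*.md"))}

def audit_skills(skills_dir, pins, now=None, stale_days=STALE_DAYS):
    """Compare skill files on disk against pinned digests and modification age."""
    now = time.time() if now is None else now
    root = Path(skills_dir)
    report = {"changed": [], "unpinned": [], "missing": [], "stale": []}
    seen = set()
    for path in sorted(root.rglob("*.md")):
        rel = path.relative_to(root).as_posix()
        seen.add(rel)
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        if rel not in pins:
            report["unpinned"].append(rel)   # new skill nobody reviewed
        elif pins[rel] != digest:
            report["changed"].append(rel)    # content differs from reviewed copy
        if now - path.stat().st_mtime > stale_days * 86400:
            report["stale"].append(rel)      # not touched within the threshold
    report["missing"] = sorted(set(pins) - seen)
    return report

def demo():
    """Constructed sample: pin two skills, then edit one, add one, remove one."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / ".claude" / "skills"
        root.mkdir(parents=True)
        (root / "security.md").write_text("Escape all input.\n")
        (root / "performance.md").write_text("Skip unnecessary processing.\n")
        pins = pin_skills(root)
        (root / "security.md").write_text("Escape input where convenient.\n")
        (root / "testing.md").write_text("Write edge case tests.\n")
        (root / "performance.md").unlink()
        # Run the audit as if 200 days had passed since the files were written.
        return audit_skills(root, pins, now=time.time() + 200 * 86400)

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Keeping the pin file in version control and running the audit in CI makes any change to an auto-loaded skill show up as a reviewable diff; the staleness check reflects local file age only, not whether the upstream skill has moved on.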
How I Use It
I've installed a few skills in my projects:
- code-review: runs automatically on each PR, saving me about 60% of manual review time
- security: not a silver bullet, but catches some low-hanging fruit
- testing: auto-generates test scaffolding when I write new modules
The effect is real—not "code quality improved 300%" kind of real, but "I no longer forget to write edge case tests" kind of real. Small things that compound.
The Bigger Picture
agent-skills going viral signals that AI coding workflows are entering phase two.
Phase one was "give the agent a prompt, let it work." Phase two is "give the agent a skill set, let it work with domain expertise."
The difference is like "configuring your environment manually every time" versus "using a Dockerfile."
What's next? I'd guess skill orchestration—not individual skills, but pipelines of skills that auto-load based on project type, language, and framework.
Primary Sources:
- GitHub - addyosmani/agent-skills — 41,324 stars, 189 commits
- GitHub Trending Weekly — 11,732 star growth this week