Skip to content

feat(skills): adopt write-skill from JuliusBrussee/awesome-claude-skills (Apache-2.0)#84

Merged
potiuk merged 1 commit into
mainfrom
feat/write-skill
May 6, 2026
Merged

feat(skills): adopt write-skill from JuliusBrussee/awesome-claude-skills (Apache-2.0)#84
potiuk merged 1 commit into
mainfrom
feat/write-skill

Conversation

@potiuk

@potiuk potiuk commented May 6, 2026

Copy link
Copy Markdown
Member

Note

Stacked on top of #81 (security-audit fixes). Once #81 merges, this PR's base auto-rebases to main.

Summary

Adapts the upstream skill-creator skill from JuliusBrussee/awesome-claude-skills (Apache-2.0) into a new framework skill at .claude/skills/write-skill/. The upstream flow shape (anatomy of a skill, progressive disclosure, 6-step creation process) is preserved; the framework-specific shape and the prompt-injection-defence patterns from the 2026-05 audit are baked in as defaults so future skills authored through this flow inherit those lessons rather than rediscovering them in a future audit.

Substantial adaptations vs. upstream

Adaptation Why
Renamed skill-creatorwrite-skill Matches the framework's verb-prefixed naming convention.
Frontmatter rewritten to framework schema (license: Apache-2.0 exact string, when_to_use alongside description, SPDX comment, placeholder-convention comment) Framework's existing skills follow this shape; the validator enforces it.
Step 3 uses the adapted scripts/init_skill.py Scaffolds Adopter overrides, Snapshot drift, placeholder convention, SPDX header, plus conditional placeholders for the injection-guard callout (Pattern 4) and Privacy-LLM gate-check (Pattern 6).
Step 5 (packaging) dropped — package_skill.py and quick_validate.py not included The framework distributes skills via the snapshot model documented in docs/setup/install-recipes.md, not zip artefacts. Validation is via the existing tools/skill-validator/.
New Step 5 (security checklist) — hard walk-through of the 9 prompt-injection-defence patterns The load-bearing adaptation. Patterns live in .claude/skills/write-skill/security-checklist.md.

Attribution (per ASF licensing-howto)

  • LICENSE.txt copied verbatim from upstream into .claude/skills/write-skill/LICENSE.txt.
  • NOTICE updated with a "Third-party content" section crediting Julius Brussee and the upstream repo.
  • SKILL.md § Provenance pins the exact upstream commit (5380239b) and enumerates the adaptations so a future maintainer can diff against the upstream cleanly.

What lives in the new skill directory

.claude/skills/write-skill/
├── LICENSE.txt              # Apache-2.0, kept from upstream
├── SKILL.md                 # adapted, ~330 lines
├── security-checklist.md    # 9 audit patterns + recipes, ~190 lines
└── scripts/
    └── init_skill.py        # adapted scaffolder, ~210 lines

Test plan

  • prek run --all-files clean against PR fix(security): address 2026-05 prompt-injection audit (issues 1-9) #81's tip.
  • Smoke-test: python3 .claude/skills/write-skill/scripts/init_skill.py test-skill --path /tmp/test-skill scaffolds the expected layout.
  • After merge, write a real skill through this flow on a small task and confirm the scaffolded SKILL.md needs only filling in (no structural surgery). The next "I want a skill that does X" request is the natural test case.
  • After merge, the tools/skill-validator/ run against the scaffolded SKILL.md should pass once the TODO markers are filled — confirm on the first real use.

Out of scope

  • Wiring the security-checklist patterns into existing skills as automated checks — the patterns are documented expectations met by the skill author, not mechanically enforced. PR fix(security): address 2026-05 prompt-injection audit (issues 1-9) #81 already audited the existing skills against these patterns; this PR ensures new skills inherit them by default.
  • Adapting package_skill.py from upstream — the framework doesn't distribute via zip, so the script has no place to land.

@choo121600 choo121600 left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cool 👍

Base automatically changed from fix/security-audit-prompt-injection to main May 6, 2026 23:26
Adapts the upstream `skill-creator` skill (Apache-2.0,
JuliusBrussee/awesome-claude-skills @ commit 5380239) into a new
framework skill at `.claude/skills/write-skill/`. The upstream
flow shape (anatomy of a skill, progressive disclosure, 6-step
creation process) is preserved; the framework-specific shape and
the security patterns from the 2026-05 audit are baked in as
defaults so future skills authored through this flow inherit
the lessons rather than rediscovering them.

Substantial adaptations versus upstream:

- Renamed `skill-creator` → `write-skill` to match the
  framework's verb-prefixed naming convention.
- Frontmatter rewritten to the framework schema:
  `license: Apache-2.0` (exact string), `when_to_use` alongside
  `description`, SPDX header + placeholder-convention comment.
- Step 3 (initialisation) uses the adapted `init_skill.py` that
  scaffolds the framework's expected preamble: Adopter
  overrides, Snapshot drift, placeholder convention, SPDX
  header, plus conditional placeholders for the
  injection-guard callout and the Privacy-LLM gate-check.
- Step 5 (packaging) dropped — the framework distributes skills
  via the snapshot model, not zip artefacts. The upstream's
  `package_skill.py` and `quick_validate.py` are not included;
  validation is via the framework's existing
  `tools/skill-validator/`.
- New Step 5 (security checklist) — a hard walk-through of the
  nine prompt-injection-defence patterns from the gist audit.
  The patterns live in
  `.claude/skills/write-skill/security-checklist.md`. This is
  the load-bearing adaptation: it ensures any new skill
  written through this flow inherits the audit's lessons.

Attribution per ASF licensing-howto:

- LICENSE.txt copied verbatim from upstream into the skill
  directory.
- Project root NOTICE gets a "Third-party content" entry
  crediting Julius Brussee and the upstream repo.
- SKILL.md § "Provenance" pins the exact upstream commit and
  enumerates the adaptations.

Generated-by: Claude Code (Claude Opus 4.7)
@potiuk potiuk force-pushed the feat/write-skill branch from 7408020 to 344fe5e Compare May 6, 2026 23:44
@potiuk potiuk merged commit c2275c4 into main May 6, 2026
11 checks passed
@potiuk potiuk deleted the feat/write-skill branch May 6, 2026 23:46
@andreahlert andreahlert added the mode:platform Substrate / infra — not a mode (sandbox, CI, validators) label May 7, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

mode:platform Substrate / infra — not a mode (sandbox, CI, validators)

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants