feat(skills): adopt write-skill from JuliusBrussee/awesome-claude-skills (Apache-2.0)#84
Merged
Conversation
Adapts the upstream `skill-creator` skill (Apache-2.0, JuliusBrussee/awesome-claude-skills @ commit 5380239) into a new framework skill at `.claude/skills/write-skill/`. The upstream flow shape (anatomy of a skill, progressive disclosure, 6-step creation process) is preserved; the framework-specific shape and the security patterns from the 2026-05 audit are baked in as defaults so future skills authored through this flow inherit the lessons rather than rediscovering them. Substantial adaptations versus upstream: - Renamed `skill-creator` → `write-skill` to match the framework's verb-prefixed naming convention. - Frontmatter rewritten to the framework schema: `license: Apache-2.0` (exact string), `when_to_use` alongside `description`, SPDX header + placeholder-convention comment. - Step 3 (initialisation) uses the adapted `init_skill.py` that scaffolds the framework's expected preamble: Adopter overrides, Snapshot drift, placeholder convention, SPDX header, plus conditional placeholders for the injection-guard callout and the Privacy-LLM gate-check. - Step 5 (packaging) dropped — the framework distributes skills via the snapshot model, not zip artefacts. The upstream's `package_skill.py` and `quick_validate.py` are not included; validation is via the framework's existing `tools/skill-validator/`. - New Step 5 (security checklist) — a hard walk-through of the nine prompt-injection-defence patterns from the gist audit. The patterns live in `.claude/skills/write-skill/security-checklist.md`. This is the load-bearing adaptation: it ensures any new skill written through this flow inherits the audit's lessons. Attribution per ASF licensing-howto: - LICENSE.txt copied verbatim from upstream into the skill directory. - Project root NOTICE gets a "Third-party content" entry crediting Julius Brussee and the upstream repo. - SKILL.md § "Provenance" pins the exact upstream commit and enumerates the adaptations. Generated-by: Claude Code (Claude Opus 4.7)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Note
Stacked on top of #81 (security-audit fixes). Once #81 merges, this PR's base auto-rebases to
main.Summary
Adapts the upstream
skill-creatorskill fromJuliusBrussee/awesome-claude-skills(Apache-2.0) into a new framework skill at.claude/skills/write-skill/. The upstream flow shape (anatomy of a skill, progressive disclosure, 6-step creation process) is preserved; the framework-specific shape and the prompt-injection-defence patterns from the 2026-05 audit are baked in as defaults so future skills authored through this flow inherit those lessons rather than rediscovering them in a future audit.Substantial adaptations vs. upstream
skill-creator→write-skilllicense: Apache-2.0exact string,when_to_usealongsidedescription, SPDX comment, placeholder-convention comment)scripts/init_skill.pypackage_skill.pyandquick_validate.pynot includeddocs/setup/install-recipes.md, not zip artefacts. Validation is via the existingtools/skill-validator/..claude/skills/write-skill/security-checklist.md.Attribution (per ASF licensing-howto)
.claude/skills/write-skill/LICENSE.txt.SKILL.md§ Provenance pins the exact upstream commit (5380239b) and enumerates the adaptations so a future maintainer can diff against the upstream cleanly.What lives in the new skill directory
Test plan
prek run --all-filesclean against PR fix(security): address 2026-05 prompt-injection audit (issues 1-9) #81's tip.python3 .claude/skills/write-skill/scripts/init_skill.py test-skill --path /tmp/test-skillscaffolds the expected layout.tools/skill-validator/run against the scaffolded SKILL.md should pass once the TODO markers are filled — confirm on the first real use.Out of scope
package_skill.pyfrom upstream — the framework doesn't distribute via zip, so the script has no place to land.