Skip to content

Commit 38aaa0f

Browse files
dguidoclaude
dguido
and
claude
committed
Move skill/agent authoring and publishing to Usage section
Writing and publishing skills is a workflow activity, not a one-time configuration task. Move both subsections from Configuration > Plugins and Skills into Usage, between Commands and Recommended Skills. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
1 parent 30ea6ce commit 38aaa0f

1 file changed

Lines changed: 21 additions & 20 deletions

File tree

README.md

Lines changed: 21 additions & 20 deletions
Original file line numberDiff line numberDiff line change
@@ -36,6 +36,7 @@ Then inside the session, run `/trailofbits:config`. It walks you through install
3636
- [Web Browsing](#web-browsing)
3737
- [Fast Mode](#fast-mode)
3838
- [Commands](#commands)
39+
- [Writing Skills and Agents](#writing-skills-and-agents)
3940
- [Recommended Skills](#recommended-skills)
4041
- [Recommended MCP Servers](#recommended-mcp-servers)
4142

@@ -345,26 +346,6 @@ The `agent-browser` CLI (installed in [Prerequisites](#tools)) ships its own mar
345346
/plugin install agent-browser@agent-browser
346347
```
347348

348-
#### Publishing skills
349-
350-
Where to publish depends on the audience:
351-
352-
- **Public and open source** -- submit a PR to [trailofbits/skills](https://github.com/trailofbits/skills).
353-
- **Internal to Trail of Bits** -- submit a PR to [trailofbits/skills-internal](https://github.com/trailofbits/skills-internal).
354-
- **Third-party skill you want approved** -- submit a PR to [trailofbits/skills-curated](https://github.com/trailofbits/skills-curated) with attribution to the original source. Every PR gets code review.
355-
356-
#### Writing skills and agents
357-
358-
When you find yourself repeating the same multi-step workflow, extract it into a skill or agent. Read Anthropic's [skill authoring best practices](https://platform.claude.com/docs/en/agents-and-tools/agent-skills/best-practices) first for guidance on structure, descriptions, and progressive disclosure.
359-
360-
**Skills vs. agents.** Skills load instructions into the current session. They're guidance: conventions, checklists, decision trees that enhance whatever the user is already doing. Agents run in their own context window with a dedicated system prompt. They're specialists you hand a job to and get results back from. Use an agent when the work benefits from a focused persona, would bloat the main session with context, needs a constrained tool set, or should run in parallel with other work.
361-
362-
**Agent personas for security work.** Agents are underused in our plugins. A "senior auditor who's triaged hundreds of reentrancy bugs" approaches code differently than a "fuzzing engineer thinking about coverage and crash triage." The system prompt shapes what the agent notices and prioritizes, not just what steps it follows. When you have deep expertise in a vulnerability class or analysis methodology, encode it as an agent persona, not just a skill checklist.
363-
364-
**Tooling.** The `plugin-dev` plugin (from `claude-plugins-official`) has workflows for both. `/plugin-dev:skill-development` walks you through a 6-step process for skills. `/plugin-dev:agent-development` does the same for agents. For a full plugin with multiple components, use `/plugin-dev:create-plugin` to orchestrate the process.
365-
366-
**Quality.** For security skills and agents, don't just describe the workflow. Bundle the reference material that makes it expert-level: analysis checklists, vulnerability patterns, example outputs, and the decision logic an experienced auditor would apply. Keep the SKILL.md lean (under 2,000 words) and move detailed content into `references/` files.
367-
368349
### MCP Servers
369350

370351
Everyone at Trail of Bits should set up at least **Context7** and **Exa** as global MCP servers.
@@ -539,6 +520,26 @@ cp commands/fix-issue.md ~/.claude/commands/
539520

540521
Once a workflow is a command, it's not just faster for you -- it's something an agent can run too. You can point `/fix-issue` at 50 issues in parallel across worktrees, run `/review-pr` on every open PR in a repo, or schedule either as part of CI. Commands turn manual workflows into scalable operations.
541522

523+
## Writing Skills and Agents
524+
525+
When you find yourself repeating the same multi-step workflow, extract it into a skill or agent. Read Anthropic's [skill authoring best practices](https://platform.claude.com/docs/en/agents-and-tools/agent-skills/best-practices) first for guidance on structure, descriptions, and progressive disclosure.
526+
527+
**Skills vs. agents.** Skills load instructions into the current session. They're guidance: conventions, checklists, decision trees that enhance whatever the user is already doing. Agents run in their own context window with a dedicated system prompt. They're specialists you hand a job to and get results back from. Use an agent when the work benefits from a focused persona, would bloat the main session with context, needs a constrained tool set, or should run in parallel with other work.
528+
529+
**Agent personas for security work.** Agents are underused in our plugins. A "senior auditor who's triaged hundreds of reentrancy bugs" approaches code differently than a "fuzzing engineer thinking about coverage and crash triage." The system prompt shapes what the agent notices and prioritizes, not just what steps it follows. When you have deep expertise in a vulnerability class or analysis methodology, encode it as an agent persona, not just a skill checklist.
530+
531+
**Tooling.** The `plugin-dev` plugin (from `claude-plugins-official`) has workflows for both. `/plugin-dev:skill-development` walks you through a 6-step process for skills. `/plugin-dev:agent-development` does the same for agents. For a full plugin with multiple components, use `/plugin-dev:create-plugin` to orchestrate the process.
532+
533+
**Quality.** For security skills and agents, don't just describe the workflow. Bundle the reference material that makes it expert-level: analysis checklists, vulnerability patterns, example outputs, and the decision logic an experienced auditor would apply. Keep the SKILL.md lean (under 2,000 words) and move detailed content into `references/` files.
534+
535+
### Publishing skills
536+
537+
Where to publish depends on the audience:
538+
539+
- **Public and open source** -- submit a PR to [trailofbits/skills](https://github.com/trailofbits/skills).
540+
- **Internal to Trail of Bits** -- submit a PR to [trailofbits/skills-internal](https://github.com/trailofbits/skills-internal).
541+
- **Third-party skill you want approved** -- submit a PR to [trailofbits/skills-curated](https://github.com/trailofbits/skills-curated) with attribution to the original source. Every PR gets code review.
542+
542543
## Recommended Skills
543544

544545
Skills come from plugins you install via the Trail of Bits marketplaces and third-party marketplaces. Here are the ones worth knowing about from each.

0 commit comments

Comments
 (0)