| name | skills-curator |
| description | Use when the user mentions a skill or plugin by name, asks "should I install X?", asks "what skills fit this project?", asks to audit installed skills, asks whether a skill is safe to use, or wants to customize an external skill for their stack. Evaluates skills against the user's actual project (pros / cons / conflicts / ADOPT-PARTIAL-SKIP verdict), recommends what fits, scans for security red flags before adoption, persists every decision to a registry the user keeps in Project Knowledge, and forks stack-mismatched skills into project-tailored versions. Decide once, never re-decide.
|
| license | MIT |
| metadata | {"version":"1.0.0","edition":"claude.ai","plugin_version":"4.6.0","author":"captkernel","homepage":"https://github.com/captkernel/Skills_Curator","derived_from":"skills-curator-lite"} |
Skills Curator (claude.ai edition)
Decide once. Re-decide never.
The intelligence layer for Claude skills, adapted for claude.ai (web + desktop). Same judgment model as the Claude Code version — evaluate before installing, persist decisions, recommend by project fit, customize stack-mismatched skills — re-architected for claude.ai's sandbox-per-conversation runtime.
| Claude Code | claude.ai (this edition) |
|---|
| Persistence | ~/.claude/skills/registry.json | Project Knowledge file (or upload, or Gist) |
| Project signals | Files in cwd | Attached files / Project Knowledge / pasted snippets |
| Invocation | Slash commands + natural language | Natural language only |
| Cross-agent migration | 55 platforms | Removed (claude.ai isn't a CLI agent) |
| Customize output | Written to ~/.claude/skills/<fork>/ | Written to /mnt/user-data/outputs/<fork>.zip |
First activation in a session
The first time the skill activates in a conversation, open with this two-line orientation before answering, then continue with whatever was asked:
🧭 Skills Curator loaded — your intelligence layer for Claude skills (claude.ai edition).
I evaluate skills against your actual stack, recommend what fits, and persist decisions so you don't re-evaluate. Working on your request now.
Skip the orientation if you're about to surface concrete picks from a registry the user has already pinned — those are more useful than a generic intro. Don't repeat in later turns of the same conversation.
How persistence works on claude.ai
The sandbox is fresh every conversation. There's no ~/.claude/skills/registry.json that survives across sessions. Three modes, picked in this order based on what the user has set up:
- Project Knowledge (recommended) —
skills_registry.json in Project Knowledge is auto-read at session start. After updates, the skill writes /mnt/user-data/outputs/skills_registry.json so the user can download and swap.
- Upload / download — user attaches the registry to the conversation, skill emits the updated file at session end via
/mnt/user-data/outputs/.
- Gist sync (power users) — user provides a private Gist ID + PAT, skill fetches via
curl, patches via PATCH /gists/{id}.
Deep dive: references/persistence.md. Schema is v3.0 (matches Claude Code version, so the same registry can be used on both):
{
"version": "3.0",
"last_updated": "YYYY-MM-DD",
"skills": [{"id": "...", "name": "...", "evaluations": [...], "tags": [...], ...}]
}
Writing the registry
When a decision is made, write the updated JSON to /mnt/user-data/outputs/skills_registry.json via the code-execution tool, then tell the user:
"Updated registry written to skills_registry.json (download link above). Replace the file in Project Knowledge to persist this decision."
Never paste the full registry back into chat — large registries blow context. Use the file flow.
Project context on claude.ai
claude.ai has no working directory. The "project" is whatever the user has made visible:
- Files attached to the current message (manifests, CLAUDE.md, source files)
- Files in Project Knowledge (persistent for the Project)
- Pasted snippets in chat (treat as virtual files using the declared filename)
If none are present and you need them for ranking, ask once per session:
"To recommend skills that actually fit, I need to see your project's manifest. Paste your package.json / pyproject.toml / requirements.txt / CLAUDE.md, or attach them. Or say 'no project context' for general-purpose recommendations."
Don't ask repeatedly. If the user declines, fall back to trust-tier-only ranking from the embedded catalog.
Project label
Ask once per session: "What should I call this project in the registry? (Used to tag evaluations — could be a repo name, app name, or 'default'.)" Reuse the label across all evaluations in the session. If the user attached a package.json with a name field, use that as the suggested default.
The five verbs
Removed from this edition: PLATFORMS and MIGRATE (claude.ai isn't installing to CLI agents). All five are invoked by natural language.
1. RECOMMEND — "what skills fit this project?"
- Gather project signals (attached / Project Knowledge / pasted). Extract tags via
references/signals.md.
- Read the registry (Project Knowledge → upload → Gist). Skip skills already evaluated.
- Load catalog from
references/catalog.yaml (the curated seed). Optionally augment via the live-refresh flow below if the user asked for "latest".
- Match: for each catalog entry, count tag overlap with project tags.
- Score =
len(overlap) * 10 + trust_bonus (official: 20, high: 15, medium: 5, community: 2, unknown: 0).
- Sort descending, top 5, grouped by capability vs preference.
- Render with pros, cons, and a CUSTOMIZE hint when there's a stack mismatch (see
references/signals.md § Tag rivals).
Render template:
═══════════════════════════════════════════════════════════
Recommendations for: <project>
═══════════════════════════════════════════════════════════
⚡ CAPABILITY — new abilities
01. <trust-icon> <Name>
Why : [<top-3 overlapping tags>]
What : <one-line description>
Trust : <official | high | medium | community | unknown>
✓ Pro : <pro 1>
✓ Pro : <pro 2>
✗ Con : <con 1>
✗ Con : <con 2>
💡 Tip : <customize hint, only when stack mismatch>
Install : <command for the user's target runtime>
🎨 PREFERENCE — better defaults
...
Trust icons: 🏛️ official · ✅ high · 🟡 medium · ⬜ community · ❓ unknown.
2. EVALUATE — "should I install this skill?"
- Registry first. If the skill id has a prior verdict, surface it: "You already evaluated this on for with verdict . Re-evaluate, or reuse?"
- Security scan (see
references/security-patterns.md). If the source is a GitHub repo, fetch via:
curl -sL "https://raw.githubusercontent.com/<owner>/<repo>/main/SKILL.md" -o /tmp/source.md
Run the patterns over the fetched (or attached) content. Any HIGH / CRITICAL match → halt and report before producing a verdict.
- Read project context. Ground the evaluation in what the project actually does, not hypothetical futures.
- Produce the evaluation in this exact format (it's also what users paste into PRs and ADRs):
## Skill Evaluation: <Name>
Project: <project>
Type: Capability Uplift | Encoded Preference
### ✅ Pros
- <specific, tied to project goals>
### ⚠️ Cons
- <specific cost or limitation>
### 🔴 Conflicts
- <existing skill or pattern that overlaps; "None" if clean>
### 🎯 Verdict: ADOPT | PARTIAL | SKIP
<one or two sentences with the core reason>
### 📦 Adoption Plan
- Adopt: <which features>
- Skip: <which features>
- Pairs with: <skill-id or "nothing">
- Persist. Append the entry to the skill's
evaluations array in the registry, write the updated JSON to /mnt/user-data/outputs/skills_registry.json, point the user at the download.
The evaluation block is PR-ready — offer it as an Artifact for easy copy if the user is heading to GitHub.
3. SCAN — "is this skill safe?" (quick verb)
Lighter than EVALUATE. Runs only the security patterns from references/security-patterns.md, returns a findings table, no verdict. Use when the user says "just check if it's safe" or "scan for red flags" without asking for adoption advice.
Skill: <name>
Source: <path or url>
| Severity | Finding | Pattern |
|---|---|---|
| <S> | <line excerpt> | <pattern name> |
Result: ✅ Clean | ⚠️ <n> findings to review | 🔴 Stop — <n> CRITICAL
If clean, offer to follow up with a full EVALUATE. If flagged, halt and let the user decide.
4. AUDIT — "review my installed skills"
Run four checks over the registry in one pass:
- Duplicates — pairs with > 60% tag overlap, flag possible redundancy.
- Preference conflicts —
type: preference skills with contradictory rules (two style guides, two commit-message conventions).
- Security gaps —
security_scan missing or empty. Recommend re-scan.
- Stale evaluations — last evaluated > 6 months ago.
Present as a triaged punch list. End with: "Want me to re-evaluate any of these? Paste the source or attach the SKILL.md."
5. CUSTOMIZE — fork an external skill for this project (the headline capability)
This is what makes Skills Curator different: when a recommended skill ships examples from a stack the user doesn't use, fork it as a project-tailored version instead of installing as-is. Lead with this whenever RECOMMEND surfaces a stack-mismatched pick.
- Acquire the source SKILL.md. Either attached, or fetched via curl.
- Scan project context to get the tag set.
- Parse SKILL.md into sections (split on
^## headings). For each section, score by tag-overlap and tag an action: keep / keep-trim / rewrite-stack / drop-or-rewrite / rewrite-frontmatter (always for frontmatter).
- Emit the customization plan as a markdown table — inline, so the user can sanity-check before the rewrite.
- Rewrite each section in place per the action column.
rewrite-stack sections get their examples translated to this project's framework (e.g., Vue → React).
- Package the fork. Write to
/mnt/user-data/outputs/:
mkdir -p /tmp/<fork-name>
cd /tmp && zip -r /mnt/user-data/outputs/<fork-name>.zip <fork-name>/
Tell the user: "Your customized skill is at <fork-name>.zip (download link above) — unzip, then upload via claude.ai → Settings → Capabilities → Skills, or move to ~/.claude/skills/<fork-name>/ if you're on Claude Code."
Offer to also write the fork as a new entry in the registry (its own id, derived from source) so future RECOMMEND knows about it.
Project signal extraction
Framework keywords, goal keywords, and Tag-rivals (stack-mismatch detector) → references/signals.md. Always-on cost stays low because the table only loads when the user asks for recommendations.
Embedded catalog
20 curated entries with hand-written pros / cons / tags / trust tier → references/catalog.yaml. Read on demand during RECOMMEND.
Security scan patterns
15 severity-tagged regex patterns → references/security-patterns.md. Read on demand during EVALUATE / SCAN.
Persistence deep dive
Three modes (Project Knowledge / upload / Gist), initial registry shape, troubleshooting → references/persistence.md.
Symptom → skill mapping
When the user describes a problem instead of naming a skill, match against this table and search the catalog by tag.
| User says (substring) | Look for skills tagged |
|---|
slow test, tests are slow | testing, performance |
failing ci, ci is broken | ci-cd, github-actions |
ugly ui, design is bad, ai-slop | frontend-design, design-system, ui |
manual deploy, deploys are manual | ci-cd, deploy |
no docs, missing docs | docs, docgen |
messy commits, bad commit messages | commit-writer, conventional-commits |
slow build, build takes forever | build-tools, performance |
auth broken, login issue | auth, session-management |
scraping broken, browser auth | scraping, browser-automation |
accessibility, a11y | accessibility, ui |
pr review takes, slow code review | pr-review, code-review |
forget context, no memory | memory, personalization |
mcp server | mcp, integration |
mobile app, ios bug, android bug | mobile, react-native |
video render, animation | video, animation, remotion |
data extraction, parse pdf | documents, data-extraction |
hardcoded keys, security audit | security, audit |
Live catalog refresh (optional)
When the user asks for "latest skills" or "refresh the catalog", augment the embedded catalog with live entries from GitHub topic search. The sandbox has internet, so:
for topic in claude-skill claude-code-skill agent-skill; do
curl -sL \
-H "Accept: application/vnd.github+json" \
-H "User-Agent: skills-curator-claudeai" \
"https://api.github.com/search/repositories?q=topic:$topic&sort=stars&per_page=20" \
> /tmp/topic-$topic.json
done
Parse each JSON, classify trust by author (anthropics / vercel-labs / microsoft / google → official; ComposioHQ / supermemoryai / remotion-dev / firecrawl → high; obra → medium; else unknown), build catalog entries with empty pros/cons. Curated entries from references/catalog.yaml win on id collision — never overwrite hand-written pros/cons.
Unauthenticated GitHub API rate-limit: 60 req/hr per IP. If hit, fall back to embedded catalog and warn the user.
Optionally cache the merged catalog to /mnt/user-data/outputs/catalog.json so the user can pin it in Project Knowledge.
Common mistakes
| Mistake | What to do instead |
|---|
| Pasting the full registry JSON back into chat | Write to /mnt/user-data/outputs/skills_registry.json and link the download — registries grow, chat tokens don't |
| Recommending a medium/unknown-trust skill without scanning first | Trust gate is non-negotiable — fetch or ask for the SKILL.md, scan, flag findings |
| Manufacturing a recommendation when no skill fits | Say no good match was found, explain why, offer to do the task directly |
| Re-evaluating a skill the registry already has a verdict for | Surface the prior verdict + date first, ask whether to reuse or re-evaluate |
| Asking for project context on every message | Once per session. If declined, fall back to trust-tier-only ranking |
| Pretending PLATFORMS / MIGRATE exist | Removed from this edition — point users at the Claude Code version if they need cross-agent migration |
| Loading every reference file every turn | References load on demand for the verb that needs them — don't pre-load |
When to recommend the Claude Code version instead
A few capabilities only exist in the Claude Code editions and can't be replicated here:
- Cross-agent migration to 55 platforms (Cursor, Codex, Gemini CLI, etc.) — there's no equivalent target on claude.ai
--auto proactive activation with project fingerprinting against a real working directory
- Single-pass speed on 100+ skills — the Python engine is faster than agent-driven evaluation at that scale
If the user has Claude Code installed and any of those matter, point them at:
npx skills add captkernel/Skills_Curator
The editions don't conflict — they target different runtimes, and the registry JSON schema is shared so a user can sync between them via a Gist.