
Skill Advisor

Every skill, plugin, and MCP server on mdskills.ai is reviewed by the Skill Advisor — an AI-powered evaluation that scores listings on capabilities, quality, and security. The goal is to help you quickly assess whether a skill is well-built, safe to use, and worth installing.

What we evaluate

The Skill Advisor analyzes the SKILL.md content (and README when available) against three dimensions:

1. Capabilities

What does this skill actually enable an agent to do? Is it useful and well-scoped, or shallow and trivial? Are the instructions specific enough that an agent could execute them reliably without guessing?

2. Quality

Is the SKILL.md well-structured? Does it have clear trigger conditions, step-by-step instructions, examples, and edge case handling? Does it use progressive disclosure? Would an agent or human understand exactly what this does out of the box?

3. Security

Are the declared permissions appropriate for what the skill actually does? Are there unvalidated shell commands, unconstrained file writes, or credential handling concerns? Could a malicious input trick an agent into running dangerous commands through this skill?

How scoring works

Each skill receives a score from 1 to 10, along with specific strengths and weaknesses. The score reflects overall quality across all three dimensions:

Score   Meaning
7-10    Strong — actionable, well-structured, and immediately usable by an agent
4-6     Decent — functional but could improve in specificity, examples, or permissions
1-3     Weak — missing actionable instructions or not usable by an agent as-is

Scores of 9 or 10 are rare and reserved for skills that excel in all three dimensions. A score of 7 is good. Security concerns — especially undeclared permissions or prompt injection risk — significantly impact the score.

What we flag

  • Permission mismatches — a skill that uses shell commands but doesn't declare shell execution
  • Over-scoped permissions — requesting filesystem write, shell, and network when only read is needed
  • Missing instructions — a skill that describes what it does but not how to do it
  • No trigger conditions — no clear “when to use this skill” section
  • Prompt injection surface — instructions that could be exploited by malicious file content
  • Credential handling — secrets stored in plaintext or passed unsafely
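
The first two flags above, as an added example rather than mdskills.ai's own code: a content-inspection lint a skill author could run before submitting. The frontmatter `permissions` key, the permission names, and the regex heuristics are assumptions made for illustration; the Skill Advisor itself is an AI review, not this script.

```python
import re

FENCE = "`" * 3  # built at runtime so the sample nests inside a markdown page

# Shell code blocks in a SKILL.md; their bodies are what gets inspected.
SHELL_BLOCK = re.compile(FENCE + r"(?:bash|sh|shell|zsh)\n(.*?)" + FENCE, re.S)

# Hypothetical permission names -> evidence inside a shell block (assumed heuristics).
EVIDENCE = {
    "filesystem_read": re.compile(r"\b(?:cat|head|tail|grep)\s+\S"),
    "filesystem_write": re.compile(r"(?<![0-9&>])>{1,2}\s*[\w/~.]|\btee\s+\S"),
    "network": re.compile(r"\b(?:curl|wget)\s|https?://"),
}

def declared_permissions(skill_md):
    """Read the assumed `permissions: [a, b]` line from YAML-style frontmatter."""
    front = re.match(r"---\n(.*?)\n---\n", skill_md, re.S)
    line = re.search(r"^permissions:\s*\[(.*?)\]", front.group(1), re.M) if front else None
    return {p.strip() for p in line.group(1).split(",") if p.strip()} if line else set()

def used_permissions(skill_md):
    """Infer permissions the instructions actually exercise."""
    blocks = SHELL_BLOCK.findall(skill_md)
    used = {"shell"} if blocks else set()
    for body in blocks:
        used |= {name for name, pat in EVIDENCE.items() if pat.search(body)}
    return used

def review(skill_md):
    declared, used = declared_permissions(skill_md), used_permissions(skill_md)
    return {"undeclared": sorted(used - declared),    # permission mismatch
            "over_scoped": sorted(declared - used)}   # requested but never needed

# Constructed sample skill: declares read + network, but runs a shell pipeline that writes a file.
SAMPLE = (
    "---\n"
    "name: log-summarizer\n"
    "permissions: [filesystem_read, network]\n"
    "---\n"
    "## Steps\n"
    "1. Collect the last 200 log lines:\n\n"
    + FENCE + "bash\n"
    "cat /var/log/app.log | tail -n 200 > /tmp/summary.txt\n"
    + FENCE + "\n"
)

if __name__ == "__main__":
    print(review(SAMPLE))
```

Like the review it imitates, this inspects content only, so instructions given in prose instead of a shell block are not seen by these heuristics.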

How reviews are generated

Reviews are generated by Claude (Anthropic's AI) using a structured evaluation prompt. The reviewer analyzes the skill's SKILL.md content, README, and declared permissions. Reviews are generated when a skill is first imported and can be regenerated when the skill content is updated.

The Skill Advisor is not a popularity metric. It doesn't consider GitHub stars, install counts, or community sentiment. It evaluates the skill file itself — its structure, clarity, security posture, and usefulness to an AI agent.

Limitations

  • Reviews are AI-generated and may occasionally miss nuances or produce false positives
  • The review evaluates the skill file, not the underlying tool or service it wraps
  • Security analysis is based on content inspection, not runtime testing
  • Scores may vary slightly if a review is regenerated

Want to improve your score? Read the SKILL.md Best Practices guide — especially the security section on permissions, shell safety, and credential handling.

Have feedback?

If you think a review is inaccurate or unfair, let us know. We're continuously improving the evaluation criteria to be more helpful and precise.

Open an issue on GitHub →