Turns any folder of code, docs, papers, images, or videos into a queryable knowledge graph with AST-based extraction for 25 languages, LLM subagent semantic extraction, Leiden community detection, and interactive HTML visualization
Well-engineered knowledge graph skill with SSRF protection, sensitive file detection, and download size caps. Primary risk surface is the install command writing PreToolUse hooks and config files across multiple platform directories in the home folder, plus skill.md instructing LLMs to run pip install with --break-system-packages. Doc/paper/image content is sent to external LLM APIs for semantic extraction.
Behavioral guidelines derived from Andrej Karpathy's observations on LLM coding pitfalls — Think Before Coding, Simplicity First, Surgical Changes, and Goal-Driven Execution
✓No code exec✓No data sent✓No network✓No creds✓No auto-update✓Self-contained
Purely natural language guidelines in 6 Markdown/JSON files with no executable code, no dependencies, and no network access. Only adds behavioral instructions to Claude's context encouraging careful, minimal, assumption-surfacing coding practices.
AI-powered job search system with 14 skill modes, A-F scoring across 10 dimensions, ATS-optimized PDF resume generation, career portal scanning via Playwright, and batch processing with claude sub-agents
Feature-rich job search system with clear, well-structured code and a thoughtful data contract separating user files from system files. However, has a built-in auto-updater that overwrites CLAUDE.md, mode files, scripts, and package.json from upstream on every session start, and its batch runner uses --dangerously-skip-permissions. Users should understand upstream changes could modify agent behavior.
Token-saving skill that makes Claude talk like a caveman, cutting 65-75% of output tokens while keeping full technical accuracy. Three intensity levels (lite, full, ultra) plus a companion markdown compressor
✓No code exec✓No data sent✓No network✓No creds✓No auto-update✓Self-contained
Pure prompt-based skill that modifies Claude's output style to reduce token usage. The core installed component is a single markdown file with no executable code, no network calls, and no dependencies. Optional companion tools (caveman-compress, benchmarks) are clearly separated and only run when explicitly invoked.
Transforms vague requests into optimized prompts for 30+ AI platforms with auto-selected templates, clarifying questions, and token efficiency audits
✓No code exec✓No data sent✓No network✓No creds✓No auto-update✓Self-contained
Pure prompt instructions in a single SKILL.md. Detects target AI platform, extracts intent across 9 dimensions, routes to 12 prompt templates (RTF, CO-STAR, RISEN, etc.), and audits for 35 token-wasting patterns. No executable code, no network calls.
Universal SEO skill with 19 sub-skills, 12 subagents, and Google API integration - technical audits, content analysis, schema markup, AI search optimization, and PDF report generation
Comprehensive SEO toolkit with 21 Python scripts that make external API calls (Google Search Console, PageSpeed, GA4, Moz, Bing Webmaster, YouTube). Reads Google API credentials from env vars and config files. PostToolUse hook runs schema validation. Install script clones repo and installs pip packages. Powerful but requires trust in the author due to broad network and credential access.
·
git clone https://github.com/AgriciDaniel/claude-seo.git && cd claude-seo && bash install.sh
Turn Claude Code into a full game dev studio with 48 AI agents and 36 workflows
●Runs scripts✓No data sent✓No network✓No creds✓No auto-update✓Self-contained
48 agent definitions in markdown with bash hooks for commit/push validation. Settings explicitly deny rm -rf, force push, and .env access. No network calls.
Skills that turn any codebase into an interactive knowledge base
●Runs scripts✓No data sent✓No network✓No creds✓No auto-update●External deps
TypeScript monorepo with tree-sitter analysis, React dashboard, and multi-agent pipeline. Writes to .understand-anything/ in project directory. npm dependencies via pnpm.
MCP server indexing codebase into Zilliz Cloud vector database using OpenAI embeddings. Requires OPENAI_API_KEY and MILVUS_TOKEN. Sends code chunks to external APIs.
Warcraft III Peon voice notifications for Claude Code, Codex, and Gemini CLI
●Runs scripts✓No data sent✓Local only✓No creds✓No auto-update●External deps
Voice notification hooks playing sound files via system audio (afplay/paplay). Install writes hooks to ~/.claude/hooks/peon-ping/. No data sent externally.
GEO-first SEO skill with comprehensive AI search optimization
●Runs scripts✓No data sent●External calls✓No creds✓No auto-update●External deps
Python scripts using requests, BeautifulSoup, and Playwright for SEO/GEO auditing. Fetches user-specified URLs only. Stores prospect data in ~/.geo-prospects/.
734+ structured cybersecurity skills for AI agents with MITRE ATT&CK mapping
●Runs scripts✓No data sent✓No network✓No creds✓No auto-update✓Self-contained
753 structured SKILL.md files covering cybersecurity domains with MITRE ATT&CK mapping. Includes helper Python scripts for forensics. All skills are instructional markdown.
Claude Code guide covering setup, commands, workflows, agents, skills and tips
✓No code exec✓No data sent✓No network✓No creds✓No auto-update✓Self-contained
Comprehensive reference documentation in a single large README.md. Command cheatsheets, configuration examples, and troubleshooting guides. No executable code.
Obsidian plugin embedding full Claude Code CLI. Executes arbitrary bash, supports MCP servers, sends content to Anthropic API. Has YOLO mode that auto-approves all tool calls. Includes command blocklist safety.
MCP integration between AI agents (Cursor, Claude Code) and Figma for design-to-code
●Runs scripts✓No data sent✓Local only✓No creds●Auto-updates●External deps
MCP server communicating with Figma via local WebSocket on port 3055. Requires Figma plugin running locally. bunx @latest pulls newest version. No external network calls.
Multi-model MCP server routing prompts to Gemini, OpenAI, Grok, Azure, Ollama, and OpenRouter APIs. Reads API keys from .env. Sends code and conversation context to multiple external LLM providers.
Deep-dive tutorial on agent harness engineering - build a Claude Code-like agent from scratch with tools, context management, and permissions
●Runs scripts✓No data sent●External calls●Reads creds✓No auto-update●External deps
Educational repo teaching agent harness engineering with Python + Next.js. Reads ANTHROPIC_API_KEY for standard SDK calls. No telemetry, no home directory writes.
Cross-platform desktop app for managing Claude Code, Codex, Gemini CLI, OpenCode, and OpenClaw sessions
✕Arbitrary code✓No data sent●External calls●Reads creds✓No auto-update●External deps
Desktop app that manages and proxies API keys across 5 AI CLI tools. Local proxy intercepts all API traffic for format conversion. Cloud sync and deep link import are additional attack vectors. Code-signed binaries.
·
Download from https://github.com/farion1231/cc-switch/releases
Comprehensive best practices guide covering agents, commands, skills, hooks, workflows, and orchestration patterns
●Runs scripts✓No data sent●External calls●Reads creds✓No auto-update●External deps
Best practices guide with hook scripts (Python subprocess for sound playback), broad permissions (WebFetch, WebSearch), and MCP server configs (Reddit, Tavily, weather API). Not purely documentation.
28-skill framework with opt-in Supabase telemetry. The /browse skill enables arbitrary web access and /setup-browser-cookies imports local browser cookies. Auto-upgrade via git pull. Telemetry schema is publicly auditable.
·
git clone https://github.com/garrytan/gstack.git ~/.claude/skills/gstack && cd ~/.claude/skills/gstack && ./setup
Principle-based UI design system that stores design decisions and component patterns for consistent interfaces across sessions
✓No code exec✓No data sent✓No network✓No creds✓No auto-update✓Self-contained
Pure Markdown prompt instructions — zero executable code. Stores design decisions in a project-local system.md file. Every file is human-readable and auditable in 15 minutes. Clean.
AI-powered semantic security analysis detecting OWASP Top 10 vulnerabilities, injection attacks, auth flaws, and data exposure in code changes
●Runs scripts✓No data sent●External calls●Reads creds✓No auto-update●External deps
Official Anthropic security review GitHub Action. Calls Claude API for semantic vulnerability analysis of PR diffs. Warns it is NOT hardened against prompt injection.
·
Built-in /security-review command, or copy security-review.md to .claude/commands/
6 reusable skills and 2 agents for React, GraphQL, testing, and debugging with hooks and GitHub Actions automation
●Runs scripts✓No data sent●External calls●Reads creds✓No auto-update✓Self-contained
Skills + hooks with MCP integrations to 6 external services (Jira, GitHub, Linear, Sentry, Slack, Postgres). Reads multiple API tokens. Hook scripts run on every prompt.
Highly customizable statusline for Claude Code CLI with widgets for tokens, git, context window, costs, and Powerline themes
●Runs scripts✓No data sent●External calls●Reads creds✓No auto-update●External deps
Terminal statusline widget reading Claude Code session files and making API calls to Anthropic for usage data. No telemetry. Read-heavy with minimal write surface.
Browser automation logging into Google NotebookLM via Patchright (anti-detection Playwright fork). Stores Google session cookies locally. Sends user queries to Google servers.
Manage multiple AI coding agents in isolated git workspaces
✕Arbitrary code✓No data sent●External calls●Reads creds✓No auto-update●External deps
Compiled Go binary managing multiple Claude Code agents in isolated git worktrees. Executes arbitrary commands via tmux/pty. No telemetry. AGPL-3.0 licensed.
GitHub Action for AI code review and implementation on PRs
✕Arbitrary code✓No data sent●External calls●Reads creds✓No auto-update●External deps
Official Anthropic GitHub Action running Claude Code on PRs. Requires API keys and GitHub tokens. Well-maintained (143 releases, 81 contributors). MIT licensed.
·
Add anthropics/claude-code-action to your GitHub workflow YAML
Multi-agent orchestration spawning Claude/Codex/Gemini in tmux. Sends notifications to Telegram/Discord/Slack/OpenClaw webhooks. Writes to ~/.omc and ~/.claude.
·
git clone https://github.com/Yeachan-Heo/oh-my-claudecode && cd oh-my-claudecode && ./install.sh
Autonomous dev loop with intelligent exit detection and rate limiting
●Runs scripts✓No data sent●External calls●Reads creds✓No auto-update●External deps
Autonomous development loop running Claude Code CLI repeatedly with rate limiting and circuit breaker. Reads API keys from env vars. 556 tests passing.
·
git clone https://github.com/frankbria/ralph-claude-code && cd ralph-claude-code && ./install.sh
MCP server providing AI access to n8n documentation and workflow execution. Connects to n8n instances via API key. Sends workflow data to external n8n server.
Kanban board with Rust backend. PostHog analytics present but defaults to disabled. SSH tunneling and Cloudflare/ngrok exposure can expose local project state to the network.
·
git clone https://github.com/BloopAI/vibe-kanban && cd vibe-kanban && npm install
Route Claude Code requests to different LLM providers and models with plugin system
●Runs scripts✓No data sent●External calls●Reads creds✓No auto-update●External deps
API proxy routing Claude Code requests to alternative LLM providers. Custom JS transformer plugin system allows loading arbitrary JS files. Forces localhost binding when no API key is set.
Reference library of production-tested infrastructure with auto-activating skills via hooks, modular skill patterns, and 10 specialized agents
●Runs scripts✓No data sent✓No network✓No creds✓No auto-update✓Self-contained
Reference library of hooks, skills, agents, and slash commands. Includes bash hook scripts for skill auto-activation and TypeScript checking. Project-scoped.
Plugin implementing compound engineering where each unit of work makes future work easier - plan/work/review/compound cycles with worktree support
●Runs scripts✓No data sent✓No network✓No creds✓No auto-update●External deps
Plugin with brainstorm-plan-work-review-compound workflow cycle. Includes Bun/TS CLI for cross-tool conversion. Writes to multiple AI tool config dirs.
713+ agentic skills in universal SKILL.md format that works across Claude Code, Gemini CLI, Codex, Cursor, and more
●Runs scripts✓No data sent●External calls✓No creds●Auto-updates●External deps
1,326+ markdown skill playbooks with built-in security scanning for high-risk patterns. Author states skills are "not safe by default." CI validation and automated review checks are positive mitigations.
Lightweight spec-driven development system with meta-prompting and context engineering that solves context rot
●Runs scripts✓No data sent●External calls●Reads creds●Auto-updates●External deps
Spec-driven multi-agent orchestration that writes configs to 9+ AI editor directories. No telemetry, but automatic git commits and @latest npm install pattern are notable.
Configuration framework with 30 slash commands, 16 agents, 7 behavioral modes, and 8 MCP server integrations
●Runs scripts✓No data sent●External calls✓No creds●Auto-updates●External deps
Meta-programming framework installing 30 slash commands and optional MCP servers into ~/.claude via pip/pipx. Deep research mode makes external web calls.
Comprehensive plugin with 15+ agents, 30+ skills, 30+ commands, hooks, and rules from an Anthropic hackathon winner
●Runs scripts✓No data sent●External calls●Reads creds✓No auto-update●External deps
29 lifecycle hooks and multi-language rules. Uses npx to fetch packages, has MCP server integrations, and reads ANTHROPIC_API_KEY and GITHUB_TOKEN from env. No telemetry sending data home.
73 focused plugins with 112 specialized agents, 146 skills, and 16 workflow orchestrators optimized for minimal token usage
●Runs scripts✓No data sent●External calls✓No creds✓No auto-update●External deps
72 markdown agent definitions plus Python tools (yt-design-extractor) that download YouTube videos and run OCR. Makefile installs system tools. Core plugins are prompt-only but tools/ has real scripts.
AI image prompt generation with 1,246+ elements across portrait, design, and art domains - supports 200k+ style combinations
●Runs scripts✓No data sent✓No network✓No creds✓No auto-update✓Self-contained
Offline prompt generation with 1,246+ elements in local SQLite database. Python scripts query local DB and YAML configs. No network calls, no credentials.
Video editing skill using FFmpeg and Volcano Engine speech-to-text. Uploads audio to uguu.se (public file host) for transcription. Sends user audio to two external services.
Multi-platform research skill accessing 8+ services with 10+ API keys. Vendored X/Twitter GraphQL client using cookie-based auth. Extensive credential surface.
Convert browser actions to MCP commands with visual recording and LLM-powered extraction
✕Arbitrary code✓No data sent●External calls●Reads creds✓No auto-update●External deps
Full browser automation platform with HTTP API, LLM integration, and MCP support. Executes arbitrary browser commands including form filling. High risk from combined scope.
Word document creation and editing with tracked changes support
●Runs scripts✓No data sent✓No network✓No creds✓No auto-update✓Self-contained
Generates and edits Word documents by writing and running Python scripts and invoking LibreOffice for conversion. All scripts are vendored in the skill. No network calls or credential access.
PDF manipulation including extraction, merging, splitting, and form handling
●Runs scripts✓No data sent✓No network✓No creds✓No auto-update●External deps
Instructs Claude to write Python scripts using PyPDF2/pdfplumber. Scripts run in your project directory with standard tool approval. No network calls, no credential access. Requires pip packages.
PowerPoint presentation creation with layouts and automation
●Runs scripts✓No data sent✓No network✓No creds✓No auto-update●External deps
Creates and edits PowerPoint files by running bundled Python scripts and JS with pptxgenjs. Uses LibreOffice and Poppler for QA. Requires external tools but makes no network calls.
Excel spreadsheet operations with formulas and data analysis
●Runs scripts✓No data sent✓No network✓No creds✓No auto-update✓Self-contained
Creates and edits Excel spreadsheets with a bundled recalc script for formula validation. Uses shared office pack/unpack utilities. No network calls or credential access.
Create distinctive, production-grade frontend interfaces with bold design choices
✓No code exec✓No data sent✓No network✓No creds✓No auto-update✓Self-contained
Pure prompt instructions — no code execution, no network calls, no credential access. Generates production-grade React + Tailwind with genuine design taste. Safe to install.
Generate algorithmic art using p5.js with particle systems and flow fields
✓No code exec✓No data sent●External calls✓No creds✓No auto-update✓Self-contained
Pure prompt instructions for generating HTML files with inline p5.js art. Output HTML loads p5.js from CDN at runtime. The skill itself executes no code.
Create visual art in PNG and PDF formats using design philosophy
●Runs scripts✓No data sent✓No network✓No creds✓No auto-update✓Self-contained
Creates PNG/PDF designs by running Python scripts with Pillow. Bundles 81 OFL-licensed font files for local typography. Fully offline with no network calls.
Create animated GIFs optimized for Slack with proper constraints
●Runs scripts✓No data sent✓No network✓No creds✓No auto-update●External deps
Generates animated GIFs by running Python scripts using Pillow, imageio, and numpy. Includes a core library with validators and easing helpers. No network calls.
Create high-quality MCP servers for external API integration
●Runs scripts✓No data sent●External calls●Reads creds✓No auto-update●External deps
Guides creation of MCP servers with bundled evaluation scripts. Evaluation calls the Anthropic API and connects to MCP servers via stdio/SSE/HTTP. Reads env vars for auth.
Test web applications using Playwright with screenshots and assertions
●Runs scripts✓No data sent✓Local only✓No creds✓No auto-update●External deps
Automates local web app testing by running Python Playwright scripts. Includes server lifecycle management. Network calls are localhost-only. Requires Playwright.
Manus-style persistent markdown planning - the workflow behind the $2B acquisition
●Runs scripts✓No data sent✓No network✓No creds✓No auto-update✓Self-contained
Plugin creating markdown planning files in the project directory. Includes bash/PowerShell hook scripts for plan re-reading and completion verification. No network calls.
IoT pentesting skills and custom tooling for hybrid hardware security testing
✕Arbitrary code✓No data sent●External calls●Reads creds✓No auto-update●External deps
Offensive IoT pentesting toolkit with network scanners, default credential wordlists, and UART automation. High risk by design — this is a security testing tool.
Go language skills with support for OpenAI and other LLMs as subagents
✕Arbitrary code✓No data sent●External calls●Reads creds✓No auto-update●External deps
Go-based skill runner with web UI executing arbitrary Python/shell code via built-in tools. Integrates with OpenAI/DeepSeek APIs. Downloads skills to ~/.goskills/.
RED-GREEN-REFACTOR cycle with testing anti-patterns reference
●Runs scripts✓No data sent✓No network✓No creds✓No auto-update✓Self-contained
Methodology guide for red-green-refactor cycle. Instructs Claude to run project test suites. Self-contained markdown with one companion file. No network calls, no credentials.
4-phase root cause process with tracing and defense techniques
●Runs scripts✓No data sent✓No network✓No creds✓No auto-update✓Self-contained
Four-phase debugging methodology. Includes a bash bisection script for test isolation. Shell execution limited to project test commands. No network calls or data transmission.
●Runs scripts✓No data sent✓Local only✓No creds✓No auto-update✓Self-contained
Design-before-implementation workflow with optional local Node.js preview server (127.0.0.1 only). Server auto-exits after 30 min idle. All network activity is localhost. No telemetry.
Create detailed implementation plans before coding
✓No code exec✓No data sent✓No network✓No creds✓No auto-update✓Self-contained
Pure process skill that guides writing implementation plans as markdown files. No shell commands executed. Single SKILL.md with one companion file for self-review.
●Runs scripts✓No data sent✓No network✓No creds✓No auto-update✓Self-contained
Orchestration skill that loads a plan file, creates a checklist, and executes tasks with verification. Runs whatever test commands the plan specifies. No standalone scripts.
●Runs scripts✓No data sent✓No network✓No creds✓No auto-update✓Self-contained
Coordination pattern for dispatching independent sub-agents. Single SKILL.md with no companion files. Shell execution comes from sub-agent tasks, not the skill itself.
138 scientific skills across bioinformatics, cheminformatics, ML, and more
●Runs scripts✓No data sent●External calls✓No creds✓No auto-update✓Self-contained
170+ SKILL.md files for scientific disciplines referencing 250+ databases. Skills instruct Claude to query external scientific APIs. No bundled executables.
Write internal communications using company formats
✓No code exec✓No data sent✓No network✓No creds✓No auto-update✓Self-contained
Pure prompt skill with templates for internal communications — updates, newsletters, FAQs. Markdown only. No code execution, no network calls, no dependencies.
Context management using hooks, ledgers, and isolated context windows
✕Arbitrary code✓No data sent●External calls●Reads creds✓No auto-update●External deps
Agent orchestration framework with Docker stack, PostgreSQL, 32 agents, 109 skills, and 30 hooks. Modifies home directory Claude config. High complexity surface.
·
git clone https://github.com/parcadei/Continuous-Claude-v3 && cd Continuous-Claude-v3 && ./install-global.sh
Real-time monitoring dashboard with 12 Python hooks sending lifecycle events to local Bun server. Data stays local (SQLite + WebSocket). Reads multiple API keys.
Anthropic-managed directory of high quality Claude Code plugins
●Runs scripts✓No data sent●External calls●Reads creds✓No auto-update●External deps
Anthropic-maintained plugin directory with internal and vetted external plugins. Individual plugin security varies. Plugins may include MCP servers and agents.
Persistent memory with local SQLite + Chroma vector storage. curl-pipe-bash installer from cmem.ai is highest risk. OpenClaw mode can stream session data to Telegram/Discord/Slack via webhooks.
Customizable status line display showing context, tokens, and session info
●Runs scripts✓No data sent✓No network✓No creds✓No auto-update●External deps
Statusline plugin parsing stdin JSON and transcript JSONL for context usage and tool activity display. Writes config to ~/.claude/plugins. No network calls.
Catches destructive git and filesystem commands before they execute
●Runs scripts✓No data sent✓No network●Reads creds✓No auto-update●External deps
Defensive hook blocking destructive git/filesystem commands before execution. AST-based command parsing. Single runtime dependency. Very low risk — this is a protective tool.
Interactive Q&A tool for building new Claude skills
●Runs scripts✓No data sent●External calls●Reads creds✓No auto-update✓Self-contained
Meta-skill for building other skills. Runs bundled Python scripts that invoke Claude CLI as subprocesses to test trigger rates. Reads CLAUDECODE env var. Inherits session auth.
Python app with MCP integration for skill discovery, install, and management. Connects to external APIs and skill registries. Writes to ~/.claude and Docker containers.
·
git clone https://github.com/yusufkaraaslan/Skill_Seekers && cd Skill_Seekers && ./setup_mcp.sh
Comprehensive plugin with 15+ agents, 30+ skills, 30+ commands, hooks, and rules from an Anthropic hackathon winner
●Runs scripts✓No data sent●External calls●Reads creds✓No auto-update●External deps
29 lifecycle hooks and multi-language rules. Uses npx to fetch packages, has MCP server integrations, and reads ANTHROPIC_API_KEY and GITHUB_TOKEN from env. No telemetry sending data home.
RED-GREEN-REFACTOR cycle with testing anti-patterns reference
●Runs scripts✓No data sent✓No network✓No creds✓No auto-update✓Self-contained
Methodology guide for red-green-refactor cycle. Instructs Claude to run project test suites. Self-contained markdown with one companion file. No network calls, no credentials.
4-phase root cause process with tracing and defense techniques
●Runs scripts✓No data sent✓No network✓No creds✓No auto-update✓Self-contained
Four-phase debugging methodology. Includes a bash bisection script for test isolation. Shell execution limited to project test commands. No network calls or data transmission.
●Runs scripts✓No data sent✓Local only✓No creds✓No auto-update✓Self-contained
Design-before-implementation workflow with optional local Node.js preview server (127.0.0.1 only). Server auto-exits after 30 min idle. All network activity is localhost. No telemetry.
Create detailed implementation plans before coding
✓No code exec✓No data sent✓No network✓No creds✓No auto-update✓Self-contained
Pure process skill that guides writing implementation plans as markdown files. No shell commands executed. Single SKILL.md with one companion file for self-review.
●Runs scripts✓No data sent✓No network✓No creds✓No auto-update✓Self-contained
Orchestration skill that loads a plan file, creates a checklist, and executes tasks with verification. Runs whatever test commands the plan specifies. No standalone scripts.
●Runs scripts✓No data sent✓No network✓No creds✓No auto-update✓Self-contained
Coordination pattern for dispatching independent sub-agents. Single SKILL.md with no companion files. Shell execution comes from sub-agent tasks, not the skill itself.
Word document creation and editing with tracked changes support
●Runs scripts✓No data sent✓No network✓No creds✓No auto-update✓Self-contained
Generates and edits Word documents by writing and running Python scripts and invoking LibreOffice for conversion. All scripts are vendored in the skill. No network calls or credential access.
PDF manipulation including extraction, merging, splitting, and form handling
●Runs scripts✓No data sent✓No network✓No creds✓No auto-update●External deps
Instructs Claude to write Python scripts using PyPDF2/pdfplumber. Scripts run in your project directory with standard tool approval. No network calls, no credential access. Requires pip packages.
PowerPoint presentation creation with layouts and automation
●Runs scripts✓No data sent✓No network✓No creds✓No auto-update●External deps
Creates and edits PowerPoint files by running bundled Python scripts and JS with pptxgenjs. Uses LibreOffice and Poppler for QA. Requires external tools but makes no network calls.
Excel spreadsheet operations with formulas and data analysis
●Runs scripts✓No data sent✓No network✓No creds✓No auto-update✓Self-contained
Creates and edits Excel spreadsheets with a bundled recalc script for formula validation. Uses shared office pack/unpack utilities. No network calls or credential access.
Create distinctive, production-grade frontend interfaces with bold design choices
✓No code exec✓No data sent✓No network✓No creds✓No auto-update✓Self-contained
Pure prompt instructions — no code execution, no network calls, no credential access. Generates production-grade React + Tailwind with genuine design taste. Safe to install.
Generate algorithmic art using p5.js with particle systems and flow fields
✓No code exec✓No data sent●External calls✓No creds✓No auto-update✓Self-contained
Pure prompt instructions for generating HTML files with inline p5.js art. Output HTML loads p5.js from CDN at runtime. The skill itself executes no code.
Create visual art in PNG and PDF formats using design philosophy
●Runs scripts✓No data sent✓No network✓No creds✓No auto-update✓Self-contained
Creates PNG/PDF designs by running Python scripts with Pillow. Bundles 81 OFL-licensed font files for local typography. Fully offline with no network calls.
Create animated GIFs optimized for Slack with proper constraints
●Runs scripts✓No data sent✓No network✓No creds✓No auto-update●External deps
Generates animated GIFs by running Python scripts using Pillow, imageio, and numpy. Includes a core library with validators and easing helpers. No network calls.
Create high-quality MCP servers for external API integration
●Runs scripts✓No data sent●External calls●Reads creds✓No auto-update●External deps
Guides creation of MCP servers with bundled evaluation scripts. Evaluation calls the Anthropic API and connects to MCP servers via stdio/SSE/HTTP. Reads env vars for auth.
Test web applications using Playwright with screenshots and assertions
●Runs scripts✓No data sent✓Local only✓No creds✓No auto-update●External deps
Automates local web app testing by running Python Playwright scripts. Includes server lifecycle management. Network calls are localhost-only. Requires Playwright.
Write internal communications using company formats
✓No code exec✓No data sent✓No network✓No creds✓No auto-update✓Self-contained
Pure prompt skill with templates for internal communications — updates, newsletters, FAQs. Markdown only. No code execution, no network calls, no dependencies.
Interactive Q&A tool for building new Claude skills
●Runs scripts✓No data sent●External calls●Reads creds✓No auto-update✓Self-contained
Meta-skill for building other skills. Runs bundled Python scripts that invoke Claude CLI as subprocesses to test trigger rates. Reads CLAUDECODE env var. Inherits session auth.
28-skill framework with opt-in Supabase telemetry. The /browse skill enables arbitrary web access and /setup-browser-cookies imports local browser cookies. Auto-upgrade via git pull. Telemetry schema is publicly auditable.
·
git clone https://github.com/garrytan/gstack.git ~/.claude/skills/gstack && cd ~/.claude/skills/gstack && ./setup
Persistent memory with local SQLite + Chroma vector storage. curl-pipe-bash installer from cmem.ai is highest risk. OpenClaw mode can stream session data to Telegram/Discord/Slack via webhooks.
Deep-dive tutorial on agent harness engineering - build a Claude Code-like agent from scratch with tools, context management, and permissions
●Runs scripts✓No data sent●External calls●Reads creds✓No auto-update●External deps
Educational repo teaching agent harness engineering with Python + Next.js. Reads ANTHROPIC_API_KEY for standard SDK calls. No telemetry, no home directory writes.
Lightweight spec-driven development system with meta-prompting and context engineering that solves context rot
●Runs scripts✓No data sent●External calls●Reads creds●Auto-updates●External deps
Spec-driven multi-agent orchestration that writes configs to 9+ AI editor directories. No telemetry, but automatic git commits and @latest npm install pattern are notable.
Cross-platform desktop app for managing Claude Code, Codex, Gemini CLI, OpenCode, and OpenClaw sessions
✕Arbitrary code✓No data sent●External calls●Reads creds✓No auto-update●External deps
Desktop app that manages and proxies API keys across 5 AI CLI tools. Local proxy intercepts all API traffic for format conversion. Cloud sync and deep link import are additional attack vectors. Code-signed binaries.
·
Download from https://github.com/farion1231/cc-switch/releases
Comprehensive best practices guide covering agents, commands, skills, hooks, workflows, and orchestration patterns
●Runs scripts✓No data sent●External calls●Reads creds✓No auto-update●External deps
Best practices guide with hook scripts (Python subprocess for sound playback), broad permissions (WebFetch, WebSearch), and MCP server configs (Reddit, Tavily, weather API). Not purely documentation.
Behavioral guidelines derived from Andrej Karpathy's observations on LLM coding pitfalls — Think Before Coding, Simplicity First, Surgical Changes, and Goal-Driven Execution
✓No code exec✓No data sent✓No network✓No creds✓No auto-update✓Self-contained
Purely natural language guidelines in 6 Markdown/JSON files with no executable code, no dependencies, and no network access. Only adds behavioral instructions to Claude's context encouraging careful, minimal, assumption-surfacing coding practices.
AI-powered job search system with 14 skill modes, A-F scoring across 10 dimensions, ATS-optimized PDF resume generation, career portal scanning via Playwright, and batch processing with claude sub-agents
Feature-rich job search system with clear, well-structured code and a thoughtful data contract separating user files from system files. However, has a built-in auto-updater that overwrites CLAUDE.md, mode files, scripts, and package.json from upstream on every session start, and its batch runner uses --dangerously-skip-permissions. Users should understand upstream changes could modify agent behavior.
73 focused plugins with 112 specialized agents, 146 skills, and 16 workflow orchestrators optimized for minimal token usage
●Runs scripts✓No data sent●External calls✓No creds✓No auto-update●External deps
72 markdown agent definitions plus Python tools (yt-design-extractor) that download YouTube videos and run OCR. Makefile installs system tools. Core plugins are prompt-only but tools/ has real scripts.
713+ agentic skills in universal SKILL.md format that works across Claude Code, Gemini CLI, Codex, Cursor, and more
●Runs scripts✓No data sent●External calls✓No creds●Auto-updates●External deps
1,326+ markdown skill playbooks with built-in security scanning for high-risk patterns. Author states skills are "not safe by default." CI validation and automated review checks are positive mitigations.
Token-saving skill that makes Claude talk like a caveman, cutting 65-75% of output tokens while keeping full technical accuracy. Three intensity levels (lite, full, ultra) plus a companion markdown compressor
✓No code exec✓No data sent✓No network✓No creds✓No auto-update✓Self-contained
Pure prompt-based skill that modifies Claude's output style to reduce token usage. The core installed component is a single markdown file with no executable code, no network calls, and no dependencies. Optional companion tools (caveman-compress, benchmarks) are clearly separated and only run when explicitly invoked.
Route Claude Code requests to different LLM providers and models with plugin system
●Runs scripts✓No data sent●External calls●Reads creds✓No auto-update●External deps
API proxy routing Claude Code requests to alternative LLM providers. Custom JS transformer plugin system allows loading arbitrary JS files. Forces localhost binding when no API key is set.
Multi-agent orchestration spawning Claude/Codex/Gemini in tmux. Sends notifications to Telegram/Discord/Slack/OpenClaw webhooks. Writes to ~/.omc and ~/.claude.
·
git clone https://github.com/Yeachan-Heo/oh-my-claudecode && cd oh-my-claudecode && ./install.sh
Turns any folder of code, docs, papers, images, or videos into a queryable knowledge graph with AST-based extraction for 25 languages, LLM subagent semantic extraction, Leiden community detection, and interactive HTML visualization
Well-engineered knowledge graph skill with SSRF protection, sensitive file detection, and download size caps. Primary risk surface is the install command writing PreToolUse hooks and config files across multiple platform directories in the home folder, plus skill.md instructing LLMs to run pip install with --break-system-packages. Doc/paper/image content is sent to external LLM APIs for semantic extraction.
Kanban board with Rust backend. PostHog analytics present but defaults to disabled. SSH tunneling and Cloudflare/ngrok exposure can expose local project state to the network.
·
git clone https://github.com/BloopAI/vibe-kanban && cd vibe-kanban && npm install
Configuration framework with 30 slash commands, 16 agents, 7 behavioral modes, and 8 MCP server integrations
●Runs scripts✓No data sent●External calls✓No creds●Auto-updates●External deps
Meta-programming framework installing 30 slash commands and optional MCP servers into ~/.claude via pip/pipx. Deep research mode makes external web calls.
Multi-platform research skill accessing 8+ services with 10+ API keys. Vendored X/Twitter GraphQL client using cookie-based auth. Extensive credential surface.
Customizable status line display showing context, tokens, and session info
●Runs scripts✓No data sent✓No network✓No creds✓No auto-update●External deps
Statusline plugin parsing stdin JSON and transcript JSONL for context usage and tool activity display. Writes config to ~/.claude/plugins. No network calls.
Manus-style persistent markdown planning - the workflow behind the $2B acquisition
●Runs scripts✓No data sent✓No network✓No creds✓No auto-update✓Self-contained
Plugin creating markdown planning files in the project directory. Includes bash/PowerShell hook scripts for plan re-reading and completion verification. No network calls.
138 scientific skills across bioinformatics, cheminformatics, ML, and more
●Runs scripts✓No data sent●External calls✓No creds✓No auto-update✓Self-contained
170+ SKILL.md files for scientific disciplines referencing 250+ databases. Skills instruct Claude to query external scientific APIs. No bundled executables.
MCP server providing AI access to n8n documentation and workflow execution. Connects to n8n instances via API key. Sends workflow data to external n8n server.
Anthropic-managed directory of high quality Claude Code plugins
●Runs scripts✓No data sent●External calls●Reads creds✓No auto-update●External deps
Anthropic-maintained plugin directory with internal and vetted external plugins. Individual plugin security varies. Plugins may include MCP servers and agents.
Plugin implementing compound engineering where each unit of work makes future work easier - plan/work/review/compound cycles with worktree support
●Runs scripts✓No data sent✓No network✓No creds✓No auto-update●External deps
Plugin with brainstorm-plan-work-review-compound workflow cycle. Includes Bun/TS CLI for cross-tool conversion. Writes to multiple AI tool config dirs.
Python app with MCP integration for skill discovery, install, and management. Connects to external APIs and skill registries. Writes to ~/.claude and Docker containers.
·
git clone https://github.com/yusufkaraaslan/Skill_Seekers && cd Skill_Seekers && ./setup_mcp.sh
Multi-model MCP server routing prompts to Gemini, OpenAI, Grok, Azure, Ollama, and OpenRouter APIs. Reads API keys from .env. Sends code and conversation context to multiple external LLM providers.
Turn Claude Code into a full game dev studio with 48 AI agents and 36 workflows
●Runs scripts✓No data sent✓No network✓No creds✓No auto-update✓Self-contained
48 agent definitions in markdown with bash hooks for commit/push validation. Settings explicitly deny rm -rf, force push, and .env access. No network calls.
Reference library of production-tested infrastructure with auto-activating skills via hooks, modular skill patterns, and 10 specialized agents
●Runs scripts✓No data sent✓No network✓No creds✓No auto-update✓Self-contained
Reference library of hooks, skills, agents, and slash commands. Includes bash hook scripts for skill auto-activation and TypeScript checking. Project-scoped.
Autonomous dev loop with intelligent exit detection and rate limiting
●Runs scripts✓No data sent●External calls●Reads creds✓No auto-update●External deps
Autonomous development loop running Claude Code CLI repeatedly with rate limiting and circuit breaker. Reads API keys from env vars. 556 tests passing.
·
git clone https://github.com/frankbria/ralph-claude-code && cd ralph-claude-code && ./install.sh
Skills that turn any codebase into an interactive knowledge base
●Runs scripts✓No data sent✓No network✓No creds✓No auto-update●External deps
TypeScript monorepo with tree-sitter analysis, React dashboard, and multi-agent pipeline. Writes to .understand-anything/ in project directory. npm dependencies via pnpm.
Obsidian plugin embedding full Claude Code CLI. Executes arbitrary bash, supports MCP servers, sends content to Anthropic API. Has YOLO mode that auto-approves all tool calls. Includes command blocklist safety.
Highly customizable statusline for Claude Code CLI with widgets for tokens, git, context window, costs, and Powerline themes
●Runs scripts✓No data sent●External calls●Reads creds✓No auto-update●External deps
Terminal statusline widget reading Claude Code session files and making API calls to Anthropic for usage data. No telemetry. Read-heavy with minimal write surface.
GitHub Action for AI code review and implementation on PRs
✕Arbitrary code✓No data sent●External calls●Reads creds✓No auto-update●External deps
Official Anthropic GitHub Action running Claude Code on PRs. Requires API keys and GitHub tokens. Well-maintained (143 releases, 81 contributors). MIT licensed.
·
Add anthropics/claude-code-action to your GitHub workflow YAML
Manage multiple AI coding agents in isolated git workspaces
✕Arbitrary code✓No data sent●External calls●Reads creds✓No auto-update●External deps
Compiled Go binary managing multiple Claude Code agents in isolated git worktrees. Executes arbitrary commands via tmux/pty. No telemetry. AGPL-3.0 licensed.
MCP integration between AI agents (Cursor, Claude Code) and Figma for design-to-code
●Runs scripts✓No data sent✓Local only✓No creds●Auto-updates●External deps
MCP server communicating with Figma via local WebSocket on port 3055. Requires Figma plugin running locally. bunx @latest pulls newest version. No external network calls.
GEO-first SEO skill with comprehensive AI search optimization
●Runs scripts✓No data sent●External calls✓No creds✓No auto-update●External deps
Python scripts using requests, BeautifulSoup, and Playwright for SEO/GEO auditing. Fetches user-specified URLs only. Stores prospect data in ~/.geo-prospects/.
MCP server indexing codebase into Zilliz Cloud vector database using OpenAI embeddings. Requires OPENAI_API_KEY and MILVUS_TOKEN. Sends code chunks to external APIs.
Browser automation logging into Google NotebookLM via Patchright (anti-detection Playwright fork). Stores Google session cookies locally. Sends user queries to Google servers.
6 reusable skills and 2 agents for React, GraphQL, testing, and debugging with hooks and GitHub Actions automation
●Runs scripts✓No data sent●External calls●Reads creds✓No auto-update✓Self-contained
Skills + hooks with MCP integrations to 6 external services (Jira, GitHub, Linear, Sentry, Slack, Postgres). Reads multiple API tokens. Hook scripts run on every prompt.
Transforms vague requests into optimized prompts for 30+ AI platforms with auto-selected templates, clarifying questions, and token efficiency audits
✓No code exec✓No data sent✓No network✓No creds✓No auto-update✓Self-contained
Pure prompt instructions in a single SKILL.md. Detects target AI platform, extracts intent across 9 dimensions, routes to 12 prompt templates (RTF, CO-STAR, RISEN, etc.), and audits for 35 token-wasting patterns. No executable code, no network calls.
Universal SEO skill with 19 sub-skills, 12 subagents, and Google API integration - technical audits, content analysis, schema markup, AI search optimization, and PDF report generation
Comprehensive SEO toolkit with 21 Python scripts that make external API calls (Google Search Console, PageSpeed, GA4, Moz, Bing Webmaster, YouTube). Reads Google API credentials from env vars and config files. PostToolUse hook runs schema validation. Install script clones repo and installs pip packages. Powerful but requires trust in the author due to broad network and credential access.
·
git clone https://github.com/AgriciDaniel/claude-seo.git && cd claude-seo && bash install.sh
Principle-based UI design system that stores design decisions and component patterns for consistent interfaces across sessions
✓No code exec✓No data sent✓No network✓No creds✓No auto-update✓Self-contained
Pure Markdown prompt instructions — zero executable code. Stores design decisions in a project-local system.md file. Every file is human-readable and auditable in 15 minutes. Clean.
Warcraft III Peon voice notifications for Claude Code, Codex, and Gemini CLI
●Runs scripts✓No data sent✓Local only✓No creds✓No auto-update●External deps
Voice notification hooks playing sound files via system audio (afplay/paplay). Install writes hooks to ~/.claude/hooks/peon-ping/. No data sent externally.
734+ structured cybersecurity skills for AI agents with MITRE ATT&CK mapping
●Runs scripts✓No data sent✓No network✓No creds✓No auto-update✓Self-contained
753 structured SKILL.md files covering cybersecurity domains with MITRE ATT&CK mapping. Includes helper Python scripts for forensics. All skills are instructional markdown.
AI-powered semantic security analysis detecting OWASP Top 10 vulnerabilities, injection attacks, auth flaws, and data exposure in code changes
●Runs scripts✓No data sent●External calls●Reads creds✓No auto-update●External deps
Official Anthropic security review GitHub Action. Calls Claude API for semantic vulnerability analysis of PR diffs. Warns it is NOT hardened against prompt injection.
·
Built-in /security-review command, or copy security-review.md to .claude/commands/
Claude Code guide covering setup, commands, workflows, agents, skills and tips
✓No code exec✓No data sent✓No network✓No creds✓No auto-update✓Self-contained
Comprehensive reference documentation in a single large README.md. Command cheatsheets, configuration examples, and troubleshooting guides. No executable code.
Context management using hooks, ledgers, and isolated context windows
✕Arbitrary code✓No data sent●External calls●Reads creds✓No auto-update●External deps
Agent orchestration framework with Docker stack, PostgreSQL, 32 agents, 109 skills, and 30 hooks. Modifies home directory Claude config. High complexity surface.
·
git clone https://github.com/parcadei/Continuous-Claude-v3 && cd Continuous-Claude-v3 && ./install-global.sh
Video editing skill using FFmpeg and Volcano Engine speech-to-text. Uploads audio to uguu.se (public file host) for transcription. Sends user audio to two external services.
Real-time monitoring dashboard with 12 Python hooks sending lifecycle events to local Bun server. Data stays local (SQLite + WebSocket). Reads multiple API keys.
Catches destructive git and filesystem commands before they execute
●Runs scripts✓No data sent✓No network●Reads creds✓No auto-update●External deps
Defensive hook blocking destructive git/filesystem commands before execution. AST-based command parsing. Single runtime dependency. Very low risk — this is a protective tool.
AI image prompt generation with 1,246+ elements across portrait, design, and art domains - supports 200k+ style combinations
●Runs scripts✓No data sent✓No network✓No creds✓No auto-update✓Self-contained
Offline prompt generation with 1,246+ elements in local SQLite database. Python scripts query local DB and YAML configs. No network calls, no credentials.
Convert browser actions to MCP commands with visual recording and LLM-powered extraction
✕Arbitrary code✓No data sent●External calls●Reads creds✓No auto-update●External deps
Full browser automation platform with HTTP API, LLM integration, and MCP support. Executes arbitrary browser commands including form filling. High risk from combined scope.
IoT pentesting skills and custom tooling for hybrid hardware security testing
✕Arbitrary code✓No data sent●External calls●Reads creds✓No auto-update●External deps
Offensive IoT pentesting toolkit with network scanners, default credential wordlists, and UART automation. High risk by design — this is a security testing tool.
Go language skills with support for OpenAI and other LLMs as subagents
✕Arbitrary code✓No data sent●External calls●Reads creds✓No auto-update●External deps
Go-based skill runner with web UI executing arbitrary Python/shell code via built-in tools. Integrates with OpenAI/DeepSeek APIs. Downloads skills to ~/.goskills/.
