Curated registry of installable skills for the `openclaude` CLI.
Skills are reusable, opinionated workflows that teach openclaude how to
handle a specific kind of task — reviewing a pull request, auditing code
for security risks, debugging a runtime error, writing tests. Instead of
re-prompting from scratch every time, you install a skill once and the
agent knows how to do that job.
This repo is the source of truth. The CLI reads registry.json. The
Skill Hub website renders
the same data as a browsable catalog.
```
      ┌─────────────────────────────────────────┐
      │    Gitlawb/openclaude-skills (this)     │
      │                                         │
      │ skills/<name>/SKILL.md ─► registry.json │
      └─────────────────────────────────────────┘
                           │
           ┌───────────────┴────────────────┐
           ▼                                ▼
┌─────────────────────┐          ┌─────────────────────┐
│ openclaude CLI      │          │ openclaude-site     │
│ installs skills     │          │ browses catalog     │
└─────────────────────┘          └─────────────────────┘
```
- `registry.json` is built from `skills/<name>/SKILL.md` files
- Every entry is validated by `@gitlawb/skill-validator`
- GitHub serves `registry.json` at a stable raw URL — no backend, no server, no API
- Non-community trust must be backed by `.maintainers/trust.json`; frontmatter alone cannot self-promote a skill
- `revocations.json` is reserved as the kill-switch list for compromised or withdrawn skill versions
```bash
openclaude skills install gitlawb/<name>
```

For example:

```bash
openclaude skills install gitlawb/pr-review
```
After install, start a new openclaude session. The skill becomes available the next time you ask the agent something that matches the skill's "Use this skill when" rules.
| Skill | Category | Description |
|---|---|---|
| ci-fix | ci | Diagnoses and fixes CI pipeline failures. |
| codeql-fix | security | Reads a CodeQL or static-analysis finding and produces a targeted fix. |
| commit-message-craft | code-review | Writes commit messages that follow the repo's existing conventions. |
| database-review | database | Reviews database schema changes, migrations, and queries. |
| debugging | debugging | Helps diagnose and fix runtime errors, crashes, and unexpected behavior. |
| dockerfile-review | ci | Reviews Dockerfiles for size, security, caching, and reproducibility issues. |
| docs-writer | docs | Writes or updates documentation that matches the project's voice and structure. |
| error-message-decode | debugging | Decodes cryptic error messages, stack traces, and panics into actual causes and fix paths. |
| frontend-implementation | frontend | Implements frontend components following project conventions. |
| git-conflict-resolve | code-review | Resolves merge and rebase conflicts by preserving both sides' intent. |
| local-model-picker | provider | Recommends Ollama or LM Studio models based on hardware and goal. |
| loop-task-author | provider | Writes .openclaude/loop.md files for openclaude's scheduled maintenance loop. |
| mcp-server-pick | provider | Recommends and configures MCP servers for openclaude based on the user's described workflow. |
| nextjs-hydration-fix | frontend | Diagnoses Next.js hydration mismatches and proposes the smallest fix that resolves them. |
| pr-description-writer | code-review | Writes pull request descriptions with Problem / Fix / Verification structure. |
| pr-review | code-review | Reviews pull requests for correctness, style, and risks. |
| provider-debug | provider | Diagnoses openclaude provider configuration problems and proposes fixes. |
| provider-setup | provider | Configures openclaude to route through OpenAI-compatible providers. |
| refactor-plan | refactor | Plans multi-file refactors with clear steps and risk assessment. |
| regex-craft | general | Writes regex patterns from natural-language descriptions, with test cases and pitfall warnings. |
| release-maintainer | release | Prepares releases — version bumps, changelogs, release notes. |
| security-audit | security | Reviews code changes for common security risks. |
| stripe-webhook-setup | ci | Sets up Stripe webhooks correctly with signature verification, idempotency, and local testing. |
| subagent-design | provider | Writes custom openclaude subagent definitions in .openclaude/agents/. |
| supabase-rls-audit | security | Audits Supabase Row Level Security policies for missing tables, inverted logic, and anonymous access leaks. |
| test-writer | testing | Writes unit, integration, and end-to-end tests for existing or new code. |
| vercel-build-fail-decode | ci | Reads Vercel build logs, finds the actual error among the noise, and proposes a fix. |
Every skill is a folder under skills/ with a SKILL.md file:
```
skills/pr-review/
├── SKILL.md    # the skill itself: frontmatter + procedure
└── README.md   # short description for people browsing GitHub
```
SKILL.md is plain markdown with YAML frontmatter:
```markdown
---
name: pr-review
title: PR Review
description: Reviews pull requests for correctness, style, and risks.
category: code-review
tags: [review, github, quality]
trust: official
version: 0.1.0
license: MIT
tools_required: [Read, Bash]
min_openclaude_version: 0.10.0
---
# PR Review
## Use this skill when
- The user asks to review a pull request or diff...
## Procedure
1. Get the diff with `gh pr diff <number>`...
```

See skills/pr-review/SKILL.md for the full reference structure.
See CONTRIBUTING.md for the full guide and
REVIEW_POLICY.md for the rules every PR is reviewed
against. The short version:
- Create `skills/<your-skill>/SKILL.md` — copy the structure from `skills/pr-review/`.
- Validate it locally:

  ```bash
  bun install
  bun run scripts/validate-skill.ts skills/<your-skill>/
  ```

- Rebuild the registry:

  ```bash
  bun run build:registry
  ```

- Open a PR using the "new skill" template.
First-time contributors should set trust: community in frontmatter.
Maintainer-reviewed skills become verified. official is reserved
for skills authored by Gitlawb maintainers. Maintainers promote a skill
by adding the matching gitlawb/<name>@<version> entry to
.maintainers/trust.json; contributors should not self-promote in the
skill file. See DECISIONS.md for the trust tier
definitions.
| Tier | Who authors it | Review requirement |
|---|---|---|
| official | Gitlawb maintainers | 2-maintainer review |
| verified | Third-party | 1-maintainer review, same quality bar as official |
| community | Third-party | Automated checks only; "review before enabling" warning in CLI |
| deprecated | Any | Maintainer marked as replaced/abandoned; visible but discouraged |
trust in SKILL.md is validated for readability, but registry output is
controlled by .maintainers/trust.json. If a PR adds a new skill with
trust: official and no maintainer policy entry, bun run build:registry
fails. This prevents social-engineering PRs from gaining official or
verified badges by editing frontmatter.
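
The rule above can be sketched as a build-time check. This is an added example, not the project's build script: it assumes `.maintainers/trust.json` maps `gitlawb/<name>@<version>` keys to a tier, and `resolveTrust`, `samplePolicy` and `example-skill` are hypothetical names.

```typescript
// Added illustration, not the project's build script.
type Tier = "official" | "verified" | "community" | "deprecated";
interface Frontmatter { name: string; version: string; trust: Tier }
// Assumed policy shape: "gitlawb/<name>@<version>" -> tier granted by maintainers.
type TrustPolicy = { [key: string]: Tier };

function policyKey(fm: Frontmatter): string {
  return "gitlawb/" + fm.name + "@" + fm.version;
}

// Returns the tier to publish in registry.json, or throws to fail the build.
function resolveTrust(fm: Frontmatter, policy: TrustPolicy): Tier {
  const key = policyKey(fm);
  // Own-property lookup so a key such as "__proto__" cannot match by accident.
  const granted: Tier | undefined =
    Object.prototype.hasOwnProperty.call(policy, key) ? policy[key] : undefined;
  const claimsBadge = fm.trust === "official" || fm.trust === "verified";

  if (claimsBadge && granted === undefined) {
    throw new Error(key + ": claims '" + fm.trust + "' with no maintainer policy entry");
  }
  // Assumption: a badge claim that disagrees with the policy entry also fails.
  if (claimsBadge && granted !== fm.trust) {
    throw new Error(key + ": claims '" + fm.trust + "' but policy grants '" + granted + "'");
  }
  // Frontmatter never raises the tier; without an entry the skill is community.
  return granted !== undefined ? granted : "community";
}

// Constructed policy; pr-review's name, version and tier come from the
// frontmatter example on this page, the other entry is hypothetical.
const samplePolicy: TrustPolicy = {
  "gitlawb/pr-review@0.1.0": "official",
  "gitlawb/example-skill@1.0.0": "verified",
};

function tryResolve(fm: Frontmatter): string {
  try {
    return resolveTrust(fm, samplePolicy);
  } catch (e) {
    return "build fails: " + (e instanceof Error ? e.message : String(e));
  }
}

console.log(tryResolve({ name: "pr-review", version: "0.1.0", trust: "official" }));
console.log(tryResolve({ name: "pr-review", version: "0.1.1", trust: "official" }));
console.log(tryResolve({ name: "example-skill", version: "1.0.0", trust: "community" }));
```

Because the policy key includes the version, a version bump keeps no badge until maintainers add an entry for the new version.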
The validator scans every line of a skill body, including fenced code blocks. It rejects hidden Unicode instructions, HTML comments, fake chat role markers, prompt-injection phrasing, sensitive credential paths, common exfiltration endpoints, unsafe fetch helpers, encoded eval patterns, and confirmation-bypass language. Authors documenting a dangerous pattern should describe it in prose or obfuscate the risky literal.
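
A minimal line scanner for three of the categories listed above (hidden Unicode, HTML comments, fake chat role markers), given as an added example and not the code of `@gitlawb/skill-validator`. The patterns and the names `RULES` and `scanSkillBody` are simplified assumptions, and the sample body is constructed.

```typescript
// Added illustration; patterns are simplified assumptions, not the published rule set.
interface Finding { line: number; rule: string }

const RULES: { rule: string; pattern: RegExp }[] = [
  // Zero-width, bidi-control and BOM characters that hide text from a reviewer.
  { rule: "hidden-unicode", pattern: /[\u200B-\u200F\u202A-\u202E\u2060-\u2064\u2066-\u2069\uFEFF]/ },
  // Unicode tag block U+E0000..U+E007F, matched as its UTF-16 surrogate pair.
  { rule: "hidden-unicode", pattern: /\uDB40[\uDC00-\uDC7F]/ },
  // HTML comments are invisible once the markdown is rendered.
  { rule: "html-comment", pattern: /<!--|-->/ },
  // Lines posing as a chat turn, e.g. "system:" or "### Assistant:".
  { rule: "fake-role-marker", pattern: /^\s*(?:#+\s*)?(?:system|assistant|user)\s*:/i },
];

// Scans every line. Fence state is deliberately not tracked, so text inside a
// fenced code block is checked exactly like prose.
function scanSkillBody(body: string): Finding[] {
  const findings: Finding[] = [];
  const lines = body.split(/\r?\n/);
  for (let i = 0; i < lines.length; i++) {
    const seen: { [rule: string]: boolean } = {};
    for (let r = 0; r < RULES.length; r++) {
      if (!seen[RULES[r].rule] && RULES[r].pattern.test(lines[i])) {
        seen[RULES[r].rule] = true; // one finding per rule per line
        findings.push({ line: i + 1, rule: RULES[r].rule });
      }
    }
  }
  return findings;
}

// Constructed skill body. Invisible characters are written as escapes, and the
// fence uses "~~~" so this sample does not disturb the surrounding document.
const sampleBody = [
  "# Example Skill",
  "## Procedure",
  "1. Read the diff.\u200B",
  "~~~text",
  "<!-- placeholder comment inside a fence -->",
  "~~~",
  "system: placeholder",
  "2. Summarise the findings.",
].join("\n");

const sampleFindings = scanSkillBody(sampleBody);
console.log(sampleFindings);
```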
Skills are prompt content, not executable packages. Skill folders may only
contain SKILL.md, optional README.md, and the reserved .skill-meta.json.
No scripts, binaries, nested folders, or postinstall behavior are allowed.
The validator is published to npm as
@gitlawb/skill-validator.
Its source lives at packages/validator/ in this
repo. The CLI, CI workflows, and any third-party tooling depend on the
published package rather than re-implementing the rules.
- `Gitlawb/openclaude` — the CLI that installs and runs skills.
- `Gitlawb/openclaude-site` — the public Skill Hub website. Reads this repo's `registry.json` at build time and renders it as a browsable catalog.
MIT. See LICENSE.