feat(skills): add 5 skills from vercel-labs/agent-skills#589
Merged
…skills Pin to commit ce3e64e468f8fa09a2d075d102771838061fdac0 (main as of 2026-04-30) at dockyard version 0.1.0. Upstream SKILL.md frontmatter declares license: MIT. React composition patterns that scale — compound components, lifted state, internal composition — for avoiding boolean prop proliferation. Verified locally via `dockhand validate-skill` (Status: VALID, 14 files).
…skills Pin to commit ce3e64e468f8fa09a2d075d102771838061fdac0 (main as of 2026-04-30) at dockyard version 0.1.0. Upstream SKILL.md frontmatter declares license: MIT. React and Next.js performance optimization guidelines from Vercel Engineering (70 rules across 8 categories, prioritized by impact). Verified locally via `dockhand validate-skill` (Status: VALID, 76 files).
…kills Pin to commit ce3e64e468f8fa09a2d075d102771838061fdac0 (main as of 2026-04-30) at dockyard version 0.1.0. Upstream SKILL.md frontmatter declares license: MIT. React Native and Expo best practices for performant mobile apps — 16 rules across 7 sections (performance, layout, animation, images, state, architecture, platform). Verified locally via `dockhand validate-skill` (Status: VALID, 42 files).
…t-skills Pin to commit ce3e64e468f8fa09a2d075d102771838061fdac0 (main as of 2026-04-30) at dockyard version 0.1.0. Upstream SKILL.md frontmatter declares license: MIT. Implement smooth, native-feeling animations with React's View Transition API (`<ViewTransition>`, `addTransitionType`, CSS view transition pseudo-elements, Next.js integration). Verified locally via `dockhand validate-skill` (Status: VALID, 8 files).
Pin to commit ce3e64e468f8fa09a2d075d102771838061fdac0 (main as of 2026-04-30) at dockyard version 0.1.0. Deploy applications and websites to Vercel — preview by default, with a path to a long-term git-push deploy setup. Allowlists MANIFEST_MISSING_LICENSE because vercel-labs/agent-skills declares MIT in README.md but does not include a LICENSE file at the repository root, and this skill's SKILL.md frontmatter does not embed an SPDX license identifier. Verified locally via `dockhand validate-skill` (Status: VALID, 4 files).
Pin to commit ce3e64e468f8fa09a2d075d102771838061fdac0 (main as of 2026-04-30) at dockyard version 0.1.0. Deploy and manage Vercel projects via the CLI using token-based auth instead of `vercel login`. Allowlists MANIFEST_MISSING_LICENSE because vercel-labs/agent-skills declares MIT in README.md but does not include a LICENSE file at the repository root, and this skill's SKILL.md frontmatter does not embed an SPDX license identifier. Verified locally via `dockhand validate-skill` (Status: VALID, 1 file).
Pin to commit ce3e64e468f8fa09a2d075d102771838061fdac0 (main as of 2026-04-30) at dockyard version 0.1.0. Review UI code for Web Interface Guidelines compliance — accessibility, focus states, forms, animation, typography, images, performance, navigation/state, dark mode, touch interaction, and i18n. Allowlists MANIFEST_MISSING_LICENSE because vercel-labs/agent-skills declares MIT in README.md but does not include a LICENSE file at the repository root, and this skill's SKILL.md frontmatter does not embed an SPDX license identifier. Verified locally via `dockhand validate-skill` (Status: VALID, 1 file).
🛡️ Skill Security Scan Results

✅ vercel-cli-with-tokens
✅ vercel-composition-patterns
✅ vercel-react-best-practices
✅ vercel-react-native-skills
✅ vercel-react-view-transitions

Summary: Scanned 5 skill(s), all passed security checks. ✅
…ercel-labs set

CI's skill-security-scan surfaced blocking findings on two of the seven specs that are structural rather than allowlistable false positives:

- deploy-to-vercel: upstream ships an Archive.zip that contains executable scripts (deploy.sh, deploy-codex.sh) plus macOS resource-fork metadata (__MACOSX/._*.sh). Triggers HIDDEN_EXECUTABLE_SCRIPT (x2), ARCHIVE_CONTAINS_EXECUTABLE (x2), and LOW_ANALYZABILITY because 5/11 files are opaque to the scanner.
- web-design-guidelines: upstream SKILL.md delegates its rules to https://raw.githubusercontent.com/vercel-labs/web-interface-guidelines/main/command.md via WebFetch, with no version pin and no allowed-tools declaration. Triggers LLM_PROMPT_INJECTION (CRITICAL), LLM_SUPPLY_CHAIN_ATTACK, and LLM_UNAUTHORIZED_TOOL_USE.

Drop both rather than allowlist findings that flag genuine supply-chain risk; revisit if upstream removes the bundled archive (deploy-to-vercel) and pins the fetched URL with WebFetch scoped via allowed-tools (web-design-guidelines).
JAORMX approved these changes on Apr 30, 2026
Summary
Add packaging specs for 5 of the 7 skills shipped by vercel-labs/agent-skills (MIT-licensed via `README.md`), pinned to commit `ce3e64e468f8fa09a2d075d102771838061fdac0` (`main` as of 2026-04-30) at dockyard version `0.1.0`. Each spec follows the existing `mattpocock/skills` template (e.g. `skills/tdd/spec.yaml`).

Skills added

- `vercel-composition-patterns`, `vercel-react-best-practices`, `vercel-react-native-skills`, `vercel-react-view-transitions`
- `vercel-cli-with-tokens`

Skill names match the `name:` field in each upstream `SKILL.md` frontmatter to avoid ambiguity in the agent's skill list and to mirror what Vercel publishes.

Skills intentionally excluded

CI's `skill-security-scan` surfaced structural (non-allowlistable) blocking findings on two upstream skills, dropped in a follow-up commit:

- `deploy-to-vercel`: upstream ships an `Archive.zip` containing executable scripts (`deploy.sh`, `deploy-codex.sh`) plus macOS resource-fork metadata. Triggers `HIDDEN_EXECUTABLE_SCRIPT`, `ARCHIVE_CONTAINS_EXECUTABLE`, `LOW_ANALYZABILITY`.
- `web-design-guidelines`: upstream `SKILL.md` delegates rules to a `main`-branch GitHub raw URL via `WebFetch` with no version pin and no `allowed-tools`. Triggers `LLM_PROMPT_INJECTION` (CRITICAL), `LLM_SUPPLY_CHAIN_ATTACK`, `LLM_UNAUTHORIZED_TOOL_USE`.

Both can be revisited once upstream removes the bundled archive and pins/scopes the fetched URL respectively.

The upstream `README.md` also references `vercel-deploy-claimable` and `react-native-guidelines`, but those folders don't actually exist at this commit (the README is slightly stale). The functional replacement for the latter — `react-native-skills` — is included.

Allowlist

`vercel-labs/agent-skills` declares MIT in `README.md` but does not ship a `LICENSE` file at the repository root. Four of the five remaining skills (`vercel-composition-patterns`, `vercel-react-best-practices`, `vercel-react-native-skills`, `vercel-react-view-transitions`) embed `license: MIT` directly in their `SKILL.md` frontmatter, so they ship without an allowlist entry. `vercel-cli-with-tokens` allowlists `MANIFEST_MISSING_LICENSE` with a rationale that's explicit about the missing root `LICENSE` file.

Test plan

- `dockhand validate-skill --config skills/<name>/spec.yaml` for all 5 retained specs (`Status: VALID` across the board, file counts match upstream).
- `skill-security-scan` passes on the 5 retained specs (4 clean, 1 with allowlisted `MANIFEST_MISSING_LICENSE`).
- `validate-skills` matrix passes for the 5 retained configs.
- `build-skill-artifacts` (dry-run on PR) succeeds.

Made with Cursor
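
The two structural problems named in the follow-up commit and in the PR description (scripts bundled inside an archive, and a raw GitHub URL fetched from a branch rather than a commit) can each be checked mechanically before a skill is packaged. The sketch below is an added example, not code from this PR, from dockhand, or from `skill-security-scan`; the function names, the script-extension list, the sample archive and the placeholder pinned URL are assumptions constructed for illustration.

```python
import io
import re
import zipfile

# raw.githubusercontent.com/<owner>/<repo>/<ref>/<path>; group 1 is <ref>.
RAW_URL = re.compile(r"https://raw\.githubusercontent\.com/[^/\s]+/[^/\s]+/([^/\s]+)/[^\s)>]+")
FULL_SHA = re.compile(r"[0-9a-f]{40}")
SCRIPT_EXTS = (".sh", ".bash", ".command", ".ps1", ".py")  # assumed list


def unpinned_raw_urls(skill_md: str) -> list[str]:
    """Raw GitHub URLs whose ref is a branch or tag, not a full commit SHA."""
    return [m.group(0) for m in RAW_URL.finditer(skill_md)
            if not FULL_SHA.fullmatch(m.group(1))]


def archive_findings(zip_bytes: bytes) -> dict[str, list[str]]:
    """Script entries and macOS resource-fork entries inside a zip archive."""
    scripts, forks = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if info.is_dir():
                continue
            if name.startswith("__MACOSX/") or name.rsplit("/", 1)[-1].startswith("._"):
                forks.append(name)
            elif name.lower().endswith(SCRIPT_EXTS) or (info.external_attr >> 16) & 0o111:
                scripts.append(name)  # script extension or Unix execute bit
    return {"scripts": scripts, "resource_forks": forks}


def build_sample_zip() -> bytes:
    """Constructed archive mirroring the layout described in the PR."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("deploy.sh", "#!/bin/sh\necho constructed sample\n")
        zf.writestr("__MACOSX/._deploy.sh", b"\x00\x05\x16\x07")
        zf.writestr("README.md", "constructed sample")
    return buf.getvalue()


# Constructed SKILL.md text: the first URL is the one quoted in the PR; the
# second uses a placeholder 40-hex ref to show what a pinned URL looks like.
SAMPLE_SKILL_MD = (
    "Fetch https://raw.githubusercontent.com/vercel-labs/web-interface-guidelines/main/command.md\n"
    "Fetch https://raw.githubusercontent.com/example-org/example-repo/" + "0" * 40 + "/command.md\n"
)

if __name__ == "__main__":
    print(unpinned_raw_urls(SAMPLE_SKILL_MD))
    print(archive_findings(build_sample_zip()))
```

Tags are treated as unpinned here because they can be moved after publication; only a full commit SHA fixes the fetched content.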