Agent Skills: The 'App Store' for AI Coding Tools, but the Market is Getting Crowded

2026-03-16 | ProductHunt | Official Site

Screenshot Breakdown: The agentskill.sh landing page features a dark background and a pixel-art cursor logo. The core selling point is clear: a directory of 110,000+ skills covering Claude, Cursor, Copilot, and more, with installation handled by a single /learn command. The design style is geek-oriented, targeting the developer community.

30-Second Verdict

What is this?: A search engine for finding "skill sets" for AI coding assistants (Claude Code, Cursor, Copilot, etc.). Your AI Agent doesn't know SEO? Install a skill, and now it does. Can't write cold emails? There's a skill for that too. agentskill.sh helps you find reliable skills from a pool of 110,000+, providing security scans to ensure you don't install malicious code.

Is it worth your time?: The track is right, but the product itself lacks presence. It only has 2 votes on PH, and the space is already occupied by strong competitors like Vercel's skills.sh (with Snyk+Socket security backing) and SkillsMP (500K+ skills). It's a useful reference for understanding the Agent Skills ecosystem, but this specific product isn't the category winner.

Three Key Questions

Is it for me?

Target Audience: Developers who use Claude Code, Cursor, or Copilot daily.

Do I fit? You are the target user if:

• You use Claude Code or Cursor but feel the AI isn't professional enough in certain areas (testing, deployment, SEO, copywriting, etc.).
• You want your AI Agent to "self-evolve" and automatically acquire new capabilities.
• You're worried about security risks when installing random SKILL.md files from GitHub.

When would I use it?:

• Setting up a new project → Use /learn to find tech-stack-related skills (Next.js, Prisma, Stripe, etc.).
• When you want the Agent to do non-coding tasks → Find skills for SEO, content creation, or legal compliance.
• When NOT to use it → You already have your own custom skills, or you prefer Vercel's skills.sh.

Is it useful?

ROI Judgment: If you're constantly looking for skills, it's worth 5 minutes to try it out. However, Vercel's skills.sh has stronger security partners (Snyk, Socket), and npx skills add is just as simple. Both are free, so why not try both?

What's to love?

The Highlights:

• Auto-Recommendations: Run /learn without parameters, and it scans your package.json and git branch to recommend relevant skills. On a feat/stripe-checkout branch? It'll suggest Stripe skills.
• Security Score: Every skill has a 0-100 security rating. Anything below 30 requires manual confirmation to install, helping you avoid traps.

Real User Feedback:

"Security scanning is the real differentiator; a 20% malicious rate is crazy but not surprising." — ProductHunt Comment

"Discovering good skills feels like searching GitHub back in 2010." — ProductHunt Comment

"Over $100,000 spent now on Claw Mart. Agents selling skills & personas is a serious business." — @nateliason (176 likes)

For Indie Developers

Tech Stack

• Core Format: SKILL.md (Released by Anthropic in Oct 2025, opened as an industry standard in Dec).
• Security Layer: Two-tier scanning — server-side 12-category threat detection + client-side local verification.
• Version Management: Content SHA version locking; the Agent prompts you when updates are available.
• Installation: Claude Code Plugin or git clone to ~/.claude/skills/learn/.

Core Implementation

agentskill.sh is essentially a skills aggregation engine + security scanning service. The backend crawls SKILL.md files on GitHub, extracts YAML frontmatter (name, description, compatibility, etc.), and indexes them. The security layer performs 12 types of static analysis (command injection, data exfiltration, credential harvesting, etc.) to provide a 0-100 score. The frontend is a directory website. The /learn command itself is installed as an Agent Skill in your coding tool, handling search, installation, and version tracking.

The SKILL.md standard is simple: a directory contains a SKILL.md file with YAML frontmatter for metadata and instructions below. The Agent only loads metadata (approx. 100 tokens/skill) at startup, loading the full text only when needed (progressive disclosure).

Open Source Status

• SKILL.md Standard: Fully open source, led by Anthropic — github.com/anthropics/skills
• /learn Command: Open source — github.com/agentskill-sh/learn
• agentskill.sh Website: Closed source
• Security Scanner (Competitor): Cisco AI Defense Skill Scanner is open source — github.com/cisco-ai-defense/skill-scanner
• Build Difficulty: Medium. Aggregating SKILL.md isn't hard (GitHub crawling), and while security scanning is the key differentiator, Cisco already provides an open-source solution. An MVP could likely be built by one person in 2-3 weeks.

Business Model

• Current: Completely free.
• Monetization: Unclear. Potential directions: certified authors, enterprise security SaaS, premium skills marketplace.
• Reference: Vercel's skills.sh is also free, tied to their own ecosystem.

Giant Risk

Extremely High. Vercel has already launched skills.sh and partnered with Snyk and Socket for security. Anthropic has an official skills repo. GitHub Copilot has built-in skills support. OpenAI's Codex also supports them natively. For an independent product, competing with these giants in the "skills discovery" space is incredibly difficult.

For Product Managers

Pain Point Analysis

• Core Pain Point: As the Agent Skills ecosystem explodes, good skills are scattered across thousands of GitHub repos, making searching and comparing them extremely difficult.
• Security Pain Point: The Jan 2026 ClawHub incident — 20% of the skills in the OpenClaw marketplace were malicious, containing prompt injections, credential theft, and reverse shells.
• Severity: High-frequency essential need. 85% of developers are already using AI coding assistants; skills are the standard way to boost Agent capabilities.

User Persona

• Primary User: Full-stack developers using Claude Code / Cursor / Copilot daily.
• Secondary User: DevOps engineers, tech bloggers, indie hackers.
• Usage Scenario: Finding skills during new project setup → Searching when an Agent feels inadequate → Standardizing skill configs for a team.

Feature Breakdown

Competitive Differentiation

Key Takeaways

1. "/learn without parameters" for auto-recommendations: Scanning project files to suggest skills is a very smart interaction design.
2. Dual-layer security model: Centralized server scanning + local client verification is a solid reference model.
3. Security Score (0-100) + 30-point threshold: Quantifying security risk lowers the user's cognitive load.

For Tech Bloggers

Founder Story

• Founder: Identity undisclosed. No public members in the agentskill-sh GitHub org.
• Background: Just launched on ProductHunt, very early stage, minimal team info.
• Origin: Emerged from the Agent Skills ecosystem boom (Q4 2025 - Q1 2026).

Controversies / Discussion Angles

• The "npm moment" for Agent Skills: The ClawHub incident proves the skills ecosystem is facing supply chain attacks similar to early npm. A 20% malicious rate, 1,184 malicious skills, Atomic Stealer stealing crypto and SSH credentials — this isn't hypothetical; it happened.
• "Who audits the auditors?": Security scanning itself is a skill. What if the scanning tool is compromised?
• Are Skills the "New Plugin War"?: ChatGPT Plugins failed in 2023. Will Agent Skills follow suit or find a different path?
• Memory Poisoning: The scariest part of the ClawHub attack was targeting OpenClaw's persistent memory files (SOUL.md, MEMORY.md), turning a one-time attack into a permanent backdoor.

Traction Data

• PH Ranking: Only 2 votes, almost no heat.
• Ecosystem Heat: SKILL.md spec repo has 13.1K stars; awesome-agent-skills has 22K+ stars.
• Industry Heat: Anthropic, OpenAI, Microsoft, Vercel, Snyk, and Cisco have all entered the fray.
• Search Trends: Agent Skills-related searches are rising steadily in Q1 2026.

Content Suggestions

• Best Angle: Don't just write about agentskill.sh (it's too small); write about the full Agent Skills ecosystem — from the birth of the standard to the security crisis and the competitive landscape.
• Riding the Hype: The ClawHub security incident is a perfect hook: "Your AI Agent might have already been poisoned."

For Early Adopters

Pricing Analysis

Quick Start Guide

• Setup Time: 5 minutes.
• Learning Curve: Very low.
• Steps:
  1. Ensure Claude Code >= 1.0.33.
  2. In Claude Code, run: /plugin marketplace add https://agentskill.sh/marketplace.json.
  3. Install /learn: /plugin install learn@agentskill-sh.
  4. Search with /learn nextjs → Select → Installation complete.
  5. Or simpler: /learn (no parameters for auto-recommendations).

Pitfalls and Gripes

1. Security scanning isn't a silver bullet: 12-category detection has limited coverage; complex prompt injections can bypass it. Manual audits are still needed for critical skills.
2. Inconsistent skill quality: Many of the 110K+ skills are low-quality or outdated; use your judgment.
3. Anonymous founders: For a tool handling security scans, team transparency is vital for trust.

Security and Privacy

• Data Storage: Skills are stored locally (e.g., ~/.claude/skills/).
• Security Scanning: Server-side scanning means agentskill.sh can see what you install.
• Privacy Policy: No clear privacy policy found.
• Security Audit: No third-party audits (unlike Vercel's skills.sh, which is backed by Snyk and Socket).

Alternatives

For Investors

Market Analysis

• AI Coding Tools: $7.4B-$34.6B by 2026 (varying sources), $24B-$91B by 2030, CAGR 17-27%.
• AI Agents: $10.9B by 2026, $183B by 2033, CAGR 49.6%.
• Drivers: 85% of developers use AI assistants; Gartner predicts 40% of enterprise apps will include AI Agents by late 2026.

Competitive Landscape

Timing Analysis

• Why now?: Anthropic opened the standard in Dec 2025 → ClawHub security incident in Jan 2026 → Explosion in demand for security + discovery.
• Tech Maturity: The SKILL.md standard is adopted by all major platforms; infrastructure is ready.
• Market Readiness: High. But the window is short, and Vercel is already leading.

Team Background

• Founders: Undisclosed.
• Core Team: Unknown.
• Track Record: Unknown.
• Risk: Extremely low transparency is a major red flag for a security tool.

Funding Status

• Raised: Unknown.
• AI Agent Sector Overall: $3.8B raised in 2024, nearly 3x year-over-year growth.

Conclusion

Agent Skills is one of the hottest AI developer ecosystems of 2026, but agentskill.sh specifically is not the category winner. Vercel's skills.sh has stronger security partners and brand backing, while SkillsMP offers a larger directory. agentskill.sh's "/learn auto-recommendation" and "In-Agent loop" are good differentiators, but it lags significantly in team transparency and industry partnerships.

If you're interested in the Agent Skills ecosystem, the focus shouldn't be on a specific marketplace, but on the SKILL.md standard itself. Learning to write skills and building an internal skills library for your team is more valuable than relying on any third-party directory.

Resource Links

2026-03-16 | Trend-Tracker v7.3