
SKILL.md Reference

Every skill needs a SKILL.md file with YAML frontmatter describing the skill and markdown content containing the instructions.

```markdown
---
name: code-reviewer
description: Expert code review with security and performance focus
---

# Code Review Guidelines

When reviewing code, analyze for:

1. **Security vulnerabilities** - Check for injection, XSS, auth issues
2. **Performance** - Look for N+1 queries, unnecessary allocations
3. **Maintainability** - Ensure code is readable and well-structured
```

```markdown
---
name: code-reviewer
description: Expert code review with security and performance focus

# Optional fields
license: MIT
compatibility: Claude Code only
allowed-tools: Read Grep Bash

# Discovery metadata (recommended)
metadata:
  version: 1.0.0
  category: development
  tags:
    - code-review
    - security
    - best-practices
  triggers:
    - "review this code"
    - "check for bugs"
    - "code review"
  surfaces:
    - claude-code
  author:
    name: Your Name
    url: https://github.com/yourname
---

# Code Review Guidelines

...skill instructions...
```

These fields are defined by the Agent Skills Specification:

| Field | Description |
| --- | --- |
| name | Skill identifier. Max 64 chars, lowercase letters, numbers, hyphens. Must match directory name. |
| description | What the skill does and when to use it. Max 1024 chars. |

| Field | Description |
| --- | --- |
| license | SPDX license identifier (e.g., MIT, Apache-2.0) |
| compatibility | Environment requirements (intended product, system packages, network access) |
| allowed-tools | Space-separated list of tools the skill can use (experimental) |
| metadata | Key-value mapping for additional properties |

These fields are used by mpak for discovery and publishing. They go inside the metadata section:

| Field | Description | Required for mpak? |
| --- | --- | --- |
| metadata.version | Semantic version (e.g., 1.0.0) | Yes |
| metadata.category | Category for filtering: development, writing, research, etc. | Recommended |
| metadata.tags | Array of tags for discovery | Recommended |
| metadata.triggers | Phrases that activate this skill | Recommended |
| metadata.surfaces | Where the skill runs: claude-code, chat, etc. | Optional |
| metadata.author.name | Author name | Optional |
| metadata.author.url | Author URL (GitHub, website) | Optional |

After the frontmatter, write the skill instructions in markdown:

```markdown
---
name: code-reviewer
description: ...
---

# Code Review Guidelines

## When to Use This Skill

Use this skill when the user asks you to review code, check for bugs,
or analyze code quality.

## Review Process

1. **Read the code** - Understand what it does
2. **Check for security issues** - SQL injection, XSS, etc.
3. **Check for performance** - N+1 queries, memory leaks
4. **Check for maintainability** - Naming, structure, complexity

## Common Issues to Flag

### Security

- Unsanitized user input
- Hardcoded credentials
- Missing authentication checks

### Performance

- Unnecessary database queries
- Large memory allocations
- Blocking operations in async code
```

Be specific about what the skill should do:

```
✓ Good:
"When reviewing code, always check for SQL injection by looking for
string concatenation in database queries."

✗ Vague:
"Check for security issues."
```

Show the agent what good output looks like:

````markdown
## Example Review

For this code:

```python
query = f"SELECT * FROM users WHERE id = {user_id}"
```

Flag as: **Security Issue - SQL Injection**
Suggest: Use parameterized queries instead.
````

Tell the agent when to use (and not use) the skill:

```markdown
## When to Use

- User asks to "review this code"
- User asks to "check for bugs"
- User asks about code quality

## When NOT to Use

- Writing new code (use a different skill)
- Explaining existing code (just explain normally)
```

If your skill needs specific tools, declare them:

```yaml
allowed-tools: Read Grep Bash
```

This tells the agent which tools are available when using this skill.

The skill-pack action validates your SKILL.md:

  • Required fields present
  • Name matches directory
  • Valid YAML syntax
  • Version format (if specified)

Run with fail-on-warning: true to catch issues early.
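
The checks listed above, combined with the field limits from the tables, can be reproduced locally. This is an added Ruby example, not the skill-pack action's own code; Ruby is used because its standard library includes a YAML parser. The names `validate_skill`, `NAME_RE` and `SEMVER_RE` are hypothetical, the semantic-version pattern is a simplified assumption, and the sample inputs are constructed.

```ruby
require 'yaml'

NAME_RE   = /\A[a-z0-9-]{1,64}\z/ # lowercase letters, numbers, hyphens; max 64
SEMVER_RE = /\A\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?\z/ # simplified

# Returns the list of problems in a SKILL.md text; empty means it passed.
# dir_name is the name of the directory that holds the file.
def validate_skill(text, dir_name)
  m = text.match(/\A---\r?\n(.*?)\r?\n---[ \t]*$/m)
  return ['missing YAML frontmatter'] unless m

  begin
    # safe_load builds only plain scalars, arrays and hashes, so a skill
    # pulled from a registry cannot instantiate arbitrary Ruby objects.
    fm = YAML.safe_load(m[1])
  rescue Psych::Exception => e
    return ["invalid YAML: #{e.message}"]
  end
  return ['frontmatter is not a mapping'] unless fm.is_a?(Hash)

  errors = []
  name = fm['name']
  if !name.is_a?(String)
    errors << 'name is required'
  else
    errors << 'name must be 1-64 chars of a-z, 0-9 and hyphen' unless NAME_RE.match?(name)
    errors << "name does not match directory #{dir_name.inspect}" unless name == dir_name
  end

  desc = fm['description']
  if !desc.is_a?(String) || desc.strip.empty?
    errors << 'description is required'
  elsif desc.length > 1024
    errors << 'description exceeds 1024 chars'
  end

  meta = fm['metadata']
  version = meta['version'] if meta.is_a?(Hash)
  # An unquoted "1.0" is parsed by YAML as a float, so compare its string form.
  unless version.nil? || SEMVER_RE.match?(version.to_s)
    errors << "metadata.version #{version.inspect} is not a semantic version"
  end
  errors
end

# Constructed sample inputs (not from the page).
GOOD = "---\nname: code-reviewer\ndescription: Expert code review\nmetadata:\n  version: 1.0.0\n---\n# Guidelines\n"
BAD  = "---\nname: Code_Reviewer\nmetadata:\n  version: 1.0\n---\n# Guidelines\n"

puts validate_skill(GOOD, 'code-reviewer').inspect
puts validate_skill(BAD, 'code-reviewer')
```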