Addy Osmani Agent Skills
Addy Osmani's production-grade Agent Skills pack for AI coding agents, with lifecycle slash commands, engineering workflow skills, review personas, quality gates, and cross-agent setup guidance for Claude Code, Cursor, Gemini CLI, Antigravity CLI, OpenCode, GitHub Copilot, and other agents.
Open the source and read safety notes before installing.
Safety notes
- The slash commands are designed to guide real coding, testing, reviewing, committing, and shipping work; keep edits, commits, pushes, CI changes, and deploys behind the host's normal approval controls.
- `/build auto` is explicitly intended to generate a plan and implement multiple tasks in one approved pass. Use it on bounded specs, review the generated plan first, and stop on test failures or risky changes.
- The skills encode durable engineering workflows, not guaranteed-current framework APIs. Follow the source-driven-development guidance and verify current documentation before applying generated code.
- Security, CI/CD, observability, migration, and launch skills can touch production-sensitive systems. Require dry-run plans, rollback notes, and environment scoping before approving operational commands.
- Review personas and quality gates are useful second opinions, but they do not replace maintainer review, domain-specific tests, threat modeling, or release sign-off.
Privacy notes
- Using the pack with an AI agent can expose repository code, product requirements, architecture notes, tests, CI logs, deployment settings, incidents, security findings, and launch plans to the configured model provider.
- Do not paste secrets, customer data, private incident records, production credentials, unpublished roadmap details, or proprietary compliance material into public prompts, issues, screenshots, or PR bodies.
- Agent personas and review workflows may ask for browser traces, performance data, logs, build output, dependency lists, and environment details; redact tokens and private URLs before sharing artifacts.
Prerequisites
- Claude Code plugin support, an Agent Skills compatible installer, or an agent/editor that can load Markdown instruction files.
- A software project where lifecycle guidance for specs, planning, implementation, testing, review, simplification, or launch is appropriate.
- A version-controlled workspace with a known approval model for edits, tests, commits, pushes, and deployments.
- Current framework, platform, and API documentation for any concrete implementation work produced under these skills.
- Human review before using `/build auto`, broad refactors, security changes, production deploys, or repository-wide automation.
Schema details
- Install type
- package
- Reading time
- 7 min
- Difficulty score
- 74
- Troubleshooting
- Yes
- Breaking changes
- No
- Scope
- Source repo
- Skill type
- capability-pack
- Skill level
- expert
- Verification
- validated
- Verified at
- 2026-06-18
| Platform | Support | Install path |
|---|---|---|
| claude-code | Native | .claude/skills/<skill-name>/SKILL.md |
| codex | Native | .agents/skills/<skill-name>/SKILL.md |
| windsurf | Native | .windsurf/skills/<skill-name>/SKILL.md |
| gemini | Native | .gemini/skills/<skill-name>/SKILL.md or .agents/skills/<skill-name>/SKILL.md |
| cursor | Adapter | .cursor/rules/<skill-name>.mdc |
| cli | Manual | AGENTS.md or tool-specific context file |
Full copyable content
/plugin marketplace add addyosmani/agent-skills
/plugin install agent-skills@addy-agent-skills
# HTTPS fallback when SSH marketplace cloning is not configured
/plugin marketplace add https://github.com/addyosmani/agent-skills.git
/plugin install agent-skills@addy-agent-skillsAbout this resource
Addy Osmani Agent Skills
addyosmani/agent-skills is Addy Osmani's engineering workflow skill pack for
AI coding agents. It packages lifecycle slash commands, SKILL.md instruction
files, review personas, and reference checklists for agents that need to move
from product definition through implementation, verification, review, and
launch without losing engineering discipline.
Use this listing for the skill pack itself. Use separate tool, MCP, or platform entries when evaluating a runtime, agent framework, cloud service, or execution environment rather than installable agent instructions.
Knowledge Freshness
The pack is current and active, but it intentionally focuses on engineering process. Exact framework APIs, package commands, cloud behavior, browser interfaces, CI syntax, deployment controls, and security guidance still need fresh source checks during implementation.
For high-stakes work, pair these skills with current documentation, local test results, repository-specific agent instructions, and maintainer review. Treat autonomous build or shipping workflows as approval-gated execution paths, not as a substitute for release control.
Retrieval Sources
This listing is grounded in:
- The upstream
addyosmani/agent-skillsREADME. - The repository
plugin.jsonmetadata. - Representative skill files for
using-agent-skills,spec-driven-development,incremental-implementation,test-driven-development,security-and-hardening, andshipping-and-launch. - The MIT license file and current GitHub repository metadata.
Core Workflow
Claude Code is the recommended install path upstream:
/plugin marketplace add addyosmani/agent-skills
/plugin install agent-skills@addy-agent-skills
If SSH marketplace cloning is not configured, the README documents an HTTPS fallback:
/plugin marketplace add https://github.com/addyosmani/agent-skills.git
/plugin install agent-skills@addy-agent-skills
The same repository also documents setup paths for Cursor, Antigravity CLI, Gemini CLI, Windsurf, OpenCode, GitHub Copilot, Kiro, Codex, and generic agents that can load Markdown instructions or skills directories.
Command Surface
The README maps seven slash commands to the software lifecycle:
| Phase | Command | Purpose |
|---|---|---|
| Define | /spec |
Turn an idea into a concrete product or engineering spec. |
| Plan | /plan |
Break the spec into small implementation tasks. |
| Build | /build |
Implement in incremental, testable slices. |
| Verify | /test |
Prove behavior through tests and debugging. |
| Review | /review |
Run quality, maintainability, and readiness review. |
| Simplify | /code-simplify |
Reduce complexity while preserving behavior. |
| Ship | /ship |
Prepare release, rollout, monitoring, and rollback work. |
The README also documents /build auto, which creates a plan and implements
tasks in a single approved pass. That mode is useful for bounded specs, but it
should stay behind explicit plan review, test checks, and stopping conditions.
Capability Scope
The pack includes 24 skills: the using-agent-skills meta-skill plus 23
lifecycle skills. They cover idea refinement, specs, task planning,
incremental implementation, TDD, context engineering, source-driven
development, doubt-driven review, UI engineering, API design, browser testing,
debugging, code review, simplification, security hardening, performance,
git workflow, CI/CD, migrations, ADRs, observability, and shipping.
It also includes specialist agent personas:
| Persona | Focus |
|---|---|
code-reviewer |
Staff-level code review across quality and maintainability. |
test-engineer |
Test strategy, coverage analysis, and proof-oriented QA. |
security-auditor |
Threat modeling, vulnerability detection, and OWASP review. |
web-performance-auditor |
Core Web Vitals and browser performance review. |
Reference checklists cover testing, security, performance, accessibility, and multi-persona orchestration patterns.
Production Rules
- Start with
/specand/planfor ambiguous or multi-step work. - Keep
/build autolimited to reviewed, bounded specs with testable tasks. - Require human approval for commits, pushes, dependency changes, CI changes, infrastructure changes, and deploys.
- Verify current docs and installed versions before accepting framework, package, cloud, browser, or security-specific code.
- Treat review personas as focused reviewers, not as authority to bypass the repository's maintainer process.
- Redact secrets and private production data from prompts, browser traces, logs, screenshots, and PR text.
Use Cases
- Add a lifecycle command set to Claude Code for spec, plan, build, test, review, simplify, and ship workflows.
- Give Codex, Cursor, Gemini CLI, OpenCode, or another agent a consistent engineering process through Markdown skills or project instructions.
- Use the
source-driven-developmentanddoubt-driven-developmentskills to force current documentation checks and adversarial review before implementation. - Run a structured code review with the
code-reviewer,security-auditor,test-engineer, orweb-performance-auditorpersona. - Standardize engineering rituals across a team without baking all of that context into every prompt.
Troubleshooting
Marketplace install fails over SSH
Use the HTTPS install form documented in the README, or configure GitHub SSH keys before adding the marketplace repository.
The agent starts making broad changes
Pause the run and ask it to return to /spec or /plan. Break the work into
small tasks with acceptance criteria, tests, rollback notes, and approval gates.
Framework code looks stale
Invoke or mirror the source-driven workflow. Re-check official documentation, installed package versions, changelogs, and local type errors before accepting implementation details.
/build auto is too aggressive
Use it only after reviewing the plan. If the task is exploratory, risky, security-sensitive, or production-facing, require task-by-task approval instead of one-pass execution.
Source Review
Verified on 2026-06-18:
- The README describes the repository as production-grade engineering skills for AI coding agents.
- The README documents Claude Code marketplace installation, an HTTPS fallback, local development setup, and setup paths for Cursor, Antigravity CLI, Gemini CLI, Windsurf, OpenCode, GitHub Copilot, Kiro, Codex, and generic agents.
- The README lists seven lifecycle commands:
/spec,/plan,/build,/test,/review,/code-simplify, and/ship. - The README says
/build autocreates a plan and implements tasks in one approved pass while still pausing on failures or risky steps. - The README lists 24 skills total, including the
using-agent-skillsmeta-skill and 23 lifecycle skills. - The repository includes review personas for code review, tests, security, and web performance.
plugin.jsonnames the pluginagent-skillsand describes it as production-grade engineering skills for AI coding agents.- GitHub reports MIT licensing, a current release, and active repository
updates for
addyosmani/agent-skills.
Duplicate Review
Checked current content/skills/, content/tools/, content/mcp/,
content/agents/, open pull requests, and repository-wide content for
addyosmani/agent-skills, Addy Osmani Agent Skills, Addy Agent Skills,
agent-skills@addy-agent-skills, /spec, /plan, /build auto, and the
repository URL. Adjacent official skill-pack entries exist, but no dedicated
Addy Osmani Agent Skills collection entry, exact source URL duplicate, target
file, or open duplicate PR was found.
Disclosure
Editorial listing. No paid placement or affiliate link is used. The collection is maintained by Addy Osmani and published from the public GitHub repository.
Source citations
Add this badge to your README
Show that Addy Osmani Agent Skills is listed on HeyClaude. Paste this Markdown into your README — it renders the badge and links back to this page.
[](https://heyclau.de/entry/skills/addy-osmani-agent-skills)How it compares
Addy Osmani Agent Skills side by side with 3 alternatives on trust, install, platform support, and disclosed safety notes — all from reviewed registry metadata.
| Field | Addy Osmani Agent Skills Addy Osmani's production-grade Agent Skills pack for AI coding agents, with lifecycle slash commands, engineering workflow skills, review personas, quality gates, and cross-agent setup guidance for Claude Code, Cursor, Gemini CLI, Antigravity CLI, OpenCode, GitHub Copilot, and other agents. Open dossier | wshobson Agentic Plugin Marketplace Multi-harness agentic plugin marketplace with 84 plugins, 192 agents, 156 skills, 102 commands, and 16 orchestrators for Claude Code, Codex CLI, Cursor, OpenCode, Gemini CLI, and GitHub Copilot from one Markdown source tree. Open dossier | Google Agents CLI Skills Google Agents CLI skill suite for coding agents that build, scaffold, evaluate, deploy, publish, and observe ADK agents on Gemini Enterprise Agent Platform, Agent Runtime, Cloud Run, GKE, and Google Cloud. Open dossier | Planning with Files MIT-licensed Agent Skill for persistent file-based planning across Claude Code, Codex, Cursor, Gemini CLI, OpenCode, Hermes Agent, OpenClaw, Kiro, and other SKILL.md-compatible coding agents, with task_plan.md, findings.md, progress.md, hooks, session recovery, attestation, and opt-in long-running run modes. Open dossier |
|---|---|---|---|---|
| Trust | ||||
| Install risk | Review first | Review first | Review first | Review first |
| Notes | Safety ✓ Privacy ✓ | Safety ✓ Privacy ✓ | Safety ✓ Privacy ✓ | Safety ✓ Privacy ✓ |
| Category | skills | skills | skills | skills |
| Source | source-backed | source-backed | source-backed | source-backed |
| Author | Addy Osmani | Seth Hobson | Ahmad Othman Ammar Adi | |
| Added | 2026-06-18 | 2026-06-18 | 2026-06-18 | 2026-06-18 |
| Platforms | Claude CodeCodexWindsurfGeminiCursorCLI | Claude CodeCodexWindsurfGeminiCursorCLI | Claude CodeCodexWindsurfGeminiCursorCLI | Claude CodeCodexWindsurfGeminiCursorCLIContinue |
| Source repo | — | — | — | — |
| Safety notes | ✓The slash commands are designed to guide real coding, testing, reviewing, committing, and shipping work; keep edits, commits, pushes, CI changes, and deploys behind the host's normal approval controls. `/build auto` is explicitly intended to generate a plan and implement multiple tasks in one approved pass. Use it on bounded specs, review the generated plan first, and stop on test failures or risky changes. The skills encode durable engineering workflows, not guaranteed-current framework APIs. Follow the source-driven-development guidance and verify current documentation before applying generated code. Security, CI/CD, observability, migration, and launch skills can touch production-sensitive systems. Require dry-run plans, rollback notes, and environment scoping before approving operational commands. Review personas and quality gates are useful second opinions, but they do not replace maintainer review, domain-specific tests, threat modeling, or release sign-off. | ✓This marketplace installs executable agent workflow instructions, slash commands, skills, and agent profiles. Review each selected plugin before giving it write, shell, network, MCP, cloud, browser, or deployment access. Some plugins target security scans, infrastructure, Kubernetes, cloud architecture, CI/CD, incident response, dependency management, and multi-agent orchestration; keep destructive, expensive, or production-impacting commands behind human approval. The marketplace includes external git-subdir plugin entries as well as local plugins. Verify external source repositories, manifests, licenses, update cadence, and dependency behavior separately. Cross-harness adapters intentionally transform source artifacts for Codex, Cursor, OpenCode, Gemini, and Copilot; inspect generated artifacts when relying on tool allowlists, model mappings, command conversion, or skill size limits. Do not assume every plugin is appropriate for every repository, compliance environment, model provider, or agent sandbox. | ✓The skills intentionally guide agents through scaffold, eval, deploy, publish, CI/CD, infrastructure, datastore, and observability workflows that can create or modify cloud resources. Deployment and infrastructure commands may provision service accounts, IAM bindings, Terraform resources, Cloud Run services, Agent Runtime deployments, GKE resources, Artifact Registry images, Secret Manager entries, and CI/CD runners. The workflow skill explicitly requires clarifying goals and writing a spec before scaffolding a new project; skipping that step can create wrong infrastructure or unsafe agent behavior. Evaluation guidance may invoke LLM-as-judge, synthetic datasets, and prompt optimization; treat cost, data exposure, and nondeterminism as production concerns. Do not run deploy, publish, infrastructure, datastore, or CI/CD commands without explicit human approval and a known Google Cloud target. | ✓Planning with Files writes persistent planning state into the active project. Review whether `task_plan.md`, `findings.md`, `progress.md`, `.planning/`, and handoff files should be committed, ignored, or scrubbed before sharing. The skill uses hooks and helper scripts to re-inject plan context, remind the agent to update progress, run session catchup, and check completion. Inspect the installed hook scripts before enabling them in shared repositories or global agent config. Planning files become model context. Do not paste untrusted web content, issue comments, logs, or external instructions into planning files without summarizing and neutralizing prompt-injection text. The upstream eval notes describe a prior prompt-injection amplification risk from web fetch/search content being written into planning files and re-read by hooks; current SKILL.md removes WebFetch/WebSearch from allowed tools and documents the security boundary. Codex users should merge hook entries into existing hook configs rather than overwriting them, and avoid enabling duplicate workspace plus global hooks that would run twice. Autonomous and gated modes are opt-in for long-running runs. Understand whether the host can hard-block, follow up, or only notify before relying on a completion gate. |
| Privacy notes | ✓Using the pack with an AI agent can expose repository code, product requirements, architecture notes, tests, CI logs, deployment settings, incidents, security findings, and launch plans to the configured model provider. Do not paste secrets, customer data, private incident records, production credentials, unpublished roadmap details, or proprietary compliance material into public prompts, issues, screenshots, or PR bodies. Agent personas and review workflows may ask for browser traces, performance data, logs, build output, dependency lists, and environment details; redact tokens and private URLs before sharing artifacts. | ✓Installed plugins can expose project files, source code, issues, pull requests, logs, architecture notes, prompts, tool outputs, credentials accidentally present in context, cloud resource names, deployment details, and incident data to the configured agent runtime. MCP, memory, browser, cloud, and external plugin integrations may send prompts, file snippets, traces, or task context to additional local or remote services depending on configuration. Generated Codex, Cursor, OpenCode, Gemini, and Copilot artifacts may persist agent instructions, skills, commands, and project assumptions on disk. Keep secrets, customer data, regulated records, private infrastructure details, and unreleased business or incident material out of public plugin configs, examples, issues, PRs, screenshots, and generated docs. | ✓Agents CLI projects can contain Google Cloud credentials, AI Studio keys, Secret Manager names, service account emails, project IDs, regions, Terraform state, eval traces, prompts, tool outputs, logs, traces, user data, embeddings, and datastore contents. Eval artifacts and observability exports can include full prompts, tool calls, responses, failure rationales, trace IDs, and private application data. Publishing to Gemini Enterprise, deploying to Agent Runtime, Cloud Run, or GKE, and enabling analytics can move agent traffic into Google Cloud services subject to separate terms and access controls. Keep project IDs, credentials, Terraform state, traces, eval datasets, user data, private prompts, and secret names out of public issues, PRs, examples, and screenshots. | ✓The planning files can contain task goals, source paths, branch names, PR URLs, test output, error logs, research findings, product decisions, customer context, security findings, and operational handoff details. Session-catchup workflows inspect local agent session stores such as Claude Code project history, Codex sessions, or other host-specific stores to recover context after `/clear` or compaction. Hook-injected planning content is sent to the active model provider as part of the agent context. Keep secrets, access tokens, private incident data, customer records, and unreleased roadmap details out of planning files unless the provider and retention policy are approved. Attestation stores hashes of plan content for tamper detection, but it does not encrypt the planning files or make their content safe to publish. |
| Prerequisites |
|
|
|
|
| Install | | | | |
| Config | — | — | — | |
| Citations | ||||
| Claim | Unclaimed | Unclaimed | Unclaimed | Unclaimed |
Featured in
Signals
Loading live community signals…
A short, calm digest of reviewed Claude resources. Unsubscribe any time.