From 98e9e7991195fd21a6d2cb2c1268dc3c80e2c917 Mon Sep 17 00:00:00 2001 From: Romain SIMON Date: Tue, 24 Feb 2026 01:39:03 +0100 Subject: [PATCH 1/3] Add agentskill-learn skill --- skills/agentskill-learn/SKILL.md | 54 ++++++++++++++++++++++++++++++++ 1 file changed, 54 insertions(+) create mode 100644 skills/agentskill-learn/SKILL.md diff --git a/skills/agentskill-learn/SKILL.md b/skills/agentskill-learn/SKILL.md new file mode 100644 index 000000000..85f3d60a8 --- /dev/null +++ b/skills/agentskill-learn/SKILL.md 
@@ -0,0 +1,54 @@ +--- +name: agentskill-learn +description: "Discover, install, and manage AI agent skills from agentskill.sh marketplace. Search 44,000+ community skills by keyword, install mid-session with security scanning, and rate skills after use. Use when asked to find skills, extend capabilities, or learn new tools." +--- + +# AgentSkill Learn — Community Skills Marketplace + +This skill connects GitHub Copilot to [agentskill.sh](https://agentskill.sh), a community marketplace for AI agent skills. Search, install, and manage skills with built-in security scanning. + +## Installation + +This is a pointer to the canonical skill. Install the full version: + +```bash +gh copilot skill install https://github.com/agentskill-sh/learn +``` + +## What It Does + +- **Search**: Find skills by keyword from the agentskill.sh catalog (44,000+ skills indexed) +- **Install**: Download skills with security scanning (blocks dangerous patterns) +- **Rate**: Auto-rate skills after use; user ratings override +- **Update**: SHA-based version tracking for updates +- **Multi-platform**: Works with Copilot, Claude Code, Codex, Cursor, Windsurf, Cline + +## Quick Commands + +| Command | Description | +|---------|-------------| +| `/learn ` | Search for skills | +| `/learn @owner/slug` | Install specific skill | +| `/learn trending` | Show trending skills | +| `/learn list` | Show installed skills | +| `/learn update` | Check for updates | +| `/learn scan ` | Security scan a skill | + +## Security + +**Two-layer security model:** + +1. **Registry-side**: All skills pre-scanned at publish time with pattern detection (command injection, data exfiltration, prompt injection, credential harvesting, obfuscation) +2. 
**Client-side**: Score displayed before install; skills below 70 blocked, 70-89 require acknowledgment + +| Score | Action | +|-------|--------| +| 90-100 | SAFE — install proceeds | +| 70-89 | REVIEW — requires acknowledgment | +| <70 | BLOCKED — installation refused | + +## Links + +- **Marketplace**: https://agentskill.sh +- **Source**: https://github.com/agentskill-sh/learn +- **Report Issues**: https://github.com/agentskill-sh/learn/issues From 705da567293a73d57673f1274bcb362c55bfed3b Mon Sep 17 00:00:00 2001 From: Romain SIMON Date: Sun, 1 Mar 2026 15:07:20 +0100 Subject: [PATCH 2/3] Update generated README.skills.md Run npm start to regenerate docs after adding agentskill-learn skill. --- docs/README.skills.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/README.skills.md b/docs/README.skills.md index e3c5e5fd8..00e3dd9fd 100644 --- a/docs/README.skills.md +++ b/docs/README.skills.md @@ -29,6 +29,7 @@ See [CONTRIBUTING.md](../CONTRIBUTING.md#adding-skills) for guidelines on how to | [add-educational-comments](../skills/add-educational-comments/SKILL.md) | Add educational comments to the file specified, or prompt asking for file to comment if one is not provided. | None | | [agent-governance](../skills/agent-governance/SKILL.md) | Patterns and techniques for adding governance, safety, and trust controls to AI agent systems. Use this skill when:
- Building AI agents that call external tools (APIs, databases, file systems)
- Implementing policy-based access controls for agent tool usage
- Adding semantic intent classification to detect dangerous prompts
- Creating trust scoring systems for multi-agent workflows
- Building audit trails for agent actions and decisions
- Enforcing rate limits, content filters, or tool restrictions on agents
- Working with any agent framework (PydanticAI, CrewAI, OpenAI Agents, LangChain, AutoGen) | None | | [agentic-eval](../skills/agentic-eval/SKILL.md) | Patterns and techniques for evaluating and improving AI agent outputs. Use this skill when:
- Implementing self-critique and reflection loops
- Building evaluator-optimizer pipelines for quality-critical generation
- Creating test-driven code refinement workflows
- Designing rubric-based or LLM-as-judge evaluation systems
- Adding iterative improvement to agent outputs (code, reports, analysis)
- Measuring and improving agent response quality | None | +| [agentskill-learn](../skills/agentskill-learn/SKILL.md) | Discover, install, and manage AI agent skills from agentskill.sh marketplace. Search 44,000+ community skills by keyword, install mid-session with security scanning, and rate skills after use. Use when asked to find skills, extend capabilities, or learn new tools. | None | | [ai-prompt-engineering-safety-review](../skills/ai-prompt-engineering-safety-review/SKILL.md) | Comprehensive AI prompt engineering safety review and improvement prompt. Analyzes prompts for safety, bias, security vulnerabilities, and effectiveness while providing detailed improvement recommendations with extensive frameworks, testing methodologies, and educational content. | None | | [appinsights-instrumentation](../skills/appinsights-instrumentation/SKILL.md) | Instrument a webapp to send useful telemetry data to Azure App Insights | `LICENSE.txt`
`examples/appinsights.bicep`
`references/ASPNETCORE.md`
`references/AUTO.md`
`references/NODEJS.md`
`references/PYTHON.md`
`scripts/appinsights.ps1` | | [apple-appstore-reviewer](../skills/apple-appstore-reviewer/SKILL.md) | Serves as a reviewer of the codebase with instructions on looking for Apple App Store optimizations or rejection reasons. | None | From b9651f1cb7aa23fad809fb2a7c7cbfdbe3d7d3c6 Mon Sep 17 00:00:00 2001 From: Romain SIMON Date: Tue, 3 Mar 2026 15:03:55 +0100 Subject: [PATCH 3/3] Make skill self-contained with full instructions Replace pointer/stub with the complete skill content inline, as required by the awesome-copilot contribution guidelines. Co-Authored-By: Claude Opus 4.6 --- skills/agentskill-learn/SKILL.md | 140 +++++++++++++++++++++++-------- 1 file changed, 107 insertions(+), 33 deletions(-) diff --git a/skills/agentskill-learn/SKILL.md b/skills/agentskill-learn/SKILL.md index 85f3d60a8..0dc8e608f 100644 --- a/skills/agentskill-learn/SKILL.md +++ b/skills/agentskill-learn/SKILL.md 
@@ -5,50 +5,124 @@ description: "Discover, install, and manage AI agent skills from agentskill.sh m # AgentSkill Learn — Community Skills Marketplace -This skill connects GitHub Copilot to [agentskill.sh](https://agentskill.sh), a community marketplace for AI agent skills. Search, install, and manage skills with built-in security scanning. +This skill transforms your agent into a self-improving system capable of discovering and installing new capabilities during active sessions. It connects to [agentskill.sh](https://agentskill.sh), a community marketplace with 44,000+ AI agent skills. -## Installation +> Maintained at [github.com/agentskill-sh/learn](https://github.com/agentskill-sh/learn) — check there for the latest version. -This is a pointer to the canonical skill. Install the full version: +## Core Commands + +- **`/learn `** — Search for skills matching a query +- **`/learn @/`** — Install a specific skill directly +- **`/learn `** — Install from agentskill.sh URL +- **`/learn`** — Context-aware recommendations based on current project +- **`/learn trending`** — Display trending skills +- **`/learn feedback [comment]`** — Rate installed skills +- **`/learn list`** — Show all installed skills +- **`/learn update`** — Check and apply skill updates +- **`/learn remove `** — Uninstall a skill +- **`/learn scan `** — Audit skill security +- **`/learn config autorating `** — Toggle automatic ratings + +## Installation Flow + +When a user requests a skill install: + +1. Fetch skill content from the API +2. Run multi-phase security scanning +3. Display security results and request confirmation +4. Write skill file with metadata header +5. Track install event +6. Show post-install summary + +## Security Scanning (Two-Layer Model) + +**Registry-side (agentskill.sh):** All skills pre-scanned using automated pattern detection before publication. + +**Client-side:** Pre-computed security scores displayed before install. 
Scores below 70 block installation; scores 70-89 require acknowledgment. + +### Scanning Phases + +1. **Automated Tools** — Run mcp-scan, trufflehog, gitleaks if available +2. **Metadata & Structure** — Validate SKILL.md and folder contents +3. **Static Text Analysis** — Detect prompt injection, RCE, obfuscation, secrets, persistence mechanisms +4. **Secret & Dependency Scan** — Check for hardcoded credentials and suspicious packages +5. **Script Analysis** — Examine Python/shell scripts for dangerous functions +6. **Dynamic Analysis** — Optional sandbox execution for high-value targets + +### Scoring -```bash -gh copilot skill install https://github.com/agentskill-sh/learn ``` +Score = 100 - (CRITICAL x 20) - (HIGH x 10) - (MEDIUM x 3) - (LOW x 1) +Minimum = 0 +``` + +| Score | Rating | Action | +|-------|--------|-------------------------------------| +| 90-100 | SAFE | Allow installation | +| 70-89 | REVIEW | Show issues, require acknowledgment | +| <70 | DANGER | Block installation | + +Critical patterns include: prompt injection ("ignore previous"), remote code execution (curl|bash), credential exfiltration, reverse shells, destructive commands (rm -rf). 
+ +## Platform Detection + +Detect where to install based on directory presence: + +- `.github/copilot/` — GitHub Copilot +- `.claude/` — Claude Code / Claude Desktop +- `.cursor/` — Cursor +- `.windsurf/` — Windsurf +- `.cline/` — Cline +- `.codex/` — Codex +- `.opencode/` — OpenCode +- `.aider/` — Aider +- `.gemini/` — Gemini CLI +- `.amp/` — Amp +- `.goose/` — Goose +- `.roo-code/` — Roo Code +- `.trae/` — Trae + +Install path format: `/skills/.md` + +## Automatic Skill Rating (Opt-Out) + +After using an installed skill, auto-rate it using a 1-5 scoring rubric: + +- **5** — Task completed perfectly; clear, accurate instructions +- **4** — Successful completion with minor improvements possible +- **3** — Completed with friction; instruction gaps requiring interpretation +- **2** — Partial completion; significant issues or outdated information +- **1** — Failed or misleading; instructions incorrect or harmful -## What It Does +Users receive a notification before submission and can disable auto-rating with `/learn config autorating off`. 
-- **Search**: Find skills by keyword from the agentskill.sh catalog (44,000+ skills indexed) -- **Install**: Download skills with security scanning (blocks dangerous patterns) -- **Rate**: Auto-rate skills after use; user ratings override -- **Update**: SHA-based version tracking for updates -- **Multi-platform**: Works with Copilot, Claude Code, Codex, Cursor, Windsurf, Cline +## Output Formatting -## Quick Commands +- Use markdown tables for skill listings +- Use `AskUserQuestion` tool for interactive selections +- Format headers with `##` for scannability +- Bold skill names and important values +- Truncate descriptions to ~80 characters in tables +- Show full descriptions in detail views -| Command | Description | -|---------|-------------| -| `/learn ` | Search for skills | -| `/learn @owner/slug` | Install specific skill | -| `/learn trending` | Show trending skills | -| `/learn list` | Show installed skills | -| `/learn update` | Check for updates | -| `/learn scan ` | Security scan a skill | +## Error Handling -## Security +- **API unreachable:** Direct users to browse at agentskill.sh +- **No results:** Suggest alternate keywords +- **Install failures:** Note permission issues or write errors +- **Self-update failures:** Continue silently with current version +- **Security blocks:** Display full report without proceeding -**Two-layer security model:** +## API Endpoints -1. **Registry-side**: All skills pre-scanned at publish time with pattern detection (command injection, data exfiltration, prompt injection, credential harvesting, obfuscation) -2. 
**Client-side**: Score displayed before install; skills below 70 blocked, 70-89 require acknowledgment +All calls to `https://agentskill.sh`: -| Score | Action | -|-------|--------| -| 90-100 | SAFE — install proceeds | -| 70-89 | REVIEW — requires acknowledgment | -| <70 | BLOCKED — installation refused | +- `GET /api/agent/search?q=&limit=5` — Search +- `GET /api/agent/skills//install` — Fetch content +- `GET /api/agent/skills//version` — Check version +- `POST /api/skills//install` — Track install +- `POST /api/skills//agent-feedback` — Submit rating -## Links +## Self-Update Protocol -- **Marketplace**: https://agentskill.sh -- **Source**: https://github.com/agentskill-sh/learn -- **Report Issues**: https://github.com/agentskill-sh/learn/issues +Before executing commands, check if `/learn` itself is current by comparing local `contentSha` with remote version. Fetch and scan new versions before updating; proceed silently if API is unreachable.
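Review bot: the install command in the Installation section of [PATCH 1/3] (`gh copilot skill install https://github.com/agentskill-sh/learn`) references the repository with no tag or commit, so a user installs whatever the default branch holds at that moment rather than the content reviewed here. Pin the URL to a release tag or commit, or state which revision this pointer was checked against. The Security section in the same hunk describes the client-side layer only as "Score displayed before install" and does not say where the score comes from; if it is the registry's publish-time score, say so, because in that case both layers rest on the same scan rather than on two independent checks.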
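Review bot: the added `agentskill-learn` row in docs/README.skills.md ([PATCH 2/3]) repeats the "44,000+ community skills" figure and the "install mid-session with security scanning" claim from the skill's frontmatter, so the index carries a count that will go stale and a security claim with no qualifier. Since the commit message says this file is regenerated with `npm start`, make the change in the `description` field of skills/agentskill-learn/SKILL.md (drop the figure or phrase it without a number) and regenerate, rather than editing the row.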
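Review bot: the formula in the Scoring section of [PATCH 3/3] lets a skill with a single CRITICAL finding score 80 (100 - 20), which the table rates REVIEW and allows after acknowledgment, even though the paragraph below the table lists reverse shells, credential exfiltration and `curl|bash` as critical patterns. Add a rule that any CRITICAL finding blocks installation regardless of the total, and state it next to the table. In the same hunk, the Self-Update Protocol has the skill fetch and apply a new version of itself before executing commands without mentioning the confirmation step that the Installation Flow requires, and the local `contentSha` is compared with a value served by the same API, so the check detects a version change but does not verify integrity; require user confirmation for self-updates and say what the hash is verified against. Phase 1 of Scanning Phases runs mcp-scan, trufflehog and gitleaks only "if available", so the displayed report should list which tools were skipped.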