The emergence and popularity of skills is one of the most obvious ways that agentic AI has evolved from demos to enterprise production.
Technically, a skill is simply a folder of markdown instructions that an agent loads and follows, but the implications are enormous. Write one good skill, accurately describing a business workflow, and every employee that selects it and every agent that installs it inherits the workflow. From reviewing a pull request, to running a security audit, to building a slide deck and more, skills turn isolated prompts into portable workflows.
So it’s no surprise that since Anthropic introduced the skills format in late 2025, the public ecosystem has grown to tens of thousands of published skills. However, that growth has outpaced any way to judge quality. A skill only delivers value if an agent can find it, trigger it at the right moment, and actually complete the whole task it describes. Most published skills fall short somewhere along that chain.
We built ToolBench to reliably benchmark MCP servers, and the response showed how much teams want transparent scoring before they adopt. Today we’re extending that approach to skills with SkillBench.
What SkillBench measures and how it works
As of today, SkillBench has now scored approximately 39,000 skills and counting, making it the largest graded index of agent skills anywhere. The set includes popular skills from Anthropic, obra/superpowers, mattpocock, Microsoft, Vercel, Flutter, and others. More are being added, and we encourage you to submit your own for scoring.
Every skill is scored 0–100 across six weighted dimensions, rolled into a letter grade from A to F. Each dimension directly correlates to enterprise production and is grounded in how skills actually fail:

Safety and malicious intent (35% of total score) is the heaviest dimension, and it takes a conservative posture because the potential for real world business impact is so severe. Any real blast radius (executing code, writing files, touching secrets, taking irreversible actions) pulls the score down even when intent is benign. The safety signatures come from documented attack vectors and techniques showing up in real prompt-injection research and incidents: Unicode tag smuggling, rules-file backdoors, and credential exfiltration patterns.
Safety also doubles as a hard rule that mirrors that same business impact. A set of confirmed-malicious signatures acts as a backstop: trip one and the skill fails outright, regardless of the other five scores.
Tool boundary (25% of total score) measures whether a skill declares and respects limits on what it can touch, acting on the principle that skills should teach a procedure and tools should carry out that action.
Workflow quality (12% of total score) and discoverability and activation (8% of total score) judge whether the skill delivers a focused procedure for a single job, and whether an agent can identify what the skill does and when to invoke it from metadata alone.
Provenance & maintenance (10%) judges how trustworthy and well-stewarded the source is. Portability and standards conformance (10%) checks that a skill works across harnesses, not just the one it was written in.
The full methodology is public on the site.
The big takeaways: safety and weak tool boundaries are red flags

Of the 39,014 scored skills, 73% carry elevated safety risk and 7,034 tripped a hard safety gate and were quarantined outright. Those hard-gate failures go beyond “could be better documented” and into exfiltration signatures, hidden-text vectors, and embedded credentials. This is especially concerning considering that in the enterprise context an unsafe skill can act like a prompt injection that you installed yourself.
The risk concentrates in the collection where the most skills are being created and have the most power. Software and programming skills account for 14,688 flagged skills, more than the next four categories combined.

Even skills that pass the safety checks often fail on scope. Most notably, 12,516 carry a weak tool boundary. These skills reach beyond the access they claim to need, touching files, credentials, or the network without declaring it. Every undeclared permission widens the blast radius when something goes wrong.
On the plus side, the overall quality of skills is more encouraging than the MCP server ecosystem was.

20% of skills earned an A (85+), with the highest score at 97. The middle is crowded, with 38% landing at a C. Importantly, the gap between a C and an A is almost always the same few fixes: a clear tool boundary, explicit trigger guidance, and provenance a reviewer can verify. Only 2% received an outright F.
How you can use SkillBench
If you’re installing skills, filter by grade and collection before you commit, and treat anything below a B as a read-the-source situation. Every skill page shows the six-dimension breakdown and a one-line install command for Claude Code, Cursor, or any agent.
If you’re publishing skills, we recommend you score your own as soon as possible. Connect to SkillBench over MCP from any client and you can score, browse, and submit skills directly from your agent. Every skill also gets a shareable badge so you can signal to users that your skill is strong.

Skills are how expertise moves between agents, and better skills mean better agents. We built SkillBench to help make the skills ecosystem safer and more reliable for the people working with agentic AI every day. Join us.
Explore the index at skillbench.arcade.dev.


