Skip to content
Skill Creator (Secure) cover
Meta / SkillsFree · MIT

Skill Creator (Secure)

Write a focused, token-lean skill AND lint it for safety before shipping — the generator that doesn't produce vulnerable skills.

v1.0.0 · ~577 tokens · ⬇ 0 · Updated July 6, 2026

What it does

Builds a correct skill (tight frontmatter, trigger-rich description, imperative body, one job, token budget, deterministic checks, anti-patterns section) then runs a security lint on the result (no injection, no exfiltration, least-tools, clean bundled scripts). If it would fail skill-security-auditor, it fixes it before shipping. Says when something shouldn't be a skill at all.

Example uses

Turn a workflow into a skill

You keep re-explaining the same pre-deploy checklist to your agent at the start of every session.

Turn this workflow into a skill: before every deploy we check that migrations are reversible, feature flags default to off, and the changelog is updated. Write the SKILL.md with a description that triggers on 'deploy', 'release', and 'ship', keep the body lean and imperative, include an anti-patterns section, and run your security lint on it before handing it over.

Split a bloated skill

Your draft skill does five jobs, burns tokens on every trigger, and still fires at the wrong times.

Here's my draft skill that handles code review, changelog writing, release notes, and Slack announcements all in one file. Split it into focused single-job skills, write each trigger description so it fires at the right moment, and give me the estimated token count for each body.

Lint a skill before installing

You found a skill online and want it checked for unsafe instructions before it touches your setup.

Lint this SKILL.md before I install it: check for instruction-override or hide-from-user phrasing, unpinned remote fetches piped to a shell, destructive commands run by default, and tool permissions broader than the job needs. Report everything you find and fix what's fixable.

Install

# 1. Create the skill folder in your Claude setup
mkdir -p ~/.claude/skills/skill-creator-secure

# 2. Download SKILL.md into it (or move the file you just downloaded)
#    → ~/.claude/skills/skill-creator-secure/SKILL.md

# 3. Claude Code auto-discovers it on next launch.

Inside the skill

SKILL.md
---
name: skill-creator-secure
description: Write a new Claude/agent skill correctly and safely — tight SKILL.md, token budget, and a built-in security lint of the result. Use when the user wants to create, write, or scaffold a new skill ("make a skill for X", "write a SKILL.md", "turn this workflow into a skill").
---

# Skill Creator (secure)

Build a skill that's focused, token-lean, and safe — then lint what you produced. A skill
is an instruction the model will follow with tools; sloppy or unsafe skills do real harm.

## Anatomy (get this exactly right)

```
---
name: kebab-case-name
description: <what it does + WHEN to use it — trigger phrases. This is what routes the skill.>
---
# Title
<the instructions — imperative, specific, the model is the reader>
```

- **description** decides when the skill fires — pack it with concrete trigger cases, not fluff.
- Body: imperative rules, not prose essays. Show the exact checks/format/output.
- Bundle extra files (scripts, templates) only if used; reference them by relative path.

## Design rules

- **One job.** A skill that does five things fires at the wrong time and bloats context.
  Split it. (Monolithic skills measurably lose accuracy.)
- **Token budget.** Aim for a lean body (a few hundred tokens). Every token loads into
  context on trigger. If it's long, it's probably two skills or padded.
- **Deterministic where possible.** Prefer a runnable check/regex/gate over "be careful".
- **Anti-patterns section.** State what the skill must NOT do — that's where safety lives.

## Security lint (run on the skill you just wrote — don't ship without it)

- No instruction-override / "hide from user" phrasing.
- No unpinned remote fetch piped to a shell, no exfiltration, no destructive command by default.
- No request for broader tools than the job needs.
- Bundled scripts: no secrets, no `eval`, no `curl | sh`.
(If it would fail `skill-security-auditor`, fix it before shipping.)

## Output

The complete SKILL.md (+ any bundled files), the estimated token count, and a one-line
"lint: clean" or the issues found and fixed.

## Rules

- Write for the model, not for a human reader — it's an instruction set, not a tutorial.
- If the "skill" is really just a prompt with no reusable rules, say so — not everything needs to be a skill.

Changelog

  • v1.0.02026-07-03Initial clean-room write.

Frequently asked questions

Is Skill Creator (Secure) free?

Yes. Skill Creator (Secure) is free to download and MIT-licensed.

Where do I install Skill Creator (Secure)?

Place the SKILL.md file in ~/.claude/skills/skill-creator-secure/ and Claude Code auto-discovers it on next launch.

How many tokens does Skill Creator (Secure) use?

About 577 tokens — it is designed to be token-lean.

Anthony M. — Founder & Lead Reviewer
Anthony M.Verified Builder

We're developers and SaaS builders who use these tools daily in production. Every review comes from hands-on experience building real products — DealPropFirm, ThePlanetIndicator, PropFirmsCodes, and many more. We don't just review tools — we build and ship with them every day.

Written and tested by developers who build with these tools daily.