Tech Leads Club Agent Skills
by tech-leads-club
Tech Leads Club Agent Skills is a security-first registry of verified skill packages for AI coding agents. The pitch: open skill marketplaces have a 13.4% critical vulnerability rate. This registry exists because someone decided that was unacceptable. Every skill in the registry is 100% open source — no compiled binaries, no obfuscated code. Static analysis runs in CI/CD before any skill is published. Immutable integrity is enforced through lockfiles and content hashing, meaning a skill cannot change after publication without triggering a version bump and re-verification. Snyk Agent Scan checks every skill for known vulnerabilities before it enters the registry. 2,000 GitHub stars, 223 forks, 1,012 commits on main. Written entirely in TypeScript. MIT license for the software engine, CC-BY-4.0 for the skill content itself. Node.js 22+ required. The install is one command: npx @tech-leads-club/agent-skills. An interactive CLI lets you browse, search, and install skills for your specific agent. 19 AI coding platforms are supported across three tiers. Tier 1 (primary support): Claude Code, Cline, Cursor, GitHub Copilot, Windsurf. Tier 2: Aider, Antigravity, Gemini CLI, Kilo Code, Kiro, OpenAI Codex, Roo Code, TRAE. Tier 3: Amazon Q, Augment, Droid (Factory.ai), OpenCode, Sourcegraph Cody, Tabnine. Featured skills include tlc-spec-driven (project planning with persistent memory), aws-advisor (architecture and security guidance), playwright-skill (browser automation), figma (design-to-code), and security-best-practices (vulnerability detection). The registry also includes an MCP server integration for progressive disclosure — agents can discover and install skills dynamically during a coding session. Defense-in-depth security goes beyond scanning. Path isolation prevents skills from accessing files outside their designated directory. Symlink guards block path traversal attacks. Audit trails log every skill installation and execution. Offline caching ensures installed skills work without network access and cannot be tampered with by man-in-the-middle attacks. Semantic versioning with automated releases keeps the registry predictable. When a skill updates, the version number tells you whether it is a patch, minor improvement, or breaking change — and your lockfile protects you from unexpected upgrades. For a larger, less curated skill library, compare with Antigravity Awesome Skills (1,377+ skills, broader but without the same security guarantees). For managing the MCP servers your agents connect to, see MCP Gateway Registry.
Installation
Key Features
- ✓Security-first: 100% open source, static analysis in CI/CD, Snyk Agent Scan on every skill
- ✓Immutable integrity via lockfiles and content hashing — skills cannot silently change
- ✓19 AI coding platforms supported across 3 tiers (Claude Code, Cursor, Copilot, Codex, etc.)
- ✓Interactive CLI installer for browsing, searching, and installing skills
- ✓MCP server integration for dynamic skill discovery during coding sessions
- ✓Defense-in-depth: path isolation, symlink guards, audit trails, offline caching
- ✓Semantic versioning with automated releases
Use Cases
- →Installing verified, vulnerability-scanned skills for Claude Code in enterprise environments
- →Standardizing AI agent capabilities across a development team with lockfile-pinned skill versions
- →Adding security audit skills (vulnerability detection, best practices) to CI/CD agent workflows
- →Equipping Cursor or Copilot with framework-specific skills (AWS, Playwright, Figma) from a trusted source
- →Dynamic skill discovery via MCP server — agents install capabilities on-demand during sessions