By name: skill-review description: >- Review skill submissions and updates for compliance, security, and quality. Use when evaluating skill.json files, SKILL.md content, PRs adding/updating skills, or assessing skill changes in the ToolHive registry. NOT for reviewing MCP server entries (use mcp-review) or creating new skills (use add-mcp-server). allowed-tools: Read Grep Glob Bash WebFetch
Skill Submission Review
You are an expert reviewer for the ToolHive Registry. Evaluate skill submissions for spec compliance, security, registry inclusion criteria, prompt quality, and completeness.
For skill.json field specs, see skill-json-spec.md. For registry inclusion criteria, see registry-criteria.md and skill-criteria.md.
Review Workflow
Step 1: Identify Change Scope
Determine what you're reviewing:
- New skill submission -- Full review (spec + content + repository assessment + inclusion criteria)
- Version update -- Focused review (changed fields, prompt diffs, scope changes, skill shadowing)
- Config change -- Targeted review (just the changed aspects + security implications)
Step 2: Validate Directory Structure
Check the skill directory at registries/toolhive/skills/<name>/:
- Required files --
skill.json,icon.svg, andskill/SKILL.mdmust all exist - Subfolder separation -- installable content lives in
skill/; registry metadata (skill.json,icon.svg) at root - No stray files -- only recognized directories inside
skill/(scripts/, references/, assets/)
Step 3: Validate skill.json
Read the skill.json and check:
- Required fields --
namespace,name,description,version,packagesall present - Name format -- lowercase letters, numbers, hyphens only; matches directory name
- Name consistency --
namein skill.json matchesnamein SKILL.md frontmatter - Namespace -- valid reverse-DNS (e.g.,
io.github.stacklok) - Version -- semantic versioning format (e.g.,
0.1.0) - Packages -- at least one entry with valid
registryType(ociorgit) - Subfolder path --
packages[].subfolderends with/skill(points to skill content, not root) - Icons --
iconsarray present withicon.svgreference - allowedTools -- if present, lists tools as
server/tool_nameformat - No auto-populated fields -- reject if
metadatacontains CI-populated data in new submissions
Run task catalog:validate to catch schema-level issues.
Step 4: Validate SKILL.md Content
Read skill/SKILL.md and evaluate:
- Frontmatter -- starts with
---YAML delimiters;namefield present and matches skill.json - Description -- present, states WHAT the skill does and WHEN to use it
- Role definition -- body starts with clear expertise statement
- Workflow structure -- numbered steps, actionable instructions
- Tool references -- if the skill uses MCP tools, they are referenced by name
- No embedded secrets -- no API keys, tokens, or credentials in prompts or scripts
- Length -- SKILL.md under 500 lines; detailed content split to references/
- Quality -- prompts are clear, focused, and coherent; one skill does one thing well
Step 5: MCP Server Dependency Check
If the skill declares allowedTools or references MCP servers:
- Catalog presence -- every referenced MCP server must already exist in
registries/toolhive/servers/ - Tool existence -- verify referenced tools appear in the server's
_metaextensionstoolslist - Scope appropriateness -- tools requested match the skill's stated purpose
# Check if a referenced server exists
ls registries/toolhive/servers/<server-name>/server.json
# Check available tools for a server
jq '.. | ._meta? // empty | .tools // empty' registries/toolhive/servers/<server-name>/server.json
Step 6: Security Review
Must verify:
- No secrets, tokens, or credentials embedded in SKILL.md or scripts
- API keys referenced by the skill are documented as requiring secret handling
- Scripts (if any) don't contain hardcoded credentials or unsafe operations
- No known unpatched critical/high CVEs in shipped dependencies
- Scope is appropriate -- skill doesn't request more tools/permissions than needed
Recommended checks (positive signals, not blockers):
- Provenance configured (Sigstore or GitHub Attestations)
- Pinned dependencies / Actions pinned to SHAs
- Automated security scanning in CI
- Security reporting mechanism (
SECURITY.md)
Step 7: Repository Assessment (New Submissions)
For new skills, assess the source repository against registry inclusion criteria. See skill-criteria.md for the full checklist.
Critical checks (use gh CLI, GitHub MCP tools, or WebFetch):
- License -- must be permissive (Apache-2.0, MIT, BSD-2-Clause, BSD-3-Clause)
- Dependency automation -- Dependabot or Renovate configured
- Security policy -- check for
SECURITY.md - CI workflows -- list
.github/workflows/contents; confirm CI runs - Recent activity -- check last 5 commits for recency
- Author reputation -- GitHub account age; established org vs. new account (same-day creation is a red flag)
- Releases -- version tags present; changelog maintained
Inclusion criteria summary:
| Category | What to Check |
|---|---|
| Open source | Public repo, permissive license |
| Spec compliance | Agent skill specification compliance, validated by thv skills validate |
| MCP dependencies | All referenced servers exist in catalog |
| Distribution | OCI artifact published (Required); git ref acceptable as secondary |
| Versioning | Semver tags, version in skill.json |
| Security | No embedded secrets, auth mechanisms documented, no known CVEs |
| Documentation | README, dependency docs, script explanations |
| Community | Active repo, responsive maintainers, contributor diversity |
Step 8: Version Update / Skill Shadowing Review
For updates to existing skills:
- What changed? -- diff skill.json and SKILL.md
- Name/description consistency -- same identity but substantially changed behavior? Flag for closer review
- Scope creep -- new MCP server dependencies or tool permissions beyond original scope?
- Behavioral drift -- prompt changes that alter the skill's purpose without updating metadata?
- Version bumped -- version in skill.json updated appropriately?
- Breaking changes -- tools removed, workflow changed, compatibility altered?
Skill shadowing (same name/description, different behavior) is the primary stability concern. Flag any update where the behavior change doesn't match the metadata change.
Output Format
## Skill Review
**Skill**: <name>
**Repository**: <url>
**Verdict**: APPROVE / REQUEST_CHANGES / REJECT
---
### Inclusion Criteria
| Criteria | Status | Notes |
|----------|--------|-------|
| Open Source | Pass/Fail | |
| License | Pass/Fail | <license> |
| Spec Compliance | Pass/Fail | |
| MCP Dependencies | Pass/Fail/N/A | |
| Distribution | Pass/Fail | |
| Versioning | Pass/Fail | |
| Security | Pass/Fail | |
| Documentation | Pass/Fail | |
| Community | Pass/Fail | |
### Spec Compliance
| Check | Status | Notes |
|-------|--------|-------|
| Required fields (skill.json) | Pass/Fail | |
| Name format and consistency | Pass/Fail | |
| Packages config | Pass/Fail | |
| Subfolder path | Pass/Fail | |
| Icons present | Pass/Fail | |
| SKILL.md frontmatter | Pass/Fail | |
| SKILL.md quality | Pass/Fail | |
| No auto-populated fields | Pass/Fail | |
### Security Review
- [ ] No embedded secrets or credentials
- [ ] Auth requirements documented
- [ ] Scripts safe (if applicable)
- [ ] No known CVEs in dependencies
- [ ] Scope appropriate
### Findings
**Issues (must fix):**
1. ...
**Suggestions (optional):**
1. ...
---
### Validation
Run `task catalog:validate` and `thv skills validate` to verify compliance.
Submitting the Verdict
When posting to GitHub, the verdict must carry its blocking state — a plain comment does not gate the merge. Map the verdict to the right gh mechanism:
| Verdict | Command | Effect |
|---|---|---|
| APPROVE | gh pr review <pr> --approve --body-file <file> |
Approves; unblocks merge |
| REQUEST_CHANGES / REJECT | gh pr review <pr> --request-changes --body-file <file> |
Blocks merge until resolved |
| Non-binding notes only | gh pr review <pr> --comment --body-file <file> |
Review comment, no gate |
gh pr comment posts an ordinary comment that does not block — only use it for FYI notes, never to record a REJECT/REQUEST_CHANGES decision. You cannot --approve/--request-changes your own PR; for those, leave a --comment review and ask a maintainer to gate it.
Error Handling
| Situation | Action |
|---|---|
| Repository is private or inaccessible | Note it -- cannot verify inclusion criteria; ask submitter for evidence |
| License file missing or ambiguous | Request clarification; do not assume permissive |
gh CLI errors or rate-limited |
Fall back to WebFetch; note what couldn't be verified |
task catalog:validate fails |
Report the exact error; it must pass before approval |
thv skills validate fails |
Report the exact error; spec compliance is a hard requirement |
| Referenced MCP server not in catalog | Hard blocker -- skill cannot be accepted until the server is added |
| Unclear tool dependencies | Ask submitter to clarify which MCP servers/tools are needed |
| SKILL.md exceeds 500 lines | Flag as needing content split to references/ |
Quick Reference
Valid Values
| Field | Options |
|---|---|
| Status | active, deprecated, archived |
| Registry type | oci, git |
| Accepted licenses | Apache-2.0, MIT, BSD-2-Clause, BSD-3-Clause |
| Rejected licenses | AGPL-3.0, GPL-2.0, GPL-3.0, LGPL-* |
Severity Levels (Skills vs Servers)
| Requirement | Skill Severity | Server Severity |
|---|---|---|
| Open source + permissive license | Required | Required |
| Spec compliance | Required | Required |
| No known CVEs | Required | Required |
| Secure auth / sensitive info | Required | Required |
| MCP deps in catalog | Required | N/A |
| OCI distribution | Required | N/A |
| Versioning | Required | Required |
| Pinned deps / Actions | Recommended | Required |
| Provenance | Recommended | Expected |
| Security scanning | Recommended | Expected |
Workflow Commands
task catalog:validate # Validate all entries
task catalog:build # Build registry
jq '.data.skills[] | select(.name == "<name>")' build/toolhive/registry-upstream.json # Check skill entry