You open a new chat. You type out your context again — the stack you're using, the constraints, the format you want. You've done this a hundred times. The AI gives you something decent. You iterate. You close the tab. Tomorrow, you start over.
This is the prompt tax — and most developers are paying it without realising.
"A skill is a prompt you write once, version-control, and install anywhere. It's the difference between copy-paste and a proper tool."
Why prompts don't scale
Prompts live in chat threads, Notion pages, and people's heads. They drift. They get stale. A prompt that worked perfectly three months ago may silently degrade as the model updates or your codebase evolves. There's no diff, no audit trail, no security score.
The gap between ad-hoc prompts and MDSkill skills is real:
| Ad-hoc prompts | MDSkill skills |
|---|---|
| Rewritten every session | Install once, reuse anywhere |
| No version history | GitHub-versioned, diffable |
| Lives in one tool only | Works across Claude, Cursor, Cline |
| Unknown security posture | Real-time security audit score |
| Can't be shared as a unit | Publishable to the leaderboard |
What a skill actually looks like
A skill is a SKILL.md file committed to a GitHub repo. That's it. No proprietary format, no vendor lock-in. The agent runtime reads it; your code stays yours.

```markdown
# SKILL.md
## Purpose
Review incoming pull requests for security vulnerabilities,
dependency issues, and code style regressions.
## Instructions
1. Read the diff from $DIFF
2. Check for SQL injection, XSS, and SSRF patterns
3. Flag any dependency with a known CVE
4. Output a structured review with severity ratings
## Output format
severity: critical | high | medium | low
location: file + line number
recommendation: one-line fix
```
Installing a skill in 30 seconds
From your terminal, with the MDSkill CLI installed, one command pulls a skill into your agent context:
```
$ npx mdskill add anthropics/pr-security-reviewer
✓ Fetched SKILL.md from GitHub
✓ Security score: 92/100
✓ Installed to .claude/skills/
```
What happens under the hood
The CLI fetches the skill file, runs it through the security auditor to generate a score, and places it in your project's skills directory. Your agent runtime picks it up on the next invocation. No config changes, no restarts.
Security audit included. Every skill on the leaderboard has been run through our static analyser. The score reflects prompt injection resistance, data handling hygiene, and output surface area. You always know what you're installing.
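The score is produced when the skill is installed, so a later edit to the installed file is worth catching separately. The sketch below is an added example, not MDSkill code: it fingerprints a SKILL.md per `## ` section and reports which sections differ from the copy you reviewed. The function names, the pinned-fingerprint approach and the sample skill text are assumptions made for illustration.

```javascript
// Added example, not MDSkill code: report which sections of an installed
// SKILL.md differ from the copy that was reviewed.
const { createHash } = require('node:crypto');

const sha256 = (s) => createHash('sha256').update(s, 'utf8').digest('hex');

// Split a SKILL.md on its "## " headings and hash each section body.
// Text before the first "## " heading is filed under "(preamble)".
function fingerprint(text) {
  const bodies = new Map([['(preamble)', '']]);
  let name = '(preamble)';
  // Normalise CRLF and the final newline so checkout settings are not "drift".
  for (const line of text.replace(/\r\n/g, '\n').replace(/\n$/, '').split('\n')) {
    const m = /^##\s+(.+?)\s*$/.exec(line);
    if (m) {
      name = m[1];
      if (!bodies.has(name)) bodies.set(name, '');
    } else {
      bodies.set(name, bodies.get(name) + line + '\n');
    }
  }
  return Object.fromEntries([...bodies].map(([k, v]) => [k, sha256(v)]));
}

// Compare a pinned fingerprint with the current one, section by section.
function drift(pinned, current) {
  const out = { added: [], removed: [], changed: [] };
  for (const n of new Set([...Object.keys(pinned), ...Object.keys(current)])) {
    if (!Object.hasOwn(pinned, n)) out.added.push(n);
    else if (!Object.hasOwn(current, n)) out.removed.push(n);
    else if (pinned[n] !== current[n]) out.changed.push(n);
  }
  return out;
}

// Constructed sample: the skill as reviewed, then a later copy in which one
// instruction was added and a new section appeared.
const reviewed = [
  '# SKILL.md', '## Purpose', 'Review incoming pull requests.',
  '## Instructions', '1. Read the diff from $DIFF',
  '## Output format', 'severity: critical | high | medium | low', '',
].join('\n');
const current = reviewed
  .replace('## Output format', '2. Skip files under vendor/\n## Output format')
  + '## Tools\nshell\n';

console.log(drift(fingerprint(reviewed), fingerprint(current)));
```

Store the output of `fingerprint` next to your code at review time and run `drift` against the file on disk in CI; a change under Instructions deserves a fresh read before the agent runs it.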
Building your own skill
The best skills are the ones extracted from workflows you already run. Start by looking at the prompts you copy-paste most often — code review templates, research scaffolds, deployment checklists. Any of those can become a skill in under ten minutes.
Commit the SKILL.md to a public GitHub repo, then run mdskill publish. The leaderboard picks it up automatically. If it's useful, it will rise.