What is the relationship between commands and skills?

They use the same format; if a skill and a command share a name, the skill takes precedence.

When should I create a command vs a skill?

Use a command file for simple, single-file tasks; use a skill directory when you need supporting files, templates, or background knowledge.

Which frontmatter fields matter?

Description is recommended; other fields like argument-hint, disable-model-invocation, user-invocable, allowed-tools, model, context, and agent are optional.

create-agent-skills

Flagged

{"isSafe":false,"isSuspicious":true,"riskLevel":"medium","findings":[{"category":"prompt_injection","severity":"high","description":"Dynamic Context Injection uses the !`command` syntax to execute shell commands before content is sent to Claude, which could be exploited to override context or manipulate model behavior.","evidence":"### Dynamic Context Injection\nThe `` !`command` `` syntax runs shell commands before content is sent to Claude:\n\n```yaml\n---\nname: pr-summary\ndescription: Summarize changes in a pull request\ncontext: fork\nagent: Explore\n---\n\n## Context\n- PR diff: !`gh pr diff`\n- Changed files: !`gh pr diff --name-only`\n\nSummarize this pull request...\n```"},{"category":"data_exfiltration","severity":"medium","description":"Shell commands used for context injection could read local environment data or command outputs and feed them into Claude, potentially leaking sensitive information or transforming model context without explicit user intent.","evidence":"### Dynamic Context Injection\nThe `!`command`` syntax executes shell commands to build the context (e.g., `gh pr diff`, `gh pr diff --name-only`). Outputs of these commands become part of the model's context."}],"summary":"The skill content demonstrates Dynamic Context Injection via shell commands within YAML blocks. While convenient for automation, this pattern introduces risks of prompt manipulation and potential data exfiltration if commands access sensitive data or are influenced by untrusted input. Recommend sandboxing or avoiding arbitrary command execution in content, and restricting to safe, vetted commands or API-based context assembly. Also ensure side-effectful actions are guarded (disable-model-invocation where appropriate) and clearly document intended command usage."}

npx machina-cli add skill everyinc/compound-engineering-plugin/create-agent-skills --openclaw

Files (1)

SKILL.md

8.5 KB

Creating Skills & Commands

This skill teaches how to create effective Claude Code skills following the official specification from code.claude.com/docs/en/skills.

Commands and Skills Are Now The Same Thing

Custom slash commands have been merged into skills. A file at .claude/commands/review.md and a skill at .claude/skills/review/SKILL.md both create /review and work the same way. Existing .claude/commands/ files keep working. Skills add optional features: a directory for supporting files, frontmatter to control invocation, and automatic context loading.

If a skill and a command share the same name, the skill takes precedence.

When To Create What

Use a command file (commands/name.md) when:

Simple, single-file workflow
No supporting files needed
Task-oriented action (deploy, commit, triage)

Use a skill directory (skills/name/SKILL.md) when:

Need supporting reference files, scripts, or templates
Background knowledge Claude should auto-load
Complex enough to benefit from progressive disclosure

Both use identical YAML frontmatter and markdown content format.

Standard Markdown Format

Use YAML frontmatter + markdown body with standard markdown headings. Keep it clean and direct.

---
name: my-skill-name
description: What it does and when to use it
---

# My Skill Name

## Quick Start
Immediate actionable guidance...

## Instructions
Step-by-step procedures...

## Examples
Concrete usage examples...

Frontmatter Reference

All fields are optional. Only description is recommended.

Field	Required	Description
`name`	No	Display name. Lowercase letters, numbers, hyphens (max 64 chars). Defaults to directory name.
`description`	Recommended	What it does AND when to use it. Claude uses this for auto-discovery. Max 1024 chars.
`argument-hint`	No	Hint shown during autocomplete. Example: `[issue-number]`
`disable-model-invocation`	No	Set `true` to prevent Claude auto-loading. Use for manual workflows like `/deploy`, `/commit`. Default: `false`.
`user-invocable`	No	Set `false` to hide from `/` menu. Use for background knowledge. Default: `true`.
`allowed-tools`	No	Tools Claude can use without permission prompts. Example: `Read, Bash(git *)`
`model`	No	Model to use. Options: `haiku`, `sonnet`, `opus`.
`context`	No	Set `fork` to run in isolated subagent context.
`agent`	No	Subagent type when `context: fork`. Options: `Explore`, `Plan`, `general-purpose`, or custom agent name.

Invocation Control

Frontmatter	User can invoke	Claude can invoke	When loaded
(default)	Yes	Yes	Description always in context, full content loads when invoked
`disable-model-invocation: true`	Yes	No	Description not in context, loads only when user invokes
`user-invocable: false`	No	Yes	Description always in context, loads when relevant

Use disable-model-invocation: true for workflows with side effects: /deploy, /commit, /triage-prs, /send-slack-message. You don't want Claude deciding to deploy because your code looks ready.

Use user-invocable: false for background knowledge that isn't a meaningful user action: coding conventions, domain context, legacy system docs.

Dynamic Features

Arguments

Use $ARGUMENTS placeholder for user input. If not present in content, arguments are appended automatically.

---
name: fix-issue
description: Fix a GitHub issue
disable-model-invocation: true
---

Fix GitHub issue $ARGUMENTS following our coding standards.

Access individual args: $ARGUMENTS[0] or shorthand $0, $1, $2.

Dynamic Context Injection

The !`command` syntax runs shell commands before content is sent to Claude:

---
name: pr-summary
description: Summarize changes in a pull request
context: fork
agent: Explore
---

## Context
- PR diff: !`gh pr diff`
- Changed files: !`gh pr diff --name-only`

Summarize this pull request...

Running in a Subagent

Add context: fork to run in isolation. The skill content becomes the subagent's prompt. It won't have conversation history.

---
name: deep-research
description: Research a topic thoroughly
context: fork
agent: Explore
---

Research $ARGUMENTS thoroughly:
1. Find relevant files
2. Analyze the code
3. Summarize findings

Progressive Disclosure

Keep SKILL.md under 500 lines. Split detailed content into reference files:

my-skill/
├── SKILL.md           # Entry point (required, overview + navigation)
├── reference.md       # Detailed docs (loaded when needed)
├── examples.md        # Usage examples (loaded when needed)
└── scripts/
    └── helper.py      # Utility script (executed, not loaded)

Link from SKILL.md: For API details, see [reference.md](reference.md).

Keep references one level deep from SKILL.md. Avoid nested chains.

Effective Descriptions

The description enables skill discovery. Include both what it does and when to use it.

Good:

description: Extract text and tables from PDF files, fill forms, merge documents. Use when working with PDF files or when the user mentions PDFs, forms, or document extraction.

Bad:

description: Helps with documents

What Would You Like To Do?

Create new skill - Build from scratch
Create new command - Build a slash command
Audit existing skill - Check against best practices
Add component - Add workflow/reference/example
Get guidance - Understand skill design

Creating a New Skill or Command

Step 1: Choose Type

Ask: Is this a manual workflow (deploy, commit, triage) or background knowledge (conventions, patterns)?

Manual workflow → command with disable-model-invocation: true
Background knowledge → skill without disable-model-invocation
Complex with supporting files → skill directory

Step 2: Create the File

Command:

---
name: my-command
description: What this command does
argument-hint: [expected arguments]
disable-model-invocation: true
allowed-tools: Bash(gh *), Read
---

# Command Title

## Workflow

### Step 1: Gather Context
...

### Step 2: Execute
...

## Success Criteria
- [ ] Expected outcome 1
- [ ] Expected outcome 2

Skill:

---
name: my-skill
description: What it does. Use when [trigger conditions].
---

# Skill Title

## Quick Start
[Immediate actionable example]

## Instructions
[Core guidance]

## Examples
[Concrete input/output pairs]

Step 3: Add Reference Files (If Needed)

Link from SKILL.md to detailed content:

For API reference, see [reference.md](reference.md).
For form filling guide, see [forms.md](forms.md).

Step 4: Test With Real Usage

Test with actual tasks, not test scenarios
Invoke directly with /skill-name to verify
Check auto-triggering by asking something that matches the description
Refine based on real behavior

Audit Checklist

Valid YAML frontmatter (name + description)
Description includes trigger keywords and is specific
Uses standard markdown headings (not XML tags)
SKILL.md under 500 lines
disable-model-invocation: true if it has side effects
allowed-tools set if specific tools needed
References one level deep, properly linked
Examples are concrete, not abstract
Tested with real usage

Anti-Patterns to Avoid

XML tags in body - Use standard markdown headings
Vague descriptions - Be specific with trigger keywords
Deep nesting - Keep references one level from SKILL.md
Missing invocation control - Side-effect workflows need disable-model-invocation: true
Too many options - Provide a default with escape hatch
Punting to Claude - Scripts should handle errors explicitly

Reference Files

For detailed guidance, see:

official-spec.md - Official skill specification
best-practices.md - Skill authoring best practices

Sources

Source

git clone https://github.com/everyinc/compound-engineering-plugin/blob/main/plugins/compound-engineering/skills/create-agent-skills/SKILL.md

View on GitHub

Overview

This skill teaches how to create Claude Code skills and slash commands following the official spec. It explains when to use a command vs a skill directory, how YAML frontmatter controls invocation, and how to structure content for auto-loading and clarity.

How This Skill Works

A skill directory at .claude/skills/name/SKILL.md and a command file at .claude/commands/name.md share the same format and invocation rules. When both exist with the same name, the skill takes precedence. Frontmatter and Markdown body drive how Claude loads context, handles arguments, and enables optional supporting files or templates.

When to Use It

Authoring a new skill with templates and supporting files.
Working with SKILL.md files during plugin development.
Improving an existing skill by adding reference scripts.
Converting a command into a skill directory to enable advanced features.
Understanding skill structure, frontmatter controls, and best practices.

Quick Start

Step 1: Review the frontmatter and standard Markdown format guidance.
Step 2: Decide between a command file or a skill directory based on complexity.
Step 3: Populate Quick Start, Instructions, and Examples sections, then test invocation.

Best Practices

Keep frontmatter concise and include a descriptive description.
Use standard Markdown sections: Quick Start, Instructions, Examples.
Prefer skill directories for complex tasks requiring supporting files and auto-loading.
Follow naming rules: lowercase, hyphens, max 64 chars.
Leverage frontmatter options like disable-model-invocation and user-invocable to manage workflows.

Example Use Cases

A review workflow implemented as both .claude/commands/review.md and skills/review/SKILL.md.
Converting commands/resolve.md to skills/resolve/SKILL.md for context loading.
A deployment workflow with disable-model-invocation: true to avoid auto action.
A background knowledge skill with user-invocable: false for non-user actions.
An annotated SKILL.md that includes Quick Start, Instructions, and Examples.

Frequently Asked Questions

Add this skill to your agents