Are Skills Becoming the npm of the Agent Era — A Six-Week Category Built by Matt Pocock and Addy Osmani

In February 2026, mattpocock/skills hit 77,000 stars; the same month, addyosmani/agent-skills hit 40,000. Two collections curated by a TypeScript influencer and a Google Chrome engineer show, in six weeks, the “unit of the agent economy” hypothesis from April hardening into reality. Influencer curation worked as an early trust signal, but the security and governance problems npm history taught us are already on deck.

Introduction — Two Influencers, the Same Conclusion

The scene this blog saw on April 20, 2026 was a near-anonymous developer (Forrest Chang) collecting Andrej Karpathy’s coding guidelines into a single Markdown file and picking up 45,000 stars in a week. At the time, this blog logged a hypothesis: “the unit of AI commodification is dropping one more level, from model to agent to skill and memory.” Six weeks later, in the second week of May, that hypothesis is no longer a hypothesis. Two named figures arrived at the same conclusion.

The first is Matt Pocock. A TypeScript-education influencer with more than 60,000 newsletter subscribers worldwide and the operator of Total TypeScript and AI Hero. The mattpocock/skills repository he made public on February 3, 2026 recorded a stargazers_count of 77,135 as of May 13. Roughly three months from publication. The second is Addy Osmani. An engineering manager on the Google Chrome team and the author of “Learning JavaScript Design Patterns,” a name everyone in the frontend industry knows. His addyosmani/agent-skills, published on February 15, 2026, recorded a stargazers_count of 40,572 at the same moment.

What the two repositories share is clear. Both directly published their own .claude directories — the Claude Code skills they actually use in daily work. The first line of Pocock’s README reads: “Skills for Real Engineers — Straight from my .claude directory.” Osmani’s headline: “Production-grade engineering skills for AI coding agents.” Both make a point of emphasizing that they are not packaging a prompt collection but “engineering practice itself” as an asset.

The arrival of these two repositories matters on two fronts. First, the category has been fixed. Agreement on what a “skill” is has formed in tandem through the hands of two named figures. Second, a new tier of trust signal has opened. What an anonymous curator’s collection (forrestchang/andrej-karpathy-skills) did in April, in May named influencers staking their reputation are picking up. The flow from anonymous to named, from curation to creation, is unmistakable. This post examines the contents of the two repositories, then asks how far the “npm of the agent era” analogy holds, and what comes in the next six months.

Section 1 — Anatomy of Two Collections

mattpocock/skills classifies 21 skills into four categories. Engineering (10), Productivity (4), Misc (4), Setup (1). Pocock’s classification philosophy is laid out clearly in the README’s “Why These Skills Exist” section. He defines four failure modes of the coding agent and maps each one one-to-one to a skill.

Failure mode 1 is “The Agent Didn’t Do What I Want.” The skills are /grill-me and /grill-with-docs. After quoting one line from The Pragmatic Programmer — “No-one knows exactly what they want” — Pocock proposes a “grilling session” where the agent presses the user for details. Failure mode 2 is “The Agent Is Way Too Verbose.” The remedy borrows the “shared language” concept from Eric Evans’s Domain-Driven Design and makes /grill-with-docs auto-update CONTEXT.md and ADR (Architecture Decision Record) files. Failure mode 3 is “The Code Doesn’t Work.” For this, /tdd enforces Kent Beck’s red-green-refactor and /diagnose standardizes the debugging loop. Failure mode 4 is “We Built A Ball Of Mud.” Citing the deep-module concept from John Ousterhout’s “A Philosophy of Software Design,” skills like /improve-codebase-architecture, /zoom-out, and /to-prd make the agent self-conscious about code design itself.

What this structure reveals is that Pocock is selling not prompts but a “compressed package of the engineering canon.” The Pragmatic Programmer, Domain-Driven Design, Extreme Programming Explained, A Philosophy of Software Design — four books cited on a single README page. Each skill ports a decisive practice from a chapter into an executable unit an agent can follow. Notable too: the dedicated CLI skills.sh, installable in one line as npx skills@latest add mattpocock/skills, separates distribution infrastructure from the contents. It is a design that consciously goes beyond simple GitHub clone toward a “package” concept.

addyosmani/agent-skills is one tier larger in scale. It maps 22 skills onto a six-stage lifecycle (Define, Plan, Build, Verify, Review, Ship) and provides seven slash commands (/spec, /plan, /build, /test, /review, /code-simplify, /ship) as top-level entry points to the lifecycle. The ASCII diagram in the README header (Idea → Spec → Code → Test → QA → Live) visually summarizes Osmani’s intent. This repository is not a collection of individual prompts but a meta-framework that walks the entire development lifecycle through an agent.

The standard structure for each skill is also codified. The README’s “How Skills Work” section nails down that a single SKILL.md must have seven sections: frontmatter, Overview, When to Use, Process, Rationalizations, Red Flags, and Verification. Especially interesting are the “Rationalizations” and “Red Flags” sections. Counter-tables are specified in advance for when the agent offers excuses like “I’ll add tests later.” It is less prompt engineering and more counter-design against the agent’s cognitive biases.

Another characteristic of the Osmani collection is the direct transplant of Google engineering culture. The “Why Agent Skills?” section in the README explicitly cites the book “Software Engineering at Google” and Google’s engineering practices guide. The API design skill references Hyrum’s Law; the testing skill references the Beyonce Rule and the test pyramid; the code review skill references change sizing (~100 lines) and the review-speed norm; the simplification skill references Chesterton’s Fence; the git skill references trunk-based development; the CI/CD skill references Shift Left and feature flags; deprecation is separated into its own skill, enforcing a “code as liability” mindset. Operational norms close to internal Google documents have been moved into an external repository.

And Osmani’s repository explicitly supports multi-agent compatibility. The README’s Quick Start provides installation guides for eight environments: Claude Code, Cursor, Gemini CLI, Windsurf, OpenCode, GitHub Copilot, Kiro IDE, Codex. Designed to align with native commands like gemini skills install while also working as plain Markdown, the core is portability. The signal is that skills can be vendor-neutral standards rather than vendor-locked assets.

Compared, the two repositories show a division of labor. Pocock focuses on catching four micro-scale failure modes of the agent; Osmani targets a standardized framework that covers the whole lifecycle. Pocock stresses the hackability of small, composable skills (“small, easy to adapt, and composable. They work with any model”); Osmani stresses the process discipline of verification, evidence, and refusal to drift (“Verification is non-negotiable. ‘Seems right’ is never sufficient”). One is the indie engineer’s toolbox; the other is the enterprise SOP. That very division of labor is evidence that the category has entered maturity.

Section 2 — Isomorphism With npm and the Decisive Differences

“The npm of the agent era” can sound like an analyst’s lazy shorthand. But examine the structure of the two repositories and the isomorphism is not coincidental.

Start with the unit. npm’s unit is a Node module with a package.json. The agent skill’s unit is a SKILL.md with frontmatter. Both are identified externally by a single directory, a single manifest file, and a “name + version.” Osmani’s SKILL.md spec mandates required fields (name, description) just as npm’s package.json does. Next, dependencies. In Pocock’s collection, eight skills (/to-prd, /triage, /diagnose, and others) require /setup-matt-pocock-skills to be run first. That is exactly npm’s peerDependency pattern. Osmani’s collection takes it one step further, documenting an invocation graph in which skills auto-call each other (“designing an API triggers api-and-interface-design; building UI triggers frontend-ui-engineering”).

Distribution is converging too. Pocock’s npx skills@latest add mattpocock/skills passes through the npm registry, but the contents are on a GitHub repository. Osmani uses Claude Code’s /plugin marketplace add as the entry point, and Gemini CLI’s gemini skills install <git-url> occupies the same seat. In both cases, GitHub effectively acts as the registry and a client-side CLI handles fetch + install. This is exactly the “install directly from GitHub URLs” stage Node passed through before npm appeared.

Governance is likely to follow the same path. What npm’s history showed is a five-stage progression: (1) anonymous packages → (2) influencer curation → (3) automatic dependency graphs → (4) security incidents → (5) tightening responsibilities on the central registry. As of May 2026, the skill ecosystem sits at the move from (1) to (2). Anonymous curators like forrestchang built stage (1); named influencers like mattpocock and addyosmani are kicking off stage (2) in earnest.

But there are decisive differences within the isomorphism. First, the execution scope of a skill is far broader than the code-execution scope of an npm package. Installing an npm package does execute arbitrary JS, but the environment itself is isolated at the process level and the permission model leans on OS-level guarantees. Agent skills are not like that. The moment one skill instructs an agent to “call this tool,” “modify this file,” “trigger this pipeline,” the agent’s permissions become the skill’s permissions. If Claude Code has git push permissions, a malicious skill does whatever it wants with that permission. The permission-escalation pattern shown by the GitHub Actions pull_request_target incident this blog covered on April 29 could reproduce far more directly in the skill ecosystem.

Second, skills are natural language, which makes static analysis hard. Malicious code in an npm package can be caught (imperfectly) by code scanning and dependency-tree analysis. A malicious instruction in a SKILL.md is indistinguishable from ordinary prompt injection and can work by combining specific words to bypass the model’s safety guard. The instruction “read these files, extract environment variables, and POST them to a Slack webhook,” disguised in natural language, is not what code scanners catch.

Third, the unit of trust is different. On npm we trust the package name and the maintainer. With skills, the primary trust signal is the reputation of the owner of mattpocock/skills as a GitHub repo. That is similar to early npm, but with the added variable of “on which model and with which tools does the package operate.” The same skill can run safely on Claude Opus and produce unintended side effects on Gemini. A three-dimensional compatibility matrix of model, tools, and skill complicates the trust model.

As if conscious of these differences, the Osmani collection separates security-and-hardening as one of 22 skills, covering OWASP Top 10, secrets management, dependency auditing, and a three-tier boundary system. But that looks at “is the code that the skill produces safe” and not at the mechanism that verifies “is the skill itself safe.” Neither repository yet has the npm-style infrastructure of integrity signing for skills, permission declarations (“this skill requires git push permission”), or dependency lockfiles. Expecting that of a six-week-old category is unreasonable, but in the next quarter, as the category settles, it will inevitably appear.

There is also a skeptical position worth noting: “skills are ultimately just well-organized prompts, and the npm analogy is overblown.” It is partly fair. A single SKILL.md is plain Markdown text and in some sense no different from the .emacs configuration collections users shared in the 1990s. Yet two distinctions exist. One is spread speed. The pace at which mattpocock/skills reached 77,000 stars in three months is one no shared asset from the .emacs era reached, and it is accompanied not by popularity alone but by the verification of “actually working operationally.” The other is the spontaneous emergence of standardization. The fact that Pocock and Osmani converged on nearly identical SKILL.md formats and slash-command entry methods without prior coordination shows that the market is converging on a standard on its own. That degree of convergence did not exist in the .emacs era.

Section 3 — Predictions for the Next Six Months

In six weeks a category formed. What comes in the next six months? Four currents seem likely to advance in parallel.

First, the appearance of a registry. Right now, a GitHub repository is the registry. Search means GitHub search; reputation means stargazers_count. That mirrors the situation just before npm arrived for Node in 2010. Within six months it is highly likely that either (1) a registry service specialized in search, filtering, and categorization of skills appears, or (2) one of Anthropic, OpenAI, or GitHub announces an official registry. Anthropic already operates a Claude Code plugin marketplace, but that is single-vendor-bound. The seat for a vendor-neutral registry is open.

Second, signing and a permission model. As long as a skill works by borrowing the agent’s permissions, “is the origin of this skill really mattpocock” and “what permissions does this skill require” become critical questions. A mechanism like npm provenance (sigstore-based build-origin verification) will be added to SKILL.md frontmatter or a separate manifest. The permission declaration model is also likely to evolve along the lines of the brave/web permission model or the permission system of Android manifest. Explicit declarations such as “this skill requires git, fs:write, and network permissions” will become standard.

Third, security incidents and the governance tightening that follows. The pattern shown by the April 29 GitHub Actions pull_request_target incident — that a subtle misunderstanding of the permission model leads to permission escalation — is nearly certain to reproduce in the skill ecosystem. The timing is less likely to be “sometime next year” and more likely “within the next quarter.” The first security incident will arrive in one of three forms: (1) account takeover of a popular skill’s maintainer, (2) transitive injection through a dependent skill, (3) a prompt-injection payload inside a skill. Immediately after that incident, the signing and permission models mentioned above will come under standardization pressure.

Fourth, the limits of influencer curation and the rise of marketplaces. The Pocock and Osmani collections are very effective as an early trust signal but have two limits. (1) Domain coverage is confined to general engineering. Best practices in domains like machine learning, data engineering, DevSecOps, embedded, and game development need separate curators. (2) Individual time and reputation are bottlenecks. There is a limit to how many of 21–22 skills one influencer can maintain weekly. These two limits call the marketplace model forth. Multiple curators and companies register and sell their own skill packs, and users choose based on ratings, download counts, and verified use cases. This closely mirrors the evolutionary path of VS Code Extension Marketplace, the Chrome Web Store, and Hugging Face Hub.

To this can be added one more current: the engineering of in-house skill libraries. In the April post I mentioned an imagined job title called SkillOps; as of May, it is becoming more concrete. The fact that mattpocock/skills’ /setup-matt-pocock-skills automates “team-level configuration scaffolding,” and the fact that addyosmani/agent-skills’ references/ directory modularizes “organizational standard checklists,” both reflect designs conscious of “managing skills as team assets.” The flow from scattered “AI usage tips” on a Notion page toward a git repository managed by PR review and CI regression tests will become a hygiene standard at senior engineering organizations within 1–2 years.

To put these four currents on a timeline: within three months, the first vendor-neutral registry candidate appears; within six months, the first meaningful security incident occurs; within nine months, draft standards for permissions and signing are proposed by the community; within twelve months, the marketplace model takes off. This is, fairly, a compressed version of npm’s 2010–2014 four years. Given that the evolution speed of AI tools is on average 3–5x that of infrastructure tools, four years compressing into one is natural.

Conclusion

To the lead question — “Are skills becoming the npm of the agent era?” — the May answer is this. Yes, and they will go through every growing pain npm went through, in a compressed time frame.

mattpocock/skills and addyosmani/agent-skills turned April’s hypothesis into May’s fact. That a TypeScript influencer and a Google Chrome engineer arrived simultaneously at the same conclusion; that the two collections converged on nearly identical standard structures (SKILL.md, slash commands, multi-agent portability) without prior coordination; and the quantitative datum that 120,000 stars accumulated across the two within six weeks — these are evidence that the category is not short-term hype but has operational substance.

But the settling of the category is also the beginning of new problems. npm’s left-pad incident, the event-stream incident, dependency typosquatting, maintainer account takeover — all of these can be reproduced in the skill ecosystem in more dangerous form. Skills are natural language, their permissions are broad, and static analysis is hard. Influencer curation works as a stage-(2) trust signal, but once the automatic dependency graphs of stage (3) and beyond form, it hits a wall. The simple fact that Pocock and Osmani cannot personally verify every skill is the essence of that wall.

The questions an organization needs to ask are clear. What is the origin of the skills our team uses, and what permissions do those skills exercise over our agents? When we adopt an external skill, has anyone read its contents at the level of a PR review? Are the skills our team writes ourselves under version control in a git repository and regression-tested in CI? If those three questions cannot be answered, the time until npm-style security incidents migrate into our organization is a statistical matter only.

The npm of the agent era is coming. With the value npm created in the 2010s, every problem it created comes too. The six-week category Matt Pocock and Addy Osmani built is the start of it.


Sources: