Skills Library
The skills library contains 267 code security skills — the same expertise as the Prompt Library, packaged in a machine-readable format optimized for tooling, automation, and programmatic discovery.
Skills are the recommended way to integrate Manicode into your workflow. They include structured metadata, a router layer for automatic skill selection, evaluation tests, and manifests for bulk operations.
Skills vs. Prompts
| Prompts | Skills | |
|---|---|---|
| Format | Plain markdown | SKILL.md + METADATA.json per skill directory |
| Variants | Up to 5 files per role (one per model) | One consolidated file per role (canonical variant) |
| Metadata | Encoded in filename and folder path | Structured YAML frontmatter + JSON metadata with triggers, tags, token estimates |
| Discovery | Manual browsing | Automated via router skills and a skills manifest |
| Tests | None | Domain-specific evaluation prompts for top 50 skills |
| Versioning | None | CHANGELOG.md per skill, version field in metadata |
| Total | 328 (with model variants) | 267 (deduplicated, one per role) |
Choose prompts when you are manually configuring an LLM and want to pick a model-specific variant. Choose skills for everything else — IDE integration, automated pipelines, programmatic discovery, and router-based skill selection.
Categories
| Category | Skills | What It Covers |
|---|---|---|
| Backend Frameworks | 122 | Node.js, Python, Java, Go, .NET, PHP, Ruby on Rails, Rust, Scala, Elixir, GraphQL, gRPC, ServiceNow, SQL/RDBMS |
| Infrastructure | 54 | Secret management, Terraform, Kubernetes, Docker, serverless, WAF, CI/CD, cloud security |
| Client-Side Frameworks | 49 | React, Vue, Angular, Next.js, Svelte, TypeScript, Flutter, SolidJS, and more |
| AI Security | 41 | Agentic AI, RAG security, AI agent frameworks, supply chain, governance |
| Web and API Security | 18 | SSRF, XXE, XSS, SQL injection, CSRF, CORS, JWT, WebSocket, CSP |
| Authorization | 8 | RBAC, ABAC, ReBAC with OPA, OpenFGA, SpiceDB, Casbin, Cedar |
| Mobile | 8 | Android, iOS, React Native, Flutter, Kotlin Multiplatform, Electron |
| Authentication | 7 | Password storage, MFA, session management, SSO, passwordless |
| Cryptography | 6 | Symmetric/asymmetric encryption, password hashing, TLS, key management |
| Embedded and IoT | 6 | FreeRTOS, Zephyr RTOS, embedded Linux, IoT protocols and cloud |
| WASM | 5 | Browser and server-side WASM, cryptography, supply chain, memory safety |
| C and C++ | 3 | Secure C, secure C++, embedded C |
Router Layer
Instead of browsing skills manually, use the router layer — specialized router skills that automatically discover and select the right skill for your request.
You: "How do I secure my Django authentication flow?"
Router: Scans manifest → loads secure-django-developer → applies Django security patterns
Routers work in Claude Code (as slash commands like /router-backend), Cursor, and any tool that supports custom skill files.
Learn more about the Router Layer
Skill Format
Each skill is a self-contained directory with structured metadata:
secure-express-js-developer/
SKILL.md # Instructions with YAML frontmatter
METADATA.json # Triggers, tags, token estimate, version
CHANGELOG.md # Version history
tests/
eval.md # Evaluation prompts with pass criteria
examples/
good/ # Correct usage examples
bad/ # Incorrect usage examples
Learn more about the Skill Format
Getting Started
- With routers (recommended): Use a router slash command in Claude Code (e.g.,
/router-backend) and describe your task. The router selects the right skill automatically. - Direct selection: Browse the categories above, find the skill for your framework, and load its SKILL.md as your system instruction.
- Programmatic: Use
index.jsonorMETADATA.jsonto filter and load skills in your tooling.
Limitations
- Skills contain the same security rules as prompts — the same limitations apply.
- The
source-variantfield indicates which model the skill was originally optimized for. Performance may vary on other models. - Skills are version 1.0.0. The metadata schema may evolve in future releases.