Skill Format
Each skill is a self-contained directory with structured metadata, the skill instructions, a changelog, evaluation tests, and example usage.
Directory Structure
skills/
code-security/
backend-frameworks/
nodejs/
secure-express-js-developer/
SKILL.md # Skill instructions with YAML frontmatter
METADATA.json # Structured metadata for routing and discovery
CHANGELOG.md # Version history
tests/
eval.md # Domain-specific evaluation prompts
examples/
good/ # Correct usage examples
bad/ # Incorrect usage examples
_index/
skills-index.md # Compact manifest for router discovery (267 entries)
index.json # Master manifest with full metadata for all skills
SKILL.md
The primary file. Contains YAML frontmatter for metadata followed by the full role instructions in markdown.
---
name: secure-express-js-developer
description: >-
Enforce security-focused development practices as a Secure Express.js
Developer including authentication, authorization, input validation,
secrets management, CSRF protection.
license: Proprietary. LICENSE.txt has complete terms
metadata:
author: manicode
version: "1.0.0"
category: code-security
subcategory: backend-frameworks
source-variant: Opus 4.6
---
# Role
Act as a senior Node.js engineer specializing in Express.js security...
## Security Principles
...
## Coding Rules
...
Frontmatter Fields
| Field | Description | Example |
|---|---|---|
name | Unique identifier (kebab-case) | secure-express-js-developer |
description | What the skill enforces | Enforce security-focused development practices... |
metadata.category | Top-level category | code-security |
metadata.subcategory | Subcategory path | backend-frameworks |
metadata.version | Skill version | 1.0.0 |
metadata.source-variant | Model the skill was optimized for | Opus 4.6 |
METADATA.json
Structured metadata used by routers and tooling for discovery, filtering, and composition.
{
"id": "secure-express-js-developer",
"version": "1.0.0",
"status": "stable",
"description": "Enforce security-focused development practices...",
"triggers": ["express", "nodejs", "node", "backend", "api"],
"tags": ["code-security", "backend-frameworks", "nodejs"],
"conflicts": [],
"requires": [],
"owner": "[email protected]",
"last_validated": "2026-03-10",
"skill_path": "code-security/backend-frameworks/nodejs/secure-express-js-developer/SKILL.md",
"token_estimate": 1724,
"source_variant": "Opus 4.6"
}
Key Fields
| Field | Purpose |
|---|---|
triggers | Keywords that cause routers to consider this skill for a request |
tags | Classification tags for filtering and grouping |
token_estimate | Approximate token count — helps tooling manage context budgets |
status | stable, draft, or deprecated |
conflicts | Skills that should not be combined with this one |
requires | Skills that should be loaded alongside this one |
tests/eval.md
Each of the top 50 skills includes 3 domain-specific evaluation prompts with measurable pass criteria. These are used to verify that a skill produces the expected security behaviors.
## Test 1: Authentication Middleware
**Prompt:** Write Express.js middleware that authenticates JWT tokens.
**Pass criteria:** Uses `jsonwebtoken.verify()`, checks token expiration,
returns 401 on failure, does not log token values.
Manifests
index.json
The master manifest listing all 267 skills with their full metadata. Used by tooling that needs structured access to the complete skill inventory.
skills-index.md
A compact, human-readable manifest designed for router consumption. Lists each skill's ID, tags, and path — small enough to fit in a single context window for efficient skill discovery.
- secure-express-js-developer
tags: code-security, backend-frameworks, nodejs
path: code-security/backend-frameworks/nodejs/secure-express-js-developer/SKILL.md