Submitting Skills

How to write a SKILL.md, pass verification, and publish your skill to the verified-skill.com registry.

Overview

Every skill on verified-skill.com starts as a SKILL.md file in a public GitHub repository. When you submit, the file goes through automated security scanning and LLM intent analysis before appearing in the registry.

├── FreeNo cost to submit. No approval queue for Tier 1 (Scanned).

├── PublicYour GitHub repo must be public. Private repos are not supported.

└── AutomatedTier 1 scanning is instant. Tier 2 LLM analysis adds 1-2 minutes.

SKILL.md format

A skill is a Markdown file with YAML frontmatter. The frontmatter declares metadata; the body contains the prompt instructions your AI agent will follow.

markdown

---
description: Generate responsive React components following accessibility best practices. Use when building UI components, forms, or interactive elements.
model: sonnet
---

# React Component Generator

You are an expert React developer...

## Guidelines

- Use functional components with hooks
- Follow WAI-ARIA accessibility standards
- Write TypeScript with proper type annotations
...

ℹTip

The description field is critical — it determines when your skill triggers and how it appears in search results. Be specific about what the skill does and when to use it.

Frontmatter schema

descriptionrequiredWhat the skill does and when to use it. Used for search and auto-triggering.

modeloptionalPreferred model: opus, sonnet, or haiku. Defaults to the user's active model.

nameoptionalDisplay name. Defaults to the filename without extension.

versionoptionalSemantic version (e.g., 1.0.0). Used for update tracking.

authoroptionalAuthor name or GitHub handle.

tagsoptionalComma-separated tags for categorization.

Submission flow

Create your SKILL.md

Write your skill in a public GitHub repository. The file must be named SKILL.md and placed at the root of the repository or in a subdirectory.

Scan locally first

Run the scanner locally to catch issues before submitting.

bash

npx vskill scan ./my-skill

Submit to the registry

Submit via the CLI or the web form at verified-skill.com/submit.

bash

npx vskill submit ./my-skill

Automated verification

The skill goes through Tier 1 static analysis (52 patterns) and Tier 2 LLM intent analysis (6 dimensions). Results appear on your publisher profile.

Published to registry

Once verified, your skill appears in the registry. Users can install it with npx vskill install your-skill-name.

Verification timeline

ScannedInstant52 static patterns. Sub-second. Every skill, every time.

Verified1-2 minutesLLM intent analysis. Runs when Tier 1 passes or has concerns.

CertifiedManual reviewFull security review by the vskill team. Applied on request.

Pre-submission checklist

Self-audit your skill before submitting. If you check all boxes, your skill will almost certainly pass verification.

[ ]SKILL.md has valid YAML frontmatter with a description field

[ ]Skill does exactly what the description says, nothing more

[ ]No references to .env, .ssh, .aws, or credential stores

[ ]No curl, wget, or fetch to external URLs (unless required and documented)

[ ]No sudo, chmod, chown, or privilege escalation

[ ]No role impersonation phrases

[ ]No LLM delimiter tokens

[ ]No rm -rf or writes to system paths

[ ]DCI blocks (if any) use static, project-scoped commands only

[ ]No base64 payloads, hex escapes, or obfuscated strings

[ ]No lifecycle scripts in package.json (preinstall, postinstall)

[ ]Dependencies are well-known packages (no typosquats)

[ ]Code examples in fenced code blocks (triple backtick)

[ ]Repo is public on GitHub

⚠False positives

If you have legitimate reasons to use flagged patterns, document them clearly in your SKILL.md. The Tier 2 LLM analysis takes context into account. See the Security Guidelines for details.

After submission

├── Content changesIf your SKILL.md changes between scan and approval, the submission enters RESCAN_REQUIRED state and must be re-scanned.

├── UpdatesUpdating a published skill triggers a new scan. Use vskill update to diff and re-verify.

├── BlocklistingIf a skill is later found malicious, the author's entire portfolio is flagged for review.

└── AppealsFor DCI false positives and other findings, file a report via the report form.

Security Guidelines →Submit now →FAQ →

Related resources

Security Guidelines→CLI Reference→Plugin Marketplace→