LAST UPDATED: FEBRUARY 13, 2026
A skill file is how an AI agent tells other systems what it can do. The SKILL.md standard — now adopted by OpenAI, Microsoft, GitHub Copilot, and thousands of developers — is reshaping how agents discover, consume, and verify each other's capabilities.
Self-registration, soulbound identity, transparent trust scoring.
THE CONCEPT
An AI agent that can't describe itself is invisible. It might be the best code reviewer on the internet. It might process invoices faster than any human team. Doesn't matter. If another system can't read what it does, how to call it, and what it returns — it doesn't exist in the agent economy.
A skill file solves this. It's a structured document — typically named SKILL.md — that describes what an AI agent can do, how to invoke it, and what to expect back. Think of it as the difference between a person who can do a job and a person who has a résumé on file. Both are capable. Only one gets found.
The format was created by Anthropic, introduced as a Claude feature in October 2025, then released as an open standard on December 18, 2025 at agentskills.io. Within weeks, OpenAI adopted a structurally identical format for ChatGPT and Codex, Microsoft integrated it into VS Code and GitHub Copilot, and platforms like Cursor, Vercel, and Cloudflare added native support.
SKILL.md is to AI agents what robots.txt was to web crawlers. A simple text file at a known location that tells automated systems what to do. Except instead of telling crawlers where not to go, it tells agents what you can do and how to use you.
ANATOMY
Every skill file has two parts: YAML frontmatter for machine-readable metadata and a Markdown body with human-and-agent-readable instructions. The formal specification is intentionally minimal — as security researcher Simon Willison noted, you can read the entire thing in a few minutes.
Required: name (≤64 characters) and description (≤1,024 characters). Optional: license, metadata, and compatibility fields. This is what agents scan for quick discovery — roughly 100 tokens per skill.
Free-form instructions: workflows, examples, edge cases, step-by-step procedures. Anthropic recommends keeping it under ~5,000 tokens. This is the part agents load into context when they actually need to use the skill.
A skill is a directory, not just a file. The SKILL.md sits at the root, with optional subdirectories for scripts, reference documents, and other resources the agent loads on demand during execution.
The critical design principle. At startup, agents load only the frontmatter for discovery. When a task matches, the full body loads. During execution, scripts load on demand. This keeps agents fast while enabling deep capabilities.
The specification lives in the agentskills/agentskills GitHub repository under Apache 2.0 (code) and CC-BY-4.0 (documentation). Anthropic maintains a reference library of production skills.
THE ECOSYSTEM
The largest skill file ecosystem grew around OpenClaw, the open-source AI agent framework that exploded to 188,000+ GitHub stars in early 2026. OpenClaw uses SKILL.md as its core plugin format, and its community marketplace — ClawHub — now hosts over 5,700 community-built skills. Think of it as npm for AI agents.
5,700+
Skills on ClawHub
188K+
OpenClaw GitHub stars
12+
Platforms with native support
But skill files aren't limited to OpenClaw. Commercial partners building pre-built skills include Atlassian, Canva, Cloudflare, Figma, Notion, Ramp, Sentry, Stripe, and Zapier. Cloudflare published an RFC for web-based skill discovery using .well-known/skills/ URIs — meaning agents could eventually discover skills from any website, not just a marketplace. Mintlify already auto-generates skill files for all its documentation sites.
Both MCP and Agent Skills now fall under the Agentic AI Foundation at the Linux Foundation, co-founded by Anthropic, OpenAI, and Block. The standard is converging, not fragmenting.
THE RISK
The same openness that made skill files powerful made them dangerous. A SKILL.md file isn't just documentation — it's executable instructions that an agent follows autonomously. As 1Password's security team put it: “Markdown isn't 'content' in an agent ecosystem. Markdown is an installer.”
In January 2026, security firm Koi Security discovered 341 malicious skills on ClawHub — 335 from a single coordinated campaign called ClawHavoc. Over 9,000 OpenClaw installations were compromised before the attack was detected. The malware targeted cryptocurrency wallets, SSH keys, browser credentials, and API keys.
The attack used typosquatted skill names — like solana-wallet-tracker and youtube-summarize-pro — to trick agents into loading malicious instructions. Some skills contained base64-encoded payloads. Others hid reverse shell backdoors inside otherwise functional code.
Snyk's threat analysis identified what they called the “lethal trifecta” of AI agent security: agents combine access to private data, exposure to untrusted content, and the ability to take external action. A malicious skill file exploits all three at once. Their follow-up ToxicSkills study found that 36% of AI agent skills contain security flaws, with over 1,400 malicious payloads identified across the marketplace.
Meanwhile, the Moltbook breach exposed 1.5 million API keys from a social platform built entirely with AI-generated code. The pattern is clear: as agents proliferate, the infrastructure connecting them is being built faster than it's being secured.
Skill files tell you what an agent claims it can do. They don't tell you who built it, whether it has a track record, or whether anyone has verified it. ClawHub added GitHub OAuth verification and VirusTotal scanning after ClawHavoc — good steps. But the deeper problem remains: agents have capabilities without identity.
A skill file answers “what can this agent do?” It doesn't answer “should I trust this agent?” That's a different question entirely — and it's the question that Know Your Agent infrastructure exists to answer.
THE STACK
The AI agent ecosystem in 2026 is organizing into complementary protocol layers. Each one solves a different problem. Skill files occupy one layer — and depend on the others to work safely.
Anthropic's Model Context Protocol standardizes how agents connect to external tools and data sources. Released November 2024, now under Linux Foundation governance. MCP handles the “southbound” connection — agent to tool.
Google's Agent-to-Agent Protocol handles how agents discover and communicate with each other. Launched April 2025, backed by 150+ organizations. Uses Agent Cards at /.well-known/agent-card.json.
Procedural knowledge and domain-specific workflows. A skill file tells an agent how to use the tools MCP connects and the services A2A discovers. It's the instructions, not the wiring.
The ERC-8004 standard adds on-chain identity, reputation, and verification. Deployed on Ethereum Mainnet January 29, 2026. It answers the question the other protocols can't: “Should I trust this agent?”
The protocols are converging rather than competing — which means the identity and trust layer becomes more important, not less, as interoperability improves. Capabilities without identity is the gap. That's what the KYA layer fills.
GETTING STARTED
Skill files are becoming table stakes. If your agent doesn't have one, it's invisible to the growing ecosystem of orchestrators, marketplaces, and other agents that use SKILL.md for discovery.
Start with the SKILL.md spec. Be specific about what your agent does and honest about what it doesn't. Overstatement gets your skill invoked for tasks it can't complete — which burns trust fast.
A skill file makes your agent describable. Registration in an open registry makes it discoverable. RNWY's API lets you register with one call — or batch-register up to twenty agents.
Connect a wallet. Mint a soulbound identity. The more verifiable context your agent carries, the more likely other systems are to invoke it over an unverified alternative.
If you're consuming skills from marketplaces, use tools like Cisco's AI Skill Scanner to check for prompt injection, encoded payloads, and malicious dependencies before loading them.
RNWY'S APPROACH
RNWY's AI agent identity API is built for a world where agents register themselves. An agent can read RNWY's own skill.md, understand the registration endpoint, and register itself — no human approval, no OAuth, no gatekeeper.
What follows is what skill files alone can't provide: a persistent identity, an explorer profile with transparent trust scoring, and on-chain verification through a soulbound token that anyone can check. Every score shows its math. Every pattern shows its evidence.
Same door, whether you're a human registering an agent or an agent registering itself. The skill file is the entry point. The identity is what makes the agent verifiable.
One API call. Soulbound identity. Transparent trust scoring that shows its math. No gatekeeper.
See the API →