Agent Skills
Agent Skills are version-controlled instruction packs that teach an agent a repeatable workflow — PR review, release notes, migration checklists — without re-prompting every session.
Last reviewed: June 2026
Skills frontmatter fields and discovery paths change between tool releases. Verify against Cursor Agent Skills docs and the Agent Skills specification before relying on specifics.
The problem
Project rules (AGENTS.md, .cursor/rules/) answer "how does this repo work?" Skills answer "how do I run this workflow?" — a security review, a deploy checklist, a Markdoc page from the growth playbook.
Without skills, teams paste the same multi-paragraph prompt into every session. With skills, the agent loads instructions on demand and follows a tested procedure.
Skills vs rules vs MCP
| Mechanism | What it carries | When to use |
|---|---|---|
Rules (AGENTS.md, .cursor/rules/) | Persistent repo conventions — stack, lint commands, protected paths | Every session in this repo |
Skills (SKILL.md) | Task-specific workflows — review checklists, release steps, content templates | Repeatable procedures invoked when relevant |
| MCP servers | Live tools — query DB, search internal docs, call APIs | When the agent needs external data or side effects |
Rules stay lean. Skills hold procedural depth. MCP handles runtime access skills cannot provide.
See Project Rules for rules authoring and Building MCP Servers when a skill needs live data.
Directory layout
Each skill is a folder with a required SKILL.md:
my-skill/
├── SKILL.md # Required — frontmatter + instructions
├── references/ # Optional — loaded on demand
│ └── standards.md
├── scripts/ # Optional — executable helpers
│ └── validate.sh
└── assets/ # Optional — templates, config samples
Where skills live
| Location | Path | Scope |
|---|---|---|
| Project | .cursor/skills/<skill-name>/ | Shared with the repo; commit to git |
| Personal | ~/.cursor/skills/<skill-name>/ | All your projects on this machine |
Do not author skills under ~/.cursor/skills-cursor/ — that directory is reserved for Cursor built-in skills.
The folder name must match the name field in frontmatter (lowercase letters, numbers, hyphens; max 64 chars).
SKILL.md structure
Every skill starts with YAML frontmatter, then markdown instructions:
---
name: security-review
description: >-
Review diffs for SQL injection, hardcoded secrets, missing auth checks,
and XSS. Use when reviewing pull requests, examining staged changes,
or when the user asks for a security review.
disable-model-invocation: true
paths: src/**/*.ts, src/**/*.tsx
---
# Security Review
## Checklist
- [ ] Parameterized queries only — no string-concatenated SQL
- [ ] No secrets in source; env vars server-side only
- [ ] Mutations call auth middleware before business logic
- [ ] No dangerouslySetInnerHTML without sanitization
## Output format
Return pass/fail per category with severity (critical / warning / info).
Frontmatter fields
| Field | Required | Purpose |
|---|---|---|
name | Yes | Identifier; must match the parent folder name |
description | Yes | What the skill does and when to invoke it — the agent uses this for discovery. Write in third person; include trigger keywords |
paths | No | Glob patterns (comma-separated string or YAML list). Skill surfaces only when the agent works on matching files |
disable-model-invocation | No | When true, skill loads only on explicit /skill-name — not auto-discovered from context |
metadata | No | Arbitrary key-value pairs (version, owner, etc.) |
Description quality matters. Vague descriptions never trigger. Good: "Generate commit messages from staged diffs following Conventional Commits. Use when the user asks for a commit message or reviews staged changes." Bad: "Helps with git."
Default disable-model-invocation: true for destructive or expensive workflows (deploys, migrations). Omit it when you want ambient discovery (e.g. a Markdoc authoring skill scoped with paths).
Progressive disclosure
Keep SKILL.md under ~500 lines. Put reference material in sibling files the agent reads only when needed:
## Additional resources
- Full coding standards: [references/standards.md](references/standards.md)
- Example reviews: [references/examples.md](references/examples.md)
Link one level deep from SKILL.md — nested reference chains lead to partial reads.
Scripts in skills
Reference executable helpers with paths relative to the skill root. In the skill body, tell the agent to run the script — do not nest code fences inside a SKILL.md example:
## Validate before merge
Run: bash scripts/validate-markdoc.sh <file>
Do not reimplement the checker inline. Fix reported errors before finishing the task.
Scripts beat generated one-offs when the operation is fragile or must be identical every time.
Invocation
| Method | Behavior |
|---|---|
| Auto-discovery | Agent reads skill metadata at startup; loads full SKILL.md when description matches the task |
Explicit /skill-name | Forces the skill into context regardless of disable-model-invocation |
paths scoping | Skill metadata appears only when editing files matching the glob |
Test discovery by starting a fresh session and asking for the workflow without naming the skill. If it does not load, tighten the description trigger terms or remove disable-model-invocation.
Example: content page skill
Project skill for this site's Markdoc pages:
.cursor/skills/add-markdoc-page/
├── SKILL.md
└── references/
└── checklist.md
---
name: add-markdoc-page
description: >-
Add a Markdoc content page to a Next.js Pages Router site — frontmatter,
navigation.js registration, cross-links. Use when creating pages under
src/pages/ or when the user mentions Markdoc, navigation.js, or content growth.
paths: src/pages/**/*.md
---
# Add Markdoc Page
1. Create `src/pages/<path>.md` with required frontmatter: title, pageTitle, description, date (MM-DD-YYYY).
2. First paragraph ends with the Markdoc lead annotation; add a Last reviewed callout.
3. Register in `src/shared/navigation.js` — href without trailing slash.
4. Cross-link from one related existing page.
5. Run `npm run dev` and open the new URL with trailing slash.
Allowed Markdoc tags only — see `markdoc/tags.js`. No MDX or JSX.
Production concerns
| Concern | What to do |
|---|---|
| Cost | Skills add tokens when loaded; use paths and disable-model-invocation to avoid loading irrelevant workflows |
| Latency | Large SKILL.md files slow first response; split into references/ |
| Failure modes | Agent skips steps if instructions are vague — use numbered steps and checklists, not prose |
| Drift | Review skills when stack versions change; tie skill PRs to CODEOWNERS like rules files |
| Secrets | Never embed API keys in skills; point to env vars or MCP for runtime credentials |
Team rollout
| Step | Action |
|---|---|
| 1 | Start with one high-friction workflow (security review, release notes) |
| 2 | Store in .cursor/skills/; add CODEOWNERS on .cursor/skills/ |
| 3 | Document invocation in CONTRIBUTING.md — when to /skill-name vs rely on auto-discovery |
| 4 | Link skills from Team AI Policy if they gate merge (e.g. required review checklist) |
| 5 | Quarterly review alongside Project Rules |
Skills complement Agentic Workflows — the skill is the playbook; the agent loop executes it.
Related
- Project Rules and AGENTS.md — persistent repo conventions
- Building MCP Servers — when skills need live tool access
- Agentic Workflows — plan → implement → review loops
- Claude Code — skills, hooks, and terminal agent patterns
- Context Engineering — token budgeting across rules and skills