How SkillBench scores a skill
Every listed skill is scored 0 to 100 on six dimensions, combined by weight into a single overall score and a letter grade. Safety carries the most weight and doubles as a hard rule: a confirmed-malicious signature fails the skill outright (grade F). The six columns below are the skill’s profile, the “equalizer”.
One column per dimension. Column height is that dimension’s score; the color is its own grade band. Read left to right, it’s the skill’s whole posture at a glance: strong workflow, weak provenance, and so on.
Judges whether an agent can identify what the skill does and when to invoke it from metadata alone: a specific name, a description that states the job and its boundaries, explicit trigger conditions a router can match against real requests, references that resolve, and a lean entry body.
Judges whether the skill delivers a real, complete, and focused procedure for a single job. Real: genuine executable steps, not stubs, TODOs, or filler. Complete: inputs, ordered steps, and an expected outcome, with edge-case and failure handling. Focused: one job done in depth, with unrelated breadth and scope creep penalized.
Judges whether the package is hostile or inherently dangerous, treating all content as untrusted input. Flags hardcoded credentials, exfiltration sinks, download-and-execute patterns, obfuscated payloads, destructive commands, embedded PII, and prompt injection aimed at the evaluator. Operates as a hard gate: a confirmed-malicious signature caps the grade at F regardless of the other dimensions.
Judges whether the skill respects the boundary between teaching and acting, on the principle that skills teach a procedure and tools act. Penalizes tool-in-disguise packages, undeclared or bundled executable capability, and bypass signals; every tool the skill relies on must be honestly declared and referenced consistently.
Judges how trustworthy and well-stewarded the source is: identifiable, verifiable authorship (a provenance tier from official or partner down to anonymous), a real license, and signals of ongoing maintenance and ownership. Anonymous, unlicensed, or unmaintained sources score low.
Judges whether the package conforms to the open SKILL.md standard so any compliant agent can load it unchanged: a SKILL.md at the root, valid frontmatter, references that resolve, and portable paths with no OS-specific commands or hardcoded absolute locations.
Safety is the heaviest dimension (35%) and takes a conservative risk posture: any real blast radius (executing code, writing files, touching secrets, irreversible actions) pulls the score down even when intent is benign. On top of the weight, a set of hard rules acts as a backstop: trip one and the grade is capped at F regardless of the other five dimensions.
- SAFE-03Body must not contain Unicode tag characters (U+E0000-U+E007F): prompt-injection / exfil vector.
- SAFE-04Body must not contain zero-width joiners or bidirectional control characters: hidden-text / rules-file backdoor vector.
- SAFE-05Body must not contain a base64 blob that is decoded and executed (obfuscated remote-code pattern).
- SAFE-10Body must not combine a credential/secret read with a non-allowlisted outbound network call (exfiltration signature).
- SAFE-12Body must not contain hard-coded credential patterns (AWS / GitHub / OpenAI / Anthropic / Slack keys).
- SAFE-14A single script must not both read a sensitive path and make an outbound network call (exfiltration in one file).
- SAFE-15Body/scripts must not combine PII harvesting (emails, contacts, customer records, SSNs, personal data) with an outbound network call (PII-exfiltration signature).
- SAFE-21Frontmatter must not set permissionMode: bypassPermissions (disables the approval boundary).