
How to share and adopt AI skills safely.

  • 2 days ago
  • 12 min read
Who this is for: somewhat technical users, participants in the various AIMax Academy editions, miniMe Owners Club. Opens the AI LAB series on the blog: technical content for those already working with AI agents every day.

For millennia, humans have dreamed of acquiring knowledge and skills instantly.


As a kid, I dreamed of downloading a book into my head by tapping it gently against my head. It was an episode from a Mickey Mouse comic in the '80s-'90s that struck me (!) so much I spent years looking for a way to acquire skills instantly. Spoiler: I still haven't found one, but I'm still dreaming about it, especially for all the AI novelties popping up.

Two AI agents trying out new skills, trying to adapt them to their needs

I think Anthropic's idea of "skills" carries a lot of this desire. Except for us humans the shortcut is still far away. What we can do, though, is focus on our pampered agents. On our beloved, irreplaceable Claudio, Claudia, Claude, miniMe, which a year ago were considered extreme nerd territory when I showed them around, and have now gone mainstream.


Everyone grows their own "little agent", their own miniMe, and tries to give it only the best. Like a pet. Like a child who must have the top of every thing. A new skill here, an MCP server there, a custom connector elsewhere.


I'll stop or you'll end up tying me up. Those who know me know I joke about this affection, but the truth is that for me and for the miniMe Owners (the group of people that has formed around this way of working with agents, and that grows every day) it is becoming irreplaceable. On AIMax Academy there's a dedicated course for those who want it.


What a skill is, for anyone wondering


Skills are one of the most interesting things to come out of the AI agents world in the last two years. The nice part is that you can grasp them in half a minute, even on the run.


Imagine having a new assistant. They're smart, they're sharp, but in their first week of work they know nothing about you or how you do things. You'd want to teach them a specific way to move: how you prepare quotes, how you handle difficult emails, how you edit videos for a lesson. A skill is exactly this: a sheet of paper, written in plain English (or in Italian, for more local agents), that says "look, when you need to do X, do this, then that, then that". Often the sheet carries a small program that automates the most boring steps (a bit like how we used to bring our cheat sheets with formulas to school). But the most important part is the sheet itself: that's where the knowledge sits, the competence, the way of doing things. The program is just a little helper to execute them.


The powerful thing is that your agent decides by itself when to open that sheet. You don't tell it explicitly: it looks at what you're asking, understands "ah, this is where I need that thing" and goes to read it. It's as if every new assistant, just hired, instantly inherited the operating manual of the person who trained them. For anyone who has ever dreamed of cloning their own skills, this is the toy closest to the Mickey Mouse dream above.


Here lies both the magic and the problem. If the sheet is yours, written by you, you know what it contains. But if someone else hands you the sheet, your agent will read it and execute it. Without asking you anything. Without showing you what's inside.


The moment we hit bottom


Once at the market, you bought by looking, touching, listening to the seller. Those who knew how to evaluate took home a good product, those who didn't got ripped off. Skill marketplaces work the same way: lots of exposure but too much Plug & Pray. You read a dazzling description of the skill on display that "will change the way you work with AI forever", no one certifies anything, and you install on trust. It can work for a while, but sooner or later the bill comes due.


In early February 2026 a security researcher published an audit of one of the main skill marketplaces. Out of nearly 2,700 available skills, over 340 were malicious. Almost all part of a single coordinated campaign, designed to steal credentials, passwords and crypto wallets from those who installed them on their computers.


I've put all the numbers, technical names, and links to the audits at the end of the article. They were skills disguised as innocent utilities (crypto tools, YouTube plugins, Polymarket bots), calibrated for human categories where the urge to install right away wins over the urge to read the code or understand what you're doing.


Why copy-pasting a skill is a terrible idea


The pattern behind it is basic: there's FOMO, we all want super-agents, so we let agents exchange skills with each other:


"Look what I learned how to do..."

"Cool, I want to do it too."

"Sure, here's my skill."

The exchange above is a dialogue that could really happen between AI agents on MoltBook, the wannabe Facebook of agents that actually exchange skills with no controls.


Except that some of those skills contain malware, scripts that infect your machine, or worse: instructions that silently shape how your agent operates without you having any way to notice. A skill, in the end, is a long prompt plus some scripts. If you let it into your system, it self-activates when it decides. If it's a plugin with pre-configured connectors, it can do even more.


We can't solve the ancient problem of instant skill acquisition simply by downloading other people's skills. They can quietly cause disasters, and few people have the competence to actually read what's inside.


Some skills are genuinely interesting and worth trying. And right in the miniMe Owners group a healthy curiosity is growing around sharing the skills each of us has built. For example, my skill for automated video editing: it records interactions with ChatGPT, Lovable or other tools, packages them, automatically speeds up the pauses, and out comes a clean video. Or my skill for meeting transcription, which handles things even a secretarial team couldn't imagine.


Magic.


And here's the problem: I can't share them (I actually haven't yet) because they contain personal references, the recipient could get confidential data about me, or simply information that is perfectly clear and valid in my work context but doesn't apply elsewhere. They might also contain operations not allowed in the recipient's environment (in my case they won't contain hacking... but you'd have to trust me.) And if I shared them as-is, whoever receives them would have to read them, understand them, validate them from a cyber standpoint, adapt them to their environment. That is, adopt them, not install them as a black box.


How do we solve this?


The piece that's still missing


Anthropic has already made quite a few important moves on this front: it opened the skill format as a public standard, published guidelines and vertical drops, and in fact every skill is open source. But given what happened with the marketplaces, in my view one piece is still missing: the one about informed sharing. And I've called it ShareMe.md, a very simple file.


ShareMe tries to structure the minimum trust you need when you install someone else's skill. A skill that leaves someone's workspace and enters yours still needs to be welcomed with some trust: which can be blind (Plug & Pray) or informed (read what it touches, what it needs, what should change, and decide).


ShareMe is there to make that trust informed: it helps you adopt a skill, make it yours, understand it, adapt it to your environment. It helps you think.


A text file that lives next to SKILL.md when a skill leaves the workspace of whoever wrote it. A file that answers eleven (for now) questions:


  1. What is this skill, in one line?

  2. What does it concretely do?

  3. What does it not do?

  4. What does it do "behind the scenes" that might not be obvious: network calls, disk writes, MCPs touched, persistent profiles?

  5. What is specific to the author? (paths, brand, naming, profiles)

  6. What else could you do with it, beyond the original use case?

  7. What questions should you ask yourself before touching the code?

  8. What are the technical prerequisites?

  9. What are the cyber risks and ToS caveats?

  10. How do you adapt it, step by step?

  11. Under what license?


In essence, the skill stays untouched in the workspace of whoever wrote it. But when it leaves, it travels with an accompanying document that forces whoever (or whatever) receives it to stop, read, and decide if it really works for them.
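A first pass over a received skill folder, as an added example (not the ShareMe plugin's code and not taken from the author's repos): it lists the lines that bear on questions 4 and 5 above and reports whether a ShareMe.md sits next to SKILL.md. The regex patterns, the function names and the sample skill are assumptions constructed for this illustration; a hit means "read this line", not "this is malicious".

```python
import re
import tempfile
from pathlib import Path

# Heuristic patterns: assumptions of this example, not rules defined by ShareMe.
# Labels map to question 4 (behind the scenes) and question 5 (author-specific).
CHECKS = {
    "network call": re.compile(r"\b(?:curl|wget)\b|https?://|\brequests\.\w+\(|\burlopen\("),
    "disk write": re.compile(r"open\([^)\n]*['\"][wa]b?['\"]|\.write_(?:text|bytes)\("),
    "MCP tool": re.compile(r"\bmcp__\w+"),
    "persistent profile": re.compile(r"user[-_]data[-_]dir|launch_persistent_context"),
    "author-specific path": re.compile(r"/(?:Users|home)/[\w.-]+"),
}
TEXT_SUFFIXES = {".md", ".py", ".sh", ".js", ".ts", ".json", ".yaml", ".yml", ".txt"}

def review_skill(skill_dir):
    """List the lines a reader should inspect before adopting the skill."""
    root = Path(skill_dir)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in TEXT_SUFFIXES:
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        for lineno, line in enumerate(text.splitlines(), start=1):
            for label, pattern in CHECKS.items():
                if pattern.search(line):
                    findings.append((path.relative_to(root).as_posix(), lineno, label))
    return {
        "has_skill_md": (root / "SKILL.md").is_file(),
        "has_shareme": (root / "ShareMe.md").is_file(),
        "findings": findings,
    }

def build_sample_skill(root):
    """Write a constructed sample skill (not a real one) for the demo."""
    root = Path(root)
    (root / "scripts").mkdir(parents=True)
    (root / "SKILL.md").write_text(
        "# sample-skill\n"
        "Use mcp__playwright__browser_navigate to open the billing page.\n"
        "Save PDFs under /Users/author/Invoices.\n", encoding="utf-8")
    (root / "scripts" / "fetch.py").write_text(
        "import requests\n"
        "r = requests.get('https://billing.example.com/latest.pdf')\n"
        "open('invoice.pdf', 'wb').write(r.content)\n"
        "ctx = browser.launch_persistent_context('profile')\n", encoding="utf-8")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        report = review_skill(build_sample_skill(Path(tmp) / "sample-skill"))
        print("ShareMe.md present:", report["has_shareme"])
        for rel, lineno, label in report["findings"]:
            print(f"{rel}:{lineno}: {label}")
```

The output is a reading list for the person adopting the skill; it does not replace reading SKILL.md itself, where instructions written in plain language will not match any pattern.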


Skills should be adopted and adapted. They are not magic to be installed and forgotten. Unless you like to gamble, pollute your context window, and maybe risk compromising your computer, without knowing what's happening under the hood.

The plugin


I built a free plugin with just two skills for now:


The first, *WRAP*: if you have a skill of yours and want to pass it to someone, the plugin prepares a shareable version for you. It cleans it of your personal references and places next to it an instruction sheet that explains, to whoever receives it, what it does, what it doesn't do, what it might cause, and how to adapt it to their environment. The skill you use isn't touched: the plugin works on a copy, in a new folder placed next to the original.


The second, *UNWRAP*: if a skill written by someone else lands in your hands and you want to figure out whether it's worth installing, the same plugin analyzes it and produces the same adoption sheet for it too. At that point you spend a few minutes on it, decide, and avoid surprises.


It's open source. There are two options, your choice.


Option 1: ShareMe only. The standalone repo is github.com/maxturazzini/shareme. The standard and the skill, nothing else around. If you only care about this:


/plugin marketplace add maxturazzini/shareme
/plugin install shareme@shareme

Option 2: the marketplace aimax-skills. Same skills, inside a marketplace that will grow with other things I'll publish. You register the marketplace once, then install what you need when you need it:


/plugin marketplace add maxturazzini/aimax-skills
/plugin install shareme@aimax-skills

Two options. The first says "I only want this".


The second says "keep me plugged in, I'll see what comes out".


After installing, the skills are available in any Claude Code session as /shareme:wrap and /shareme:unwrap. For parameters, behaviors and format conventions check the README of the repos.


The skill stays where it should stay, and around it a layer of readable documentation emerges, to be consulted before adopting it as a black box. No more "install and let's see what happens".


But in practice?


Last week, a fellow entrepreneur asked me how I download the monthly invoices from the many foreign SaaS providers I pay subscriptions to (Anthropic, ChatGPT, ElevenLabs, Microsoft 365, Wix and so on). Same problem he had, same monthly annoyance for me. I have a skill that does it for me, called /invoice-download.


Five minutes: I ran /shareme:wrap, I got the depersonalized version and the ShareMe. I sent it to him. He read the sheet, understood what it touched (Playwright, Chrome profile, where invoices ended up), changed the paths to his environment, and was operational in no time.


Without ShareMe it would have been painful for me (a lot of time spent editing the skill to strip personal references) and a risk for him: "just install it, come on, and then we'll see". This way, at least, he understood a bit more of what the skill was doing and what he'd have to do himself to make it work.


What ShareMe does not solve


ShareMe does not solve the malicious case: whoever wants to scam you will write a deceitful ShareMe, just as they write deceitful descriptions inside the skills themselves today. Trust cannot be given to you by a prompt that self-certifies.


But at least you can start to understand what you're risking, and decide if it's fine with you or not.


Starting right from this marketplace, this plugin, these skills. Which of you spotted the inconsistency? I built a plugin with two skills meant to make skills shareable in a soft way. And I'm asking you to install it.


But at least this plugin comes with its own ShareMe.md already written.


Will it become a global standard?


I don't think so but... try it. If it works, share it. If it doesn't, open me an issue.


Worst case, we get Karpathy to make it viral. Always works. Can someone forward it to him? :)


So what?


The dream of downloading skills straight into your head, for now, concerns only the agents. For us humans the shortcut remains closed.


But if we want this toy to work outside our personal fence too, and especially inside companies (where this is essential), I believe ShareMe can help.


Alternatively, there are two things you can do on your own:


For those who write and share skills: before passing one to someone, write an instruction sheet readable in five minutes. What it does, what it doesn't do, what it touches, what's tailored to you. Call it ShareMe.md. The important thing is that it exists and actually explains what you're passing to whoever receives it. And reference it in the claude.md or in the Agents.md.


For those who install skills: try to understand before installing blindly. Always. Even if it comes from a trusted friend, even if the skill is official, even if it's the trend of the month. Your agent will execute everything that's written inside. It's worth knowing before, not after.


The day this becomes obvious to everyone, I'll stop writing posts like this. In the meantime, remember to watch out for the Plug & Pray :-)


Max



PS: A few links


Going back to the February audit: the researcher's name is Oren Yomtov, he works for Koi Security, and he published the data in this article. The marketplace is called ClawHub and it's the main one in the openClaw ecosystem. Precise numbers: 2,632 skills scanned, 341 malicious, 335 traced back to a single campaign called ClawHavoc, which distributed Atomic macOS Stealer (AMOS).


AMOS is a commercial infostealer that steals: browser credentials, macOS keychain passwords, cryptocurrency wallets, SSH keys, Telegram sessions.


I threw in seven technical terms on purpose. Even if you don't know what a keychain or an exfiltrated Telegram session is, you can tell it's bad stuff. When you install a third-party skill without reading it, you accept all this as a black box.


The names of the malicious skills were typosquats of the real name of the ClawHub CLI: clawhubb, clawhubcli, clawwhub. One extra vowel, a distracted install, and it's done.
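A name check for the typosquat pattern described above, as an added example that is not from the audits or from ClawHub: it compares a name you are about to install against an allow-list, using edit distance and common decorations. The trusted name `clawhub`, the decoration list and the distance threshold are assumptions of this example.

```python
import re

# Assumption: the genuine CLI is published as "clawhub"; the page only gives
# the product name ClawHub and the three lookalikes checked below.
TRUSTED = {"clawhub"}
# Constructed list of prefixes/suffixes that make a fake name look official.
DECORATIONS = ("cli", "app", "tool", "official")

def edit_distance(a, b):
    """Levenshtein distance that also counts an adjacent swap as one edit."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def lookalike_of(candidate, trusted=TRUSTED):
    """Return (trusted_name, reason) when candidate imitates a trusted name."""
    if candidate in trusted:
        return None  # exact match: this is the name you meant
    cand = re.sub(r"[^a-z0-9]", "", candidate.lower())
    for good in sorted(trusted):
        if cand == good:
            return good, "differs only in case or separators"
        for extra in DECORATIONS:
            if cand in (good + extra, extra + good):
                return good, f"trusted name decorated with '{extra}'"
        distance = edit_distance(cand, good)
        if distance <= 2:  # threshold is a judgment call; short names need 1
            return good, f"edit distance {distance}"
    return None

if __name__ == "__main__":
    # The first three names come from the page; the last two are constructed.
    for name in ("clawhubb", "clawhubcli", "clawwhub", "clawhub", "pdf-merge"):
        print(f"{name:12} -> {lookalike_of(name)}")
```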


Shortly after Koi's audit, Snyk published ToxicSkills, the first systematic audit of the ecosystem: prompt injection in 36% of skills tested, 1,467 active malicious payloads across ClawHub and skills.sh. Cato Networks separately documented how you can weaponize Claude Skills to deliver ransomware, MedusaLocker included.


Prompt injection: the skill manipulates your agent with hidden instructions. Ransomware: they encrypt your files and ask for a ransom. This is what you expose yourself to when you install without reading.


On Anthropic's drop: the financial services plugins, and the inc.com coverage on the extension to HR, legal, financial research. Anthropic's own skill guidelines remind you to "treat them as software to install".




Q&A


Do I have to write a ShareMe.md for every skill I share, even with a trusted friend?

Yes. The problem isn't the friend, it's their agent. Even if you trust the person 100%, the agent of whoever receives it will execute everything that's written inside: paths, commands, MCPs touched, disk writes. ShareMe makes these things visible before installation. Five minutes spent like this save you hours of debugging later.


Does ShareMe.md protect you from malicious skills?

No. Whoever wants to scam you will write a deceitful ShareMe, just as they write deceitful descriptions inside the skills themselves today. ShareMe solves a different problem: it makes the exchange navigable between those who share in good faith and those who receive. It helps you understand what you're adopting, adapt it to your environment, ask yourself the right questions first. Runtime sandboxing is up to Anthropic and the vendors, we can't do it from the user side.


What do I do if I receive a skill without a ShareMe.md?

Run /shareme:unwrap on the skill. The plugin analyzes it and produces the same adoption sheet even if the author didn't write one. It works on any skill, including public ones. Output in a few minutes: a draft ShareMe to review, but a good starting point to decide whether to install it or not.


Can I apply ShareMe to skills I've already installed without thinking?

Yes, and I recommend it. Run /shareme:unwrap on each third-party skill you've accumulated. Read what it actually does: persistent profiles, writes to paths you didn't expect, MCPs it touches, network calls. If you find something that doesn't sit right, decide whether to keep it or uninstall it. It's a hygiene routine worth doing twice a year.


ShareMe standalone or aimax-skills marketplace: which one do I install?

The skills are identical, only the entry point changes. shareme if you only want this: two skills, nothing else around, single repo. aimax-skills if you want to stay connected to what I'll publish in the same marketplace in the future. Reversible choice at any time: remove one marketplace, add the other, the skills stay where they are.

