The AgentPod Skill Standard
Standard version 1.0 · published 9 July 2026
Anyone can call a catalog curated. The word costs nothing, and it has already been abused: marketplaces that branded themselves curated have shipped malware to hundreds of thousands of people. So instead of asking you to trust a label, we publish the exact checklist every skill on AgentPod must pass, we version it, and we show each skill's results on its own page. This is version 1.0 of that standard.
- What does the safety score on each skill mean?
- It is the result of the review above, out of 100. Points are lost for anything that increases risk or ambiguity: broad access, unclear provenance, actions that change or send data, weak trigger descriptions. It is our assessment, published so you can hold us to it.
- Why should I trust AgentPod's review?
- You should not have to trust it blindly, and that is the point of this page: the checklist is public, each skill page shows its score, test date, tested platforms, and file fingerprint, and the full skill text is on every page for anyone to read. Everything we claim is checkable.
- Does a passed review mean a skill is guaranteed safe?
- No, and we will never claim that. It means a person and our checks read the whole skill, found no problems, and verified it works on the platforms listed. Limits are described above, in plain sight.
Every skill is reviewed, line by line
A skill is a set of instructions your AI agent will follow with real access to your files and accounts. We treat that text as untrusted until a person and our automated checks have read all of it. A skill is listed only when every check passes.
- Does what it says: the behavior matches the description, with no hidden side effects.
- Least access: every file, tool, and connection the skill touches is mapped, and nothing is broader than the job requires.
- No hidden instructions (prompt injection): nothing in the text tries to make your AI ignore you, impersonate you, or follow orders buried in content it reads.
- No data leaks (exfiltration): nothing quietly sends your information to an outside service the skill has no reason to touch.
- No irreversible surprises: skills that can delete, overwrite, or send anything must preview first and ask before acting.
- Clear origin: the source and license are identified and credited, and the author is who they say they are.
- Written to actually work: the skill's trigger description is clear enough that your agent knows when to use it.
We install and run every skill ourselves
A review of the text is not enough, because the most common failure in this ecosystem is not malice: it is skills that install fine and then silently never work. So before a skill is listed, we install it and run it on the platforms we support: Claude Cowork, Claude Code, and Codex.
Every skill page shows the date we last tested it and the platforms we tested it on. If we have not tested something, it does not carry the badge, simple as that.
The file we reviewed is the file you install
Most directories point you at someone else's repository. The file that gets installed can change after the review, and in one documented case a skill passed two major security scanners and then swapped its payload after reaching 26,000 installs.
AgentPod works differently: your agent installs the skill file directly from agentpod.com, and that file is byte-for-byte the one we reviewed. Each skill page shows the file's SHA-256 fingerprint. If we re-review a skill after an update, the fingerprint changes with it. No silent swaps.
Honest usage labels
Agentic tasks can use 5 to 20 times more of your AI plan than a plain chat message, because the agent reads files, calls tools, and works in steps. People hit their plan limits without knowing why, conclude the product is broken, and quit.
So every skill carries a usage weight, assigned by us when we test it: light is a short exchange, medium reads several files or pages in one run, heavy runs long multi-step jobs like deep research or bulk processing. You see the cost before you run it.
What this standard cannot catch
We would rather under-promise. Passing this standard means we found no problems at review time and the skill worked when we tested it. It does not make a skill risk-free, and you should know the limits.
- Whether a skill actually fires in your session is partly up to your agent's own routing, which changes between versions and can silently skip skills. If one seems inactive, ask for it by name.
- Skills that connect to outside services (calendars, email, notes apps) inherit those services' outages and changes.
- A static review cannot see every possible behavior. That is exactly why we also test, hash-lock the files, and re-review.
- Your judgement still matters. Read what a skill can touch before running it on sensitive data.
When something fails after listing
Curation is not a one-time gate. Our nightly pipeline re-checks the catalog, and when a source repository goes bad, a connector breaks, or a report comes in, we act: the skill is fixed, delisted, or publicly written up in our not-safe section with a plain-language explanation.
If a skill we listed ever causes harm, we will say so plainly on this site, explain what our review missed, and update this standard so it catches the next one. That is what the version number is for.
Report a problem
If a skill behaves unexpectedly, seems to over-reach, or just does not work, tell us at hello@agentpod.com with the skill name and what you saw. Reports go straight to review and we act quickly. Finding what we missed makes the standard better for everyone.