Discover, browse, and install GitHub Copilot skills for your projects.
Copilot Skills Hub is a curated catalog of GitHub Copilot skills. Skills are instruction files (SKILL.md) that teach Copilot how to handle specific development tasks — from generating commit messages to performing security audits.
- Browse by Category — Skills organized into 11 categories (Testing, DevOps, Documentation, etc.)
- Search — Find skills by name, description, or trigger keywords
- One-Click Install — Copy commands to add skills to your project
- CLI Extension — Install skills directly from the terminal with
gh skills-hub - Security Scanning — Two-pass security scanner (regex + AI) validates every skill
- Skill Details — See what each skill does, its triggers, and example usage
Visit the live site: skillshub.space
Or explore the skills registry directly.
| Category | Skills | Description |
|---|---|---|
| ✨ Code Quality | 90 | Reviews, refactoring, linting |
| 📝 Documentation | 52 | READMEs, PRDs, technical writing |
| 🔀 Git & Version Control | 44 | Commits, branching, GitHub operations |
| 🎨 Frontend & UI | 48 | React, Vue, components, design |
| 🔌 API & Backend | 40 | REST APIs, GraphQL, databases |
| 🧪 Testing | 34 | Unit tests, E2E, test automation |
| 🚀 DevOps & CI/CD | 26 | Pipelines, Docker, Kubernetes |
| 🔧 MCP Development | 6 | Model Context Protocol servers and apps |
| 📊 Diagrams | 8 | Mermaid, PlantUML, visualizations |
| 🔒 Security | 2 | Audits, vulnerabilities, secure coding |
| 📈 Data & Analytics | 4 | SQL, data pipelines, visualization |
Skills are auto-discovered! Just add them to .github/skills/ and Copilot loads them automatically based on their name and description frontmatter.
# Install the gh extension
gh extension install samueltauil/skills-hub
# Search for skills
gh skills-hub search git
# Install a skill
gh skills-hub install git-commit
# Browse all available skills
gh skills-hub list- Find the skill on skillshub.space
- Click Download ZIP or Copy All Files on the skill detail page
- Extract to
.github/skills/<skill-name>/in your project
Note: No configuration needed! Copilot discovers skills automatically from
.github/skills/.
skills-hub/
├── .github/
│ ├── workflows/ # CI/CD for deployment & validation
│ ├── ISSUE_TEMPLATE/ # Issue templates
│ └── PULL_REQUEST_TEMPLATE/
├── site/ # Astro static site
│ ├── src/
│ │ ├── pages/ # Site pages
│ │ ├── components/ # UI components
│ │ └── layouts/ # Page layouts
│ └── public/ # Static assets
├── skills/
│ ├── schema.json # Skill metadata schema
│ ├── registry.json # Manually curated skills subset
│ └── security-rules.yml # Security scan rules
├── scripts/ # Build, scan, and enrichment scripts
├── sources/ # Upstream skill sources (git submodules)
├── gh-skills-hub # GitHub CLI extension
└── CONTRIBUTING.md # How to add skills
We welcome skill contributions! See the full Contribution Guide for detailed instructions.
- Fork this repository
- Add your skill to
skills/registry.json - Submit a Pull Request
- GitHub Actions validates your submission automatically
{
"id": "my-skill",
"name": "My Skill",
"description": "What this skill does...",
"shortDescription": "One-line summary",
"category": "code-quality",
"author": "your-name",
"license": "MIT",
"triggers": ["keyword1", "keyword2"],
"complexity": "beginner",
"source": {
"repo": "https://github.com/owner/repo",
"path": "skills/my-skill/SKILL.md"
}
}- Node.js 20+
- npm
npm install
cd site && npm install && cd ..
npm run devnpm run buildRun from the repository root:
| Script | Description |
|---|---|
npm run aggregate |
Aggregate skills from submodule sources into site/src/data/skills.json |
npm run scan |
Run regex security scan on all skills; updates verified field |
npm run scan:ai |
Run regex + AI security scan (requires GITHUB_TOKEN and Copilot CLI) |
npm run enrich |
AI-enrich skill metadata using @github/copilot-sdk (requires Copilot CLI) |
npm run build |
Aggregate + scan + build the Astro site |
npm run dev |
Aggregate + start local dev server |
Every skill undergoes a two-pass automated security scan before being published.
Pass 1 — Pattern analysis scans all skill files against 13 regex-based rules defined in skills/security-rules.yml:
- Shell command execution, eval, and unsafe deserialization
- Prompt injection markers and social engineering phrases
- Hardcoded secrets, credentials, and sensitive file access
- Base64 decode-and-execute, environment variable exfiltration
- Path traversal, SQL injection, and curl-pipe-to-shell patterns
Pass 2 — AI deep scan (opt-in) uses @github/copilot-sdk to semantically analyze skills for threats that regex can't catch: obfuscated malware, disguised data exfiltration, and supply chain risks.
Skills that pass the scan receive a ✅ Verified badge on the catalog and their detail page.
# Regex scan (default — runs as part of build)
npm run scan
# Regex + AI scan (requires GITHUB_TOKEN)
GITHUB_TOKEN=ghp_... npm run scan:ai
# Scan only (no write-back)
node scripts/scan-skills.js --output my-report.json
# Fail CI on high-severity findings
node scripts/scan-skills.js --fail-on-highThe scan runs automatically every time skills are synced from upstream sources (weekly via sync-skills.yml) and can also be triggered manually via the Enrich & Scan Skills workflow.
The enrich-skills.js script uses @github/copilot-sdk to improve skill metadata:
- shortDescription — a tight one-sentence summary
- tags — up to 5 relevant keywords
- complexity —
beginner,intermediate, oradvanced - platforms —
windows,macos,linux
Enrichment is incremental: skills already enriched are skipped unless --force is passed.
# Enrich up to 10 pending skills
GITHUB_TOKEN=ghp_... npm run enrich -- --limit 10
# Force re-enrich everything
GITHUB_TOKEN=ghp_... npm run enrich -- --force
# Dry-run (no writes)
GITHUB_TOKEN=ghp_... node scripts/enrich-skills.js --dry-runThe enrichment workflow can be triggered on-demand from the Actions tab.
MIT License - see LICENSE for details.
Copilot Skills Hub — Discover the right skill for every task.