Skills Catalog Enterprise Usage
This guide shows how to implement an enterprise-ready skills catalog for AI coding assistants and agents under AEEF controls. It translates PRD-STD-017: Agent Skills Catalog Governance into practical workflows for implementation teams.
Why a Skills Catalog Matters
Community skill collections (for example, Claude Skills catalogs) are useful discovery signals, but they are not enterprise controls. AEEF recommends converting external skill ideas into an internal skills catalog with explicit ownership, risk classification, and gate integration.
This is especially important for "vibe coding" environments where developers may otherwise execute ad hoc prompts or imported skills without review or traceability.
Official Vendor Baseline: anthropics/skills
The X post you flagged points to Anthropic's official skills repository:
https://github.com/anthropics/skills
AEEF recommends treating this repository as an official vendor baseline source for:
- skills packaging patterns (
SKILL.md, scripts/resources layout) - implementation examples
- benchmarking internal skill quality
Important:
- Official source does not mean auto-approved for enterprise runtime use.
- Anthropic's README indicates mixed usage terms (many skills open source, some source-available document skills).
- You MUST verify license/usage status per skill before internal adoption.
- Maintain a per-skill license matrix in the intake records before mapping Anthropic skills into your internal catalog.
What to Build
At minimum, implement:
- Skill Registry — metadata and approval status for every skill
- Execution Policy — who can run which skill, where, and with what tools
- Review Workflow — intake, testing, approval, deprecation
- Traceability Hooks —
skill-idandskill-versionrecorded in run logs or PRs - Starter Catalog — a small approved set for common tasks
Recommended Starter Skill Catalog (AEEF-Aligned)
Start with a curated, internal set of skills tied to standards rather than a large unreviewed catalog.
| Skill Category | Example Skill | Primary Standard Mapping | Risk Class | Default Status |
|---|---|---|---|---|
| Implementation | Feature scaffold with tests | PRD-STD-003, PRD-STD-007 | Development Assist | Approved |
| Review | PR risk review | PRD-STD-002, PRD-STD-009 | Development Assist | Approved |
| Security | Secure endpoint review | PRD-STD-004, PRD-STD-009 | Sensitive | Provisional |
| Dependency | Dependency risk check | PRD-STD-008 | Elevated Tool Use | Approved |
| Documentation | Change summary + runbook | PRD-STD-005 | Development Assist | Approved |
| Orchestration | Handoff artifact generator | PRD-STD-009, PRD-STD-017 | Development Assist | Approved |
Enterprise Workflow: External Skill to Internal Catalog
Step 1: Capture with Attribution
For any external/community skill:
- record original owner/publisher
- record source URL
- record date evaluated
- record your internal adaptation delta
For official vendor repositories (for example, anthropics/skills), also record:
- vendor/publisher classification (
official-vendor-source) - per-skill license status (
open-source,source-available,unknown) - whether the skill is a reference pattern only vs runtime candidate
Do not paste or republish external content as internal originals.
For a concrete AEEF intake example (quarantine clone + attribution manifest + starter catalog mapping), see Skills Catalog Intake & AEEF Starter Mapping.
Step 2: Classify and Constrain
Define:
- allowed agent roles
- allowed environments (
dev,staging,prod) - allowed tools/commands
- required gates (
code review,tests,security scan)
Step 3: Sandbox Evaluation
Test each skill against:
- normal task input
- ambiguous input
- risky input (secrets, production commands, architecture changes)
- failure-handling behavior
Step 4: Publish in Internal Catalog
Make approved skills discoverable in a single registry doc or service:
skill-id- version
- usage scope
- owner
- approval status
- examples
- known limitations
Vibe Coding Integration (Controlled, Not Freeform)
Objective
Convert "vibe coding" from informal prompting into skill-backed, gated workflows.
Pattern
- Developers choose an approved skill (not freeform copy/paste prompts) for common tasks.
- Skill output must include required artifacts (tests, risk notes, traceability fields).
- CI and reviewers verify output against AEEF gates.
- High-risk work escalates to specialized skills or role-agents (security/compliance/architect).
Minimum Team Rules
- No direct production use of unregistered skills
- Every skill-generated change still requires human review
- Skills that run commands or write files must be policy-scoped
- External skill sources must remain attributed in the internal registry
IDE and Agent Runtime Integration Patterns
IDE (Copilot / Cursor / Claude Code)
- Maintain a small approved skill set per repo/team
- Reference the skills catalog in
.cursorrules,CLAUDE.md, and team instructions - Add "use approved skills first" guidance to onboarding and review checklists
Agent Orchestrator
- Validate
skill-id+ version before agent execution - Block skills not allowed for current agent role or stage
- Require gate completion before moving to next stage
See Skill Registry & Multi-Agent Gate Patterns for orchestration details.
Example Skills Catalog Entry (Markdown)
## skill-id: aeef.dev.secure-endpoint-template
- Version: 1.0.0
- Owner: Security Engineer
- Source: Internal adaptation (inspired by external community skill)
- Attribution URL: https://github.com/BehiSecc/awesome-claude-skills
- Status: Provisional
- Risk Class: Elevated Tool Use
- Allowed Roles: developer-agent, security-agent
- Allowed Environments: dev, staging
- Required Gates: code-review, testing, security-scan
- Output Requirements: tests, risk notes, AI attribution metadata
- Known Limitations: framework-specific assumptions (Express/FastAPI)
Rollout Plan (30 Days)
- Week 1: create registry schema and ownership model
- Week 2: publish 5-10 approved starter skills
- Week 3: integrate skill checks into reviews/CI metadata validation
- Week 4: add orchestration gate enforcement and deprecation workflow