policies
in public.
These rules describe what skillZs lists, how rankings and catalog counts are produced, what security information means, and how corrections are handled. They are product commitments, not claims that every upstream record has been independently reviewed.
Effective and last updated .
Catalog policy
What is eligible for display?
skillZs displays Agent Skill records returned by the supported public skills.sh API. A record must remain available through that API and retain enough source identity for a user to inspect its repository or domain. skillZs does not currently accept direct uploads or paid submissions.
Upstream availability is not an endorsement. Being listed does not mean approved, safe, or endorsed by skillZs. It means the record is discoverable through the supported upstream catalog contract.
What can be excluded or de-emphasized?
- Records removed or hidden by the upstream service stop appearing when its API stops returning them.
- Records explicitly flagged as duplicates are omitted from the public sitemap.
- Unavailable detail records are not replaced with scraped or guessed content.
- Paid placement does not change leaderboard order.
How are corrections handled?
Source ownership, install counts, duplicate flags, and audit results originate upstream. Report those errors through the skills.sh correction process. Report a skillZs rendering, copy, categorization, or broken-link error to the site operator. Include the listing URL, expected result, evidence, and whether the report contains sensitive information. The application does not yet offer a public issue tracker or contact form.
Methodology
What does the catalog count mean?
The number displayed by skillZs is the API-enumerable leaderboard total returned in pagination.total. It is not a claim about every raw, discovered, duplicated, rejected, private, or otherwise non-enumerable skill that may exist in a wider upstream index. If skills.sh displays a broader all-time counter, skillZs does not relabel that counter as downloadable inventory.
How are rankings calculated?
All-time, trending, and hot ordering come from the corresponding upstream API views. skillZs does not add editorial boosts or sell ranking positions. Install telemetry measures reported adoption, not correctness, maintenance, compatibility, or task fit.
What does skillZs transform?
- Source identity, install counts, files, duplicate flags, and audit responses come from skills.sh.
- Lightweight topic labels may be inferred from names and descriptions for navigation.
- Guides and research pages add editorial explanation and identify their sources and update dates.
- Browse results are cached briefly for reliability and to respect upstream limits, so short delays are expected.
Which API does skillZs use?
Yes: skillZs already uses the same documented public API contract that Vercel provides to third parties. Production calls the /api/v1/ endpoints with Vercel OIDC authentication. The listing endpoint provides the pageable leaderboard; search can query the wider corpus but returns at most 200 results for a query and has no cursor for bulk enumeration.
No: the supported API does not currently provide a bulk export of the broader advertised corpus. The skills.sh website also calls undocumented internal routes such as /api/skills/.... In a July 15, 2026 check, those routes returned the same smaller pageable leaderboard total. They have no published compatibility contract, so skillZs does not depend on them.
The supported API permits reasonable cached use subject to its published rate limits and terms. skillZs does not bypass rate limits or scrape around missing API coverage. See the skills.sh terms and API reference.
Security policy
What does a listing or audit mean?
A listing is a discovery record, not a security certification. When skills.sh supplies partner audit results, skillZs displays their provider, verdict, and summary. A pass can reduce known risk for the audited revision; it cannot guarantee future updates, runtime permissions, external inputs, dependencies, or agent behavior.
What does skillZs promise?
- Preserve source links so users can inspect provenance.
- Do not describe popularity or an audit pass as proof of safety.
- Do not silently execute third-party skill code on behalf of visitors.
- Honor upstream removals through normal catalog refreshes.
- Tell users to inspect source, instructions, scripts, dependencies, data access, and permissions before installation.
How should security issues be reported?
For a malicious or compromised third-party skill, preserve the exact source URL and revision, stop using it, rotate exposed credentials, and report it to the source host and skills.sh. skillZs does not yet have a dedicated private vulnerability-reporting channel. Do not publish secrets, working exploits, or personal data. Contact the site operator without sensitive details to request a secure reply path.
Reports should include impact, affected URL or revision, reproduction steps, and a safe contact path. A dedicated disclosure address should be added when the project opens a public support channel.
