Working with Skills

How copilot-kit's 45 domain skills are loaded on-demand and how to get the most out of them.

How skills work

Skills are domain-specific knowledge files stored in .github/skills/. Each skill has a SKILL.md containing detailed instructions, examples, and best practices for its domain.

Skills are lazily loaded — they are only read when the request keywords match the skill's domain signals. This keeps responses fast while enabling deep expertise when needed.

Skill loading protocol

Agent is activated by the Risk Engine

Agent checks the request for domain keywords

Matching skills are identified by their description field

Only the matching sections of SKILL.md are read (selective reading)

ARCHITECTURE.md is read on first multi-file or cross-module action

Bulk-reading skill folders is prohibited. Skills stay dormant until request keywords match their description field. This prevents context bloat from irrelevant knowledge.

All 45 skills

Code Quality

clean-codecode-review-checklisttdd-workflowtesting-patternslint-and-validate

Frontend

frontend-designtailwind-patternsvercel-react-best-practicesweb-design-guidelinesseo-fundamentalsgeo-fundamentals

Backend & API

api-patternsdatabase-designnodejs-best-practicespython-patternsrust-pro

AI & ML

ai-engineeringml-patterns

Mobile

mobile-design

Systems & Robotics

ros2-humblerobotics-automationiot-solutionscontrol-systems

Security

vulnerability-scannerred-team-tactics

Infrastructure & Ops

deployment-proceduresserver-managementbash-linuxpowershell-windows

Architecture & Planning

architectureplan-writingparallel-agentsapp-buildermcp-builder

Developer Experience

systematic-debuggingperformance-profilingconventional-commitsi18n-localizationdocumentation-templatesbrainstormingbehavioral-modesgame-developmentintelligent-routingfind-skillswebapp-testing

Triggering skills explicitly

While skills fire automatically, you can name a skill explicitly in your request to guarantee it loads:

If you

Mention "security audit" or "vulnerabilities"

→ vulnerability-scanner skill

If you

Mention "architecture" or "system design"

→ architecture skill

If you

Mention "test" or "TDD" or "coverage"

→ tdd-workflow + testing-patterns

If you

Mention "deploy" or "production" or ".env"

→ deployment-procedures (L3 gate)

PreviousRisk Levels Explained NextAgent Routing

How skills work

Skills are domain-specific knowledge files stored in .github/skills/. Each skill has a SKILL.md containing detailed instructions, examples, and best practices for its domain.

Skills are lazily loaded — they are only read when the request keywords match the skill's domain signals. This keeps responses fast while enabling deep expertise when needed.

Skill loading protocol

Agent is activated by the Risk Engine

Agent checks the request for domain keywords

Matching skills are identified by their description field

Only the matching sections of SKILL.md are read (selective reading)

ARCHITECTURE.md is read on first multi-file or cross-module action

Bulk-reading skill folders is prohibited. Skills stay dormant until request keywords match their description field. This prevents context bloat from irrelevant knowledge.

All 45 skills

Code Quality

clean-codecode-review-checklisttdd-workflowtesting-patternslint-and-validate

Frontend

frontend-designtailwind-patternsvercel-react-best-practicesweb-design-guidelinesseo-fundamentalsgeo-fundamentals

Backend & API

api-patternsdatabase-designnodejs-best-practicespython-patternsrust-pro

AI & ML

ai-engineeringml-patterns

Mobile

mobile-design

Systems & Robotics

ros2-humblerobotics-automationiot-solutionscontrol-systems

Security

vulnerability-scannerred-team-tactics

Infrastructure & Ops

deployment-proceduresserver-managementbash-linuxpowershell-windows

Architecture & Planning

architectureplan-writingparallel-agentsapp-buildermcp-builder

Developer Experience

systematic-debuggingperformance-profilingconventional-commitsi18n-localizationdocumentation-templatesbrainstormingbehavioral-modesgame-developmentintelligent-routingfind-skillswebapp-testing

Triggering skills explicitly

While skills fire automatically, you can name a skill explicitly in your request to guarantee it loads:

If you

Mention "security audit" or "vulnerabilities"

→ vulnerability-scanner skill

If you

Mention "architecture" or "system design"

→ architecture skill

If you

Mention "test" or "TDD" or "coverage"

→ tdd-workflow + testing-patterns

If you

Mention "deploy" or "production" or ".env"

→ deployment-procedures (L3 gate)