Agentic Engineering Skills is a small workflow pack for people who build software with AI agents.
It helps an agent slow down just enough to inspect the project, make a narrow plan, protect secrets, use safer package installs, verify the work, and explain what changed in plain English.
Current release: 0.2.0.
Most AI coding tools make the agent faster. This pack makes the agent more trustworthy.
Instead of hoping a long prompt is followed, Agentic Engineering Skills turns good engineering behavior into reusable instructions, optional hooks, and local checks that travel with your project. The result is a practical upgrade from "the AI wrote code" to "the AI inspected the repo, protected secrets, avoided risky fresh packages, kept the change small, proved it works, and showed the evidence."
For non-technical builders, that is the unlock: you can keep the speed and creativity of AI-assisted building while adding the habits a senior engineer would normally bring to the work.
- Agent instructions for Codex, Claude Code, Cursor, and generic coding agents.
- Reusable skills for planning, debugging, verification, security boundaries, dependency safety, diff review, repo audit, and release readiness.
- Optional Claude Code hooks that can block risky package installs and ask for verification before finishing.
- Local scripts for 7-day package release-age checks, repo validation, fixture tests, eval smoke tests, and secret-like string scanning.
Loose "vibe coding" can work for quick prototypes, but agents often:
- guess before reading the code,
- edit more than they need to,
- install brand-new package versions,
- miss hidden security risks,
- finish without proof.
This repo gives the agent a simple engineering loop:
inspect -> plan -> change narrowly -> verify -> review diff -> summarize
- Not an official OpenAI, Anthropic, Cursor, or Karpathy project.
- Not a sandbox or full vulnerability scanner.
- Not a replacement for human review.
- Not something that should silently change your global machine settings.
Clone the repo and check that the pack is healthy:
git clone https://github.com/deaglecodes/agentic-engineering-skills.git
cd agentic-engineering-skills
./scripts/validate-repo.shCopy one adapter into each project where you want the workflow:
# Codex
cp adapters/codex/AGENTS.md /path/to/project/AGENTS.md
# Claude Code
cp adapters/claude/CLAUDE.md /path/to/project/CLAUDE.md
# Cursor
mkdir -p /path/to/project/.cursor/rules
cp adapters/cursor/.cursor/rules/agentic-engineering.mdc /path/to/project/.cursor/rules/
# Generic agents
cp adapters/generic/AGENTIC_ENGINEERING.md /path/to/project/AGENTIC_ENGINEERING.mdThen try a prompt like:
Use the Agentic Engineering workflow. Inspect this repo first, make the smallest useful change, verify it, review the diff, and explain the result plainly.
The package-safety scripts help protect AI agents from installing a package version that was published too recently. The default policy is a 7-day delay where the package manager supports it.
Check a project without changing anything:
./scripts/check-package-age-safety.sh --scope=all --target /path/to/projectAdd project-local safety files:
./scripts/setup-package-age-safety.sh --mode=project-local --target /path/to/projectProject-local setup writes only inside the target project and does not copy existing package-manager config, because those files can contain private registry tokens.
User-wide setup exists, but it is explicit:
./scripts/setup-package-age-safety.sh --mode=user-wide --dry-run
./scripts/setup-package-age-safety.sh --mode=user-wide --confirm-user-wideSupported settings:
| Tool | Setting | 7-day value |
|---|---|---|
| npm | min-release-age |
7 days, npm 11.10.0 or newer |
| pnpm | minimumReleaseAge |
10080 minutes |
| Bun | minimumReleaseAge |
604800 seconds |
| Yarn | npmMinimalAgeGate |
7d |
| uv | exclude-newer |
P7D |
| pip | uploaded-prior-to |
P7D, modern pip required |
| mise | minimum_release_age |
7d |
Pip is special: a project-local pip.conf is only a template unless pip is pointed at it with PIP_CONFIG_FILE, PIP_UPLOADED_PRIOR_TO=P7D, or user/site pip config.
Package managers without a native 7-day age gate in this pack, such as Cargo, Go modules, Composer, Homebrew, RubyGems, Bundler, and Mix, should be treated as manual-review paths for agent-driven installs.
Claude Code hook examples live in hooks/claude/.
pretooluse-package-install-safety.sh: blocks package install commands when the 7-day gate is missing.stop-verify-before-finish.sh: asks for verification before the agent stops.posttooluse-light-checks.sh: reports whitespace issues after edits.sessionstart-reminder.sh: adds a short workflow reminder.
Generic hooks also exist:
./hooks/verify-before-finish.sh
./hooks/block-risky-package-install.sh npm /path/to/projectSee docs/hooks.md and docs/claude.md.
- Install guide: docs/install.md
- Codex guide: docs/codex.md
- Claude Code guide: docs/claude.md
- Cursor guide: docs/cursor.md
- Generic agent guide: docs/generic.md
- Package safety: docs/package-age-safety.md
- Troubleshooting: docs/troubleshooting.md
- Security policy: SECURITY.md
- Sources: docs/sources.md
Run everything:
./scripts/validate-repo.shRun only the behavior smoke prompts:
./scripts/run-evals-smoke.shRun the secret-like string scan:
./scripts/secret-scan.sh .The secret scan is intentionally simple. It is a last-minute public-release check, not a guarantee that every secret pattern is caught.
This project is inspired by small agent-skill repos, including Karpathy-style workflow notes, but it is more operational: it includes adapters, scripts, hooks, tests, and package-safety templates. That makes it heavier than a single instruction file, so the recommended install path is to copy only the adapter and optional pieces you actually need.
See CONTRIBUTING.md, ROADMAP.md, and CHANGELOG.md.