---
id: pattern:skill-anatomy
type: pattern
title: Skill Anatomy — frontmatter, body, references, scripts
status: active
confidence: 0.9
sources:
  - 2026-05-09-cybersec-library-overview.md
  - 2026-05-09-cybersec-skill-acquire-disk-image.md
  - 2026-05-09-cybersec-skill-threat-actor-ttps.md
  - 2026-05-09-cybersec-skill-ir-playbook.md
  - 2026-05-09-cybersec-skill-cloud-siem.md
  - 2026-05-09-cybersec-skill-android-malware.md
  - 2026-05-09-cybersec-skill-memory-forensics.md
  - 2026-05-09-cybersec-skill-ad-acl-abuse.md
created: 2026-05-09
updated: 2026-05-09
updated_log:
  - 2026-05-09: created
tiers: semantic
half_life_days: 180
tags: [skill-anatomy, agentskills, structure]
---

# Skill Anatomy

## Summary

Every skill in the [[concept:cybersec-skill-library]] follows the same on-disk shape, defined by the [[concept:agentskills-io-standard]]. A skill is a directory containing a `SKILL.md` (YAML frontmatter + Markdown body), an optional `references/` folder for deep technical context, an optional `scripts/` folder for working helpers, and an optional `assets/` folder for templates. The frontmatter is keyword-rich for sub-second agent discovery; the body has `When to Use` / `Prerequisites` / `Workflow` / `Verification` sections so the agent follows the same playbook a senior practitioner would. Cross-framework mappings are encoded in frontmatter fields (`nist_csf`, `atlas_techniques`, `d3fend_techniques`, `nist_ai_rmf`, `mitre_attack`).

## Claims

- Every skill follows a consistent directory structure: `SKILL.md`, `references/standards.md` + `references/workflows.md`, `scripts/process.py`, `assets/template.md`. `[src: raw/2026-05-09-cybersec-library-overview.md] {conf: 0.85}`
- YAML frontmatter fields include: `name` (kebab-case, 1-64 chars), `description` (keyword-rich for agent discovery), `domain`, `subdomain`, `tags`, `version`, `author`, `license`. Framework mapping fields: `atlas_techniques` (MITRE ATLAS IDs), `d3fend_techniques` (MITRE D3FEND IDs), `nist_ai_rmf` (NIST AI RMF references), `nist_csf` (NIST CSF 2.0 categories), and `mitre_attack` (when present). `[src: raw/2026-05-09-cybersec-library-overview.md] {conf: 0.9}`
- ATT&CK technique mappings are documented in each skill's `references/standards.md` file and in the ATT&CK Navigator layer included with releases — not always in frontmatter. `[src: raw/2026-05-09-cybersec-library-overview.md] {conf: 0.8}`
- Markdown body sections follow a fixed contract: `When to Use` (trigger conditions), `Prerequisites` (tools/access), `Workflow` (step-by-step commands and decision points), `Verification` (how to confirm success). Many skills add `Key Concepts`, `Tools & Systems`, `Common Scenarios`, and `Output Format`. `[src: raw/2026-05-09-cybersec-library-overview.md] {conf: 0.85}`
- Frontmatter mapping fields are populated unevenly per skill — e.g. `acquiring-disk-image-with-dd-and-dcfldd` declares only `nist_csf` (no atlas/d3fend/ai_rmf/mitre_attack); `building-incident-response-playbook` declares `mitre_attack` + `nist_csf`; `building-cloud-siem-with-sentinel` declares `nist_csf` + `atlas_techniques` + `nist_ai_rmf` (no d3fend/mitre_attack). Coverage tracks relevance, not a checklist. `[src: raw/2026-05-09-cybersec-skill-acquire-disk-image.md] {conf: 0.8}`
- The `analyzing-threat-actor-ttps-with-mitre-attack` skill's frontmatter shows `d3fend_techniques` populated with friendly names ("Executable Denylisting", "Execution Isolation") rather than D3-prefixed IDs — the field accepts either form. `[src: raw/2026-05-09-cybersec-skill-threat-actor-ttps.md] {conf: 0.7}`
- Each skill costs ~30 tokens to scan (frontmatter only) and 500-2,000 tokens to fully load — the structure enables progressive disclosure across 754 skills in a single agent context. `[src: raw/2026-05-09-cybersec-library-overview.md] {conf: 0.85}`
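
An added example (not code from the library or from the agentskills.io standard): a stdlib-only linter for one `SKILL.md` that checks the frontmatter fields and body sections listed in the claims above. It assumes the descriptive fields are all required and reads only top-level keys rather than parsing full YAML; the function names and every sample value are constructed.

```python
import re

# Assumption: the descriptive fields listed above are all treated as required here.
EXPECTED_KEYS = ["name", "description", "domain", "subdomain", "tags", "version", "author", "license"]
MAPPING_KEYS = ["nist_csf", "atlas_techniques", "d3fend_techniques", "nist_ai_rmf", "mitre_attack"]
REQUIRED_SECTIONS = ["When to Use", "Prerequisites", "Workflow", "Verification"]
NAME_RE = re.compile(r"^[a-z0-9]+(?:-[a-z0-9]+)*$")  # kebab-case, read as lowercase/digits

def top_level_keys(frontmatter):
    """Map unindented YAML keys to their inline value ('' when the value is a block)."""
    keys = {}
    for line in frontmatter.splitlines():
        m = re.match(r"^([A-Za-z_][\w-]*):[ \t]*(.*)$", line)
        if m:
            keys[m.group(1)] = m.group(2).strip().strip("'\"")
    return keys

def lint_skill(text):
    """Return (problems, declared_mappings) for the text of one SKILL.md."""
    m = re.match(r"\A---\r?\n(.*?)\r?\n---[ \t]*(?:\r?\n|\Z)(.*)", text, re.S)
    if not m:
        return ["missing YAML frontmatter"], []
    keys, body = top_level_keys(m.group(1)), m.group(2)
    problems = [f"missing field: {k}" for k in EXPECTED_KEYS if k not in keys]
    name = keys.get("name")
    if name is not None and not (len(name) <= 64 and NAME_RE.match(name)):
        problems.append("name is not kebab-case, 1-64 chars")
    headings = set(re.findall(r"^#{1,6}[ \t]+(.+?)[ \t]*$", body, re.M))
    problems += [f"missing section: {s}" for s in REQUIRED_SECTIONS if s not in headings]
    # Mapping fields are optional (coverage tracks relevance): report them, never require them.
    return problems, [k for k in MAPPING_KEYS if k in keys]

# Constructed sample, not a real skill from the library; every value is a placeholder.
SAMPLE = """---
name: Acquire_Disk_Image
description: constructed description for the example
domain: example-domain
tags: [example]
version: "0.0"
author: example
license: example
nist_csf:
  - PLACEHOLDER
---
## When to Use
## Prerequisites
## Workflow
"""
print(lint_skill(SAMPLE))
```

Only the frontmatter is inspected for fields, which matches the scan-then-load split described above; the section check needs the full body.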

## Relationships

- composes → [[concept:agentskills-io-standard]] `{conf: 0.9}`
- composes → [[concept:cybersec-skill-library]] `{conf: 0.85}`
- complements → [[pattern:installing-skills]] `{conf: 0.8}`
- uses → [[skill:acquire-disk-image]] `{conf: 0.7}` <!-- as a worked example -->
- uses → [[skill:threat-actor-ttps]] `{conf: 0.7}`

## Open questions

- [ ] Is there a published `agentskills.io` schema spec (JSON Schema, OpenAPI)? Raw sources only describe the convention informally.

## Changelog

- 2026-05-09 — created
