Agent skills grew a real supply chain this week — and the tooling proves it.

Agent skills grew a real supply chain this week — and the tooling proves it. The registry is official (Anthropic's plugin marketplace sits near 30k stars), the breakout package exists (a research skill at 39.5k stars, 2,500 of them added today), and now come the parts every supply chain grows when it gets serious: an NVIDIA security scanner, because a quarter of public skills reportedly carry vulnerabilities, and a governance SaaS for teams. The back half of the slate is the ops desk for the agents consuming all this — a process monitor, an analytics warehouse, and something to do while you wait. We dropped Apache Burr's incubation (a fine framework, but the news is the foundation, not the code), Extend UI's open-source document components (solid, narrow), and the entire Anthropic policy cycle — retention windows and guardrail complaints are news, not tools. ## last30days-skill A Claude/Codex/Cursor skill that researches any topic across Reddit, Hacker News, GitHub, Polymarket, and — with API keys — X, YouTube, and TikTok, then synthesizes the last 30 days into a cited brief with engagement-weighted sources. `/plugin marketplace add mvanhorn/last30days-skill` in Claude Code, or `npx skills add` anywhere else. v3.3.0, 1,012 passing tests, MIT, and 39.5k stars — 2,500 of them today. This is what "skills are a distribution channel" looks like in practice: a markdown-plus-scripts package outcompeting standalone research products. Delete the eight-tab ritual of checking Reddit sentiment, HN threads, and GitHub activity before forming an opinion. Tradeoff: zero-config gets you Reddit, HN, Polymarket, and GitHub; the platforms people actually argue on — X, YouTube, TikTok — all need keys. [link](https://github.com/mvanhorn/last30days-skill)

SkillSpector

NVIDIA's security scanner for agent skills: a Python CLI that runs 64 vulnerability patterns across 16 categories — prompt injection, data exfiltration, privilege escalation — over any skill directory, repo, or zip before you install it, with an optional LLM semantic pass and live OSV.dev CVE lookups. Outputs terminal, JSON, Markdown, or SARIF, so it drops straight into CI. Apache 2.0. The research underneath claims 26.1% of public skills contain vulnerabilities and 5.2% look outright malicious — which, if even half right, makes "I installed a 39k-star skill" a sentence worth scanning first. Delete the vibes-based README skim you currently call review. Tradeoff: skills are natural-language instructions, and scanning prose is heuristic by nature — a clean report means "nothing matched," not "safe."

→ github.com/NVIDIA/SkillSpector

Cloudskill

A management plane for the skill files your team feeds its agents: central catalogue, version control with one-click rollback, per-person access policies, approval workflows, and an append-only audit log. Launched on Product Hunt today with a free tier. If skills are dependencies, someone in your org eventually asks who approved the one that can run shell commands — this is the tool that has an answer. Delete the `skills/` folder duplicated across forty repos and the Slack thread that passes for change review. Tradeoff: it's a day-old SaaS standing between your agents and their instructions, for what are ultimately markdown files — solo builders should keep using git; this earns its seat at team scale, not before.

→ www.producthunt.com/products/cloudskill

abtop

htop for coding agents: a Rust TUI that watches every Claude Code, Codex CLI, and OpenCode session on your machine and shows token usage, context-window percentage, rate limits, child processes, and open ports per session. Read-only, no API keys; shell or PowerShell installer, Cargo, or prebuilt binaries. 2.7k stars, 34 releases, v0.4.8 this month. The pitch is that agents are now long-running processes, and you wouldn't run those without a process monitor either. Delete the ritual of clicking through terminals to ask which session is about to hit its context ceiling. Tradeoff: it reads local session state, so it monitors this machine only — and it wants a 120x40 terminal, which on a laptop means abtop is the screen.

→ github.com/graykode/abtop

agentsview

A local-first analytics app for agent sessions — a Go binary (or desktop app, or Docker image) that auto-discovers sessions from Claude Code, Codex, Cursor, Copilot CLI, Gemini CLI, and twenty-odd others, then gives you full-text search over every message plus cost and token dashboards with per-model breakdowns. Bills itself as a 100x-faster ccusage replacement. 1.4k stars, 52 releases, MIT. Where abtop is the live top, this is the warehouse: what all this agent use actually cost, and where that one session went wrong last Tuesday. Delete ccusage and the spreadsheet where you guess at subscription utilization. Tradeoff: your complete agent history lands in a searchable local SQLite database — local by default, but the built-in Gist publishing is one keystroke from making a session very public.

→ github.com/kenn-io/agentsview

Foyer

A dashboard for the time you spend waiting on agents: `npx @getfoyer/foyer setup` installs HTTP hooks into Claude Code or Codex, and a localhost panel then narrates what the agent is doing in real time and serves sourced research briefs on the code it's touching. Hooks return instantly, so the agent doesn't slow down. MIT. It's the most direct product response yet to the deskilling anxiety: instead of doomscrolling while the agent works, you read about what it's working on. Delete the second "quick" task you start in parallel and then ruin both contexts with. Tradeoff: early-stage, the research panel burns LLM calls of its own, and there's an unresolved irony in fighting distraction with another browser tab.

→ github.com/get-foyer/foyer

One of these,
every weekday.

Free. Unsubscribe by replying with one word. No tracking pixels in the email.