00:00If you are using codecs and constantly repeating the same prompts, you are probably missing
00:05the simple one thing, skills.md.
00:08A skill.md file is a structured workflow definition.
00:12People repeat the same instructions, they rewrite the same prompts, and every time codecs
00:18behaves a little differently.
00:20If that sounds familiar, this video will save you a lot of wasted time, because the real
00:26setup is more specific than most people think.
00:28The file is usually called skill.md with capital letters.
00:33It is inside a skill folder, and when structured properly, it turns messy repeated prompting
00:39into a reusable system.
00:41So in the next few minutes, I'll show you what a skill actually is, what goes inside
00:47skill.md, and how the folder should be organized, and how to build one with real examples you
00:54can actually copy.
00:56Here's the real difference.
00:57Without a skill, your workflow usually looks like this.
01:00Open codecs, write a long prompt, explain your rules, remind it not to break something,
01:08don't make any mistakes, remind it use a certain file, use these assets files under assets folder,
01:17or under resource folder, and remind it how to return the result.
01:23So what do we put in skill.md?
01:27First, trigger conditions, which conditions should trigger this skill.
01:34And after that, exact workflow steps, what should be done.
01:39Then, preferred tools or commands, and safety constraints, and the last thing, output format expectations.
01:52Let's look at the official OpenAI documentation for skills.
02:01I'm not going to read this page.
02:03I'm not going to read this page line by line.
02:03I'm not going to read this page.
02:08The important thing is here, the skill.md structure.
02:16The skill is just a folder.
02:22Here, optional scripts, optional references, and optional assets, templates, or resources.
02:28So it's not just text, it can be a full system.
02:37Also, this is important.
02:46How codecs decide if use a skill or not.
02:52Codecs doesn't load every skill fully.
02:55It just reads only metadata, name, description, pet.
03:00And only if it decides to use the skill, then it loads the full instructions after that.
03:08That's how you avoid context overload.
03:12And there are two ways a skill can run.
03:18Explicit and implicit.
03:21Explicit, you directly call it, use the skill for coding.
03:27Explicit or implicit codecs decides to use it based on your prompt.
03:37And that means your description is not just a documentation.
03:42It's the trigger condition.
03:45Also, you can create a skill in two ways using the built-in skill creator and manually writing
03:59writing a yaml file like that name and description how to trigger.
04:12And where to save skills, repo-based, user-based, or system level.
04:20If we are using a github repository, it stores under agent skills.
04:28And for user, system level bundled with codecs, by the way.
04:35So, you can have project-specific skills, personal skills, and team-wide skills.
04:46And a skill doing three things, deciding when to activate, defining how to execute, and standardizing
04:55the output.
04:58This documentation also gives some really solid advice.
05:02Keep skills focused on one job.
05:05This is, as you know, Unix philosophy.
05:10And clearing trigger conditions, explicit in steps, and minimal unless you need the scripts.
05:19So, again, this is about moving logic out of the prompts and moving into reusable systems.
05:31Once you start thinking this way, you stop repeating yourselves.
05:36And if we move to the github here, github.com openai skills.
05:49We can see how professional skills worked.
05:56Let's find a
06:03good example.
06:11Yeah, we can use security best practices because it's important for everyone.
06:19Skills.md
06:25Okay, now it's full screen.
06:30Okay, this is a real example from the official OpenAI Skills repository.
06:36Security best practices.
06:40Yeah, this is a YAML file.
06:43And here, name, security best practices, and description.
06:50The most important part is here.
06:55It defines how to trigger this skill.
07:01It says trigger only when the user explicitly requests security best practices guidance,
07:08a security review report, or secure by default coding help.
07:13Trigger only for supported languages,
07:17python, javascript, typescript, and colang.
07:20And don't trigger for general code review, debugging, or non-security test.
07:26This is so important.
07:30And even more importantly, when not to trigger.
07:38So, what you are seeing here is not just the documentation in this description.
07:45This is a behavior gating.
07:48You are literally telling the agent only become a security expert under these conditions.
07:57So, it will not work on, for example, Perl or PHP.
08:07And the workflow.
08:14This is where things get interesting.
08:18The agent is instructed to first detect all languages and all frameworks.
08:27And bot frame content and backend.
08:38Then it's loading security guidelines.
08:44And there's a decision tree.
08:53Yeah, the skill doesn't contain all knowledge itself.
09:00It knows how to find the right knowledge.
09:10Here overrides report format.
09:15And the skill actually defines three different operating modes.
09:23Write secure code from the start.
09:25To detect vulnerabilities while working.
09:31And generate full security report if asked.
09:48If the user asks for a report, the agent doesn't just explain things casually.
09:55It generates a structured markdown report here.
10:01With severity levels.
10:05And numbered findings.
10:08Impact statements here.
10:11And even file and line references.
10:22Here, make sure to find and include line numbers.
10:26Code you are referencing.
10:33And fixes.
10:35This is also important.
10:37When fixing issues, it explicitly tells the agent
10:43Don't break the system.
10:48Focus on fixing a single finding at a time.
10:57Avoid regressions.
11:06And general security advice.
11:20Yeah, and once you realize that, you stop writing prompts.
11:23Because you cannot write this length of prompt every time.
11:33For every prompt.
11:38And after that, we can make a small example
11:45on Python using this security best practices skill.
11:52Let's go.
12:00Hello.
12:01Here we have a simple Python sample.
12:06This code block retrieves the current Bitcoin price.
12:13As a Euro currency.
12:19Hope you can see on the screen.
12:23This is a very basic Python code.
12:27It's just using requests and retrieve the Bitcoin price.
12:36There's no formatting.
12:38Any security or user improvements.
12:46And it's working.
12:48Returning the value as integer.
12:52This code is work.
13:00But there is, as you can see, there is no validation.
13:04There is no any security side improvements.
13:15And we will check it with codex.
13:18First, we need to trust the folder.
13:34We have just one file in the folder.
13:39We have just one file in the folder.
13:40If we write a slash skill.
13:45We will get the skills menu.
13:47And we can list skills.
13:49Enable, disable them.
13:53I'm going to choose lists.
13:55And
13:59I will install skills from the OpenAI skills.
14:06It's running skill installer.
14:09Stop comment.
14:21Would you like to run the following comment?
14:23Yes.
14:24Proceed.
14:26It's running a Python list skills application.
14:33Yeah.
14:33As you can see, the list is the same as on GitHub.
14:39We have ASP.NET Core, security best practices.
14:44Yeah.
14:45We just need security best practices for this little example.
14:52I'm going to choose yes.
14:54Proceed again.
14:57It's retrieving the skill MD.
15:01But it's installed under the dot codex skills security best practices.
15:10Directly installed in the codex folder.
15:14Not the current project folder.
15:20And we can enable and disable them from skills menu.
15:32Yeah.
15:33This is the code.
15:34Just 10 lines.
15:37Importing requests.
15:39Just one function.
15:40Get price.
15:44Now, review this code for security best practices.
15:49This is just a single prompt.
15:57And it will check the skill list and if the description match with current project,
16:07it will continue from that skill.
16:11Because it's Python project and we ask for security best practices.
16:18Yeah.
16:19As you can see, it's using security best practices right now.
16:30Already found two items.
16:36One is medium and the other is low severe.
16:40Medium is outbound.
16:42HTTP call has no timeout.
16:44So the process can hang indefinitely on a slower stalled upstream.
16:50Yeah.
16:51This is common issue with the HTTP calls.
16:54If you don't put a timeout, you can wait forever.
17:04And the other one,
17:06yeah, related to JSON validation in our code,
17:13we had no validation for the JSON.
17:18But of course, it's just a basic validation.
17:23And I asked for generate a security report because this skill has that function.
17:34It will create a report as an MD file.
17:52Yeah, we have a detailed summary here.
17:56Yeah, we have a detailed summary here.
18:11I will say yes.
18:13Proceed to write to a file.
18:17Okay, it's written.
18:20Security best practices.
18:25And I will say fix the critical issues.
18:29Until this point, it didn't change anything.
18:34But now it will change the code.
18:38And now timeout is 5 milliseconds added.
18:51And the other change is
18:58JSON validation.
19:02Now we are checking if not is instance bitcoin or euro not in the bitcoin.
19:13We are raising value error.
19:31Of course, this is very basic code.
19:36But you got the idea.
19:43How skill MD works.
19:50And you can apply this thing for other skill as well.
20:03And for every addition, from now on,
20:09it can check security best practices.
20:13Because this is the Python code and
20:16it will use this skill MD.
20:22That was a small demonstration of skill MD in action.
20:26You will find similar concepts on the Gemini side as well.
20:31Just implement it a little bit differently.
20:34If this kind of content is useful to you, subscribe and like the video.
20:39That's the best way to support my channel.
20:42See you next time. Bye.
Yorumlar