§1 · Introduction

A linter for SKILL.md. Right inside the IDE.

Skill Inspector is a JetBrains IDE plugin that treats every SKILL.md as a first-class linted document — real-time inspections, quick fixes, and a Problems-panel integration anchored to the official Agent Skills specification, with zero external dependencies.

Install on Marketplace → Source on GitHub

§2 · The Manifest

Every rule, on the record.

Thirty rules. Five categories. One opinionated baseline.

Rules are grouped by determinism and risk, the same way IDEA groups inspection results. Every rule has a stable ID you can cite, suppress, or report against — no opaque "AI says so" heuristics.

#	Rule ID	Severity	Description	Quick Fix
2.01	`frontmatter.missing`	Error	No YAML frontmatter; all subsequent field checks are skipped.	ADD_FRONT_MATTER
2.02	`frontmatter.name.mismatch`	Error	`name` field does not equal the parent directory name.	SYNC_NAME_WITH_DIRECTORY
2.03	`frontmatter.name.invalid`	Error	`name` does not match `^[a-z0-9]+(?:-[a-z0-9]+)*$`.	CONVERT_NAME_TO_KEBAB
2.04	`frontmatter.description.missing`	Error	Missing or empty `description`; agents cannot trigger.	ADD_DESCRIPTION
2.05	`description.too-generic`	Warn	Description is one of `helper`, `tool`, `skill`, `assistant`, `utility`.	—
2.06	`description.missing-usage`	Warn	No trigger phrase ("use when", "when to use", etc.).	—
2.07	`reference.missing-file`	Warn	Relative link target does not exist on disk.	CREATE_MISSING_REFERENCE
2.08	`reference.case-mismatch`	Warn	Link case differs from on-disk entry (will break on Linux).	—
2.09	`resource.unused-reference`	Warn	File under `references/` is never linked from `SKILL.md`.	—
2.10	`security.dangerous-command`	Error	Detects `rm -rf /` or piped `curl … \| sh` in body.	—
2.11	`security.secret-pattern`	Error	Suspected `api_key`, `token`, `secret`, `password` or high-entropy value.	—
2.12	`security.sensitive-path`	Warn	Body steers towards `~/.ssh`, `.env`, `~/.aws`.	—

Structural

11·

Error · frontmatter, naming, length

Quality

6·

Warning · description, body, triggers

Reference

4·

Warning · links, paths, case

Security

5·

Error · secrets, dangerous cmds

Resource

2·

Warning · unused refs, scripts

↳ The complete table, with severities and quick-fix mappings, lives in docs/rules.md.

§3 · Capabilities

Six things the plugin does, plainly.

Not a wrapper around a generic linter. Agent-Skills-aware, end to end.

Every capability removes a real friction in writing SKILL.md: missing fields shipped to production, broken relative links, dangerous shell snippets, descriptions Agents cannot trigger on.

Real-time inspection.

A LocalInspectionTool attaches to every SKILL.md file (gated strictly on file name, so other Markdown stays untouched). Errors and warnings appear live in the editor gutter and Problems panel — exactly like a Kotlin or Java file would.

Conservative quick fixes.

Add missing frontmatter, sync name with the parent directory, convert to kebab-case, scaffold a missing reference — one Alt+Enter away. The plugin never rewrites your prose.

Project-wide scan.

Right-click → Validate Skill. A background task FilenameIndex-scans every SKILL.md, aggregates a clean Error/Warning summary, and jumps to the first failing file. Works in CI via headless inspection too.

Specification-first by default.

Rules anchor on the official Agent Skills specification, not any single Agent's private extension. Agent-specific quirks become advisory profiles in V2 — never default errors. Your skills stay portable.

Status-bar switch.

A status-bar widget toggles the whole inspection on or off with a single click — no hunting through Settings → Inspections. Fine-grained tuning lives at Tools → Skill Inspector.

Rules reference →

Zero dependencies.

Pure IntelliJ Platform API — no third-party plugin kit, no telemetry, no remote calls. Safe in air-gapped enterprise environments; jar -tf the bundled plugin if you want to verify.

§4 · Examples

Before · after, three real cases.

What a fixed `SKILL.md` actually looks like.

Three minimal examples drawn from the rule manifest above. Each pair shows the input that triggers the inspection, and the file after a single Alt+Enter.

frontmatter.name.mismatch

The name must match the directory.

Agents discover a skill by directory name. If name drifts (snake_case, capitalisation, typo), the skill stops being addressable. Quick Fix · SYNC_NAME_WITH_DIRECTORY

— Beforecode-reviewer/SKILL.md

1---
2name: code_reviewer
3description: Use when reviewing PR diffs.
4---

+ Aftercode-reviewer/SKILL.md

1---
2name: code-reviewer
3description: Use when reviewing PR diffs.
4---

frontmatter.description.missing

Without a description, no Agent can trigger.

The description field is what the discovery loader reads before the body. Empty means the skill is invisible to every Agent on every prompt. Quick Fix · ADD_DESCRIPTION

— Beforecommit-helper/SKILL.md

1---
2name: commit-helper
3description: 
4---

+ Aftercommit-helper/SKILL.md

1---
2name: commit-helper
3description: Use when generating a commit message from staged changes.
4---

security.dangerous-command

Some things must not auto-fix.

Security rules locate and flag, never rewrite. A piped curl … | sh is reported with a precise text range so you can decide: pin a hash, swap the source, or accept the risk with a noinspection comment.

— Reportedinstaller/SKILL.md

7## Install
8Run the following to bootstrap:
9 
10    curl https://x.example/install.sh | sh

+ Suggestedinstaller/SKILL.md

7## Install
8Run the following to bootstrap:
9 
10    curl -fsSL https://x.example/install.sh -o /tmp/install.sh
11    sha256sum -c install.sh.sha256 && sh /tmp/install.sh

§5 · Audience

Four scenarios, no fabricated quotes.

The plugin was designed around four real audiences.

Until the project has more shipped users, these are the scenarios Skill Inspector was built to serve. We refuse to invent quotes with stock photos — when real users speak up, the words below will be replaced verbatim.

I want my SKILL.md to fail loudly before I commit it.

Skill author

Open the file in IDEA. Missing required fields, directory-name drift, or a dead relative link — all surface in the gutter before you push. Alt+Enter applies the deterministic fix; the prose stays yours.

My team writes skills for several agents. I need one quality bar.

Team lead

Every developer's IDE sees the same inspection results because the rules live in the plugin, not in personal configs. CI can run the same Validate Skill sweep headlessly on every PR — non-spec-compliant skills never reach main.

I publish skill bundles. Reviewers shouldn't waste time on mechanical mistakes.

OSS maintainer

Structural, quality and reference rules catch the boring stuff automatically — name mismatches, dead links, descriptions too vague to trigger, references/ files no one cites. Reviewers get to focus on content, not format.

I need to know if a skill ships curl … | sh or leaks secrets.

Security-aware enterprise

Security rules flag dangerous commands, suspected API keys, high-entropy strings, sensitive paths (~/.ssh, .env) and prompt-injection phrases. V1 locates and reports only — never auto-rewrites — so review stays human-led.

§6 · Q&A

Honest answers, cited where possible.

Eight questions before you install.

§6.1

Which IDEs are supported?

IntelliJ IDEA Community / Ultimate 2024.2 → 2026.1 are the official baseline — the plugin declares sinceBuild = 242.2 and untilBuild = 261.*. CI builds & verifies against IC/IU 2024.2, 2024.3, 2025.1, 2025.2 and 2025.3; 2026.1 is covered by the declared compatibility range. Other JetBrains IDEs on the same platform (PyCharm, GoLand, WebStorm, …) usually work within that build range, but only IDEA is tested by CI.

§6.2

What rules ship today? Where is the full list?

Five categories — Structural (11), Quality (6), Reference (4), Security (5) and Resource (2). Each has a stable rule ID like frontmatter.name.mismatch or security.dangerous-command. Full table in docs/rules.md.

§6.3

Does it phone home?

No telemetry, no analytics, no remote calls. The plugin reads SKILL.md inside the open project and runs every inspection locally. Safe for air-gapped environments.

§6.4

What does "Quick Fix" actually do?

Conservative, deterministic fixes only: add missing frontmatter, add a name field, sync name with the parent directory, convert name to kebab-case, add a description stub, and create the empty referenced file (with parent directories). The plugin never rewrites your prose.

§6.5

How does this differ from a generic Markdown linter?

Skill Inspector is Agent-Skills-aware. It parses the YAML frontmatter as a real SkillFrontMatter record, knows that name must equal the parent directory, validates relative links inside the skill directory (with cross-OS case-mismatch detection), and scans for security risks. A generic Markdown linter does none of that.

§6.6

It only triggers on files literally named SKILL.md?

Correct. The inspection's first gate is PsiFile.getName().equals("SKILL.md"). That keeps readme.md, notes.md and any other Markdown file completely untouched, so the plugin is invisible until you actually open a skill file.

§6.7

Can I disable the whole thing temporarily?

Yes — a status-bar widget toggles all inspections on or off with a single click, no need to hunt through Settings → Inspections. Tools → Skill Inspector is the settings page for finer control.

§6.8

Is it open source? What license?

Yes — MIT, sources on GitHub. Issues, PRs and new rules are welcome — see AGENTS.md for the contributor guide.