Web deployment platform, Vercel, has built its internal AI agent workflows around Anthropic’s open skills specification – a portable, open-source standard that allows developers to package domain expertise into reusable instructions for AI agents.
The San Francisco-based company revealed that the firm’s data science agent now runs on roughly 100 discrete skills covering everything from customer metrics to time series data.
Speaking to Anthropic, the chief of software said the approach has changed how the teams work with AI agents, and highlighted a shift in who is shaping the ecosystem – with marketers, legal professionals, and other non-developers among the most-downloaded skill authors on shills.sh, the open registry he built on top of Anthropic’s spec.
The shift to modular agent workflows
Anthropic’s Agent Skills documentation defines skills as packages of instructions, metadata and optional resources such as scripts and templates. The structure is built around a SKILL.md file, with Claude loading metadata first and then pulling in instructions, code or reference material only when needed.
In the Q&A, Andrew Qu, Vercel’s chief of software, said the company’s d0 data science agent uses skills for aggregation, customer metrics, product metrics and time-series data. “Once we’ve done something accurately we can capture it,” Qu said.
Qu cited migrations, on-call debugging and design-system matching as examples of work turned into internal skills, stored in “mini repos dedicated to internal agent skills.” His broader claim was direct: “Skills have changed how we work with agents at Vercel.”
Anthropic’s public skills repository describes each skill as a self-contained folder containing the instructions and metadata Claude uses. For enterprise AI teams, the operational question is where repeatable knowledge is stored, reviewed and updated.
Measuring the impact of agent-led tasks
A migration checklist, analytics method or on-call procedure can be captured as a maintained artifact rather than repeated in chat.
The public Vercel Q&A, however, does not provide audited measures for cost savings, cycle-time reduction, incident resolution or development quality. Qu described the speed gains as anecdotal.
Distributing skills at scale
Vercel is also building distribution infrastructure around the format. In a June 5 changelog, the company said the skills.sh API lets developers query more than 600,000 skills, pull skill details and check security audits.
Vercel said the API uses a project’s Vercel OIDC token, with short-lived tokens scoped to a team and project and a limit of 600 requests per minute.
Managing the enterprise security burden
Anthropic’s enterprise guidance treats skill deployment like a software-review process, warning that skills can include scripts, external network calls, MCP tool references and file-system access instructions that require audit before use.
The listed risk indicators include code execution, network access patterns, hardcoded credentials, MCP references and broad file-system access. The same guidance warns: “Treat Skill installation with the same rigor as installing software on production systems.”
Vercel has already added security checks to its public registry. In a February changelog, the company said skills.sh had automated security audits through Gen, Socket and Snyk, with public audit results on skill detail pages and malicious skills hidden from leaderboard and search results.
Those controls aim to address discovery risk, but Anthropic’s enterprise checklist still calls for reviewing every bundled file, sandboxing scripts, checking external fetches and testing skills before production use.
For software teams, the governance burden resembles third-party component review. NIST’s Secure Software Development Framework recommends reviewing third-party software components in the context of their expected use.