Skip to content

Skillselionwith God's help

By phase

IdeaResearch & spot demand
ValidateScope & prototype
BuildFrontend, backend, MCP
ShipTest, review, deploy
LaunchDistribution, SEO, ASO
GrowAnalytics & retention
OperateMonitoring & uptime

By type

Skills
Marketplaces
MCP servers
Workflows

Skills Marketplaces MCP Learn Brief

Browse all tools →By phase

Idea Validate Build Ship Launch Grow Operate

Explore

Skills
Marketplaces
MCP
Learn
Brief

This week for builders

Five minutes, every Monday — the tools, releases and tactics for shipping solo.

Email address

unsubscribe anytime.

Skillselion

An independent, curated directory of AI-coding tools for solo builders - skills, MCP servers, marketplaces and workflows for Claude Code, Codex and Cursor, organized by the indie build journey from idea to operate.

ResourcesBrowse Skills Browse MCP Servers Browse Marketplaces Browse Workflows Best-of shortlists Glossary State of AI Skills 2026 Weekly Brief

CommunityAbout Learn Feedback Privacy Policy Terms Cookie Policy Accessibility Cookie settings

Last updated June 10, 2026 · © 2026 Skillselion. Skillselion is an independent project and is not affiliated with Anthropic, OpenAI, Cursor, Claude, Claude Code, or Codex.

Skills/MICROSOFT/HVE CORE

microsoft/hve-core

12 skills · 537 installs · 13.4k stars · GitHub

Install

npx skills add https://github.com/microsoft/hve-core

Skills in this repo

1PowerpointPowerPoint content-extra is an agent skill for Microsoft’s slide pipeline when declarative content.yaml is not enough for complex drawings. Solo builders and small teams shipping pitch decks, training slides, or generated reports install it to add a content-extra.py beside each slide’s content.yaml. The build script invokes render() after standard elements land, so Python-drawn shapes layer correctly. You get a strict contract—unchanged parameters, hex colors, local assets only—so automated agents do not break the renderer. It matters when you need charts, connectors, or bespoke layout that YAML elements do not model, without forking the whole build system.195installs 2Owasp Top 10OWASP Web Top 10 Vulnerability Index is a reference skill for solo and indie builders shipping SaaS, APIs, or mobile-backed web products. It lists each 2025 Top 10 entry—Broken Access Control through Mishandling of Exceptional Conditions—with stable IDs, human-readable titles, and primary security categories. Use it when an agent or you need to label a finding, scope a security review, or pull the right deep-dive document without guessing naming. The index emphasizes a uniform document shape (description through remediation patterns), so workflows stay comparable across vulnerabilities. It does not replace hands-on testing or automated scanners; it gives you the shared vocabulary OWASP expects in audits, checklists, and fix tickets. Pair it with concrete testing and code-review skills during Ship, and dip back during Build when designing auth or data flows.59installs 3Owasp Agenticowasp-agentic is a reference agent skill that indexes the OWASP Top 10 for Agentic Applications (2026) for solo builders shipping LLM agents and multi-agent workflows. Instead of guessing category names during a security review, you pull the canonical ASI01–ASI10 identifiers, titles, and primary categories—from Agent Goal Hijack and Tool Misuse through Rogue Agents and Cascading Failures. The skill documents how each vulnerability entry is structured in the broader HVE corpus so your agent can cross-link symptoms to the right control discussions during design in Build, pre-launch hardening in Ship, or incident postmortems in Operate. It does not execute scans; it grounds conversations in a shared taxonomy so indie teams align prompts, tools, memory, and inter-agent channels with recognized agentic risk classes without hiring a dedicated AppSec bench on day one.35installs 4Owasp LlmOWASP LLM is a journey-wide reference skill from Microsoft’s hve-core pack: a vulnerability index for the OWASP Top 10 for LLM Applications (2025), not a single-fix scanner. Solo builders shipping chatbots, RAG pipelines, or tool-using agents use it to name risks consistently—prompt injection, excessive agency, embedding weaknesses, misinformation, and resource exhaustion—when writing threat models, review prompts, or security gates. Each catalog row ties an official identifier to a human title and category so you can jump to deeper write-ups that follow a uniform Description and Risk layout. It does not replace penetration testing or platform guardrails; it gives you the shared vocabulary to align Build-time agent design, Ship-time review, and Operate-time incident triage with industry-standard LLM AppSec framing. Keep it handy whenever you evaluate a new model integration, MCP server, or system prompt change.34installs 5Hve Core InstallerHVE-Core Installer is an agent skill that documents and drives Microsoft HVE-Core installer scripts for solo builders wiring opinionated agent packs into GitHub-style projects. Use it when you need environment detection, collision checks before copy, selective agent file deployment, upgrade detection, and post-clone validation—not when you are authoring agent logic itself. The skill centers on PowerShell examples (bash parity for environment detection) covering detect-environment, collision-detection with -Selection and custom CollectionAgents, agent-copy with HveCoreBasePath and FilesToCopy arrays, upgrade-detection, and validate-installation flows. It fits indie teams standardizing task-researcher and task-planner agents without clobbering customized `.github/agents` copies. Treat it as procedural packaging for agent collections rather than a browser or Dataverse integration.31installs 6Owasp CicdOWASP CI/CD is a reference agent skill that indexes the OWASP Top 10 CI/CD Security Risks (2025) for solo and indie builders shipping through automated pipelines. Instead of ad-hoc “is our Actions setup safe?” threads, you get stable identifiers—such as insufficient flow control, inadequate IAM, dependency chain abuse, poisoned pipeline execution, and improper artifact integrity—each tied to a primary category like supply chain or credential management. Use it when you are documenting threats, scoping a pipeline audit, or prompting an agent to classify findings against a known framework before merge or deploy. It does not replace a full pentest or vendor-specific hardening guides; it gives you shared vocabulary and coverage checks so security work in Ship and Operate stays consistent across repos and small teams wearing every hat.28installs 7Owasp InfrastructureOWASP Infrastructure is a reference agent skill that indexes the OWASP Infrastructure Security Top 10 (2024) for Microsoft’s HVE-core security toolkit. Solo builders and small teams use it when they need consistent vulnerability identifiers—not informal wording—while reviewing servers, cloud accounts, Kubernetes, or CI runners before ship. Each catalog row lists the ISR code, human-readable title, and primary category such as patch management, observability, configuration management, access control, data protection, network security, or credential hygiene. The skill does not run scans by itself; it grounds conversations, checklists, and remediation tickets so findings align with a widely recognized taxonomy. Install it when your agent is drafting infra audit notes, mapping controls to gaps, or explaining why a misconfiguration maps to a specific Top 10 class. It complements hands-on hardening skills and pairs with ship-phase review rituals rather than replacing automated scanners.28installs 8Owasp McpOWASP MCP is a reference agent skill that catalogs the OWASP MCP Top 10 (2025) vulnerability index for solo and indie builders shipping Claude Code, Cursor, or Codex workflows that call MCP servers. Instead of ad-hoc security notes, you get stable IDs (MCP01–MCP10), human-readable titles, and primary attack categories spanning credential hygiene, privilege scope creep, tool and supply-chain poisoning, command and prompt injection, weak authZ, missing telemetry, shadow servers, and context over-sharing. Use it while designing MCP tools in Build, running pre-release reviews in Ship, and governing production MCP sprawl in Operate. The SKILL.md is an index table—not a scanner—so your agent cites the right framework language when you triage exposure, write audit memos, or prioritize fixes before users connect untrusted MCP endpoints.28installs 9Video To GifVideo-to-gif is a procedural agent skill from microsoft/hve-core that converts video files to optimized GIF animations using FFmpeg’s two-pass palette workflow. Solo and indie builders install it when they need crisp, smaller GIFs from MP4 or similar inputs without hand-tuning ffmpeg flags in chat. Pass one analyzes frames and builds an optimized palette; pass two applies that palette for sharper colors and tighter file sizes compared with one-shot conversion. The skill documents PATH prerequisites, platform install commands, and a quick start via scripts/convert.sh or PowerShell equivalents. After conversion, the agent returns the GIF as a markdown link with the full absolute path so you can preview the asset before dropping it into READMEs, changelogs, marketing pages, or support threads. Complexity is beginner-friendly once FFmpeg is on PATH; the agent mainly orchestrates documented commands and parameters rather than inventing encoders.26installs 10GitlabThe GitLab skill from Microsoft’s hve-core is a Python REST API v4 client that wires your agent into merge requests, pipelines, and jobs on GitLab.com or self-hosted instances. Solo and indie builders shipping on GitLab install it when they want repeatable, scriptable checks—pipeline pass/fail, job logs, MR metadata—inside Claude Code, Cursor, or Codex instead of context-switching to the browser. Configuration is environment-driven: GITLAB_URL and a personal access token are required, and GITLAB_PROJECT can default from the local git remote when omitted. The package targets Python 3.11 or newer and is structured for testing with pytest and linting with ruff, which signals production-minded maintenance rather than a one-off snippet. Use it during ship and operate moments when CI truth matters, and during build when you are wiring agent tooling into your delivery stack. It is an integration skill, not a planning methodology—you bring the workflow; the skill executes authenticated API calls and returns structured data your agent can reason over.25installs 11Owasp DockerOwasp-docker from Microsoft hve-core is a reference skill that indexes the OWASP Docker Security Top 6 for agent-assisted reviews of containerized workloads. Indie builders shipping APIs, SaaS backends, or internal tools on Docker can use it to structure security conversations around six high-impact areas instead of ad-hoc grep for privileged flags. Each indexed item—such as secure user mapping, patch strategy, network segmentation, secure defaults, security contexts, and resource protection—follows a repeatable outline covering risk, exposure indicators, preventive controls, example attacks, and detection guidance. That makes it useful when you are drafting a threat model, answering a security questionnaire, or preparing a ship checklist before exposing images to production orchestrators. It does not replace hands-on scanning tools; it gives your agent a canonical vocabulary and depth template so remediation stories stay consistent across services in a monorepo.24installs 12Security Reviewer Formatssecurity-reviewer-formats is a reference skill for Microsoft HVE Core’s security reviewer orchestrator: it defines the exact markdown/text shapes for in-flight Scan Status updates and final Scan Completion confirmations after a report is written. Solo and indie builders running agent skill vulnerability workflows use it so every phase (Setup through Complete) reports mode-consistent messaging and comparable severity and verification rollups. Audit and diff modes surface critical through low counts plus confirmed, disproved, and downgraded verification lines; plan mode swaps verification for risk, caution, and coverage framing. The skill is format-only—pair it with the main security reviewer workflow for scanning logic—but it keeps multi-skill assessments legible for catalog pages, CI gates, and handoff to human review.24installs