AGENTS.md is infrastructure now
by Ray Svitla
something happened yesterday that you probably missed: microsoft and huggingface both launched repos called “skills” within 24 hours of each other.
not a coincidence. not a race. a convergence.
six months ago, AGENTS.md was a weird file that a few early adopters were experimenting with. a way to tell your AI assistant what it could do in your codebase. markdown file, structured instructions, kind of like a .env but for agent behavior.
now? microsoft is shipping “skills for grounding coding agents.” huggingface is building a skills catalog. the pattern isn’t fringe anymore. it’s infrastructure.
the shift nobody announced
here’s what’s interesting: these aren’t agent products. they’re agent interfaces.
microsoft/skills isn’t saying “use our agent.” it’s saying “here’s how to make your agent understand what it can do.” huggingface/skills isn’t a new model. it’s a directory of capabilities you can plug into whatever agent you’re running.
the assumption baked into both repos is: you already have agents running. multiple agents, probably. Claude Code, Codex, Gemini CLI, whatever. the question isn’t “which agent should I use” anymore. it’s “how do I tell all my agents what they’re allowed to do?”
this is the moment when a tool becomes a protocol.
your AI isn’t a chatbot with plugins
the mental model shift is subtle but massive.
old model: chatbot → you ask it things → it has plugins → plugins give it capabilities → plugins are controlled by the company that made the chatbot.
new model: agent → it lives in your workspace → it reads a skills file → skills are yours → you install, remove, customize them → the agent is infrastructure, skills are configuration.
your personal AI isn’t a chatbot with plugins. it’s an OS with a skill loader.
and here’s the kicker: the OS doesn’t care which agent runtime you’re using. Claude Code and Gemini CLI can read the same AGENTS.md file. same skills, different engines.
what happened to MCP?
remember MCP? model context protocol. anthropic’s big push to standardize how agents connect to external tools. it was supposed to be the standard.
it might still be. but skills are simpler.
MCP is “how does my agent talk to this API.” skills are “what is my agent allowed to do in the first place.”
MCP is network layer. skills are permissions layer.
you need both. but if I had to bet on which one becomes ubiquitous first, I’d bet on the one that’s just a markdown file.
the security conversation starts here
there’s a darker reason this matters.
yesterday, huntarr — a popular media stack automation tool — got exposed for having zero security. API keys accessible to anyone on your network. no auth. full control over your entire stack.
wasn’t malicious. dev just vibe-coded it into existence, shipped it, got users, never thought about security because the AI agent that helped build it didn’t think about it either.
ban the auditor, nuke the repo, blame the community.
this is what happens when you treat agents like magic code generators instead of infrastructure you need to secure.
skills files are the first line of defense. if your agent can only do what’s explicitly listed in AGENTS.md, it can’t accidentally expose your API keys. if skills are version-controlled, auditable, and explicit, you can review them like you review code.
the alternative is “trust the vibes.” and we just saw how that goes.
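what "review them like you review code" can look like in practice, as an added example that is not from the original post or from either skills repo: a deny-by-default check plus a diff that surfaces every newly granted permission between two revisions of the file. the `## allowed` heading, the `- kind: pattern` bullets and all function names are assumptions made for illustration, and the check runs as a gate outside the agent.

```python
import fnmatch
import posixpath
import re

# Constructed sample: two revisions of a hypothetical AGENTS.md. The
# "## allowed" heading and "- kind: pattern" bullets are an assumed layout.
OLD = """\
# AGENTS.md
## allowed
- shell: npm test
- read: src/*
"""
NEW = """\
# AGENTS.md
## allowed
- shell: npm test
- shell: *
- read: src/*
- read: .env
## notes
- shell: outside the allowed section, so ignored
"""
ENTRY = re.compile(r"^-\s*(\w+):\s*(\S.*?)\s*$")

def parse_allowed(text):
    """Return the set of (kind, pattern) pairs under the '## allowed' heading."""
    allowed, in_section = set(), False
    for line in text.splitlines():
        if line.startswith("#"):
            in_section = line.lstrip("#").strip().lower() == "allowed"
        elif in_section and (m := ENTRY.match(line.strip())):
            allowed.add((m.group(1).lower(), m.group(2)))
    return allowed

def is_permitted(allowed, kind, target):
    """Deny by default: permit only if a listed pattern of this kind matches."""
    if kind == "read":
        target = posixpath.normpath(target)  # "src/../.env" becomes ".env"
    return any(k == kind and fnmatch.fnmatchcase(target, p) for k, p in allowed)

def review(old_text, new_text):
    """Entries added in the new revision; wildcard-only grants are marked broad."""
    added = parse_allowed(new_text) - parse_allowed(old_text)
    return sorted((k, p, "broad" if p.strip("*/ ") == "" else "new") for k, p in added)

if __name__ == "__main__":
    for kind, pattern, flag in review(OLD, NEW):
        print(f"needs approval [{flag}]: {kind}: {pattern}")
```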
what this means if you’re building a personal AI
if you’re building anything in the personal AI / agent / cowork space, here’s what this signals:
→ stop building monoliths. your agent isn’t the product. the interface is the product.
→ markdown over APIs. if microsoft and huggingface are betting on markdown files as the config layer, you probably should too.
→ assume multi-agent. users won’t pick one agent and stick with it. they’ll run multiple. your job is to make them all play nice.
→ security is a feature. explicit, auditable permissions aren’t optional. they’re the whole point.
→ the agent lives with the code. stop thinking about AI as a service you call. start thinking about it as a process that runs in your repo.
the first skill you’d install
so here’s the question: if your AI is an OS with a skill loader, what’s the first skill you’d install?
mine would be “memory persistence across sessions.” because right now, most agents are amnesiac goldfish. every conversation starts from zero. if skills become standard, “remember what I told you last Tuesday” stops being a premium feature and starts being a config option.
second skill: “summarize this codebase and update the summary every time I commit.”
third: “when I say ‘ship it,’ run tests, build, deploy, and post the changelog to discord.”
those aren’t plugins. they’re permissions. and if they’re in a markdown file I control, I can share them, fork them, audit them, and trust them.
what’s next
microsoft/skills and huggingface/skills aren’t trying to own the standard. they’re trying to establish the standard so everyone else can build on it.
that’s a good sign.
the next six months will tell us if this becomes ubiquitous or just another repo that got stars and died. but the fact that two of the biggest players in AI converged on the same pattern in the same week? that’s not random.
agents are infrastructure now.
skills are how you configure them.
AGENTS.md is the new .env.
and if you’re not thinking about this yet, you will be soon.
Ray Svitla stay evolving 🐌