agents.md is infrastructure now

░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░
  AGENTS.md: fringe → standard
  skills: scattered → catalog
  your AI: chatbot → OS
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░

1. microsoft/skills + huggingface/skills — the AGENTS.md standard is real now

both microsoft and huggingface dropped repos called “skills” within 24 hours of each other. microsoft’s is for “grounding coding agents”, huggingface’s is a catalog. what looked like a fringe pattern six months ago (AGENTS.md, custom agents, MCP servers) is now infrastructure.

the interesting part: these aren’t agent products. they’re agent interfaces. the assumption is you already have agents running. now you need a standard way to tell them what they can do.

your personal AI isn’t a chatbot with plugins. it’s an OS with a skill loader.

why this matters: skills files are the first line of defense against vibe-coded chaos. if your agent can only do what’s explicitly listed in AGENTS.md, it can’t accidentally expose your API keys. if skills are version-controlled, auditable, and explicit, you can review them like you review code.

microsoft/skills
huggingface/skills


2. huntarr — when vibe coding meets production

someone built huntarr, a media stack automation tool. it got popular. then someone did a security audit. turns out: API keys exposed to anyone on your network. no auth. full control over sonarr, radarr, everything.

the dev banned the person who raised concerns, then nuked the github repo after the reddit thread blew up.

here’s the uncomfortable part: this wasn’t malicious. it was vibes. someone AI-coded their way to a working product, shipped it, got users, and never thought about security because the agent didn’t either.

the new supply chain risk: not dependency hell. trust-the-vibes hell. when your entire stack is AI-generated code that “works” but was never audited, reviewed, or hardened, you’re trusting vibes at every layer.

reddit discussion


3. iOfficeAI/AionUi — free cowork infrastructure for every CLI

AionUi is a local, open-source 24/7 cowork app that supports Claude Code, Codex, OpenCode, Gemini CLI, Qwen Code, Goose, Auggie, and more. 17K stars in like a week.

it’s basically saying: the cowork layer (memory, context, scheduling, persistence) shouldn’t be proprietary to one agent. make it infrastructure.

this is the flip side of the skills signal. skills = what your agent can do. cowork = how your agent lives.

the shift: if this gains traction, agents stop being “tools you run” and start being “entities you host.”

iOfficeAI/AionUi


4. BlackRoad-AI/lucidia-platform

lucidia is positioning itself as “your AI that actually knows you” with an explicit focus on transparency, consent, and care. not just privacy-washing. the whole pitch is anti-extraction.

it’s early (just launched on github), but the framing matters. most personal AI products say “we respect your privacy.” lucidia says “we’re built on a different moral architecture.”

the fork in the road: if personal AI goes mainstream, this is the decision point. do you want an agent that serves you, or one that studies you?

BlackRoad-AI/lucidia-platform


5. VectifyAI/PageIndex — reasoning over documents without vectors

PageIndex is a document index for “vectorless, reasoning-based RAG.” instead of chunking + embedding + similarity search, it builds a structured index and lets the LLM reason over it directly.

this is part of a broader shift: vectors were a workaround for models that couldn’t handle long context. now that they can, why keep the workaround?

if this works at scale: RAG stops being “find similar chunks” and starts being “read the index, think, retrieve.”

VectifyAI/PageIndex


6. prompt-security/clawsec — security for agent workspaces

clawsec is a security skill suite for OpenClaw agents. drift detection, live security recs, automated audits, skill integrity verification. one installable suite.

the assumption: your agent has a SOUL.md. it has memory. it runs in your workspace. it can change files. someone needs to watch it.

the emerging security model: not “block the agent” but “audit the agent.”
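
what “audit the agent” can look like for skill integrity and drift detection, as an added example (not clawsec's code and not from any repo linked here): hash the instruction files an agent loads, then diff them against a baseline a human reviewed. the watched layout (AGENTS.md, SOUL.md, skills/**/*.md), the SKILL.md file name, and the function names are assumptions, and the workspace contents are constructed sample data.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumed layout: instruction files the agent loads at start-up.
WATCHED = ("AGENTS.md", "SOUL.md", "skills/**/*.md")


def snapshot(root: Path) -> dict[str, str]:
    """Map each watched file (relative path) to its SHA-256 digest."""
    digests = {}
    for pattern in WATCHED:
        for path in sorted(root.glob(pattern)):
            if path.is_file():
                rel = path.relative_to(root).as_posix()
                digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def drift(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Compare the reviewed baseline with the live workspace."""
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(
            p for p in baseline.keys() & current.keys() if baseline[p] != current[p]
        ),
    }


def demo() -> dict[str, list[str]]:
    """Constructed workspace: review it, let the 'agent' edit it, then audit."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "skills" / "deploy").mkdir(parents=True)
        (root / "AGENTS.md").write_text("allowed: read repo, run tests\n")
        (root / "SOUL.md").write_text("tone: terse\n")
        (root / "skills" / "deploy" / "SKILL.md").write_text("deploy to staging\n")
        baseline = snapshot(root)  # in practice: committed after human review

        # Simulated unreviewed changes made inside the workspace.
        (root / "AGENTS.md").write_text("allowed: read repo, run tests, read .env\n")
        (root / "skills" / "export").mkdir()
        (root / "skills" / "export" / "SKILL.md").write_text("upload files\n")
        (root / "SOUL.md").unlink()
        return drift(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

the baseline only means something if the agent cannot write to it, so keep it in version control or outside the workspace the agent can modify.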

prompt-security/clawsec


the pattern

six signals. one theme: agents are infrastructure now.

skills are how you configure them.
AGENTS.md is the new .env.
security is auditing, not blocking.
cowork is hosting, not calling.

the question isn’t “which agent should I use” anymore.

it’s “how do I make all my agents play nice with each other — and with me?”