Free tools for people who build with agents
Installing a skill for your agent is still an honor system.
Agent skills and MCP servers get distributed the way npm packages did a decade ago — before anyone thought to audit what showed up in node_modules.
One command — npx skills@latest add owner/name — drops a stranger's instructions and scripts straight into a working agent's context. No sandbox. No diff. No review step. It runs with whatever access that agent already has.
What we give away
Six plugins, source on GitHub, free to install — read the code before you trust it. That's the whole argument of this page, applied to our own work first.
Build with our plugins
The same tools we build client systems with — six plugins for SEO, knowledge work, and AI-native development, free to install in Claude Code or Cowork straight from GitHub.
seo-aeo-geoAudit & optimize for Google and AI search — SEO, AEO, and GEO.
View on GitHubobsidian-second-brainTurn an Obsidian vault into a research engine — Zettelkasten/PARA/MOC, semantic search, MCP.
View on GitHubproject-launcherIdea → PRD → gap analysis → scaffolded project, ready for autonomous build.
View on GitHubrhize-devflowContext, error-lifecycle & data-mutation guardrails for Next.js + Sanity, with Sentry instrumentation.
View on GitHubrhize-opsDelegation & team-workflow automation — Jira, Slack, and Fireflies hand-offs.
View on GitHubrhize-metaMeta-skills: forge new skills and refine your own from real usage feedback.
View on GitHub
What installing one looks like
/plugin marketplace add Rhize-Media/rhize-plugins/plugin install seo-aeo-geo@rhize-pluginsskills + slash commands, instantlyThe other half of the problem
@rhize/skill-forge
A CLI that runs a candidate agent skill — or, since v0.5, an MCP server — through a pipeline before it's anywhere near your live setup. Not "SkillForge" — the scoped npm name is deliberate; there's an unrelated existing package called skillforge (no hyphen), and the project's own README calls out the collision.
Quarantine
Installs the candidate into an isolated sandbox — nowhere near your live skill set.
Profile
Reads name, version, license, file structure, and declared dependencies.
Safety scan
Runs a deny-pattern ruleset against the code — curl-pipe-bash patterns, credential-file access, and the other shapes a malicious skill tends to take.
Overlap analysis
Checks the candidate against what you already have configured, so you're not stacking three tools that do the same job with different blast radii.
Report
Everything above, written down. You promote it, hold it, or reject it — the tool doesn't decide for you.
After the report, you decide: promote it, hold it, or reject it. This reduces the risk of installing something you haven't vetted — it doesn't make a skill safe. Nothing can guarantee that from outside a full code review.
The commands
npx @rhize/skill-forge initSet up the pipeline in a projectnpx @rhize/skill-forge add <owner/skill>Pull a candidate skill through itnpx @rhize/skill-forge scanRun the safety scan on demandnpx @rhize/skill-forge listSee what's been vettednpx @rhize/skill-forge statusCheck where a candidate is in the pipelineWant the same build discipline
on your own systems?
A call. No pitch.
Book a call and we'll talk through what you're building with agents right now — whether you hire us or not.
No pitch — you leave with a plan. We'll tell you exactly what we'd do, whether you hire us or not.