Best Claude Code skills in 2026: the honest list (free and paid)

TL;DR

I have installed and pulled the source on 187 Claude Code skills in 2026 while building the SkillVault audit bundle. This is the honest shortlist of what is worth installing, what to skip, and where the gaps still are. Free options first, then paid, then the bundles. No affiliate gymnastics. No "top 50" lists. Just the ones I actually use.

Table of contents

• How I picked these
• Free upstream sources worth installing today
• Individual skills I use weekly
• The most-installed marketplace skills
• Paid bundles compared
• What I rejected and why
• How to install safely

How I picked these

For each candidate I ran the 7-check audit framework from our skill safety post: source/maintainer history, metadata scan, tool surface, dependencies, example invocations, license, prompt-injection scan. A skill had to pass all seven to make this list.

I am not ranking by install count because the Snyk audit found that 13.4% of public skills have critical-level security issues, including some with very high install counts. Popularity is not safety.

What "worth installing" actually means

Three criteria. First, the skill solves a real problem you have today, not a hypothetical workflow. Second, the source is short enough that you can read the whole thing in under fifteen minutes. Third, the value of having the skill exceeds the maintenance cost of keeping it audited as upstream changes.

That third one kills most of the bundle skills you see marketed. A skill that saves you ten minutes a week but requires twenty minutes to re-audit every month is a net loss. The skills below clear all three bars.

Free upstream sources worth installing today

Anthropic's official skills

The Anthropic-maintained skills repo is the baseline. The four document skills (pdf, docx, xlsx, pptx) are excellent. Note the license: they are source-available, not open source. You can use them in your own Claude Code instance. You cannot redistribute them. That distinction matters if you are bundling skills for a team.

Repo: github.com/anthropics/skills

alirezarezvani/claude-skills (5,200+ stars)

The largest single-maintainer collection. 329 skills, 30+ agents, 70+ slash commands, eight IDE coverage matrix. Active in 2026. The maintainer ships frequently and responds to issues.

Use it for: Breadth. Browsing the full landscape of what skills can do.

Caveats: No published security audit. License is per-skill, which means you have to check each one before you redistribute. About 18% of skills have at least one dependency that I would not have approved in our bundle.

Repo: github.com/alirezarezvani/claude-skills

VoltAgent/awesome-agent-skills

Curated "awesome list" style collection. 1,000+ skills aggregated from official dev teams and the community. Closer to a directory than a bundle.

Use it for: Discovery. Finding a specific skill for a specific need.

Caveats: Curation is by inclusion (does this exist?), not by audit (is this safe?). You still have to audit anything you pull from here.

Repo: github.com/VoltAgent/awesome-agent-skills

daymade/claude-code-skills

56+ skills with a "professional" framing. Includes a skill-creator meta-skill that is genuinely useful for building your own. Active through January 2026.

Use it for: A starting set if you do not want to install all 329 of alirezarezvani's.

Caveats: No audit trail. License review is on you.

Repo: github.com/daymade/claude-code-skills

Individual skills I use weekly

These are the skills I actually run on real work. One-line review each.

• skill-creator (Anthropic). Use this to scaffold any new skill. It is the only "meta" skill that has earned a permanent slot in my install.
• pdf (Anthropic). Best PDF extraction in the ecosystem. Reads tables, handles encrypted files, knows when to OCR. Source-available, not redistributable.
• docx / pptx / xlsx (Anthropic). Same caveat on license. Best-in-class for document work.
• commit-message-writer (community). Generates conventional commit messages from staged diffs. The version we ship in SkillVault is a fork of the upstream with the network-call dependency removed.
• review (Anthropic skill set). Runs a structured PR review pass. Especially good when you point it at a CHANGELOG and ask it to flag anything the changelog missed.
• security-review (Anthropic skill set). Surfaces the high-signal security issues in a diff. Will not catch everything but is a useful first pass.
• screenshot (community). Takes a screenshot of a URL and returns it inline. Audit the version carefully; one popular fork phones home.

For most teams, those eight plus the skill-creator are enough. Resist the urge to install 200 skills.

The most-installed marketplace skills

For completeness, the highest-install skills as of May 2026. Inclusion here is not a recommendation. It is a market data point.

• Superpowers (476,000+ installs). Productivity-bundle marketing. Massive install count. The bundle ships a mix of audited and unaudited components. I install individual components from it; I do not install the bundle wholesale.
• An Anthropic-published marketplace skill (564,000+ installs). Per the BuildFastWithAI 2026 Claude Skills guide, the most-installed skill on the marketplace. First-party. Safe to install.

The trap: install count is heavily skewed by marketplace recommendation algorithms. A skill with 500K installs is not 100x safer than a skill with 5K installs. It is just 100x more discoverable.

Paid bundles compared

Honest comparison of the paid options I have evaluated. Prices verified May 2026.

| Bundle | Price | Skills | Audited? | License-clean? | Best for | |---|---|---|---|---|---| | SkillVault | $99 lifetime | 41 | Yes (7-check framework, public summary) | Yes (MIT replacements for source-available) | Teams that need attestation | | Premium Claude Skills (usamaakrm) | ~$19 | "Premium Collection" | No | Mixed | Solo devs who just want a pack | | Claude Skill Bundle (AIMastering) | ~$29 | 56 | No | Unknown | Marketing/copy workflows | | Claude Skills Pack (ThinkAIPrompt) | ~$15-25 | 30 | No | Unknown | Cheapest test buy | | Claude Code Mastery Pack (aijack) | ~$199 | 9 workflows + skills | No | Unknown | Tutorial + skills hybrid | | ClaudeKit | Subscription | varies | Partial | Yes | Continuous updates |

Affiliate disclosure: I run SkillVault. The other bundles are real comps and I included them because if your use case fits one of them better, you should buy that one. I gain nothing from misdirecting you.

Pricing logic: The free GitHub repos are the perceived-value ceiling for buyers. A $19 pack is "what you would pay for convenience." A $99 pack like SkillVault is "what you pay for the audit." A $199 pack is hybrid (course + skills). If you do not value the audit, $19 is the right price. If a vulnerability in a skill would cost you customer-data exposure or a SOC2 finding, $99 is cheap.

When to buy SkillVault vs DIY-audit-your-own

The honest framing. There are two valid paths and I will not pretend the bundle is the right answer for everyone.

DIY the audit yourself if: you are a solo developer with time on your hands, you enjoy reading source, and you want to install 5 to 10 skills total. The work is real but bounded. Budget 30 to 60 minutes per skill across the seven checks. For ten skills that is one weekend. The output is a personal install set you fully understand.

Buy SkillVault if: you are on a 2 to 10 person team where any skill could touch your prod database, your customer data, or your commit history. The bundle saves 20 to 40 hours of skilled engineering time and gives you a public audit summary you can show to a security reviewer or a SOC2 auditor. At $99 lifetime, that math works if your time is worth more than $2.50 an hour.

Use both if: you want the audited core for daily work and a few experimental skills you ran through the framework yourself. That is what most of my team does. The bundle is the floor; personal experiments live above it.

The category of "skills worth installing" is small. Resist the urge to collect them like Pokemon. Five great skills you understand beat fifty random skills you do not.

What I rejected and why

A representative sample of skills that did not make the list:

• A 500K-install code-review skill that pulled a node-fetch dependency from a maintainer with no public history. The maintainer registered the npm account 90 days before the dependency was added. Killed.
• A popular "AWS cost reporter" that called out to aws-cost-data.example.com (real domain, different name) for "enrichment." I could not find a legitimate reason for the call. Killed.
• Most marketplace bundles that ship Anthropic's document skills without addressing redistribution. They are infringing whether they know it or not. Killed.
• Anything with unpinned dependencies. A skill that says "requests": "*" is one supply-chain attack away from owning every install.

How to install safely

Three rules that prevent 90% of skill incidents:

1. Read the source before you install. Every skill. If the skill is 200 lines and you do not have 10 minutes to read it, you do not have time to safely install it.
2. Pin every install to a commit hash. Not a tag, not a branch. A specific commit hash you reviewed.
3. Install one at a time and run your full test suite between installs. If something breaks, you know which skill did it.

A concrete pinning example

When you install from a community repo, the difference between safe and unsafe is one flag. Compare these two forms:

# Unsafe: pulls whatever HEAD is right now
/plugin marketplace add alirezarezvani/claude-skills

# Safer: pin to a specific commit you reviewed
/plugin marketplace add alirezarezvani/claude-skills@a3f7c9d

The second form gives you reproducibility. If the maintainer pushes a malicious commit tomorrow, your install does not auto-pull it. The cost is that you need to re-review and re-pin when you actually want updates, which is exactly the cadence you want for security-sensitive software.

For team installs, commit the pinned hashes into your repo's claude.toml or equivalent. Treat it like a package-lock.json. A skill version that drifts under your feet is a vulnerability you have not seen yet.

If those three rules sound like too much work for every skill, the math on SkillVault gets simple. We do them for you, on 41 skills, with a public audit summary. $99 lifetime, one payment.

---

Skip the audit work. SkillVault is the bundle: 41 audited skills, public audit summary, MIT replacements for source-available Anthropic skills, quarterly refresh.

Get SkillVault →

Free option just as valid: install from alirezarezvani/claude-skills and run the 7-check audit framework yourself.