Super Agent Skill vs building skills in-house
Your team can absolutely write its own agent skills — the question is whether writing the skill is the expensive part. In practice, the prompt is 20% of the work; the testing, hardening, and ongoing re-verification are the other 80%. Here is the honest build-vs-install breakdown.
What 'building it in-house' actually includes
Writing a skill that works on the happy path takes an afternoon. Making it safe takes an evaluation harness: adversarial test cases, injection suites, a way to score outputs, and a schedule to re-run all of it every time the underlying model or the skill changes. Most teams that start with 'we'll just write the prompt ourselves' end up building a miniature testing platform on the side — or skipping the testing and hoping.
There is also the provenance problem inside your own walls. Without signing, any engineer (or any compromised CI job) can edit the prompt an agent runs in production, and nothing flags it.
What the marketplace amortizes for you
Super Agent Skill runs adversarial testing with attacker and judge LLMs against every published skill, and SkillForge re-tests over time so results stay current instead of decaying. Skills are Ed25519-signed, so what you install is provably what the author published. The Trust Score is a public, reproducible formula: adversarial test results count for 45%, real-world success telemetry for 20%, signing status for 10%, package age for 15%, and schema validity for 10%. Nothing is editorially assigned, and anyone can recompute a score offline with npm run trust:verify.
Installation is one MCP URL or an npx command, which means evaluating three candidate skills costs minutes, not sprints. The build-vs-buy math shifts: in-house makes sense for skills encoding genuinely proprietary logic; for everything generic — code review, redaction, triage, compliance checks — you are rebuilding tested commodities.
The hybrid most teams land on
Install verified skills for commodity capabilities, and reserve in-house effort for the skills that encode your domain edge. You can also publish in-house skills to the marketplace privately or publicly and inherit the testing infrastructure — the adversarial harness and re-testing pipeline run the same either way, which is usually cheaper than maintaining your own.
The verdict
Build the skills that are your moat. Install the ones that aren't — and let the adversarial testing pipeline be someone else's infrastructure bill.
Frequently asked questions
When does building in-house clearly win?
When the skill encodes proprietary business logic, touches internal systems no marketplace skill knows about, or when policy requires all agent instructions to be authored internally. Even then, you still need adversarial testing — the threat model doesn't care who wrote the prompt.
Can we run marketplace-grade testing on our own skills?
Yes — submit them through SkillForge and they go through the same attacker/judge LLM evaluation and periodic re-testing as public skills.
How do we audit what we install?
Every skill's Trust Score decomposes into its published components (adversarial 45%, real success 20%, signing 10%, age 15%, schema 10%), and npm run trust:verify recomputes it offline. Your security team can verify without trusting us.
Every listing shows its Trust Score, adversarial pass rate, and Ed25519 signing status.
One URL installs the marketplace into any MCP-capable agent. No SDK, no migration.
Want to audit us? Run npm run trust:verify to recompute any Trust Score and verify signatures offline.