I do agree with Jacques Ellul in Technological Society that technique precedes science, and that's certainly the case with LLMs; however, this whole industry waves off rigorous validation in favor of personal anecdotes ("it feels more productive to me!" "they didn't study after Opus 4.5 was released").

The "cognitive load" problem latand6 raised for reviewing every skill is real. That's where you integrate security and quality gates – treat these skills like any other software artifact. You wouldn't manually review every line of every dependency, so automate the validation here too.

But in practice you end up with skills that depend on other skills, or a skill that assumes specific instructions are already loaded, conflicting skills, versioning and supply chain issues - and suddenly you need dependency resolution.

I've built a package-manager approach for this (APM - github.com/microsoft/apm) and the thing that surprised me most was how quickly even small teams end up with config sprawl - and how much a manifest that travels with the project helps.

The "too small for a repo" thing is real, but one pattern that works is having a monorepo per dev team or org with all skills and building jointly over there.

That’s what I do for each ticket.