chore: optimize skills

Author: davidmytton

CONTRIBUTING.md

@@ -126,6 +126,14 @@ Both must pass before merging.
 - Test skills by running them in an AI coding agent against a real project e.g. `claude --plugin-dir ./arcjet-plugin`
 - Start new protection rules in `DRY_RUN` mode guidance — never suggest `LIVE` as a default
 
+## Skill Writing References
+
+When creating or improving skills, follow the guidance at [agentskills.io](https://agentskills.io):
+
+- [Best practices](https://agentskills.io/skill-creation/best-practices) — scoping, context efficiency, gotchas sections, code templates, and calibrating control
+- [Optimizing descriptions](https://agentskills.io/skill-creation/optimizing-descriptions) — writing descriptions that trigger reliably on relevant prompts
+- [Evaluating skills](https://agentskills.io/skill-creation/evaluating-skills) — test cases, grading, and iterating on output quality
+
 ## License
 
 By contributing, you agree that your contributions will be licensed under the [Apache License 2.0](LICENSE).

skills/add-ai-protection/SKILL.md

@@ -1,7 +1,7 @@
 ---
 name: add-ai-protection
 license: Apache-2.0
-description: Add AI-specific security to LLM/chat endpoints — prompt injection detection, PII/sensitive info blocking, and token budget rate limiting. Use when building AI chat interfaces, completion APIs, or any endpoint that processes user prompts.
+description: Protect AI chat and completion endpoints from abuse — detect prompt injection and jailbreak attempts, block PII and sensitive info from leaking in responses, and enforce token budget rate limits to control costs. Use this skill when the user is building or securing any endpoint that processes user prompts with an LLM, even if they describe it as "preventing jailbreaks," "stopping prompt attacks," "blocking sensitive data," or "controlling AI API costs" rather than naming specific protections.
 metadata:
   pathPatterns:
     - "app/api/chat/**"
@@ -42,16 +42,7 @@ Secure AI/LLM endpoints with layered protection: prompt injection detection, PII
 
 Read https://docs.arcjet.com/llms.txt for comprehensive SDK documentation covering all frameworks, rule types, and configuration options.
 
-## Why AI Endpoints Need Special Protection
-
-AI endpoints are high-value targets:
-
-- **Prompt injection** — attackers try to override system prompts, extract training data, or bypass safety rails
-- **PII leakage** — users may paste sensitive data (credit cards, emails, phone numbers) that gets stored in model context or logs
-- **Cost abuse** — each request consumes expensive model tokens; without rate limiting, a single user can exhaust your budget
-- **Automated scraping** — bots can scrape your AI endpoints for data or to find vulnerabilities.
-
-Arcjet addresses all of these with rules that run **before** the request reaches your AI model.
+Arcjet rules run **before** the request reaches your AI model — blocking prompt injection, PII leakage, cost abuse, and bot scraping at the HTTP layer.
 
 ## Step 1: Ensure Arcjet Is Set Up
 
@@ -77,13 +68,11 @@ Prevents personally identifiable information from entering model context.
 - JS: `sensitiveInfo({ deny: ["EMAIL", "CREDIT_CARD_NUMBER", "PHONE_NUMBER", "IP_ADDRESS"] })`
 - Python: `detect_sensitive_info(deny=[SensitiveInfoType.EMAIL, SensitiveInfoType.CREDIT_CARD_NUMBER, ...])`
 
-Detection runs **locally in WASM** — no user data is sent to external services. Only available in route handlers (not pages or server actions in Next.js).
-
 Pass the user message via `sensitiveInfoValue` (JS) / `sensitive_info_value` (Python) at `protect()` time.
 
 ### Token Budget Rate Limiting
 
-Use `tokenBucket()` / `token_bucket()` for AI endpoints — it allows short bursts while enforcing an average rate, which matches how users interact with chat interfaces.
+Use `tokenBucket()` / `token_bucket()` for AI endpoints — the `requested` parameter can be set proportional to actual model token usage, directly linking rate limiting to cost. It also allows short bursts while enforcing an average rate, which matches how users interact with chat interfaces.
 
 Recommended starting configuration:
 
@@ -99,24 +88,55 @@ Set `characteristics` to track per-user: `["userId"]` if authenticated, defaults
 
 Always include `shield()` (WAF) and `detectBot()` as base layers. Bots scraping AI endpoints are a common abuse vector. For endpoints accessed via browsers (e.g. chat interfaces), consider adding Arcjet advanced signals for client-side bot detection that catches sophisticated headless browsers. See https://docs.arcjet.com/bot-protection/advanced-signals for setup.
 
-## Step 3: Compose the protect() Call
-
-All rule parameters are passed together in a single `protect()` call. The key parameters for AI:
-
-- `requested` — tokens to deduct for rate limiting
-- `sensitiveInfoValue` / `sensitive_info_value` — the user's message text for PII scanning
-- `detectPromptInjectionMessage` / `detect_prompt_injection_message` — the user's message text for injection detection
-
-Typically `sensitiveInfoValue` and `detectPromptInjectionMessage` are set to the same value: the user's input message.
-
-## Step 4: Handle Decisions
-
-For AI endpoints, provide meaningful error responses:
-
-- **Rate limited** (`reason.isRateLimit()`) → 429 with message like "You've exceeded your usage limit. Please try again later."
-- **Prompt injection** (`reason.isPromptInjection()`) → 400 with "Your message was flagged as potentially harmful."
-- **Sensitive info** (`reason.isSensitiveInfo()`) → 400 with "Your message contains sensitive information that cannot be processed. Please remove any personal data."
-- **Bot detected** (`reason.isBot()`) → 403
+## Step 3: Compose the protect() Call and Handle Decisions
+
+All rule parameters are passed together in a single `protect()` call. Use this pattern:
+
+```typescript
+const userMessage = req.body.message; // the user's input
+
+const decision = await aj.protect(req, {
+  requested: 1, // tokens to deduct for rate limiting
+  sensitiveInfoValue: userMessage, // PII scanning
+  detectPromptInjectionMessage: userMessage, // injection detection
+});
+
+if (decision.isDenied()) {
+  if (decision.reason.isRateLimit()) {
+    return Response.json(
+      { error: "You've exceeded your usage limit. Please try again later." },
+      { status: 429 },
+    );
+  }
+  if (decision.reason.isPromptInjection()) {
+    return Response.json(
+      { error: "Your message was flagged as potentially harmful." },
+      { status: 400 },
+    );
+  }
+  if (decision.reason.isSensitiveInfo()) {
+    return Response.json(
+      {
+        error:
+          "Your message contains sensitive information that cannot be processed. Please remove any personal data.",
+      },
+      { status: 400 },
+    );
+  }
+  if (decision.reason.isBot()) {
+    return Response.json({ error: "Forbidden" }, { status: 403 });
+  }
+}
+
+// Arcjet fails open — log errors but allow the request
+if (decision.isErrored()) {
+  console.warn("Arcjet error:", decision.reason.message);
+}
+
+// Proceed with AI model call...
+```
+
+Adapt the response format to your framework (e.g., `res.status(429).json(...)` for Express).
 
 ## Step 5: Verify
 
@@ -144,3 +164,11 @@ The Arcjet dashboard at https://app.arcjet.com is also available for visual insp
 **Multiple models / providers**: Use the same Arcjet instance regardless of which AI provider you use. Arcjet operates at the HTTP layer, independent of the model provider.
 
 **Vercel AI SDK**: Arcjet works alongside the Vercel AI SDK. Call `protect()` before `streamText()` / `generateText()`. If denied, return a plain error response instead of calling the AI SDK.
+
+## Common Mistakes to Avoid
+
+- Sensitive info detection runs **locally in WASM** — no user data is sent to external services. It is only available in route handlers, not in Next.js pages or server actions.
+- `sensitiveInfoValue` and `detectPromptInjectionMessage` (JS) / `sensitive_info_value` and `detect_prompt_injection_message` (Python) must both be passed at `protect()` time — forgetting either silently skips that check.
+- Starting a stream before calling `protect()` — if the request is denied mid-stream, the client gets a broken response. Always call `protect()` first and return an error before opening the stream.
+- Using `fixedWindow()` or `slidingWindow()` instead of `tokenBucket()` for AI endpoints — token bucket lets you deduct tokens proportional to model cost and matches the bursty interaction pattern of chat interfaces.
+- Creating a new Arcjet instance per request instead of reusing the shared client with `withRule()`.

skills/protect-route/SKILL.md

@@ -1,7 +1,7 @@
 ---
 name: protect-route
 license: Apache-2.0
-description: Add Arcjet security protection to a route handler. Detects framework, imports the shared client, applies appropriate rules, and handles decisions. Use when adding security to API routes, form handlers, or any server-side endpoint.
+description: Add security protection to a server-side route or endpoint — rate limiting, bot detection, email validation, and abuse prevention. Works across frameworks including Next.js, Express, Fastify, SvelteKit, Remix, Bun, Deno, NestJS, and Python (Django/Flask). Use this skill when the user wants to protect an API route, form handler, auth endpoint, or webhook from abuse, even if they describe it as "add rate limiting," "block bots," "prevent brute force," or "secure my endpoint" without mentioning Arcjet specifically.
 metadata:
   pathPatterns:
     - "app/**/route.ts"
@@ -85,35 +85,58 @@ Search the project for an existing shared Arcjet client file (commonly `lib/arcj
 
 Select rules based on the route's purpose. If the user specified what they want (via `$ARGUMENTS` or in their prompt), use that. Otherwise, infer from context:
 
-| Route type              | Recommended rules                                                      |
-| ----------------------- | ---------------------------------------------------------------------- |
-| Public API endpoint     | `shield()` + `detectBot()` + `fixedWindow()` or `slidingWindow()`      |
-| Form handler / signup   | `shield()` + `validateEmail()` + `slidingWindow()`                     |
-| Authentication endpoint | `shield()` + `slidingWindow()` (strict, low limits)                    |
-| AI / LLM endpoint       | Use `/arcjet:add-ai-protection` instead — it handles the full AI stack |
-| Webhook receiver        | `shield()` + filter rules for allowed IPs                              |
-| General server route    | `shield()` + `detectBot()`                                             |
+| Route type              | Recommended rules                                                                                            |
+| ----------------------- | ------------------------------------------------------------------------------------------------------------ |
+| Public API endpoint     | `shield()` + `detectBot()` + `slidingWindow()` (use `fixedWindow()` only if hard per-window caps are needed) |
+| Form handler / signup   | `shield()` + `validateEmail()` + `slidingWindow()`                                                           |
+| Authentication endpoint | `shield()` + `slidingWindow()` (strict, low limits)                                                          |
+| AI / LLM endpoint       | Use `/arcjet:add-ai-protection` instead — it handles the full AI stack                                       |
+| Webhook receiver        | `shield()` + filter rules for allowed IPs                                                                    |
+| General server route    | `shield()` + `detectBot()`                                                                                   |
 
 For routes that need to detect sophisticated bots (headless browsers, advanced scrapers) — especially form submissions, login/signup pages, and other abuse-prone endpoints — recommend adding Arcjet advanced signals. This is a browser-based detection system using client-side telemetry that complements server-side `detectBot()` rules. See https://docs.arcjet.com/bot-protection/advanced-signals for setup instructions.
 
 Apply route-specific rules using `withRule()` on the shared instance — do not modify the shared instance directly.
 
 ## Step 4: Add Protection to the Handler
 
-**Key patterns:**
-
-- Call `protect()` **inside** the route handler, not in middleware.
-- Call `protect()` only **once** per request.
-- Pass the framework's request object directly.
-- For Next.js pages/server components: use `import { request } from "@arcjet/next"` then `const req = await request()`.
-
-**Handle the decision:**
-
-- `isDenied()` (JS) / `is_denied()` (Python) — return the appropriate error response:
-  - `429` if `reason.isRateLimit()`
-  - `403` if `reason.isBot()`, `reason.isShield()`, or `reason.isFilterRule()`
-  - `400` if `reason.isSensitiveInfo()`
-- `isErrored()` / `is_error()` — Arcjet fails open. Log the error and allow the request to proceed.
+Call `protect()` **inside** the route handler (not in middleware), only **once** per request, passing the framework's request object directly. For Next.js pages/server components: use `import { request } from "@arcjet/next"` then `const req = await request()`.
+
+Use this pattern:
+
+```typescript
+const decision = await aj.protect(req);
+
+if (decision.isDenied()) {
+  if (decision.reason.isRateLimit()) {
+    return Response.json(
+      { error: "Too many requests" },
+      { status: 429 },
+    );
+  }
+  if (decision.reason.isBot() || decision.reason.isShield() || decision.reason.isFilterRule()) {
+    return Response.json(
+      { error: "Forbidden" },
+      { status: 403 },
+    );
+  }
+  if (decision.reason.isSensitiveInfo()) {
+    return Response.json(
+      { error: "Bad request" },
+      { status: 400 },
+    );
+  }
+}
+
+// Arcjet fails open — log errors but allow the request
+if (decision.isErrored()) {
+  console.warn("Arcjet error:", decision.reason.message);
+}
+
+// Proceed with route handler logic...
+```
+
+Adapt the response format to your framework (e.g., `res.status(429).json(...)` for Express, `JsonResponse` for Django).
 
 ## Step 5: Verify