惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
MyScale Blog
MyScale Blog
Microsoft Azure Blog
Microsoft Azure Blog
N
Netflix TechBlog - Medium
M
MIT News - Artificial intelligence
GbyAI
GbyAI
人人都是产品经理
人人都是产品经理
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
博客园_首页
爱范儿
爱范儿
博客园 - 三生石上(FineUI控件)
L
LangChain Blog
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
云风的 BLOG
云风的 BLOG
Y
Y Combinator Blog
L
LINUX DO - 热门话题
Project Zero
Project Zero
罗磊的独立博客
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
MongoDB | Blog
MongoDB | Blog
Spread Privacy
Spread Privacy
S
Schneier on Security
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
J
Java Code Geeks
P
Palo Alto Networks Blog
D
Darknet – Hacking Tools, Hacker News & Cyber Security
博客园 - Franky
T
Threat Research - Cisco Blogs
D
Docker
Hugging Face - Blog
Hugging Face - Blog
S
Securelist
Google DeepMind News
Google DeepMind News
T
The Exploit Database - CXSecurity.com
L
Lohrmann on Cybersecurity
月光博客
月光博客
V
Vulnerabilities – Threatpost
NISL@THU
NISL@THU
V
Visual Studio Blog
AWS News Blog
AWS News Blog
I
Intezer
T
The Blog of Author Tim Ferriss
P
Privacy International News Feed
T
Tor Project blog
F
Full Disclosure
P
Proofpoint News Feed
SecWiki News
SecWiki News
H
Heimdal Security Blog
Help Net Security
Help Net Security
The Hacker News
The Hacker News

Hacker News - Newest: "AI"

AI can't read an investor deck AI as an attorney? Student uses ChatGPT, Gemini to sue UW over alleged racial discrimination Hacking MCP Servers in AI Systems – The Rug Pull: Tool Changes After Approval GitHub - MeepCastana/KubeezCut: Free Web based video editor GitHub - GenAI-Gurus/awesome-eu-ai-act: Curated tools, official sources, OSS, templates, and guides for EU AI Act compliance. Can AI judge journalism? A Thiel-backed startup says yes, even if it risks chilling whistleblowers Coming soon: 10 Things That Matter in AI Right Now DARPA built an AI to fact-check enemy weapons claims What explains heterogeneity in AI adoption? When AI Meets Muscle: Context-Aware Electrical Stimulation Promises a New Way to Guide Human Movements - Department of Computer Science AI Changed How We Build. It Did Not Change What Matters. Linux rules on using AI-generated code - Copilot is OK, but humans must take 'full responsibility for the… Meta spins up AI version of Mark Zuckerberg to engage with employees Code Mode: Let Your AI Write Programs, Not Just Call Tools | TanStack Blog GitHub - Delavalom/graft: Go framework for building AI agents. Type-safe tools, multi-provider (OpenAI, Anthropic, Gemini, Bedrock), zero vendor SDKs. India's TCS tops estimates, says new AI models did not dent services demand Gen Z's fading AI hype Strong feeling: we are in a folded AI reality GitHub - machinarii/total-recall-catalog: A reference catalog of latest knowledge retrieval, memory & RAG systems GitHub - mensfeld/code-on-incus: Give each AI agent its own isolated machine with root, Docker, and systemd. Active defense detects and stops threats automatically.. Quantization, LoRA, and the 8% Problem: Benchmarking Local LLMs for Production AI Iran war: We spoke to the man making Lego-style AI videos that experts say are powerful propaganda Powell, Bessent discussed Anthropic's Mythos AI cyber threat with major U.S. banks GitHub - immartian/bellamem: Persistent belief-graph memory for AI agents. Retrieves decisive context by importance — not recency, not RAG, not /compact. recursive-mode: The Repo-Native Operating System for AI Engineering After the attack on Sam Altman's home, will AI CEO's go on the offensive? The biggest advance in AI since the LLM Opus 4.6 vs GPT 5.4 One Prompt Unity World Generation Test “AI polls” are fake polls Client Challenge Can AI be a 'child of God'? Inside Anthropic's meeting with Christian leaders How to Switch AI Chatbots and Why You Might Want To GitHub - MattMessinger1/agentic_refund_guardrail: Safe refund policy layer for AI agents — Python + TypeScript. Same behavior, shared tests. Adam/papers/emergent_values_whitepaper.md at master · strangeadvancedmarketing/Adam Ask HN: How do you stop playing 20 questions with your AI coding tools How far can automation and AI support psychotherapy? - @theU GitHub - stagas/rtdiff: realtime git diff gui and AI-assisted commits A Mac Studio for Local AI — 6 Months Later A History of the Early Years of AI at the University of Edinburgh Why AI Coding Tools Still Feel Stuck on Localhost MSN AI Datacenters Are Becoming Strategic Targets twitter.com Penn Researchers Use AI to Surface Unreported GLP-1 Side Effects in Reddit Posts Show HN: MoodSense AI (ML and FastAPI and Gradio, Deployed on Hugging Face) Moodsense Ai - a Hugging Face Space by aman179102 AI models are terrible at betting on soccer—especially xAI Grok GitHub - xialeistudio/echoic GitHub - HimashaHerath/github-dev-wrapped: AI-powered weekly GitHub activity reports deployed to GitHub Pages GitHub - alejandrobalderas/claude-code-from-source: Architecture, patterns & internals of Anthropic's AI coding agent — reverse-engineered from source maps AI and Tech brief: Ireland ascendant GitHub - Titovilal/context0: Context0 - Never Surrender Training for a Marathon with an AI Coach: What Worked and What Didn't Cyber Pulse: Agentic Intel - Apps on Google Play I Built an AI PR Reviewer That Catches Bugs by Not Looking for Bugs Gen Z workers are so fearful AI will take their job they’re intentionally sabotaging their company’s AI rollout | Fortune How AI Is Reimagining the Game of Golf–For Both Players and Courses GitHub - nattergabriel/reseed: A CLI tool for managing and distributing agent skills across projects Is SVG the final frontier? My AI workflow evolved from prompts to a near-autonomous workflow MLSharp Help - 3DGS Viewer & Generator I put my cognitive field based AI's runtime on GitHub Is Numble the first AI-proof game? A3: Kubernetes for autonomous AI agent fleets | Emergent Principles Deepali Vyas ("The Elite Recruiter") GitHub - msmarkgu/RelayFreeLLM: A restful API designed to route user prompts to various AI model providers. Unionized ProPublica staff are on strike over AI, layoffs, and wages Unleashing the Advantage of Quantum AI We're heading for an AI-fueled 'dementia crisis,' brain scientist warns The AI-Assisted Breach of Mexico's Government Infrastructure [pdf] GitHub - stef41/lmscan: 🔍 Detect AI-generated text and fingerprint which LLM wrote it. Open-source GPTZero alternative. Zero dependencies, works offline. MSN GitHub - visionscaper/collabmem: Enabling long-term collaboration with Agentic AI - building up episodic and world model memory over time with in-context awareness We gave an AI a 3 year retail lease in SF and asked it to make a profit | Andon Labs AI Code is Hollowing Out Open Source, and Maintainers are Looking the Other Way What leaked "SteamGPT" files could mean for the PC gaming platform's use of AI AI is the boss at this retail store. What could go wrong? GitHub - Wuzu11517/agentic-proxy: Local proxy meant to help reduce With Drones, Geophysics and ArtificiaI Intelligence, Researchers Prepare to Do Battle Against Land Mines A Single Operator, Two AI Platforms, Nine Government Agencies: The Full Technical Report 在 Steam 上购买 FriedrichAI: Offline AI 立省 10% GitHub - inevolin/resume-cli: Hit Claude usage limits? Resume any AI coding session elsewhere. Switch tools at zero friction. GitHub - atripati/ark: AI Runtime Kernel — a context operating system for AI agents. Eliminates tool bloat, loads only what’s needed, and gives LLMs their reasoning space back. How to Build a Secure AI PR Reviewer with Claude, GitHub Actions, and JavaScript This Startup Wants You to Pay Up to Talk With AI Versions of Human Experts Intel Arc Pro B70 Brings 32GB VRAM to Local AI for $949 WordPress 7.0: The Good, the AI, and the Still Missing AI on the couch: Anthropic gives Claude 20 hours of psychiatry IatroBench: Pre-Registered Evidence of Iatrogenic Harm from AI Safety Measures AI Agents Know About Supabase. They Don't Always Use It Right. The history and future of AI at Google, with Sundar Pichai Inside an AI‑enabled device code phishing campaign How Meta Used AI to Map Tribal Knowledge in Large-Scale Data Pipelines AI for Systems: Using LLMs to Optimize Database Query Execution Forecasting the Economic Effects of AI Introducing Tinker: Play with AI, bring your ideas to life AI sheds light on an ancient gaming mystery People really hate AI but not as much as Iran—or Democrats | Fortune What is an AI Product Engineer? Phoebe Gates wants her $185 million AI startup to succeed with 'no ties to my privilege or my last name': 'I have a chip on my shoulder' | Fortune
State of AI instructions, 2026
TomeVault · 2026-06-16 · via Hacker News - Newest: "AI"

Findings

  1. 01

    78.7% of repositories that use AI coding tools configure only one of them.

    Their developers do not stop at one. Most run two to four AI tools, so every other assistant is left working that codebase with nothing to go on.

  2. 02

    AGENTS.md was built to bridge tools. Only 18.3% of the repositories that use it or CLAUDE.md use both.

    The one cross-vendor standard is being adopted as a replacement, not a bridge. It moves the split, it does not close it.

  3. 03

    Nine in ten repositories that ship both CLAUDE.md and AGENTS.md never connect them, so the second file is never read.

    The team maintains two contracts and gets the coverage of one, then blames the model for ignoring rules it was never handed.

  4. 04

    26.3% of CLAUDE.md files run past the 200-line guideline Anthropic publishes in its own docs.

    Past that length a file does not just waste context. A 2026 study found it lowers the rate at which the agent finishes the job.

  5. 05

    55.8% of instruction-file repositories grant no usable right to redistribute the file.

    The year gave these files install commands, directories, and marketplaces. The majority of what they distribute, nobody granted permission to distribute.

  6. 06

    Signing adoption in the open corpus is zero: of 986 probed repositories, none sign their instruction files.

    The trust layer the industry built this year exists where a distributor requires it, and so far nowhere else. Trust is becoming a property of the channel, not the file.

  7. 07

    5.0% of 219,024 scanned instruction files carry at least one deterministic safety finding.

    ClawHavoc was the loud version. This is the quiet base rate, in files agents load by default with no scan at all.

The bottom line. The world around the instruction file grew up this year: governed standards, an install command, a trust stack, a threat model. The files themselves have not caught up. They serve one tool in a multi-tool world, they are unlicensed for the distribution they are getting, and the trust layer built for them is, in the open corpus, used by nobody.

78.7%

configure only one AI coding tool

55.8%

grant no right to redistribute the file

0

repositories in a 986-repo probe sign their instruction files

Part I

The year in instructions

Twelve months ago an instruction file was a convention. This year it acquired a foundation, a distribution layer, a threat model, and its first poisoning campaign.

01

The year in twelve dates

The instruction file stopped being a private convention between a developer and one tool. Over nine months it picked up neutral governance, a package-manager-style distribution layer, vendor catalogues, security taxonomies, and an incident record. The dates below are the spine of that story; the rest of Part I walks the three that matter most.

  1. 9 Dec 2025

    The Linux Foundation forms the Agentic AI Foundation, with Anthropic’s Model Context Protocol, Block’s goose, and OpenAI’s AGENTS.md as founding projects. The instruction-file standard now has a neutral home.

  2. Dec 2025

    Anthropic releases Agent Skills as an open standard (agentskills.io): a folder with a SKILL.md that packages instructions for any agent that loads it.

  3. 15 Jan 2026

    The first large-scale audit of the new format posts to arXiv. Of 31,132 skills analysed, 26.1% contain at least one vulnerability pattern.

  4. 20 Jan 2026

    Vercel ships the skills CLI and skills.sh, a directory and leaderboard for skill packages. Instructions get an install command.

  5. 1 Feb 2026

    Koi Security discloses ClawHavoc: 341 malicious skills on ClawHub, the marketplace serving the OpenClaw agent. The format’s first documented poisoning campaign.

  6. 17 Feb 2026

    skills.sh adds automated security audits from three vendors (Gen Digital, Socket, Snyk); skills flagged malicious are hidden from search and leaderboards.

  7. Feb 2026

    ETH Zurich publishes the first controlled study of context files: over-specified files reduce agent success and add more than 20% cost. Lean beats long.

  8. 13–26 Mar 2026

    A community RFC asks the Agent Skills spec to absorb cryptographic signing. The spec maintainer declines, pointing to the distribution layer instead.

  9. 16 Apr 2026

    GitHub ships gh skill in public preview: install, search, publish, with version pinning and content-addressed change detection, deliberately not centralised verification.

  10. 22 Apr 2026

    Google launches its official skills repository on the open Agent Skills format, announced on Day 1 of Cloud Next.

  11. 19 May 2026

    NVIDIA announces Verified Agent Skills: scan, skill card, detached signature, verify at install, on the open spec. The same day, Google’s enterprise Skill Registry enters public preview.

  12. 3 Jun 2026

    Andrew Nesbitt, who built Libraries.io and runs Ecosyste.ms, publishes the gap plainly: the trust machinery package registries spent a decade building mostly does not exist for skills.

02

The standards found a home

The two formats that matter most ended the year under neutral governance or open specification, with the largest vendors publishing into them.

AGENTS.md spent its first year as an OpenAI repository convention. On 9 December 2025 it became a founding project of the Agentic AI Foundation, a directed fund under the Linux Foundation, alongside the Model Context Protocol and goose. By late February the foundation counted 146 member organisations. One caution for anyone citing this as settled: as of that date the foundation itself described the formal governance models for its three projects as still being defined, so AGENTS.md has a neutral home and a membership, not yet a finished constitution.

The Agent Skills format ran the same arc faster. Released by Anthropic as an open standard in December, it ended the spring as the format Google ships its official skills in, the format GitHub’s gh skillvalidates against, and the format NVIDIA chose for its verified catalogue. Google’s Gemini CLI documentation states it directly: a skill is “based on the Agent Skills open standard.” When the largest vendors publish into a competitor-originated format rather than forking it, the format has stopped being anyone’s product.

The one asymmetry worth recording sits inside Google. Its public repository is openly on the standard; its enterprise Skill Registry, in public preview since 19 May, requires the SKILL.md package structure but nowhere names the open specification, and describes itself as a secure, private repository. The format travels; the catalogue is the product. That split, open format underneath and proprietary distribution on top, is the shape most of the year’s vendor moves share.

Why it matters. Teams standardising their instruction files in 2026 are no longer betting on a vendor’s whim. The formats are governed or open, and the year’s entrants built on them rather than around them. The open question has moved up a layer: not what the file looks like, but who vouches for it. That is the next section.

03

Trust arrived at the distribution layer, not in the spec

The year’s defining argument was about where trust should live. The spec said: not here.

In March, a community RFC proposed building cryptographic signing into the Agent Skills specification itself: an ed25519 signature block in SKILL.md frontmatter, with publisher keys discoverable at a well-known URL. The spec maintainer declined to absorb it. His position, stated on 16 March, was that signing is “better implemented at the distribution layer”; on 25 March he added that it is “unlikely that we’d make it an official part of the spec.” The discussion remains open, so this is a stated maintainer position rather than a closed ruling, but the spec has held: as of 11 June its frontmatter defines no signing, verification, or trust fields at all. The companion implementation tells the same story from the tooling side. A pull request addingskills verify to the distribution CLI was opened on 15 March and remains unmerged; no released version of the CLI carries a verify command.

Then in May, NVIDIA shipped exactly what the maintainer had pointed at. Its Verified Agent Skills programme is a trust stack built entirely at the distribution layer, on the open spec: an open-source scanner the company says checks for both conventional risks and agent-specific ones, a machine-readable skill card per skill, a detached signature in the OpenSSF Model Signing format, and verification at install or in CI. Every one of the 207 skills in its catalogue ships the full set: SKILL.md, skill card, signature. And the catalogue distributes through skills.sh, a competitor’s registry, with a plain npx skills add nvidia/skills.

The community asked the spec for trust. The spec pointed at the distributors. NVIDIA built it there two months later.

The rest of the trust layer is assembling around the same point. skills.sh added three-vendor automated audits in February, grading every listed skill and hiding the ones flagged malicious. OWASP opened an Agentic Skills Top 10 project in the spring, an incubator-stage proposal with ten draft risk categories and a 1.0 release targeted for the fourth quarter of 2026 on its own roadmap. And the academic record arrived in January: the first large-scale audit of skills in the wild found 26.1% of the 31,132 it analysed carrying at least one vulnerability pattern, with skills that bundle executable scripts twice as likely to be affected.

One more entry belongs in this chronicle, and it is ours, so the interest gets declared rather than implied. Each trust stack above vouches only for its own shelf: NVIDIA verifies what NVIDIA publishes, Google’s registry holds what an enterprise stores inside it, skills.sh audits what it lists. Nothing in the buildout vouches across registries, and little of it reaches the developer outside an enterprise gate. That neutral corner is the one TomeVault works from: the same scans and grades applied across every major format and every source, free for individuals and teams alike, and the corpus they produce is the one Part II measures. Judge our numbers with that interest in view.

Andrew Nesbitt, whose Libraries.io and Ecosyste.ms spent a decade mapping package ecosystems, closed the season with the sentence the whole year had been spelling out: “trusted-publishing and provenance attestations are the answers package registries arrived at; the equivalents for skills are mostly absent.”

Exhibit 1Where the trust layer stood at the snapshot
InitiativeStatus at 2026-06-11
Agent Skills spec (agentskills.io)Live, open. No signing or trust fields in the spec; the signing RFC remains an open discussion after the maintainer declined to absorb it.
AGENTS.md governanceFounding project of the Agentic AI Foundation (directed fund under the Linux Foundation) since 9 Dec 2025; 146 members at 24 Feb; formal per-project governance still being defined at that date.
Vercel skills CLI / skills.shDirectory live with three-vendor security audits since 17 Feb. No verify command shipped; the signature-verification PR is unmerged.
NVIDIA Verified Agent SkillsLive since 19 May: scan, skill card, OMS detached signature, install-time verify. 207 of 207 catalogue skills carry card and signature. Distributes via skills.sh.
GitHub gh skillPublic preview since 16 Apr. Validates against the open spec; version pinning and content-addressed change detection, framed by GitHub as an alternative to centralised verification.
OWASP Agentic Skills Top 10Incubator-stage proposal in active development; ten draft categories (AST01 to AST10); v1.0 targeted Q4 2026 on the project's own roadmap.
Google Skill Registry (Gemini Enterprise)Public preview (Pre-GA) since 19 May. Mandates the SKILL.md structure; private, platform-bound; does not name the open spec.
TomeVault (publisher of this report)Neutral cross-registry layer: the same scans and grades across every major format and source, free, not gated to an enterprise platform. Interest declared; its corpus is the one Part II measures.

Sources: each row traces to a primary source with access date in the References block. Statuses are snapshots as of 2026-06-11 and several are explicitly in motion.

Why it matters. The market has decided where trust attaches: to catalogues, registries, and install tools, not to the file format. Whoever distributes the file is being asked to vouch for it. Part II measures how far that ambition has reached into the open corpus. The short answer is: it has not.

04

The year’s incident

The threat the trust layer exists for stopped being hypothetical on 1 February.

ClawHub is the skill marketplace serving OpenClaw, one of the fastest-growing open agents of the winter. On 1 February, Koi Security disclosed that of the 2,857 skills then on the marketplace, 341 were malicious, 335 of them from a single campaign it named ClawHavoc. The mechanism was social engineering embedded in the instruction file itself: a SKILL.md telling the user that installation required a companion utility, fetched from a link, sometimes inside a password-protected archive. The payloads were a macOS credential stealer, reverse shells, and environment exfiltration. By Koi’s 16 February update its count had more than doubled, to 824.

Antiy CERT’s follow-on analysis five days later credited Koi’s discovery and added its own telemetry: at least 1,184 malicious skills had appeared on the marketplace historically, twelve uploader identities were involved, and one account alone had published 677 packages. The marketplace responded inside the week, removing the reported skills, shipping a user-reporting mechanism that auto-hides any skill flagged by three distinct users, and appointing a security lead with a public roadmap pledge.

Three numbers circulate for this incident, and they measure different things: 341 is the initial disclosure, 824 is the discoverer’s revised count two weeks on, and 1,184 is one CERT’s cumulative historical estimate. Any of them supports the same conclusion. A marketplace of plain-text instruction files was poisoned at scale, within months of the format appearing, by attackers who needed no exploit beyond the file format’s own credibility.

Why it matters. Every layer of the year’s trust buildout, the scanners, the audits, the signatures, the taxonomies, is a response to exactly this class of attack. ClawHavoc is why the question Part II asks about the open corpus, who scans it, who licenses it, who signs it, stopped being academic.

Part II

What the data shows

Part I is what the year said. This is what the corpus shows: 267,228 repositories, every major format, two frozen snapshots, every denominator disclosed.

05

What this measures

Every AI coding tool reads its instructions from a file in the repository. Claude Code reads CLAUDE.md. Cursor reads .cursorrules and .cursor/rules. Copilot reads .github/copilot-instructions.md. Gemini, Windsurf, and the cross-vendor AGENTS.md convention each read their own, and the Agent Skills format packages instructions for any agent that loads them. That file is the closest thing a team has to a contract with its AI tools: this is the stack, these are the rules, this is how we work.

Developers no longer settle on one of these tools. Industry surveys throughout 2026 put the typical engineer at two to four AI coding tools at once, commonly one assistant for editing and another for larger agentic work, and the market has no single winner. So the question that matters is not which tool a team picks. It is whether the contracts in their repository serve the several tools their developers actually use.

Sections 06 to 09 measure that gap across 35,830 symmetrically probed repositories: which tools each repository addresses, whether the files connect, and whether their length follows the vendor’s own guidance. Sections 10 to 13 are new to the annual edition and widen the lens to the full 267,228-repository corpus: growth, licensing, safety, and signing, the ground truth under the trust layer Part I chronicled.

One scope note, since it is the first thing a careful reader will want pinned down. This report measures how instruction files are written, connected, licensed, and signed, not whether models obey them. We measure loadability: whether a rule is well formed and positioned to take effect. We do not measure obedience, which happens at runtime inside a model we cannot observe, and we claim nothing about it.

06

Developers are multi-tool. Their repositories are not.

Most repositories configure a single assistant, while the developers behind them run several.

A developer cannot see this from inside one project. Each repository shows its own setup and nothing about anyone else’s. The pattern only appears once you check every format in every repository and count how many tools each one actually addresses. No single developer can run that query across the field. We did.

Exhibit 2AI tools configured per repository

One tool78.7%

Two tools17.6%

Three or more3.7%

Source: TomeVault, State of AI Instructions 2026. n = 35,830 repositories, snapshot frozen 2026-06-04.

Single-tool is the norm, by a factor of four. The reading that matters is the distance between this chart and how developers actually work. The same people whose repositories address one tool are, on the evidence of every 2026 survey, using two, three, sometimes four. A setup tuned for Claude Code leaves the Cursor, the Copilot, and the Gemini that the same developer reaches for that afternoon with nothing to go on. The repository has not caught up to the toolkit.

Why it matters. A single-tool setup is not a sign that one tool is enough. It is the point where the effort stopped. Add a teammate who prefers a different assistant, switch tools as nearly half of agencies did this year, or open a second tool for a second job, and the work starts again from a blank file. The investment a team makes in one tool stays stranded where it was written, and earns nothing for the rest of the toolkit around it.

This gap is the one we built TomeVault around, so the interest is declared here as it is in Part I: a vault keeps your instructions as one canonical source, converts them into every format on this chart, and keeps the copies in sync, at no cost whether you are one developer or a team. The rest of this report stays clear of the pitch; section 14 is where the practical advice lives, whichever tools you use to follow it.

07

The standard built to end fragmentation is being absorbed by it

AGENTS.md is spreading fast, and mostly as a replacement rather than a bridge.

AGENTS.md is the one format designed to be read by more than one tool, and the industry has rallied behind it. Released by OpenAI in 2025 and now a founding project of the Linux Foundation’s Agentic AI Foundation, the same body that stewards Anthropic’s MCP, it had reached more than 60,000 public repositories by the middle of 2026. In our snapshot it appears in 15,856 of these repositories, 75.7% of CLAUDE.md’s footprint. On an adoption chart, the cross-vendor standard looks like it is winning.

Co-occurrence tells a different story.

AGENTS.md was built to bridge tools. Only 18.3% of the repositories that use it or CLAUDE.md use both.

Exhibit 3Repositories using CLAUDE.md or AGENTS.md, split by overlap
  • 49%CLAUDE.md only
  • 18.3%both
  • 32.7%AGENTS.md only

Source: TomeVault, State of AI Instructions 2026. n = 31,095 repositories using at least one of the two formats.

Of the repositories that ship CLAUDE.md, 67.9% ship nothing else at all. Teams adopt the shared standard the way they adopt a competitor, by migrating onto it and dropping what they had, rather than using it to connect two tools they both run.

Why it matters. An industry that agreed fragmentation was worth a standard is now adopting that standard one tool at a time. Read on its own, the AGENTS.md curve suggests the field is converging. Co-occurrence shows it is not. A standard that replaces one file instead of uniting several does not reduce fragmentation. It relocates it.

08

The file the first tool never reads

Thousands of teams ship two instruction files and believe both tools are covered. One of the two is never read.

Anthropic is explicit in its own documentation: Claude Code reads CLAUDE.md, not AGENTS.md. The two only act as one if the repository deliberately connects them. Where they are not connected, Claude Code never sees the AGENTS.md the team wrote, however carefully it was written.

We looked at the 5,565 repositories that ship both files and that we could fully resolve, symlinks included. In 88.9% of them, the two files are not connected at all.

Exhibit 4How repositories shipping both files connect them
  • 11.1%connected
  • 42.3%names it, not connected
  • 46.6%separate, no reference

Source: TomeVault, State of AI Instructions 2026. n = 5,565 repositories shipping both files and fully resolvable (symlink-aware).

Just 11.1% connect the two by a route the tool actually follows. Another 42.3% name AGENTS.md inside the CLAUDE.md without pulling it in, which looks like a connection and carries nothing. The remaining 46.6% are two separate files with no reference between them, free to contradict each other with nobody watching.

In nearly nine of ten repositories that ship both files, the second one is never read.

Why it matters. Developers complain constantly that their AI tools ignore the rules they wrote. Some of that is the model. A large share of it, on this evidence, is simpler: the rule sat in a file the tool never loaded. The team carries the cost of maintaining two contracts and gets the coverage of one, and never finds out which half is live.

09

The files that exist are outgrowing their own guidance

Even the instructions teams do write are drifting past the length their own tools recommend, and the length where they start to backfire.

Which files a repository ships is one question. What is inside them is another. We re-fetched the live contents of 20,606 root CLAUDE.md files, measured their length, and discarded the text.

Anthropic sets the target in plain words: “target under 200 lines per CLAUDE.md file. Longer files consume more context and reduce adherence.” The median CLAUDE.md runs 111 lines, well inside the target. The tail is where it breaks down.

One in four CLAUDE.md files runs past the 200-line guideline Anthropic publishes in its own docs.

Exhibit 5CLAUDE.md length against Anthropic's 200-line target
  • 73.7%under 200 lines
  • 20.7%200 to 500
  • 5.6%over 500

Source: TomeVault, State of AI Instructions 2026. n = 20,606 root CLAUDE.md files re-fetched live; line counts measured, contents discarded.

26.3% pass 200 lines, 5.6% pass 500, and the longest stretch beyond 900. These are mainstream files that grew, the way documents grow, past the point their own tool says they start to work less well.

The cost of that growth is no longer a matter of guidance alone. In February 2026, researchers at ETH Zurich ran the first controlled test of these files across a standard set of software-engineering tasks, and found that over-specified context files reduce an agent’s success rate and raise its cost by more than 20% against giving it no file at all. Their conclusion was blunt: an instruction file should describe only the minimal requirements. A longer file is not a more helpful one. Past a point it is a file that quietly makes the tool worse, and the team that wrote it has no way to see the damage.

Why it matters. The instinct is to write more: more rules, more context, more coverage. The evidence runs the other way. A short, well-formed instruction file is not a lesser version of a long one. On the only measure that counts, the work the agent actually finishes, it is the better one.

10

The discovery window

Across ten weeks of continuous discovery, the corpus added thousands of instruction-file repositories every week, and the flow has not slowed.

This section reads differently from the others, and the difference is the point. The dates here are when our pipeline first observed each repository, not when its instruction file was created, so the curve describes the assembly of the corpus inside an explicit measurement window, 2026-04-02 to 2026-06-11. The first week is the bootstrap, 178,919 repositories found by the initial sweep, and weeks after it are steady-state discovery: what a fixed set of queries keeps surfacing once the backlog is drained.

Exhibit 6New instruction-file repositories observed per week, steady state

W1520,934

W161,483

W1710,072

W1810,207

W1913,946

W205,767

W2118,095

W222,921

W234,065

  • CLAUDE.md / AGENTS.md
  • per-tool configs
  • skills and other

Source: TomeVault, State of AI Instructions 2026. Full corpus, n = 267,228 repositories observed 2026-04-02 to 2026-06-11; bootstrap week and the partial current week excluded from the chart and disclosed here. Snapshot 2026-06-11.

Steady state averages 9,721 newly observed repositories a week, and the mix is consistent: the CLAUDE.md and AGENTS.md pair dominates new arrivals, per-tool configuration formats keep flowing, and skills arrive in bursts that track the discovery sources rather than a calendar trend. We publish this series for a narrower reason than the other sections: it is the baseline the 2027 edition will diff against, with the same frozen definitions, where a year-over-year shape will mean something a ten-week one cannot.

Why it matters. Every number in Part II is a ratio over this corpus, so the corpus itself has to be auditable: how big, gathered when, growing how. This is that disclosure, published as data rather than as a methods footnote.

11

The permission nobody checked

The year gave instruction files an install command. More than half of them grant no right to redistribute.

Part I described an ecosystem racing to treat instruction files as packages: directories, install CLIs, vendor catalogues. Packages get copied, mirrored, and redistributed, and that is a licensing question nobody in the distribution race is asking out loud. We checked the licence of every instruction-file repository in the corpus, all 267,228 of them, against the licence field GitHub itself reports.

55.8% of instruction-file repositories offer no usable right to redistribute the file the ecosystem is busy distributing.

Exhibit 7Redistribution rights across the corpus
  • 36.3%permissive licence
  • 2.4%restrictive licence
  • 61.3%none, unclassifiable, or unrecognised

Source: TomeVault, State of AI Instructions 2026. n = 267,228 repositories, full corpus, snapshot 2026-06-11. Classification reuses the same fail-closed allowlist that gates our own pipeline; "no licence" follows default copyright, all rights reserved.

Just 36.3% of repositories carry a recognised permissive licence. 56.1% carry no licence at all, which under default copyright means all rights reserved, however public the repository looks. The rest split between explicitly restrictive licences and LICENSE files too custom to classify. The figure is structural, not a corner case: it is the majority of the corpus.

Why it matters. Every directory, mirror, and marketplace in Part I inherits this number. An ecosystem built on installing other people’s instruction files is, in the majority case, installing files whose authors never granted that permission. Until licensing becomes part of the trust conversation alongside scanning and signing, the distribution layer is scaling on rights it does not have.

12

Safety, through the field’s own forming lens

One in twenty instruction files trips a deterministic safety pattern, and the field now has a draft vocabulary for saying which kind.

Safety is the dimension where the easy figure misleads. Measured over only the files an index accepts, the safe rate climbs towards 100%, because files that fail a scan are blocked before they reach the index; that is the filter’s pass rate wearing a safety label. Our denominator is the discovered corpus, blocked files included: 219,024 instruction files put through the same deterministic pattern scanner, of which 5.0% carry at least one finding and 3,678 were blocked from distribution outright.

The 47,393 individual findings inside those files skew heavily towards low-severity signals, obfuscation markers like long encoded blobs and mixed-script text that warrant a look rather than an alarm. The tail is the part that matters: 13,605 findings, about 28.7% of the total, are high or critical severity, the embedded credentials, exfiltration routes, and destructive commands.

New this year is a shared way to say which kind of risk. OWASP’s Agentic Skills Top 10, the incubator project from Part I, proposes ten draft categories for exactly this surface. Mapping our scanner findings onto that draft gives the first corpus-scale view through the field’s own forming lens, and a caveat comes with it: the taxonomy is unreleased and our mapping is editorial, so the table below is a projection, versioned and revisable, not a standard applied.

Exhibit 8Scanner findings projected onto the draft OWASP AST categories

AST01 Malicious Skills38,437

AST04 Insecure Metadata6,339

AST03 Over-Privileged Skills1,625

AST02 Supply Chain Compromise992

Source: TomeVault, State of AI Instructions 2026. 47,393 findings across 11,037 flagged repositories, snapshot 2026-06-11. Projection via TomeVault map v0.1-draft, pegged to OWASP's draft categories as of 2026-06-11; ground-truth category counts ship in the data download.

The shape says most flagged content looks like malicious or obfuscated instruction material rather than sloppy hygiene, with embedded credentials a clear second. Read it as a first sighting, not a ranking: when OWASP ships its 1.0, this section reruns against the released categories, and the projection map is versioned so the 2027 numbers stay comparable.

Why it matters. ClawHavoc made the threat concrete; this is its base rate in the open corpus. A five-percent flag rate over two hundred thousand files is tens of thousands of files worth a closer look, sitting in repositories that agents load with no scan at all in the default case.

13

Signing: zero, measured

The year built signing pipelines, formats, and catalogues. In the open corpus, signing adoption rounds to zero.

Part I ended with the trust layer’s ambition; this is its reach. We probed a deterministic sample of distributed repositories from the corpus, 986of them reachable, listing each repository’s full file tree and looking for any signature or attestation artefact under a definition frozen before the probe ran: detached OMS signatures, GPG and minisign signatures, Sigstore bundles, in-toto attestations, provenance files.

0

repositories signing their instruction files, effective rate

3

nominal filename matches in 986 probed repositories, none of them instruction-file signing on inspection

0

NVIDIA-style skill cards found outside vendor catalogues

Three repositories matched the filename patterns, and manual inspection dissolves all three: a build cache manifest, an application’s template fixtures, and a stray signature file in an unrelated project. Not one repository in the sample signs its instruction files, and not one ships a skill card. Against Part I’s chronicle the contrast is exact: NVIDIA signs 207 of 207 skills in its own catalogue, and the open corpus signs nothing.

Why it matters. Signing exists where a distributor requires it and nowhere else, which is precisely the maintainer’s March position playing out in the data: trust is becoming a property of the channel, not of the file. Whatever closes the gap between a signed vendor catalogue and an unsigned open corpus, it will not be authors signing files spontaneously. The zero is the baseline the 2027 edition measures against.

Part III

What this means

The one place in this report where we say what to do about it, and who should do it.

14

What this means for you

Three readings, depending on where you sit.

If you write code with an AI tool

Your setup probably lives in one tool’s file and goes blank the moment you open another you also use. Keep your instructions in one source and connect each tool’s file to it, by import or by symlink, so a single edit reaches every assistant. It is a five-minute change, and the difference between tuning your tools once and tuning each from scratch.

If you lead an engineering team

Your team’s AI investment is concentrated in a single vendor’s format, and it does not transfer when people switch tools or when you adopt a second one. Standardise on one source of instructions, kept lean, connected into every format your team runs, and license it so the sharing you intend is sharing you have actually permitted. It is the cheapest portability you will ever buy.

If you build a tool or registry

Adoption numbers flatter every format; co-occurrence is the scoreboard that shows whether a standard unites the field or relocates the split. And if you distribute other people’s instruction files, the licensing and signing numbers in this report are your exposure: the trust layer is real, the corpus has not adopted it, and somebody fills that gap.

Every check behind this report runs on a single repository. Compare your own CLAUDE.md length and your CLAUDE.md to AGENTS.md connection against these distributions, and decide what to change.

Methodology & limits

Two kinds of claim, one seam

This report makes two kinds of claim and keeps the seam between them visible. Part I is editorial: a chronicle assembled from primary sources, each load-bearing claim verified against the original document with its access date recorded in the References block, and adversarially checked before printing. Part II is empirical: measurements of our own corpus, generated by versioned scripts with frozen metric definitions. Where Part I reports what someone said, we date the statement; where Part II reports a number, we name its denominator. Neither half borrows the other’s authority. And where the publisher itself appears, in sections 03 and 06, the interest is declared in place rather than left to the colophon.

How Part II was measured

Two populations, each named where used. The fragmentation sections (06 to 09) use 35,830 repositories probed symmetrically: one directory listing per repository, checked for all six tool families in a single pass, so a format that is absent is genuinely absent. Those facts are frozen and hash-stamped at 2026-06-04. The annual-edition sections (10 to 13) use the full discovered corpus, 267,228 repositories across every discovery source, snapshotted 2026-06-11; it is broader and includes the skills ecosystem, and it is the corpus the 2027 edition will diff against.

Generated, not queried. Every figure in sections 10 to 13 is produced by a checked-in generator with frozen metric definitions, run against a read-only database snapshot, with output hashes recorded in a manifest. Population definitions travel inside the output files themselves, and the headline aggregates are downloadable above. Nothing in this report comes from an ad-hoc query that cannot be rerun.

The probe behind the zero. The signing figure comes from a deterministic 1,000-repository sample of the distributed corpus, 986 reachable, each repository’s full file tree listed and matched against a signature-artefact definition frozen before the probe ran. Filename matching overcounts if anything: the three nominal matches it produced dissolve on inspection, which is why the effective rate is zero and the nominal rate is published alongside it.

What we structurally cannot see. Public GitHub only, through a discovery method subject to the platform’s 1,000-results-per-query cap. Private repositories, enterprise installations, and the vendor registries’ server sides are invisible to us, and every claim here should be read with that boundary in mind. Discovery dates are our ingestion dates, not file creation dates, which is why section 10 is framed as a window and not a trend.

Tool versus format. Cursor ships two formats; we count them as one tool, which is why the fragmentation count is six tools across seven formats. We do not probe nested CLAUDE.md files or path-scoped Copilot files there. The content findings re-fetch each file live, measure line count and connection, discard the text, and report raw distributions against Anthropic’s stated guidance. No quality grade is applied.

What we did not measure, and why

We held back every figure our own instruments could not support honestly.

We do not publish a conversion-fidelity rate. The internal flag we would have used was true by construction, so it measured nothing, and we cut it rather than dress it up.

We do not publish a single quality score. Several of the checks that would feed one are unimplemented or skewed towards mainstream web stacks, which would mark a precise data or systems file as vague for naming tools the check does not recognise. A composite built on that would be confident and wrong.

We do not publish the OWASP projection as if the taxonomy were released. It is a draft mapped by us onto a draft, both versioned, and labelled that way everywhere it appears.

We do not publish a safety rate over only the indexed files, for the survivor reason given in section 12. The honest denominator is the discovered set, and that is the one we used.

Stating these limits is what earns the rest of the numbers.

Prior work

Several tools already check one repository at a time: agnix, ctxlint, cursor-doctor, and agentlinter each lint or grade a single project. Several studies measure populations of these files, among them Agent READMEs (arXiv 2511.12884), Beyond the Prompt (arXiv 2512.18925), and Agent Skills in the Wild (arXiv 2601.10338), which track adoption, score quality, or audit security one format at a time. This report adds the parts none of them cover: the per-repository intersection of every major format, and the licensing and signing ground truth under the year’s trust buildout, across hundreds of thousands of repositories at once. That is the only novelty we claim.

References

Part I sources are primary and were accessed 2026-06-10 or 2026-06-11; statuses they support are snapshots as of those dates.

Corrections & revisions

This page is versioned. If a published figure or claim turns out to be wrong, the correction appears here, dated, with the original wording preserved; silent edits are not made. Claims about in-motion projects (an unmerged pull request, an unreleased taxonomy, a product in preview) are snapshots as of their stated access dates and are re-verified before each revision.

  • r2 · 2026-06-11 Annual edition. Added Part I (the year in instructions) and four corpus analyses (discovery window, licensing, safety through the draft OWASP lens, signing). One prior figure moved: the safety section’s population widened from the 52,985-file instruction-file scan to the full 219,024-file corpus, taking its flag rate from 3.9% to 5.0%, with both denominators stated in place. No other figure changed.
  • r1 · 2026-06-08 Initial publication: the fragmentation measurement, sections 05 to 09.
·

Where this goes next

The gap this report measures is now a two-layer gap. At the file layer, developers are adding tools faster than their repositories are learning to serve them, and the standard that could close that gap is being absorbed into it. At the trust layer, the industry built scanners, signatures, and taxonomies this year, and the open corpus has adopted none of it: unlicensed in the majority, unsigned in its entirety, flagged at a steady five percent.

Nothing here is hard to fix, and that is the strange part. Connecting two instruction files is a symlink. Licensing a repository is a file. Signing is a command the vendor catalogues already run on every skill they ship. It is just, for now, almost universally undone.

Every file behind these numbers is public, the checks run on a single repository, the aggregates are downloadable above, and the definitions are frozen. The data is the contribution. The 2027 edition reruns the same instruments and reports the deltas: whether the multi-tool gap closed, whether the licences appeared, and whether the signing zero budged.

Citation and reuse

The Part II figures are published as machine-readable data under CC BY 4.0, and described in the structured dataset metadata embedded on this page. Reuse the numbers with attribution.

Suggested citationTomeVault. (2026). State of AI instructions, 2026. TomeVault Standards. https://tomevault.io/standards/state-reports/2026