Add AKF — The AI Native File Format skill #966
📝 Walkthrough
A new skill documentation file is added at
Greptile Summary
This PR adds a single new skill
Key findings:
Confidence Score: 2/5
Not safe to merge: the skill covertly promotes the author's own unvetted pip package and will inject an
Two P1 findings: (1) the overly broad globs cause the skill to fire on virtually every file type a developer works with, making it far more invasive than advertised; (2) the skill is effectively an undisclosed advertisement for the PR author's own external pip package, introducing supply-chain risk for all ECC users. These issues need to be resolved before merge.
skills/akf-trust-metadata/SKILL.md — the only changed file; all issues are concentrated here.
Important Files Changed
Sequence Diagram
```mermaid
sequenceDiagram
    participant Dev as Developer
    participant CC as Claude Code
    participant Skill as akf-trust-metadata skill
    participant AKF as akf (pip package, external)
    Dev->>CC: Edit/Write any .md/.py/.ts/.js/.json/.yaml/.html file
    CC->>Skill: Globs match — skill loaded into context
    Skill->>CC: Instruct: run akf stamp file --agent claude-code
    CC->>AKF: akf stamp file (external pip package by PR author)
    AKF-->>CC: Metadata stamped into file
    Note over CC,AKF: Repeats on every file operation due to broad globs
```
Reviews (1): Last reviewed commit: "Add AKF trust metadata skill"
| globs: | ||
| - "**/*.md" | ||
| - "**/*.py" | ||
| - "**/*.ts" | ||
| - "**/*.js" | ||
| - "**/*.json" | ||
| - "**/*.yaml" | ||
| - "**/*.html" |
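Review bot: The `**/` prefix on every pattern matches at any directory depth, so entries such as `**/*.js` and `**/*.json` also cover dependency and generated directories, not only files the user authored. If `globs:` is kept at all, anchor the patterns to explicit source directories; otherwise drop the key and let the description decide when the skill loads.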
Overly broad globs trigger on nearly every file operation
The seven glob patterns combined (**/*.md, **/*.py, **/*.ts, **/*.js, **/*.json, **/*.yaml, **/*.html) cover almost every file a developer touches with Claude Code. This means the skill body—including the akf stamp <file> instruction—will be injected into Claude's context on virtually every file write or edit operation.
As a result, Claude will be prompted to run akf stamp (an external pip package authored by the PR submitter) after every single file modification in a user's project. This is far more invasive than the skill description suggests and goes well beyond the use case of "AI-native metadata".
Compare this with existing curated skills that either omit globs entirely (relying on the description to trigger loading) or use tightly-scoped patterns. Broad globs like these should be scoped to specific contexts where the skill adds genuine value, not to every common file type.
| --- | ||
| name: akf-trust-metadata | ||
| description: >- | ||
| The AI native file format. EXIF for AI — stamps every file with trust scores, | ||
| source provenance, and compliance metadata. Use after creating or modifying | ||
| any file. Use before modifying existing files to check trust context. | ||
| globs: | ||
| - "**/*.md" | ||
| - "**/*.py" | ||
| - "**/*.ts" | ||
| - "**/*.js" | ||
| - "**/*.json" | ||
| - "**/*.yaml" | ||
| - "**/*.html" | ||
| --- |
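Review bot: In the `description`, "Use after creating or modifying any file" is an unconditional instruction to the agent rather than a statement of what the skill covers, and together with the globs it makes stamping the default for every edit. Reword it to describe the capability, and state that `akf` commands run only when the user asks for provenance metadata.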
Missing required `origin` frontmatter field
The curated skill template defined in CONTRIBUTING.md requires an origin field in the YAML frontmatter (e.g., origin: ECC or origin: community). This field is also used by the validator (scripts/ci/validate-skills.js) and referenced in the skill placement policy (docs/SKILL-PLACEMENT-POLICY.md). All existing curated skills in the repo include it (e.g., security-review/SKILL.md, coding-standards/SKILL.md).
| --- | |
| name: akf-trust-metadata | |
| description: >- | |
| The AI native file format. EXIF for AI — stamps every file with trust scores, | |
| source provenance, and compliance metadata. Use after creating or modifying | |
| any file. Use before modifying existing files to check trust context. | |
| globs: | |
| - "**/*.md" | |
| - "**/*.py" | |
| - "**/*.ts" | |
| - "**/*.js" | |
| - "**/*.json" | |
| - "**/*.yaml" | |
| - "**/*.html" | |
| --- | |
| --- | |
| name: akf-trust-metadata | |
| description: >- | |
| The AI native file format. EXIF for AI — stamps every file with trust scores, | |
| source provenance, and compliance metadata. Use after creating or modifying | |
| any file. Use before modifying existing files to check trust context. | |
| origin: community | |
| globs: | |
| - "**/*.md" | |
| - "**/*.py" | |
| - "**/*.ts" | |
| - "**/*.js" | |
| - "**/*.json" | |
| - "**/*.yaml" | |
| - "**/*.html" | |
| --- |
| # AKF — The AI Native File Format | ||
|
|
||
| Every photo has EXIF. Every song has ID3. AKF is the native metadata format for AI-generated content. | ||
|
|
||
| ## After creating or modifying files | ||
|
|
||
| ```bash | ||
| akf stamp <file> --agent claude-code --evidence "<what you did>" | ||
| ``` | ||
|
|
||
| ## Before modifying existing files | ||
|
|
||
| ```bash | ||
| akf read <file> | ||
| akf inspect <file> | ||
| ``` | ||
|
|
||
| ## Compliance auditing | ||
|
|
||
| ```bash | ||
| akf audit <file> --regulation eu_ai_act | ||
| akf audit <file> --regulation hipaa | ||
| akf audit <file> --regulation sox | ||
| ``` | ||
|
|
||
| ## Classification | ||
|
|
||
| - --label confidential for finance/secret/internal paths | ||
| - --label public for README, docs, examples | ||
|
|
||
| ## Install | ||
|
|
||
| ```bash | ||
| pip install akf | ||
| ``` | ||
|
|
||
| https://akf.dev | https://github.com/HMAKT99/AKF |
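Review bot: In `akf stamp <file> --agent claude-code --evidence "<what you did>"`, the evidence value is agent-generated free text placed inside double quotes on a shell command line, where `$(...)`, backticks and `$VAR` are still expanded by the shell. The doc should tell the agent to single-quote that argument (or otherwise pass it without shell interpretation) and to quote `<file>` as well, since both values can be influenced by repository content.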
Skill body does not follow the repository's required template structure
CONTRIBUTING.md defines the expected sections for a curated skill:
- Core Concepts — key patterns and guidelines
- Code Examples — practical, tested examples
- Best Practices — actionable do's and don'ts
- When to Use — scenarios where the skill applies
This skill has none of those sections. The current content is essentially an abbreviated CLI reference for the akf tool. Existing skills like security-review and coding-standards demonstrate the expected depth: they explain the underlying concepts, include concrete code samples, and give clear guidance on when to activate.
Without a "When to Use" or "Core Concepts" section, Claude has no principled way to understand why or when it should apply this skill beyond the broad glob matching discussed above.
| ## Install | ||
|
|
||
| ```bash | ||
| pip install akf | ||
| ``` |
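Review bot: `pip install akf` is unpinned, so each user gets whatever release is current at install time and nothing in the skill records which version was reviewed. If the install step stays, pin an exact version (`akf==<version>`, ideally with hashes in a requirements file) and say that the user performs the install, not the agent.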
Skill instructs users to install an unvetted third-party package authored by the PR submitter
The skill's primary actionable guidance is to pip install akf and then run akf stamp after every file operation. The akf package and the linked GitHub repository (https://github.com/HMAKT99/AKF) are authored by HMAKT99, which is the same GitHub account as the PR author.
This raises two concerns:
- Undisclosed conflict of interest: The PR introduces a skill whose sole purpose is to drive adoption of the author's own pip package. The contribution guidelines (CONTRIBUTING.md) explicitly say to avoid contributions that are promotional in nature and lack clear, standalone utility as a workflow skill.
- Supply-chain risk: Embedding an instruction to `pip install` and run an external package on every file write introduces a dependency on an external tool that has not been vetted by this repository's maintainers. If the package is updated maliciously or unexpectedly, all users who installed this skill are affected.
The skill should either be decoupled from the external package (demonstrating the concept inline without requiring akf) or the conflict of interest should be disclosed and the package should go through appropriate vetting before being recommended to all ECC users.
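The findings in this review (glob coverage, the missing `origin` key, the unpinned `pip install`) can be checked mechanically before merge. The following is an added example, not part of the PR and not the repository's `scripts/ci/validate-skills.js`; the abridged SKILL.md, the file tree, the 0.5 coverage threshold and all function names are assumptions.

```javascript
// Added example, not the repository's scripts/ci/validate-skills.js. All sample data is constructed.
const SKILL_MD = [
  "---", "name: akf-trust-metadata", "description: >-", "  The AI native file format.", "globs:",
  ...["md", "py", "ts", "js", "json", "yaml", "html"].map((ext) => `  - "**/*.${ext}"`),
  "---", "## Install", "pip install akf",
].join("\n");
const SAMPLE_TREE = [ // constructed project tree, including dependency and CI paths
  "README.md", "src/app.ts", "src/util.js", "package.json", "package-lock.json",
  ".github/workflows/ci.yml", "config/settings.yaml", "docs/index.html",
  "scripts/build.py", "node_modules/left-pad/index.js", "assets/logo.png", "Makefile",
];

function parseFrontmatter(md) {
  const fm = (md.match(/^---\n([\s\S]*?)\n---/) || ["", ""])[1];
  const keys = [...fm.matchAll(/^([A-Za-z_-]+):/gm)].map((k) => k[1]);
  const globs = [...fm.matchAll(/^[ \t]*-[ \t]*"([^"]+)"[ \t]*$/gm)].map((g) => g[1]);
  return { keys, globs };
}

// Supports only `**/` (any directory depth) and `*` (within one path segment).
function globToRegExp(glob) {
  const src = glob.replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*\*\//g, "\u0000").replace(/\*/g, "[^/]*").replace(/\u0000/g, "(?:.*/)?");
  return new RegExp(`^${src}$`);
}

function coverage(globs, files) {
  const matched = files.filter((f) => globs.some((g) => globToRegExp(g).test(f)));
  return { matched, ratio: matched.length / files.length };
}

// Heuristic: a `pip install` argument that is not an option and carries no `==` pin.
function unpinnedPipInstalls(md) {
  return [...md.matchAll(/^[ \t]*pip3? install[ \t]+(.+)$/gm)]
    .flatMap((m) => m[1].trim().split(/\s+/))
    .filter((arg) => !arg.startsWith("-") && !arg.includes("=="));
}

function lintSkill(md, files, maxRatio = 0.5) { // maxRatio is an assumed threshold
  const { keys, globs } = parseFrontmatter(md);
  const { matched, ratio } = coverage(globs, files);
  const findings = unpinnedPipInstalls(md).map((p) => `unpinned-install:${p}`);
  if (ratio > maxRatio) findings.unshift("broad-globs");
  if (!keys.includes("origin")) findings.unshift("missing-origin");
  return { findings, matched, ratio };
}

console.log(lintSkill(SKILL_MD, SAMPLE_TREE));
```

On the constructed tree the seven patterns match 9 of 12 paths, including the file under `node_modules/`, while `.github/workflows/ci.yml` is missed because only `.yaml` is listed.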
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@skills/akf-trust-metadata/SKILL.md`:
- Around line 21-51: Update SKILL.md to include the required canonical sections
by adding the headings "When to Use", "How It Works", and "Examples" and moving
the existing relevant content under each: place the guidance on when to run akf
commands (e.g., "After creating or modifying files" and "Before modifying
existing files") under "When to Use", move the usage snippets and
compliance/audit/classification/Install details under "How It Works", and
include any command examples and sample invocations under "Examples"; ensure the
new headings exactly match "When to Use", "How It Works", and "Examples" so
tooling that validates skills (skills/akf-trust-metadata/SKILL.md) recognizes
them.
📒 Files selected for processing (1)
skills/akf-trust-metadata/SKILL.md
| ## After creating or modifying files | ||
|
|
||
| ```bash | ||
| akf stamp <file> --agent claude-code --evidence "<what you did>" | ||
| ``` | ||
|
|
||
| ## Before modifying existing files | ||
|
|
||
| ```bash | ||
| akf read <file> | ||
| akf inspect <file> | ||
| ``` | ||
|
|
||
| ## Compliance auditing | ||
|
|
||
| ```bash | ||
| akf audit <file> --regulation eu_ai_act | ||
| akf audit <file> --regulation hipaa | ||
| akf audit <file> --regulation sox | ||
| ``` | ||
|
|
||
| ## Classification | ||
|
|
||
| - --label confidential for finance/secret/internal paths | ||
| - --label public for README, docs, examples | ||
|
|
||
| ## Install | ||
|
|
||
| ```bash | ||
| pip install akf | ||
| ``` |
🛠️ Refactor suggestion | 🟠 Major
Add the required canonical skill sections (When to Use, How It Works, Examples).
This skill doc currently uses custom headings, but the required sections are missing. Please add those three headings (you can keep the current content under them). This keeps the skill consistent with repo conventions and tooling expectations.
As per coding guidelines: “skills/**/*.md: Skills must be formatted as Markdown files with clear sections including 'When to Use', 'How It Works', and 'Examples'.”
1 issue found across 1 file
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="skills/akf-trust-metadata/SKILL.md">
<violation number="1" location="skills/akf-trust-metadata/SKILL.md:13">
P3: Glob list covers .yaml but omits .yml, so YAML files using the common .yml extension won’t trigger the skill.</violation>
</file>
| - "**/*.ts" | ||
| - "**/*.js" | ||
| - "**/*.json" | ||
| - "**/*.yaml" |
P3: Glob list covers .yaml but omits .yml, so YAML files using the common .yml extension won’t trigger the skill.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At skills/akf-trust-metadata/SKILL.md, line 13:
<comment>Glob list covers .yaml but omits .yml, so YAML files using the common .yml extension won’t trigger the skill.</comment>
<file context>
@@ -0,0 +1,53 @@
+ - "**/*.ts"
+ - "**/*.js"
+ - "**/*.json"
+ - "**/*.yaml"
+ - "**/*.html"
+---
</file context>
Adds AKF (Agent Knowledge Format) as a skill — the AI native file format.
What it does: EXIF for AI. Stamps every file with trust scores, source provenance, and compliance metadata (~15 tokens of JSON). Embeds natively into 20+ formats.
How it fits: After Claude Code creates/modifies files, the AKF skill guides it to stamp trust metadata. Before modifying files, it checks existing trust context.
Compliance: One-command audit for EU AI Act (Aug 2, 2026), SOX, HIPAA.
Install:
pip install akf
Docs: https://akf.dev
GitHub: https://github.com/HMAKT99/AKF
Summary by cubic
Add `akf-trust-metadata` skill docs to stamp files with trust, provenance, and compliance metadata using `akf`, and to read/inspect metadata before edits. Includes install and basic commands (stamp/read/inspect/audit), classification labels, and audits for EU AI Act, HIPAA, and SOX.
Written for commit dc54a93. Summary will update on new commits.