How do I install best-practices?

Run `npx skills add https://github.com/tech-leads-club/agent-skills --skill web-best-practices` in your terminal. You need to have run `npx skills init` once in your project first.

Which agent frameworks does best-practices support?

best-practices works with any agent framework supported by the Skills registry, including Claude Code, Cursor, GitHub Copilot, Cline, Codex, and Gemini CLI.

Is best-practices free to use?

Yes. best-practices is free to install and use. It is available from the open explainx.ai skill registry published by tech-leads-club.

Where can I read ratings and reviews for best-practices?

Community ratings and review text appear on this explainx.ai skill page below the description. Reviews use a 1–5 scale and may include short written feedback from signed-in members.

How do I install best-practices?

Run `npx skills add https://github.com/tech-leads-club/agent-skills --skill web-best-practices` in your terminal. You need to have run `npx skills init` once in your project first.

Which agent frameworks does best-practices support?

best-practices works with any agent framework supported by the Skills registry, including Claude Code, Cursor, GitHub Copilot, Cline, Codex, and Gemini CLI.

Is best-practices free to use?

Yes. best-practices is free to install and use. It is available from the open explainx.ai skill registry published by tech-leads-club.

Where can I read ratings and reviews for best-practices?

Community ratings and review text appear on this explainx.ai skill page below the description. Reviews use a 1–5 scale and may include short written feedback from signed-in members.

How do I install best-practices?

Run `npx skills add https://github.com/tech-leads-club/agent-skills --skill web-best-practices` in your terminal. You need to have run `npx skills init` once in your project first.

Which agent frameworks does best-practices support?

best-practices works with any agent framework supported by the Skills registry, including Claude Code, Cursor, GitHub Copilot, Cline, Codex, and Gemini CLI.

Is best-practices free to use?

Yes. best-practices is free to install and use. It is available from the open explainx.ai skill registry published by tech-leads-club.

Where can I read ratings and reviews for best-practices?

Community ratings and review text appear on this explainx.ai skill page below the description. Reviews use a 1–5 scale and may include short written feedback from signed-in members.

How do I install best-practices?

Run `npx skills add https://github.com/tech-leads-club/agent-skills --skill web-best-practices` in your terminal. You need to have run `npx skills init` once in your project first.

Which agent frameworks does best-practices support?

best-practices works with any agent framework supported by the Skills registry, including Claude Code, Cursor, GitHub Copilot, Cline, Codex, and Gemini CLI.

Is best-practices free to use?

Yes. best-practices is free to install and use. It is available from the open explainx.ai skill registry published by tech-leads-club.

Where can I read ratings and reviews for best-practices?

Community ratings and review text appear on this explainx.ai skill page below the description. Reviews use a 1–5 scale and may include short written feedback from signed-in members.

How do I install best-practices?

Run `npx skills add https://github.com/tech-leads-club/agent-skills --skill web-best-practices` in your terminal. You need to have run `npx skills init` once in your project first.

Which agent frameworks does best-practices support?

best-practices works with any agent framework supported by the Skills registry, including Claude Code, Cursor, GitHub Copilot, Cline, Codex, and Gemini CLI.

Is best-practices free to use?

Yes. best-practices is free to install and use. It is available from the open explainx.ai skill registry published by tech-leads-club.

Where can I read ratings and reviews for best-practices?

Community ratings and review text appear on this explainx.ai skill page below the description. Reviews use a 1–5 scale and may include short written feedback from signed-in members.

How do I install best-practices?

Run `npx skills add https://github.com/tech-leads-club/agent-skills --skill web-best-practices` in your terminal. You need to have run `npx skills init` once in your project first.

Which agent frameworks does best-practices support?

best-practices works with any agent framework supported by the Skills registry, including Claude Code, Cursor, GitHub Copilot, Cline, Codex, and Gemini CLI.

Is best-practices free to use?

Yes. best-practices is free to install and use. It is available from the open explainx.ai skill registry published by tech-leads-club.

Where can I read ratings and reviews for best-practices?

Community ratings and review text appear on this explainx.ai skill page below the description. Reviews use a 1–5 scale and may include short written feedback from signed-in members.

How do I install best-practices?

Run `npx skills add https://github.com/tech-leads-club/agent-skills --skill web-best-practices` in your terminal. You need to have run `npx skills init` once in your project first.

Which agent frameworks does best-practices support?

best-practices works with any agent framework supported by the Skills registry, including Claude Code, Cursor, GitHub Copilot, Cline, Codex, and Gemini CLI.

Is best-practices free to use?

Yes. best-practices is free to install and use. It is available from the open explainx.ai skill registry published by tech-leads-club.

Where can I read ratings and reviews for best-practices?

Community ratings and review text appear on this explainx.ai skill page below the description. Reviews use a 1–5 scale and may include short written feedback from signed-in members.

How do I install best-practices?

Run `npx skills add https://github.com/tech-leads-club/agent-skills --skill web-best-practices` in your terminal. You need to have run `npx skills init` once in your project first.

Which agent frameworks does best-practices support?

best-practices works with any agent framework supported by the Skills registry, including Claude Code, Cursor, GitHub Copilot, Cline, Codex, and Gemini CLI.

Is best-practices free to use?

Yes. best-practices is free to install and use. It is available from the open explainx.ai skill registry published by tech-leads-club.

Where can I read ratings and reviews for best-practices?

Community ratings and review text appear on this explainx.ai skill page below the description. Reviews use a 1–5 scale and may include short written feedback from signed-in members.

How do I install best-practices?

Run `npx skills add https://github.com/tech-leads-club/agent-skills --skill web-best-practices` in your terminal. You need to have run `npx skills init` once in your project first.

Which agent frameworks does best-practices support?

best-practices works with any agent framework supported by the Skills registry, including Claude Code, Cursor, GitHub Copilot, Cline, Codex, and Gemini CLI.

Is best-practices free to use?

Yes. best-practices is free to install and use. It is available from the open explainx.ai skill registry published by tech-leads-club.

Where can I read ratings and reviews for best-practices?

Community ratings and review text appear on this explainx.ai skill page below the description. Reviews use a 1–5 scale and may include short written feedback from signed-in members.

How do I install best-practices?

Run `npx skills add https://github.com/tech-leads-club/agent-skills --skill web-best-practices` in your terminal. You need to have run `npx skills init` once in your project first.

Which agent frameworks does best-practices support?

best-practices works with any agent framework supported by the Skills registry, including Claude Code, Cursor, GitHub Copilot, Cline, Codex, and Gemini CLI.

Is best-practices free to use?

Yes. best-practices is free to install and use. It is available from the open explainx.ai skill registry published by tech-leads-club.

Where can I read ratings and reviews for best-practices?

Community ratings and review text appear on this explainx.ai skill page below the description. Reviews use a 1–5 scale and may include short written feedback from signed-in members.

How do I install best-practices?

Run `npx skills add https://github.com/tech-leads-club/agent-skills --skill web-best-practices` in your terminal. You need to have run `npx skills init` once in your project first.

quality

best-practices▌

tech-leads-club/agent-skills · updated May 23, 2026

MDX-style export adds YAML metadata + attribution linking explainx.ai and this canonical listing URL.

$npx skills add https://github.com/tech-leads-club/agent-skills --skill web-best-practices

0 commentsdiscussion

summary

Apply modern web development best practices for security, compatibility, and code quality. Use when asked to "apply best practices", "security audit", "modernize code", "code quality review", or "check for vulnerabilities". Do NOT use for accessibility (use web-accessibility), SEO (use seo), performance (use core-web-vitals), or comprehensive multi-area audits (use web-quality-audit).

skill.md

name	best-practices
description	Apply modern web development best practices for security, compatibility, and code quality. Use when asked to "apply best practices", "security audit", "modernize code", "code quality review", or "check for vulnerabilities". Do NOT use for accessibility (use web-accessibility), SEO (use seo), performance (use core-web-vitals), or comprehensive multi-area audits (use web-quality-audit).
license	MIT
metadata	author: web-quality-skills version: '1.0'

Best practices

Modern web development standards based on Lighthouse best practices audits. Covers security, browser compatibility, and code quality patterns.

Security

HTTPS everywhere

Enforce HTTPS:

<!-- ❌ Mixed content -->
<img src="http://example.com/image.jpg" />
<script src="http://cdn.example.com/script.js"></script>

<!-- ✅ HTTPS only -->
<img src="https://example.com/image.jpg" />
<script src="https://cdn.example.com/script.js"></script>

<!-- ✅ Protocol-relative (will use page's protocol) -->
<img src="//example.com/image.jpg" />

HSTS Header:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Content Security Policy (CSP)

<!-- Basic CSP via meta tag -->
<meta
  http-equiv="Content-Security-Policy"
  content="default-src 'self'; 
               script-src 'self' https://trusted-cdn.com; 
               style-src 'self' 'unsafe-inline';
               img-src 'self' data: https:;
               connect-src 'self' https://api.example.com;"
/>

<!-- Better: HTTP header -->

CSP Header (recommended):

Content-Security-Policy:
  default-src 'self';
  script-src 'self' 'nonce-abc123' https://trusted.com;
  style-src 'self' 'nonce-abc123';
  img-src 'self' data: https:;
  connect-src 'self' https://api.example.com;
  frame-ancestors 'self';
  base-uri 'self';
  form-action 'self';

Using nonces for inline scripts:

<script nonce="abc123">
  // This inline script is allowed
</script>

Security headers

# Prevent clickjacking
X-Frame-Options: DENY

# Prevent MIME type sniffing
X-Content-Type-Options: nosniff

# Enable XSS filter (legacy browsers)
X-XSS-Protection: 1; mode=block

# Control referrer information
Referrer-Policy: strict-origin-when-cross-origin

# Permissions policy (formerly Feature-Policy)
Permissions-Policy: geolocation=(), microphone=(), camera=()

No vulnerable libraries

# Check for vulnerabilities
npm audit
yarn audit

# Auto-fix when possible
npm audit fix

# Check specific package
npm ls lodash

Keep dependencies updated:

// package.json
{
  "scripts": {
    "audit": "npm audit --audit-level=moderate",
    "update": "npm update && npm audit fix"
  }
}

Known vulnerable patterns to avoid:

// ❌ Prototype pollution vulnerable patterns
Object.assign(target, userInput)
_.merge(target, userInput)

// ✅ Safer alternatives
const safeData = JSON.parse(JSON.stringify(userInput))

Input sanitization

// ❌ XSS vulnerable
element.innerHTML = userInput
document.write(userInput)

// ✅ Safe text content
element.textContent = userInput

// ✅ If HTML needed, sanitize
import DOMPurify from 'dompurify'
element.innerHTML = DOMPurify.sanitize(userInput)

Secure cookies

// ❌ Insecure cookie
document.cookie = "session=abc123";

// ✅ Secure cookie (server-side)
Set-Cookie: session=abc123; Secure; HttpOnly; SameSite=Strict; Path=/

Browser compatibility

Doctype declaration

<!-- ❌ Missing or invalid doctype -->
<html>
  <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN">

  <!-- ✅ HTML5 doctype -->
  <!DOCTYPE html>
  <html lang="en"></html>
</html>

Character encoding

<!-- ❌ Missing or late charset -->
<html>
  <head>
    <title>Page</title>
    <meta charset="UTF-8" />
  </head>

  <!-- ✅ Charset as first element in head -->
  <html>
    <head>
      <meta charset="UTF-8" />
      <title>Page</title>
    </head>
  </html>
</html>

Viewport meta tag

<!-- ❌ Missing viewport -->
<head>
  <title>Page</title>
</head>

<!-- ✅ Responsive viewport -->
<head>
  <meta charset="UTF-8" />
  <meta name="viewport" content="width=device-width, initial-scale=1" />
  <title>Page</title>
</head>

Feature detection

// ❌ Browser detection (brittle)
if (navigator.userAgent.includes('Chrome')) {
  // Chrome-specific code
}

// ✅ Feature detection
if ('IntersectionObserver' in window) {
  // Use IntersectionObserver
} else {
  // Fallback
}

// ✅ Using @supports in CSS
@supports (display: grid) {
  .container {
    display: grid;
  }
}

@supports not (display: grid) {
  .container {
    display: flex;
  }
}

Polyfills (when needed)

<!-- Load polyfills conditionally -->
<script>
  if (!('fetch' in window)) {
    document.write('<script src="/polyfills/fetch.js"><\/script>')
  }
</script>

<!-- Or use polyfill.io -->
<script src="https://polyfill.io/v3/polyfill.min.js?features=fetch,IntersectionObserver"></script>

Deprecated APIs

Avoid these

// ❌ document.write (blocks parsing)
document.write('<script src="..."></script>');

// ✅ Dynamic script loading
const script = document.createElement('script');
script.src = '...';
document.head.appendChild(script);

// ❌ Synchronous XHR (blocks main thread)
const xhr = new XMLHttpRequest();
xhr.open('GET', url, false); // false = synchronous

// ✅ Async fetch
const response = await fetch(url);

// ❌ Application Cache (deprecated)
<html manifest="cache.manifest">

// ✅ Service Workers
if ('serviceWorker' in navigator) {
  navigator.serviceWorker.register('/sw.js');
}

Event listener passive

// ❌ Non-passive touch/wheel (may block scrolling)
element.addEventListener('touchstart', handler)
element.addEventListener('wheel', handler)

// ✅ Passive listeners (allows smooth scrolling)
element.addEventListener('touchstart', handler, { passive: true })
element.addEventListener('wheel', handler, { passive: true })

// ✅ If you need preventDefault, be explicit
element.addEventListener('touchstart', handler, { passive: false })

Console & errors

No console errors

// ❌ Errors in production
console.log('Debug info') // Remove in production
throw new Error('Unhandled') // Catch all errors

// ✅ Proper error handling
try {
  riskyOperation()
} catch (error) {
  // Log to error tracking service
  errorTracker.captureException(error)
  // Show user-friendly message
  showErrorMessage('Something went wrong. Please try again.')
}

Error boundaries (React)

class ErrorBoundary extends React.Component {
  state = { hasError: false }

  static getDerivedStateFromError(error) {
    return { hasError: true }
  }

  componentDidCatch(error, info) {
    errorTracker.captureException(error, { extra: info })
  }

  render() {
    if (this.state.hasError) {
      return <FallbackUI />
    }
    return this.props.children
  }
}

// Usage
;<ErrorBoundary>
  <App />
</ErrorBoundary>

Global error handler

// Catch unhandled errors
window.addEventListener('error', (event) => {
  errorTracker.captureException(event.error)
})

// Catch unhandled promise rejections
window.addEventListener('unhandledrejection', (event) => {
  errorTracker.captureException(event.reason)
})

Source maps

Production configuration

// ❌ Source maps exposed in production
// webpack.config.js
module.exports = {
  devtool: 'source-map', // Exposes source code
}

// ✅ Hidden source maps (uploaded to error tracker)
module.exports = {
  devtool: 'hidden-source-map',
}

// ✅ Or no source maps in production
module.exports = {
  devtool: process.env.NODE_ENV === 'production' ? false : 'source-map',
}

Performance best practices

Avoid blocking patterns

// ❌ Blocking script
<script src="heavy-library.js"></script>

// ✅ Deferred script
<script defer src="heavy-library.js"></script>

// ❌ Blocking CSS import
@import url('other-styles.css');

// ✅ Link tags (parallel loading)
<link rel="stylesheet" href="styles.css">
<link rel="stylesheet" href="other-styles.css">

Efficient event handlers

// ❌ Handler on every element
items.forEach((item) => {
  item.addEventListener('click', handleClick)
})

// ✅ Event delegation
container.addEventListener('click', (e) => {
  if (e.target.matches('.item')) {
    handleClick(e)
  }
})

Memory management

// ❌ Memory leak (never removed)
const handler = () => {
  /* ... */
}
window.addEventListener('resize', handler)

// ✅ Cleanup when done
const handler = () => {
  /* ... */
}
window.addEventListener('resize', handler)

// Later, when component unmounts:
window.removeEventListener('resize', handler)

// ✅ Using AbortController
const controller = new AbortController()
window.addEventListener('resize', handler, { signal: controller.signal })

// Cleanup:
controller.abort()

Code quality

Valid HTML

<!-- ❌ Invalid HTML -->
<div id="header">
  <div id="header">
    <!-- Duplicate ID -->

    <ul>
      <div>Item</div>
      <!-- Invalid child -->
    </ul>

    <a href="/"><button>Click</button></a>
    <!-- Invalid nesting -->

    <!-- ✅ Valid HTML -->
    <header id="site-header"></header>

    <ul>
      <li>Item</li>
    </ul>

    <a href="/" class="button">Click</a>
  </div>
</div>

Semantic HTML

<!-- ❌ Non-semantic -->
<div class="header">
  <div class="nav">
    <div class="nav-item">Home</div>
  </div>
</div>
<div class="main">
  <div class="article">
    <div class="title">Headline</div>
  </div>
</div>

<!-- ✅ Semantic HTML5 -->
<header>
  <nav>
    <a href="/">Home</a>
  </nav>
</header>
<main>
  <article>
    <h1>Headline</h1>
  </article>
</main>

Image aspect ratios

<!-- ❌ Distorted images -->
<img src="photo.jpg" width="300" height="100" />
<!-- If actual ratio is 4:3, this squishes the image -->

<!-- ✅ Preserve aspect ratio -->
<img src="photo.jpg" width="300" height="225" />
<!-- Actual 4:3 dimensions -->

<!-- ✅ CSS object-fit for flexibility -->
<img src="photo.jpg" style="width: 300px; height: 200px; object-fit: cover;" />

Permissions & privacy

Request permissions properly

// ❌ Request on page load (bad UX, often denied)
navigator.geolocation.getCurrentPosition(success, error)

// ✅ Request in context, after user action
findNearbyButton.addEventListener('click', async () => {
  // Explain why you need it
  if (await showPermissionExplanation()) {
    navigator.geolocation.getCurrentPosition(success, error)
  }
})

Permissions policy

<!-- Restrict powerful features -->
<meta http-equiv="Permissions-Policy" content="geolocation=(), camera=(), microphone=()" />

<!-- Or allow for specific origins -->
<meta http-equiv="Permissions-Policy" content="geolocation=(self 'https://maps.example.com')" />

Audit checklist

Security (critical)

HTTPS enabled, no mixed content
No vulnerable dependencies (npm audit)
CSP headers configured
Security headers present
No exposed source maps

Compatibility

Valid HTML5 doctype
Charset declared first in head
Viewport meta tag present
No deprecated APIs used
Passive event listeners for scroll/touch

Code quality

No console errors
Valid HTML (no duplicate IDs)
Semantic HTML elements used
Proper error handling
Memory cleanup in components

UX

No intrusive interstitials
Permission requests in context
Clear error messages
Appropriate image aspect ratios

Tools

Tool	Purpose
`npm audit`	Dependency vulnerabilities
SecurityHeaders.com	Header analysis
W3C Validator	HTML validation
Lighthouse	Best practices audit
Observatory	Security scan

References

how to use best-practices

How to use best-practices on Cursor

AI-first code editor with Composer

Prerequisites

Before installing skills in Cursor, ensure your development environment meets these requirements:

›Cursor installed and configured on your development machine
›Node.js version 16.0+ with npm package manager (verify with node --version)
›Active project directory or workspace where you want to add best-practices

Execute installation command

Execute the skills CLI command in your project's root directory to begin installation:

$npx skills add https://github.com/tech-leads-club/agent-skills --skill web-best-practices

The skills CLI fetches best-practices from GitHub repository tech-leads-club/agent-skills and configures it for Cursor.

Select Cursor when prompted

The CLI will show a list of available agents. Use arrow keys to navigate and space to select Cursor:

◆ Which agents do you want to install to?

│

│ ── Universal (.agents/skills) ── always included ────

│ • Amp

│ • Antigravity

│ • Cline

│ • Codex

│ ●Cursor(selected)

│ • Cursor

│ • Windsurf

Verify installation

Confirm successful installation by checking the skill directory location:

.cursor/skills/best-practices

Reload or restart Cursor to activate best-practices. Access the skill through slash commands (e.g., /best-practices) or your agent's skill management interface.

⚠

Security & Verification Notice

We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.

Skills execute code in your development environment. Always verify the publisher's identity, review recent commits, and test in isolated environments before production deployment.

Additional Resources

›View source code on GitHub ›Skills CLI documentation ›Learn more about Cursor ›What are agent skills?

List & Monetize Your Skill

Submit your Claude Code skill and start earning

GET_STARTED →

Use Cases▌

Task Automation & Efficiency

Automate repetitive workflows and reduce manual effort

Example

Generate reports, summarize documents, draft communications

✓

Save 3-5 hours per week on routine tasks

Knowledge Enhancement

Learn new skills, understand complex topics, get expert guidance

Example

Explain concepts, provide examples, suggest learning resources

✓

Accelerate learning and skill development by 2x

Quality Improvement

Enhance output quality through reviews, suggestions, and refinements

Example

Review drafts, suggest improvements, catch errors

✓

Improve work quality by 30-40% with less effort

Implementation Guide▌

Prerequisites

›Claude Desktop or compatible AI client with skill support
›Clear understanding of task or problem to solve
›Willingness to iterate and refine outputs

Time Estimate

15-45 minutes depending on use case complexity

Installation Steps

1.Install skill using provided installation command
2.Test with simple use case relevant to your work
3.Evaluate output quality and relevance
4.Iterate on prompts to improve results
5.Integrate into regular workflow if valuable

Common Pitfalls

⚠Expecting perfect results without iteration
⚠Not providing enough context in prompts
⚠Using skill for tasks outside its intended scope
⚠Accepting outputs without review and validation

Best Practices▌

✓ Do

+Start with clear, specific prompts
+Provide relevant context and constraints
+Review and refine all outputs before using
+Iterate to improve output quality
+Document successful prompt patterns

✗ Don't

−Don't use without understanding skill limitations
−Don't skip validation of outputs
−Don't share sensitive information in prompts
−Don't expect skill to replace human judgment

💡 Pro Tips

★Be specific about desired format and style
★Ask for multiple options to choose from
★Request explanations to understand reasoning
★Combine AI efficiency with human expertise

When to Use This▌

✓ Use When

Use when skill capabilities match your task, clear ROI on time saved, and you can validate outputs. Best for repetitive tasks, learning, and quality improvement.

✗ Avoid When

Avoid when task requires deep expertise you can't validate, involves sensitive decisions, or when learning process is more valuable than speed of completion.

Learning Path▌

1Familiarize yourself with skill capabilities and limitations
2Start with low-risk, non-critical tasks
3Progress to more complex and valuable use cases
4Build expertise through regular use and experimentation

Discussion

Product Hunt–style comments (not star reviews)

No comments yet — start the thread.

general reviews

Ratings

4.6★★★★★71 reviews

★★★★★Advait Sanchez· Dec 28, 2024
best-practices reduced setup friction for our internal harness; good balance of opinion and flexibility.
★★★★★Noor Shah· Dec 16, 2024
best-practices fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.
★★★★★Dhruvi Jain· Dec 12, 2024
best-practices has been reliable in day-to-day use. Documentation quality is above average for community skills.
★★★★★Noor Sharma· Dec 12, 2024
I recommend best-practices for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.
★★★★★Kwame Harris· Dec 12, 2024
best-practices has been reliable in day-to-day use. Documentation quality is above average for community skills.
★★★★★Ren Agarwal· Dec 12, 2024
Solid pick for teams standardizing on skills: best-practices is focused, and the summary matches what you get after install.
★★★★★Kwame Wang· Nov 19, 2024
best-practices has been reliable in day-to-day use. Documentation quality is above average for community skills.
★★★★★Mia Jackson· Nov 7, 2024
We added best-practices from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
★★★★★Oshnikdeep· Nov 3, 2024
best-practices reduced setup friction for our internal harness; good balance of opinion and flexibility.
★★★★★Advait Rao· Nov 3, 2024
Useful defaults in best-practices — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.

showing 1-10 of 71

1 / 8