This list covers official documentation entry points, cross-tool standards, community discovery resources, security scanning tools, and researcher workflow tools. For the evaluation framework see 03-1, 03-2, and 03-3. Apply those three sections’ scanning SOP before installing any third-party resource. Links and content verified as of 2026-06; treat each vendor’s official page as the authoritative source. Any entry marked “needs source verification” should be confirmed before use. Community resources change at any time; appearing here means only “was included,” not “worth installing.”
| Vendor / Tool | Entry point | Purpose |
|---|
| Anthropic Claude Code | code.claude.com/docs | Official Claude Code documentation hub; primary source for all CLI settings, hooks, skills, subagents, plugins, and MCP chapters |
| Anthropic account / privacy | support.claude.com, privacy.claude.com | Account settings, Help Improve Claude toggle, retention periods, Team / Enterprise terms |
| Anthropic Cowork | anthropic.com/product/claude-cowork | Cowork product page; specific connector configuration mechanisms require the official support docs |
| Anthropic Engineering | anthropic.com/engineering | Engineering team blog; conceptual articles on context engineering, augmented LLM, etc. |
| OpenAI ChatGPT | help.openai.com | ChatGPT consumer settings, Custom Instructions, Memory, and Projects |
| OpenAI Codex | developers.openai.com/codex | Codex CLI / IDE settings, config.toml, AGENTS.md, hooks (experimental) |
| OpenAI policies | openai.com/policies | Data use, privacy, API terms of service |
| Google Gemini | support.google.com/gemini | Gemini consumer Gems, Personal context, Keep Activity toggle |
| Google Antigravity | developers.googleblog.com, ai.google.dev, Google Codelabs | Antigravity and Gemini API developer documentation (some mechanisms require re-checking against your installed version’s official page) |
| Google AI developer docs | ai.google.dev | Gemini API specification, model cards, pricing |
| GitHub Copilot | docs.github.com/copilot | Copilot documentation hub for all surfaces (CLI, IDE, Chat, coding agent) |
| VS Code Copilot | code.visualstudio.com/docs/copilot | Copilot Chat inside VS Code and IDE settings such as chat.instructionsFilesLocations |
| Cursor | cursor.com/docs | Cursor rules, ignore files, MCP, Composer |
| Linux Foundation AAIF | linuxfoundation.org | Agentic AI Foundation; governance for MCP, goose, and AGENTS.md founding projects |
When a vendor ships a new version, the changelog and release notes are the first-hand source for configuration file renames and mechanism changes. They are more accurate and faster than any secondary summary.
- AGENTS.md specification site:
agents.md. The open rules-file standard across tools; governed by the Agentic AI Foundation (AAIF) under the Linux Foundation.
- MCP (Model Context Protocol) specification site:
modelcontextprotocol.io. MCP specification, definitions of the three interface types (tools / resources / prompts), and transport evolution.
- Claude official MCP server directory:
claude.ai/directory. Anthropic’s curated list of official MCP servers.
- Snyk Security advisories:
snyk.io and security.snyk.io. ToxicSkills reports, CVEs, and third-party component risk research.
- GitHub Security Advisories:
github.com/advisories. Query CVEs and vulnerability advisories by package, tool, or keyword; subscribe to the tools and libraries you depend on most.
AGENTS.md is the baseline (shared rules); vendor-specific files (CLAUDE.md / GEMINI.md / .cursor/rules/*.mdc / .github/copilot-instructions.md) override or extend it. Claude Code does not natively read AGENTS.md; use @AGENTS.md inside CLAUDE.md to import it.
Inclusion criteria are “actively maintained, has users, not a shell.” Quality, maintenance recency, permission scope, and security must be assessed with the frameworks in 03-1, 03-2, and 03-3. 3.1 Rules / Skill / Agent resources
| Resource | Primary content | Entry point |
|---|
PatrickJS/awesome-cursorrules | Community collection of Cursor .mdc rules | github.com/PatrickJS/awesome-cursorrules |
VoltAgent/awesome-agent-skills | Cross-tool skill collection (mostly Claude / Cursor) | github.com/VoltAgent/awesome-agent-skills |
kodustech/awesome-agent-skills | Another cross-tool skill collection | github.com/kodustech/awesome-agent-skills |
addyosmani/agent-skills | Engineering-oriented skill templates | github.com/addyosmani/agent-skills |
| Claude Code awesome lists | Community-curated plugin / skill / hook collections | Search awesome claude-code on github.com |
3.2 Package marketplaces
| Marketplace | Content | Entry point |
|---|
| VS Code Marketplace (Copilot extensions) | Copilot extensions, language tools | marketplace.visualstudio.com |
npm @github/copilot | Standalone copilot CLI | npmjs.com/package/@github/copilot |
| PyPI (Python packages) | Agent / SDK packages, evaluation frameworks | pypi.org |
| crates.io (Rust packages) | Agent / toolchain crates | crates.io |
3.3 Evaluation and benchmarks
| Resource | Purpose |
|---|
| Vendor evaluation pages (Anthropic / OpenAI / Google) | Official model capability tests; do not rely on these alone — run your own personal benchmark |
| LMSYS Chatbot Arena | Crowd-voted comparisons; useful for community perception, not a reliable proxy for personal task performance |
lmsys/lm-evaluation-harness | Open-source evaluation framework for building custom task sets |
openai/evals | OpenAI’s open-source evaluation framework |
| Hugging Face Hub | Model, dataset, and Spaces discovery hub; validate everything yourself |
| Tool | Purpose | Entry point |
|---|
rg (ripgrep) | Scan for hidden Unicode / bidi, suspicious outbound connections, dangerous commands | github.com/BurntSushi/ripgrep |
| Snyk | Package vulnerabilities, ToxicSkills reports | snyk.io |
| Trivy | Container, IaC, and SBOM scanning | trivy.dev |
bandit | Python static security analysis | pypi.org/project/bandit |
| Semgrep | Multi-language static analysis with custom rules for supply-chain fingerprinting | semgrep.dev |
| GitHub Advisory Database | Vulnerability database | github.com/advisories |
| OSV.dev | Cross-ecosystem vulnerability database | osv.dev |
agentshield | Security scanning tool for third-party skill / agent descriptor files | github.com/affaan-m/agentshield [needs source verification] |
Three scans to run on any unfamiliar skill:# 1. Hidden characters and bidi overrides
rg -nP '[\x{200B}\x{200C}\x{200D}\x{2060}\x{FEFF}\x{202A}-\x{202E}]' ~/.claude/plugins/ .claude/ .mcp.json
# 2. Suspicious outbound connections and dangerous commands
rg -n 'curl|wget|nc|scp|ssh|ANTHROPIC_BASE_URL|enableAllProjectMcpServers' ~/.claude/plugins/ .claude/ .mcp.json
# 3. HTML comments, script tags, base64
rg -n '<!--|<script|data:text/html|base64,' ~/.claude/plugins/ .claude/ .mcp.json
5. Further resources for researchers
5.1 Local inference and deployment
| Tool | Purpose | Entry point |
|---|
| vLLM | High-throughput LLM serving; well-suited for local serving in research environments | github.com/vllm-project/vllm |
| llama.cpp | Local inference on CPU / Apple Silicon / low-VRAM setups | github.com/ggerganov/llama.cpp |
| SGLang | Structured generation, radix attention, inference optimization | github.com/sgl-project/sglang |
| Ollama | Out-of-the-box local model management | ollama.com |
| LM Studio | GUI local model manager | lmstudio.ai |
| Hugging Face Transformers | De-facto standard library for model loading, inference, and training | huggingface.co/docs/transformers |
| Hugging Face Hub | Entry point for models, datasets, and Spaces | huggingface.co |
| Open WebUI | Self-hosted chat interface compatible with Ollama / OpenAI-compatible APIs | github.com/open-webui/open-webui |
| llama-swap | Dynamic multi-model switching proxy | github.com/mostlygeek/llama-swap |
| GPU-Stack | Multi-GPU / multi-node inference orchestration | github.com/gpustack/gpustack |
5.2 Academic workflow integration
| Resource | Purpose |
|---|
arxiv.org | Preprint server; starting point for SOTA tracking (check peer-reviewed journals for accepted work) |
| Semantic Scholar, Google Scholar | Citation graphs and cited-by counts; “who cited whom” for literature reviews |
| Connected Papers, Litmaps, ResearchRabbit | Visual citation graphs for finding related papers |
| Zotero (with Better BibTeX) | Reference management; integrates with Obsidian / VS Code |
| Obsidian + Citations / Zotero Integration plugin | Pull literature metadata into notes |
| Overleaf | Online LaTeX; collaborative editing and template library |
| Zettlr, Obsidian | Markdown-first long-form writing environments |
| Pandoc | Markdown / LaTeX / DOCX conversion; primary tool for producing final manuscripts |
| LangChain / LlamaIndex | RAG and agent frameworks; for retrieval-augmented literature search and automation |
| OpenReview | Public conference review records; inspect reviewer comments and rebuttal quality |
| Papers with Code | Links papers to implementations / benchmarks; entry point for finding open-source implementations |
| Tool | Purpose |
|---|
| Git | Version control foundation; commit conventions and .gitignore templates covered throughout this Playbook |
| uv | Python package and environment management (CLI / scripts / web use) |
| conda / Miniconda | Scientific computing, ML, and CUDA dependency management |
| Docker / Docker Compose | Reproducible environment packaging; entire agent workflows can be containerized |
| Devcontainer (VS Code / GitHub Codespaces) | Standardized development environments on cloud or local |
| pytest | Python testing framework; pair with pytest-cov to reach 80% coverage |
| pre-commit | Gate lint / type-check / format checks before commit |
uv run / nix run | One-shot, disposable execution environments |
| Resource | Purpose |
|---|
| Supabase / pgvector | Backend + vector database; the most common path for self-hosted RAG |
| MinIO | S3-compatible object storage; self-hosted data lake |
| Cloudflare (Workers, Tunnels, Zero Trust, WARP, WAF, DNS, R2) | Edge compute and zero-trust networking; low-cost option for individuals and small teams |
| Tailscale | Zero-config mesh VPN; self-hosted cross-machine agent networking |
| acme.sh | Automated TLS certificates; lowest-cost HTTPS for public-facing services |
| n8n | Visual workflow orchestration; API chaining accessible to non-engineers |
| LangGraph | Agent flows as stateful graphs; designed for complex multi-step tasks |
Only common self-hosted / platform options are listed here. Selection details depend on your specific deployment requirements (latency, bandwidth, cost, regulatory constraints) and each vendor’s official documentation.
7. Standard SOP for using community resources
When you encounter a popular Skill / Plugin / MCP server, follow these seven steps:
- Source review: Is the author named? What organization? How long since the last commit? Is the issue tracker active?
- File review: Read
SKILL.md / plugin.json / .mcp.json / hooks.json in full. Do the first 50 lines contain suspicious commands or outbound connections?
- Permission review: Does it write files? Connect to the network? Require a token? Does the task actually need any of that?
- Isolated test: Install it first in a throwaway environment or container, run one empty task, and observe network and file behavior.
- Scan: Run the three
rg scans from Section 4. Do not skip any hit.
- Track: Follow the author’s releases. Re-run all five steps before upgrading.
- Document: Write the review findings into
MEMORY.md or project documentation. When a colleague asks whether it is safe to install, hand them the record directly.
