Turn AI from Intern to Certified Expert with CloudBase Agent Skills

Background

AI‑generated code often works only in a local localhost environment because the model lacks awareness of the real backend infrastructure.

Agent Skills

Agent Skills (introduced by Anthropic in Oct 2025 for Claude Code) are bundles of a SKILL.md file plus optional scripts, references and assets. The SKILL.md contains metadata (e.g., name, description) and step‑by‑step instructions that tell an AI how to perform a specific task.

my-skill/
├── SKILL.md   # core: instructions + metadata
├── scripts/   # optional executable code
├── references/ # optional docs
└── assets/    # optional templates/resources

Progressive Disclosure

Discovery : At startup the agent loads only each skill’s name and description, keeping the context window small.

Activation : When a request matches a skill’s description, the full SKILL.md is injected into the context.

Execution : The agent follows the instructions, loading any referenced files or scripts on demand.

CloudBase Skills – 8 Years of Serverless Experience

CloudBase is a serverless platform launched in 2018. Its CloudBase Skills combine the skill concept with a full‑stack base that provides:

Full‑stack deployment : Convert a local demo into a publicly reachable URL.

Native multi‑platform authentication : Unified login for Web, Mini‑Program, etc., without hard‑coded parameters.

Database layer : NoSQL and SQL access with built‑in per‑user security rules, preventing horizontal privilege escalation.

The platform handles >10 billion daily API calls for >3.3 million developers, and this operational knowledge is encoded as AI‑readable commands.

Scenario 1 – Authentication

Incorrect approach – trusting a client‑provided userId leads to horizontal privilege attacks:

// Bad: trust client‑provided ID
const { openid } = event.params;
const user = await db.collection('users').doc(openid).get();

Correct approach – load the auth‑wechat skill, which forces the AI to use CloudBase’s native authentication context:

// Good: use platform‑provided OPENID
const { OPENID } = cloud.getWXContext();
const user = await db.collection('users').doc(OPENID).get();

Engineering rule: Security must rely on the base’s native trust, not on client‑supplied values.

Scenario 2 – Data Security

Instead of exposing raw database APIs, the skill injects security rules directly into the database layer:

// Rule enforced by CloudBase
auth.uid == doc._openid

This creates a defensive programming loop: even if business‑logic bugs occur, the underlying sandbox blocks unauthorized data modifications.

Scenario 3 – AI Integration

Hard‑coding API keys in the front end is unsafe. CloudBase Skills store keys in secure environment variables and expose a minimal SDK call:

const model = wx.cloud.extend.AI.createModel("hunyuan-exp");
const res = await model.streamText({
  model: "hunyuan-turbos-latest",
  messages: [{role: "user", content: "介绍一下李白"}]
});
for await (const text of res.textStream) {
  console.log("文本片段:", text);
}

Installation

Run the following command in a terminal to add the CloudBase skill set to any supported AI development tool:

npx skills add tencentcloudbase/skills

Architecture Overview

The system follows an “Environment as Boundary” design:

Physical isolation : Separate plugins for Web, Mini‑Program, and Node.js avoid semantic pollution.

Guideline routing : A cloudbase‑guidelines skill acts as the entry point, detecting the project type (e.g., presence of app.json indicates a Mini‑Program) and loading only the relevant sub‑skills.

Practical Tips to Boost Skill Activation

Primacy injection : Begin every prompt with a mandatory line such as "You MUST read the cloudbase‑guidelines skill FIRST when working with CloudBase projects." This leverages the primacy effect to raise activation from ~20 % to ~84 %.

Project‑level system rules : Add a CLAUDE.md or AGENT.md file at the repository root that enforces skill usage without repeating the prompt each time.

Forced evaluation hook : Configure a hook (e.g., .claude/settings.json) that intercepts every AI request, requiring the model to emit an evaluation report listing available skills and justification before any code is generated.

Future Roadmap (Technical Highlights)

Mini‑Program WeChat Pay skill

Virtual payment skill for Mini‑Programs

Game‑related CloudBase skill packs

Full‑stack backend deployment skill

Additional templates and skill matrices

References

CloudBase Skills repository: https://github.com/TencentCloudBase/Skills

CloudBase MCP repository: https://github.com/TencentCloudBase/CloudBase-MCP