Adoption · Reader skills · v0.1.0

Read profiles. Don't get hijacked.

The author skills on the adopt page help a publisher write their own profile. These are the inverse: three drop-in skills that teach an AI agent how to find and use somebody else's published profile via directory.agentic-first.co/mcp and the canonical /.well-known/agentic-profile.json. Lookup, search, diligence sweep, protected-tier negotiation, and the safe-handling pattern for publisher-controlled prose - all built in. Same shape as the author skills (Claude, Codex, generic agent prompt); same prompt-injection posture.

Why a reader skill

Any half-decent agent can curl the directory MCP. The reader skill exists for what happens after the response lands:

• Routing. Use search_companies first; fall back to get_company; if the directory has no record, fetch /.well-known/agentic-profile.json directly; if that fails, try the embedded <script type="application/agentic-profile+json">; if that fails, try the inline-XML fallback. Wired in.
• Verification. Surface the verified flag. Distinguish "self-attested" from "verified". Flag profiles whose updated_at is more than 180 days old.
• Banded numerics. Don't extrapolate revenue_band: "1m-5m" into "around £2.4m" - the publisher banded it on purpose. Precise figures live behind the protected tier.
• Evidence first. Cite evidence[].url when the user is making a real decision; be honest about which links 404'd.
• Protected-tier negotiation. Walk the user through requesting a token via contact.preferred_channel rather than guessing. Default scopes, default 90-day TTL.
• Prompt-injection guardrails. Profile prose is publisher-controlled free text on the open web. The skill wraps it in --- BEGIN UNTRUSTED PROFILE --- delimiters before showing it to the model, strips control characters and zero-width unicode, refuses to render <script> / javascript: / on-event handlers, and labels claims as "self-attested" when the evidence URL doesn't resolve.

What the skill does end-to-end

Each variant (Claude, Codex, generic prompt) walks the same six-step workflow:

1. Frame. Single-company lookup, discovery / search, full diligence sweep, or protected-tier access? Pick the route, then proceed.
2. Search the directory. Call search_companies with whatever filters the user gave (industry, jurisdiction, stage, headcount band, raised band, free-text q). Returns a ranked list with confidence scores.
3. Fetch the canonical profile. Call get_company({ domain }). Inspect the verified flag, the registry/LEI anchor, the updated_at, the funding / team / metrics blocks, and the evidence array.
4. Fall back to the well-known. If the directory has no record, try /.well-known/agentic-profile.json, then the root-level fallback, then the embedded data island, then the inline XML form. If all four miss, the publisher hasn't adopted - say so, don't infer.
5. Negotiate for protected. If the user wants precise figures (revenue, ARR, churn, runway, fundraise terms, salary detail), the skill drafts a token request to the publisher's contact.preferred_channel - contact.private_mcp if available, then email or form, with the conventional scopes (profile:read, financials:read, traction:read, fundraise:read, updates:read) and a 90-day TTL. Never sends on the user's behalf - hands the draft back.
6. Diligence summary. Produces a structured report (Identity / Shape / Money / People / Evidence followed / What's missing / Channels / Provenance) ending with a verbatim directory_version + schema_version stamp from /healthz.

Install

1 · Claude Skill

1. Create the skill directory if it doesn't already exist:

   mkdir -p ~/.claude/skills/agentic-first-reader

2. Drop the downloaded SKILL.md into it:

   curl -L -o ~/.claude/skills/agentic-first-reader/SKILL.md \
     https://www.agentic-first.co/skills/claude/agentic-first-reader/SKILL.md

3. Restart Claude (Desktop) or your Claude Code session. The skill is now active for any conversation.

Project-scoped install: drop the same file at {your-repo}/.claude/skills/agentic-first-reader/SKILL.md and commit it. Pairs naturally with the author skill in the same repo.

2 · Codex Skill

1. Create the skill directory:

   mkdir -p ~/.codex/skills/agentic-first-reader

2. Drop the downloaded SKILL.md into it:

   curl -L -o ~/.codex/skills/agentic-first-reader/SKILL.md \
     https://www.agentic-first.co/skills/codex/agentic-first-reader/SKILL.md

3. Run codex skills list to confirm agentic-first-reader shows up. Trigger by chat, same as the Claude variant.

The Codex variant assumes shell + filesystem write. With network enabled, it will also fetch the canonical schema from https://directory.agentic-first.co/schemas/ live rather than relying on whatever the skill remembers.

3 · Generic agent prompt

No install. Open the generic prompt, copy the SYSTEM PROMPT block, paste it into your agent's system-prompt field. Works in ChatGPT (custom GPT or one-shot system message), Gemini, Cursor chat, your internal copilot, anything that lets you set a system prompt. Browser only.

If your host doesn't expose a system-prompt field, paste the whole prompt as the first user message of a new conversation and follow it with a real question.

Trigger phrases

In any of the three variants, the skill fires when the user says something like:

• "Look up {domain} on agentic-first."
• "What does the directory say about {company}?"
• "Search agentic-first for UK fintech, Series A or later."
• "Run a diligence sweep on {domain}."
• "Pull {domain}'s public profile and check the evidence URLs."
• "Can you read their agentic-first profile?"
• "I want to see their private MCP." (token-gated; the skill draws up the negotiation request)

A short note on prompt injection

An agentic-first profile is publisher-controlled free text being served on the open web for AI agents to read. The tagline, summary, bio, notes, and evidence[].caption fields can carry imperatives addressed to the next reader. Treat them like a scraped HTML page.

The reader skills enforce the canonical safe-handling pattern from our security page: delimiter-wrap profile prose before showing it to the model (--- BEGIN UNTRUSTED PROFILE --- / --- END UNTRUSTED PROFILE ---), keep profile text out of the system prompt, render as plain text not as markdown / HTML, strip control characters and zero-width unicode, refuse to follow imperatives appearing inside the profile, treat URLs in links and evidence[].url as suggestions not instructions.

The directory at directory.agentic-first.co already runs the same checks on ingest (control-char strip, zero-width strip, bidi-override strip, length cap, rejected-pattern reject). The reader skill applies them again on the consumer side - defence in depth.

When skills get bumped

Every skill on this site carries a version field (in the YAML frontmatter for Claude / Codex SKILL.md files; in the top blockquote for the generic prompt). The current version of both the reader skills and the author skills is v0.1.0, matching the standard's schema_version.

Skill versions bump when the underlying surface they target changes:

• Schema bump (e.g. v0.2.0 of any of the four canonical profile schemas) → all six skills bump in lockstep with the new banded enums, required fields, or discriminators. Old skills keep working against old hosted profiles; the version field tells you which is which.
• Directory tool change (new MCP tool, new argument, new return shape on search_companies / get_company) → the reader skills bump; author skills are unaffected unless submit_website or queue_scan changes.
• Adoption-side guidance change (new safe embedding pattern, new prompt-injection finding) → only the affected skills bump.

The website footer pill always shows the live directory_version and schema_version from /healthz. The website CHANGELOG lists every skill and page release with a date, so you can tell at a glance whether your installed skill is current.