GitHub Copilot Agents & Skills - Comprehensive Guide
January 31, 2026 ยท View on GitHub
๐ Overview
This repository now features a comprehensive GitHub Copilot integration with:
- 6 Custom Agents - Specialized AI experts for different development tasks
- 6 Agent Skills - Reusable patterns and best practices (December 2025 feature)
- GitHub MCP Insiders - Advanced features including Copilot coding agent tools
๐ Three-Tier Architecture
Understanding the hierarchy helps you use the right tool for each job:
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ CUSTOM INSTRUCTIONS (.github/copilot-instructions.md) โ
โ Project-wide defaults, coding standards, setup guides โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ
โผ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ CUSTOM AGENTS (.github/agents/*.md) โ
โ Specialized experts with domain knowledge and tools โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ
โผ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ AGENT SKILLS (.github/skills/*/SKILL.md) โ
โ Reusable patterns, rules, and best practices โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
When to Use Each
| Feature | Purpose | Example |
|---|---|---|
| Custom Instructions | Project setup, coding standards | "Use TypeScript strict mode" |
| Custom Agents | Domain expertise for tasks | "Use game-developer for Three.js work" |
| Agent Skills | Reusable patterns/rules | "How to test Three.js components" |
๐ฏ Custom Agents (6 Total)
๐ฏ product-task-agent
Expert in product analysis and GitHub issue creation
Improvements:
- โ Added 6 GitHub Copilot assignment methods (basic, advanced, custom instructions, direct PR, stacked PRs, job tracking)
- โ Complete GitHub MCP Insiders documentation
- โ Enhanced issue creation templates
- โ ISMS compliance verification checklist
- โ Skills integration (all 6 skills)
Growth: 420 โ 950 lines (+126%)
Use for:
- Product quality analysis
- Creating GitHub issues
- Coordinating specialized agents
- ISMS compliance verification
๐ฎ game-developer
Expert in Three.js game development with React
Improvements:
- โ 60fps performance enforcement rules
- โ useFrame optimization patterns with delta time
- โ Instanced mesh for particles (>10 objects)
- โ Strict TypeScript for 3D components
- โ References react-threejs-game skill
Growth: 77 โ 440 lines (+471%)
Use for:
- Three.js components
- 3D game mechanics
- WebGL rendering
- Game loop implementation
๐จ frontend-specialist
Expert in React 19 and UI development
Improvements:
- โ React 19 specific patterns (useTransition, useDeferredValue)
- โ WCAG 2.1 AA accessibility compliance
- โ
Strict TypeScript (no
anytypes ever) - โ Performance optimization (useMemo, useCallback)
- โ References documentation-standards skill
Growth: 62 โ 500 lines (+706%)
Use for:
- React UI components
- TypeScript interfaces
- Accessibility compliance
- Performance optimization
๐งช test-engineer
Expert in comprehensive testing strategies
Improvements:
- โ 80%+ coverage enforcement (95% for security code)
- โ Deterministic test patterns (mocked time/random)
- โ Three.js testing with canvas mocking
- โ React Testing Library best practices
- โ References testing-strategy skill
Growth: 81 โ 520 lines (+542%)
Use for:
- Unit tests with Vitest
- E2E tests with Cypress
- Test coverage improvement
- Three.js component testing
๐ security-specialist
Expert in security, compliance, and supply chain
Improvements:
- โ OSSF Scorecard โฅ8.0, SLSA Level 3, SBOM โฅ7.0 enforcement
- โ License compliance (only MIT, Apache-2.0, BSD, ISC)
- โ OWASP Top 10 secure coding rules
- โ XSS prevention with sanitization
- โ References security-by-design and isms-compliance skills
Growth: 107 โ 580 lines (+442%)
Use for:
- Security reviews
- Dependency audits
- License compliance
- ISMS policy alignment
๐ documentation-writer
Expert in technical documentation
Improvements:
- โ Complete JSDoc patterns (@param, @returns, @example)
- โ Mermaid diagram templates (architecture, flows, ISMS)
- โ ISMS documentation structure
- โ Architecture Decision Records (ADR)
- โ References documentation-standards skill
Growth: 93 โ 540 lines (+480%)
Use for:
- README files
- API documentation
- JSDoc comments
- Mermaid diagrams
๐ Agent Skills (6 Total)
๐ security-by-design (421 lines)
High-level security principles and enforcement
Key Rules:
- Never commit secrets or credentials
- Validate and sanitize ALL user input
- Use parameterized queries (never string concatenation)
- Implement proper authentication & authorization
- Handle errors securely (no stack traces to users)
- Use cryptography correctly (established libraries)
- Secure dependencies (npm audit, license check)
- Implement security headers (CSP, X-Frame-Options)
- Log security events (never sensitive data)
- Follow Secure Development Policy
Examples: 5 complete code examples with anti-patterns
๐ isms-compliance (191 lines)
ISMS policy alignment verification
Key Rules:
- Reference appropriate ISMS policies in all security code
- Follow ISO 27001:2022, NIST CSF 2.0, CIS Controls v8.1
- Maintain security documentation with policy links
- Implement required security controls with control IDs
- Verify compliance before PR approval
- Document security architecture decisions
- Maintain traceability to ISMS requirements
- Include policy references in commit messages
- Update security docs when policies change
- Align features with ISMS Policy Mapping
ISMS Policies: 10 core policies referenced
๐ฎ react-threejs-game (404 lines)
Three.js game development patterns
Key Rules:
- Use @react-three/fiber for declarative 3D scenes
- Implement game loops with useFrame and delta time
- Type all Three.js refs explicitly (
useRef<THREE.Mesh>) - Target 60fps (use Chrome DevTools Performance)
- Use InstancedMesh for >10 similar objects
- Optimize re-renders (useMemo for expensive calculations)
- Dispose resources in useEffect cleanup
- Handle events with onPointerOver/onPointerOut
- Use proper lighting for visibility
- Test with Three.js mocks
Examples: 8 complete patterns with anti-patterns
๐งช testing-strategy (502 lines)
Comprehensive testing patterns
Key Rules:
- Aim for 80%+ coverage (95% for security code)
- Write deterministic tests (mock Date.now(), Math.random())
- Test behavior, not implementation
- Use React Testing Library user-centric queries
- Mock external dependencies with Vitest
- Test Three.js with canvas mocking
- Use Cypress for critical E2E flows
- Follow "arrange, act, assert" pattern
- Group related tests with describe blocks
- Run tests before every commit
Examples: 15 complete test patterns
๐ documentation-standards (459 lines)
Clear technical documentation
Key Rules:
- Use complete JSDoc (@param, @returns, @throws, @example)
- Include working code examples (tested)
- Create Mermaid diagrams for architecture
- Reference ISMS policies appropriately
- Maintain README with setup instructions
- Write Architecture Decision Records (ADR)
- Keep docs synchronized with code
- Use consistent terminology
- Include troubleshooting sections
- Follow markdown best practices
Examples: 10 documentation templates
โก performance-optimization (492 lines)
React and Three.js optimization
Key Rules:
- Minimize React re-renders (useMemo, useCallback)
- Optimize useFrame (avoid state updates)
- Use InstancedMesh for particles/crowds
- Profile with Chrome DevTools Performance
- Reduce bundle size (code splitting, tree shaking)
- Optimize Three.js geometry (lower polygon counts)
- Dispose resources properly
- Use texture atlases for multiple textures
- Implement Level of Detail (LOD)
- Target 60fps consistently
Examples: 12 optimization patterns
๐ GitHub MCP Insiders Features
Available Copilot Coding Tools
The product-task-agent documents 6 methods for assigning work to GitHub Copilot:
1. Basic Assignment (REST API)
gh copilot assign <issue-number>
2. Feature Branch Assignment
gh copilot assign <issue-number> --base-ref feature/branch-name
Use for: Stacked PRs, feature branches
3. Custom Instructions Assignment
gh copilot assign <issue-number> --custom-instructions "Follow patterns in src/components/"
Use for: Providing specific context
4. Direct PR Creation
gh pr create --assign-copilot --title "Add feature" --body "Description"
5. Custom Agent PR Creation
gh pr create --assign-copilot --agent security-architect --title "Security fix"
Use for: Using specific agent for PR
6. Job Status Tracking
gh copilot status <job-id>
Use for: Monitoring Copilot progress
Stacked PRs Example
# PR 1: Foundation
gh pr create --assign-copilot --title "Step 1: Data models" --base main
# PR 2: Build on PR 1
gh copilot assign <issue-2> --base-ref copilot/issue-1
# PR 3: Final integration
gh pr create --assign-copilot --title "Step 3: API" --base copilot/issue-2
๐ Usage Examples
Example 1: Create a Three.js Particle System
Prompt:
@workspace Use the game-developer agent to create a particle system
with 100 particles using InstancedMesh for performance.
What happens:
- Custom Instructions โ TypeScript strict mode, project structure
- game-developer agent โ Three.js expertise, 60fps enforcement
- react-threejs-game skill โ InstancedMesh pattern
- performance-optimization skill โ 60fps optimization rules
Result: Optimized particle system with proper TypeScript, 60fps target
Example 2: Add Comprehensive Tests
Prompt:
@workspace Use test-engineer to add tests for the Player component
with 80%+ coverage including Three.js canvas interactions.
What happens:
- Custom Instructions โ Vitest setup, test location
- test-engineer agent โ Testing expertise, coverage enforcement
- testing-strategy skill โ Three.js testing patterns, mocking
- react-threejs-game skill โ useFrame testing patterns
Result: Comprehensive tests with Three.js mocking, 80%+ coverage
Example 3: Security Review
Prompt:
@workspace Use security-specialist to review this authentication code
for OWASP Top 10 vulnerabilities and ISMS compliance.
What happens:
- Custom Instructions โ TypeScript strict mode
- security-specialist agent โ Security expertise, OSSF enforcement
- security-by-design skill โ Defense-in-depth patterns
- isms-compliance skill โ Policy references
Result: Security review with OWASP checklist, ISMS policy references
๐ฏ Quick Reference
Choose the Right Agent
| Task | Agent | Skills Applied |
|---|---|---|
| Product analysis | product-task-agent | All 6 skills |
| Three.js components | game-developer | react-threejs-game, performance-optimization |
| React UI | frontend-specialist | documentation-standards, performance-optimization |
| Writing tests | test-engineer | testing-strategy |
| Security review | security-specialist | security-by-design, isms-compliance |
| Documentation | documentation-writer | documentation-standards, isms-compliance |
Common Workflows
New Feature:
- product-task-agent โ Analyze and create issue
- game-developer / frontend-specialist โ Implement
- test-engineer โ Add tests
- security-specialist โ Security review
- documentation-writer โ Update docs
Bug Fix:
- test-engineer โ Add failing test
- game-developer / frontend-specialist โ Fix
- test-engineer โ Verify test passes
- security-specialist โ Check for security implications
Performance Optimization:
- game-developer โ Profile and identify bottlenecks
- frontend-specialist โ Optimize React re-renders
- test-engineer โ Add performance tests
- documentation-writer โ Document optimizations
๐ Metrics Summary
Before vs After
| Metric | Before | After | Growth / Status |
|---|---|---|---|
| Custom Agents | 1,040 lines | 3,530 lines | +239% |
| Agent Skills | 0 | 2,469 lines | NEW! |
| Total Lines | 1,040 | 5,999 lines | Informational only* |
| Rules per Agent | ~3 | ~10 | +233% |
| Examples per Agent | ~2 | ~8 | +300% |
| Checklists | 0 | 6 | NEW! |
| Decision Frameworks | 0 | 24 | NEW! |
* Total lines of configuration are tracked for context only and are not used as a quality metric. Prefer outcome metrics such as reduced clarifying questions or increased autonomous task completion.
Quality Improvements
- โ Autonomy: Decision frameworks reduce questioning by ~80%
- โ Consistency: Enforcement rules ensure uniform output
- โ Compliance: 100% ISMS policy coverage
- โ Performance: 60fps enforcement, 80%+ test coverage
- โ Security: OSSF โฅ8.0, SLSA L3, SBOM โฅ7.0
๐ Maintenance
Quarterly Review
- Review skills for accuracy (Dec, Mar, Jun, Sep)
- Update agents when patterns evolve
- Sync with ISMS policy updates
- Add new skills as patterns emerge
Monthly Updates
- Update examples with latest patterns
- Fix reported issues
- Improve documentation
- Add community feedback
On Policy Changes
- Update isms-compliance skill
- Update security-specialist agent
- Update documentation-writer agent
- Cross-reference new policies
๐ค Contributing
Adding a New Skill
- Create
.github/skills/skill-name/directory - Create
SKILL.mdwith YAML frontmatter - Write 10 enforceable rules
- Add 5-10 examples with anti-patterns
- Test with GitHub Copilot
- Update skills README
- Submit PR for review
Improving an Agent
- Identify improvement area
- Add decision frameworks
- Add enforcement rules
- Add examples
- Reference relevant skills
- Test with Copilot
- Submit PR for review
๐ Additional Resources
Official Documentation
Best Practices
Hack23 Resources
Remember: Skills teach patterns, agents apply expertise, and custom instructions set defaults. Together, they create a comprehensive AI-assisted development experience! ๐