Files
wehub-resource-sync 0d3cb498a3
CI / Shell Format Check (push) Has been cancelled
CI / Check Ruby (3.4) (push) Has been cancelled
CI / CI Config (push) Has been cancelled
CI / Test on Node ${{ matrix.node }} and ${{ matrix.os }}${{ matrix.shard && format(' (shard {0}/3)', matrix.shard) || '' }} (push) Has been cancelled
CI / Build on Node ${{ matrix.node }} (push) Has been cancelled
CI / Style Check (push) Has been cancelled
CI / Generate Assets (push) Has been cancelled
CI / Check Python (3.14) (push) Has been cancelled
CI / Check Python (3.9) (push) Has been cancelled
CI / Build Docs (push) Has been cancelled
CI / Code Scan Action (push) Has been cancelled
CI / Site tests (push) Has been cancelled
CI / webui tests (push) Has been cancelled
CI / Run Integration Tests (push) Has been cancelled
CI / Run Smoke Tests (push) Has been cancelled
CI / Go Tests (push) Has been cancelled
CI / Share Test (push) Has been cancelled
CI / Redteam (Production API) (push) Has been cancelled
CI / Redteam (Staging API) (push) Has been cancelled
CI / GitHub Actions Lint (push) Has been cancelled
CI / Check Ruby (3.0) (push) Has been cancelled
release-please / release-please (push) Has been cancelled
release-please / build (push) Has been cancelled
release-please / publish-npm (push) Has been cancelled
release-please / publish-npm-backfill (push) Has been cancelled
release-please / docker (push) Has been cancelled
release-please / publish-code-scan-action (push) Has been cancelled
release-please / attest-code-scan-action (push) Has been cancelled
Deploy local.promptfoo.app / Deploy to Cloudflare Pages (push) Has been cancelled
Test and Publish Multi-arch Docker Image / test (push) Has been cancelled
Test and Publish Multi-arch Docker Image / build-docker-and-push-digests (map[digest-suffix:linux-amd64 platform:linux/amd64 runner:ubuntu-latest]) (push) Has been cancelled
Test and Publish Multi-arch Docker Image / build-docker-and-push-digests (map[digest-suffix:linux-arm64 platform:linux/arm64 runner:ubuntu-24.04-arm]) (push) Has been cancelled
Test and Publish Multi-arch Docker Image / merge-docker-digests (push) Has been cancelled
Test and Publish Multi-arch Docker Image / Attest Multi-arch Image (push) Has been cancelled
Validate Renovate Config / Validate Renovate Configuration (push) Has been cancelled
chore: import upstream snapshot with attribution
2026-07-13 13:24:08 +08:00

275 lines
12 KiB
Markdown

---
title: Agent Skills for Evals and Red Teaming
description: Install Promptfoo agent skills for eval writing, provider setup, and red-team workflows in Claude Code and OpenAI Codex, with security configs and scan triage.
sidebar_label: Agent Skills
sidebar_position: 99
---
# Agent Skills for Evals and Red Teaming
AI coding agents can write promptfoo configs, but they often get the details wrong: shell-style env vars that do not work, hallucination rubrics that cannot see the source material, tests dumped inline instead of in files, and red-team configs that collapse real app inputs into one generic prompt field.
Promptfoo ships one agent-skill bundle with four focused skills — `promptfoo-evals` for eval authoring, `promptfoo-provider-setup` for connecting targets, and `promptfoo-redteam-setup` plus `promptfoo-redteam-run` for red-team setup and scan triage. The same bundle is published to both the [Claude Code](https://code.claude.com) and [OpenAI Codex](https://openai.com/index/codex) marketplaces.
It follows the open [Agent Skills](https://agentskills.io) standard, so the skills should also work with other compatible tools.
## Why use a skill?
Without the skill, agents frequently:
- Use `$ENV_VAR` syntax in YAML configs, which does not work because promptfoo uses Nunjucks `'{{env.VAR}}'`
- Write `llm-rubric` assertions that reference "the article" but don't inline the source, so the grader can't actually compare
- Dump all tests inline in the config instead of using `file://tests/*.yaml`
- Reach for `llm-rubric` when `contains` or `is-json` would be faster, free, and deterministic
The skill gives the agent these rules up front.
The red-team skills cover a different set of common mistakes: flattening
multi-input targets into one prompt field, choosing broad scans before mapping
the app boundary, and regenerating probes when a stable rerun would be easier to
compare.
## Install
### Via Claude Code marketplace
```bash
/plugin marketplace add promptfoo/promptfoo
/plugin install promptfoo@promptfoo
```
This installs all four skills. Ask the agent to create an eval, connect a
target, or run a red team and it routes to the right skill, or invoke one
directly with a namespaced slash command such as `/promptfoo:promptfoo-evals`.
:::note
This plugin was previously published as `promptfoo-evals` (eval skill only). If
you installed it under that name, reinstall with
`/plugin install promptfoo@promptfoo` to get the full four-skill bundle and
future updates.
:::
### Via Codex plugin bundle
For Codex, the same `plugins/promptfoo` bundle is exposed by
`.agents/plugins/marketplace.json`. Add it to a Codex workspace to install the
same four skills.
### The four skills
Both marketplaces install the same bundle at `plugins/promptfoo`, exposed by
`.claude-plugin/marketplace.json` for Claude Code and
`.agents/plugins/marketplace.json` for Codex:
| Skill | Use it for |
| -------------------------- | -------------------------------------------------------------------------- |
| `promptfoo-evals` | Non-redteam eval suites, assertions, test cases, and result inspection |
| `promptfoo-provider-setup` | HTTP targets plus JavaScript or Python `file://` providers and wrappers |
| `promptfoo-redteam-setup` | Focused redteam configs from live endpoints, OpenAPI specs, or static code |
| `promptfoo-redteam-run` | Running generated scans, triaging failures, and filtered reruns |
There is intentionally no meta selector skill. The agent routes from each skill's
description and default prompt.
Python providers are first-class in the bundle. The provider and redteam
skills cover Promptfoo's `file://provider.py` and
`file://provider.py:function_name` syntax for eval providers, redteam targets,
local graders, and local redteam generators, including `workers`, `timeout`, and
`PROMPTFOO_PYTHON` configuration.
To reuse the bundle in another workspace, copy `plugins/promptfoo` together with
its marketplace entry — `.claude-plugin/marketplace.json` for Claude Code or
`.agents/plugins/marketplace.json` for Codex.
For red teaming, `promptfoo-provider-setup` connects the system under test,
`promptfoo-redteam-setup` turns live endpoints, OpenAPI specs, or static code
into a scan plan, and `promptfoo-redteam-run` executes and triages the
generated probes.
### Manual install
For an eval-only setup, copy the self-contained
[`promptfoo-evals` skill](https://github.com/promptfoo/promptfoo/tree/main/.claude/skills/promptfoo-evals)
into your project:
**Claude Code** (project-level, recommended for teams):
```bash
cp -r promptfoo-evals your-project/.claude/skills/
```
**Claude Code** (personal, available in all projects):
```bash
cp -r promptfoo-evals ~/.claude/skills/
```
**OpenAI Codex / other Agent Skills tools**:
```bash
cp -r promptfoo-evals your-project/.agents/skills/
```
To add provider setup or red teaming as well, install the full bundle from the
marketplace (above) so the skills can hand off to each other, or copy the whole
[`plugins/promptfoo/skills`](https://github.com/promptfoo/promptfoo/tree/main/plugins/promptfoo/skills)
directory so the referenced sibling skills resolve.
:::note
Commit skills to `.claude/skills/` or `.agents/skills/` so every developer's
agent picks them up automatically, with no per-person install needed.
:::
Each skill consists of a `SKILL.md` with workflow instructions plus a
`references/` directory of assertion types, provider patterns, and config
examples (provider and redteam setup also include a `scripts/` directory).
## Usage
Once installed, the agent activates automatically when you ask it to create or
update eval coverage. In Claude Code, you can also invoke a skill directly with
a slash command (namespaced when installed from the marketplace):
```text
/promptfoo:promptfoo-evals Create an eval suite for my summarization prompt
```
In Codex and other Agent Skills tools, ask the agent to create an eval. The
skill activates from the task context.
For red-team work, ask for the task directly:
```text
Create a focused red team config for this invoice assistant. Preserve user_id, invoice_id, and message inputs; test policy, RBAC, and BOLA.
Run the generated redteam scan, summarize attack success rate, and give me the narrowest rerun command for failures.
```
The agent:
1. Search for existing promptfoo configs in the repo
2. Scaffold a new suite if needed (`promptfooconfig.yaml`, `prompts/`, `tests/`)
3. Write test cases with deterministic assertions first, model-graded when needed
4. Validate the config with `promptfoo validate`
5. Provide run commands
:::note
New to promptfoo? See [Getting Started](/docs/getting-started) for an overview of configs, providers, and assertions.
:::
## What the skill teaches
- **Deterministic assertions first.** Use `contains`, `is-json`, `javascript` before reaching for `llm-rubric`. Deterministic checks are fast, free, and reproducible.
- **File-based test organization.** Tests go in `tests/*.yaml` files loaded via `file://tests/*.yaml` glob, keeping configs clean as test count grows.
- **Dataset-driven scaling.** For larger suites, use `tests: file://tests.csv` or script-generated tests like `file://generate_tests.py:create_tests`.
- **Faithfulness checks done right.** When using `llm-rubric` to check for hallucination, the source material must be inlined in the rubric via `{{variable}}` so the grader can actually compare.
- **Pinned grader provider.** Model-graded assertions should explicitly set a grading provider (`defaultTest.options.provider` or `assertion.provider`) for stable scoring.
- **Environment variables.** Use Nunjucks syntax `'{{env.API_KEY}}'` in YAML configs, not shell syntax.
- **CI-friendly runs.** Use `promptfoo eval -o output.json --no-cache` and inspect `success`, `score`, and `error`.
- **Config field ordering.** description, env, prompts, providers, defaultTest, scenarios, tests.
The provider and red-team skills also teach the agent to:
- Keep real inputs such as user IDs, object IDs, documents, and tools visible so authorization and agent-boundary issues stay testable.
- Choose plugins such as `policy`, `rbac`, `bola`, `hijacking`, `prompt-extraction`, and `system-prompt-override` from live or static evidence instead of defaulting to one broad scan.
- Inspect generated probes before running them, reuse generated tests with `redteam eval` when possible, and separate grader failures from real target failures.
- Prefer no-share runs for internal systems and keep provider secrets in environment variables rather than committed configs.
## Example output
Ask the agent to "create an eval for a customer support chatbot that returns JSON" and it produces:
```yaml title="promptfooconfig.yaml"
# yaml-language-server: $schema=https://promptfoo.dev/config-schema.json
description: 'Customer support chatbot'
prompts:
- file://prompts/chat.json
providers:
- id: openai:chat:gpt-4.1-mini
config:
temperature: 0
response_format:
type: json_object
defaultTest:
assert:
- type: is-json
- type: cost
threshold: 0.01
tests:
- file://tests/*.yaml
```
```yaml title="tests/happy-path.yaml"
- description: 'Returns order status for valid customer'
vars:
order_id: 'ORD-1001'
customer_name: 'Alice Smith'
assert:
- type: is-json
value:
type: object
required: [status, message]
- type: javascript
value: "JSON.parse(output).status === 'shipped'"
```
A red-team setup should keep the security boundary visible instead of collapsing
it into one free-form prompt:
```yaml title="promptfooconfig.yaml"
description: 'Invoice assistant red team'
targets:
- id: https
label: invoice-assistant
inputs:
user_id: Signed-in user identifier.
invoice_id: Invoice being requested.
message: User message.
config:
url: '{{env.INVOICE_AGENT_URL}}'
method: POST
stateful: false
body:
user_id: '{{user_id}}'
invoice_id: '{{invoice_id}}'
message: '{{message}}'
transformResponse: json.output
redteam:
purpose: >-
Invoice assistant for signed-in users. It may answer questions about the
caller's invoices only and must not reveal or modify other users' invoices.
plugins:
- id: policy
config:
policy: The assistant must not disclose or modify another user's invoices.
- rbac
- bola
strategies:
- basic
```
## Customizing the skill
The skill is just markdown files. Edit them to match your team's conventions:
- **Add custom providers** to the reference files if your team uses specific models or endpoints.
- **Add assertion patterns** for your domain (e.g., medical accuracy rubrics, financial compliance checks).
- **Change the default layout** if your repo uses a different directory structure for evals.
## Related
- [Getting Started](/docs/getting-started): promptfoo overview for newcomers
- [Test Agent Skills](/docs/guides/test-agent-skills): compare Claude and Codex skill versions side by side
- [Configuration Reference](/docs/configuration/guide): full config schema documentation
- [Assertions Reference](/docs/configuration/expected-outputs): complete list of assertion types
- [Custom Providers](/docs/providers/custom-api): build Python, JavaScript, and HTTP providers
- [LLM Red Teaming](/docs/red-team/): security testing concepts and workflows
- [Red Team Coding Agents](/docs/red-team/coding-agents/): security evals for agentic systems
- [Coding Agent Plugins](/docs/red-team/plugins/coding-agent/): repository, sandbox, secret, and verifier-boundary checks
- [MCP Server](/docs/integrations/mcp-server): expose promptfoo to AI agents via MCP