alexei-led/evolving-config
dist/gemini/skills/evolving-config/SKILL.md
Audit and improve AI coding-agent configuration. Use when reviewing or changing Claude Code, Pi, Codex, skill, agent, hook, MCP, permission, package, or generated-export setup. Default is review-only; fixes require explicit user approval or --fix. NOT for application config, git hygiene, code bugs, ordinary docs, or generated files without their source.
$ install --global
skillsauthnpx skillsauth add alexei-led/claude-code-config evolving-configInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Jun 5, 2026, 3:38 AM11.5s1 file scanned
SKILL.md
- description:
- Audit and improve AI coding-agent configuration. Use when reviewing or
- name:
- evolving-config
Evolving Agent Configuration
Audit AI coding-agent configuration with local evidence first and current vendor docs second. Default to review-only. Apply fixes only after explicit approval.
Read first
references/RUBRIC.mdfor shared review dimensions and severity.references/platforms/claude-code.mdfor Claude Code surfaces.references/platforms/codex.mdfor Codex surfaces.references/platforms/pi.mdfor Pi surfaces.references/apply-fixes.mdonly when the user asks to fix or passes--fix.
No dedicated Gemini coverage. If the user explicitly asks for Gemini config, review local files only and state that current best-practice coverage is skipped.
Modes
Review-only is the default for prompts such as "review my config", "audit config", "check setup", or "what should I improve".
Fix mode starts only when the user explicitly asks for changes or passes --fix.
Even in fix mode, ask before risky changes: permissions, sandbox policy, hooks,
MCP servers, model routing, deletes, moves, broad rewrites, or private config.
Scope
Review these AI-agent configuration surfaces:
- Instruction files:
AGENTS.md,CLAUDE.md, command prompts, skill and agent bodies. - Claude Code:
.claude/, user/project/local settings, hooks, skills, agents, MCP, permissions. - Codex:
.codex/,~/.codex/config.toml, project config, profiles, sandbox, approvals, MCP, skills, subagents. - Pi:
.pi/,~/.pi/agent/, settings, packages, skills, extensions, prompts, themes, context files. - Plugin/package manifests and source-to-generated export rules.
- chezmoi or dotfile copies only when deployment is part of the request.
Do not review app runtime config, git hook hygiene, product docs, source-code quality, or generated output as the source of truth.
Workflow
- Identify the requested platform, config root, and mode.
- If ambiguous, list detected config surfaces and ask which to audit.
- Inventory relevant files with paths, sizes, and source/generated status.
- Read current files before recommending changes.
- Use the platform reference to check expected structure and high-risk settings.
- Use official docs or changelogs when syntax, feature availability, or deprecation status is uncertain.
- Use broad web research only for gaps or ecosystem comparisons; do not recommend changes from uncited blogs alone.
- Classify findings by impact and disruption.
- In fix mode, apply only approved changes and verify with available validation commands.
Priorities
Flag these first:
- unsupported or stale config keys, tool names, hook events, or model names
- unsafe permissions, sandbox bypasses, broad MCP access, or secret exposure
- generated exports edited by hand instead of source files
- duplicate or overlapping skills, agents, hooks, prompts, or trigger descriptions
- bloated startup context or always-loaded instructions that should be on demand
- hooks or extensions that hide errors, block safe work, or run risky commands
- missing validation for config that produces skills, agents, hooks, or packages
Output
## Config Audit
Scope: <platforms/files>
Mode: review-only | fix-approved
Sources: <local files and docs checked>
Confidence: high | medium | low
### Summary
- Files reviewed: N
- Generated files skipped: N
- Main risk: <one sentence>
### Critical
- `path:line` — issue. Evidence: <fact>. Fix: <action>.
### Important
- `path:line` — issue. Evidence: <fact>. Fix: <action>.
### Suggested
- `path:line` — issue. Evidence: <fact>. Fix: <action>.
### Working Well
- <config that should stay as-is>
### Verification
- <command run or recommended>
Omit empty severity sections. If no findings are confirmed, say No confirmed findings.
Failure handling
- Ambiguous target: ask one scoped question before auditing.
- Missing official docs: use local evidence, lower confidence, and report the gap.
- Generated file target: report the source path and regeneration command instead of editing it.
- Secrets or private data: do not quote secret values; identify only the path and key name when needed.
- Validation failure after a fix: revert the change unless the user asks to keep it, then report the exact error.
Related Skills
alexei-led/writing-shell
tools
VerifiedTrustedCommunity
Idiomatic shell development for POSIX sh, Bash, Zsh, Fish, hooks, CI shell steps, and scriptable CLI glue. Use when writing or changing `.sh`, `.bash`, `.zsh`, `.fish`, `.bats`, shell functions, shell pipelines, or command-runner recipes. Emphasizes portability, quoting, safe filesystem/process handling, non-TUI CLI tools, ShellCheck, shfmt, Bats, and ShellSpec. NOT for Python, TypeScript, Go, web code, or infrastructure operations.
33SKILL.mdUpdated Jun 5, 2026
alexei-led/spec-flow
tools
VerifiedTrustedCommunity
Use when planning, executing, checkpointing, finishing, or inspecting lightweight spec-driven work. Runs one task at a time using `.spec/` markdown files and the bundled `specctl` helper. NOT for broad product discovery beyond a short requirement interview.
33SKILL.mdUpdated Jun 5, 2026
alexei-led/operating-infra
testing
VerifiedTrustedCommunity
Author, inspect, troubleshoot, and review infrastructure across IaC, Kubernetes, cloud resources, containers, CI/CD, and Linux hosts. Use when changing Terraform/OpenTofu, Kubernetes, Helm, Kustomize, Dockerfiles, GitHub Actions, AWS, GCP, Cloud Run, BigQuery, IAM, logs, instances, or service health. NOT for deploy/apply/rollback workflows (see deploying-infra). NOT for shell scripts or generic command pipelines (see writing-shell).
33SKILL.mdUpdated Jun 5, 2026
alexei-led/configuring-git-hygiene
development
VerifiedTrustedCommunity
Configure safe git workflow hygiene: pre-commit/pre-push hooks, Gitleaks secret scanning, .gitignore rules, local git config, and guardrails. Use when setting up git hooks, gitleaks/git leaks, staged pre-commit checks, pre-push validation, core.hooksPath, .gitignore, or git config best practices. NOT for creating commits (use committing-code), cleaning branches/worktrees (use cleanup-git), or creating worktrees (use using-git-worktrees).
33SKILL.mdUpdated Jun 5, 2026