alexei-led/evolving-config
dist/claude/plugins/discovery/skills/evolving-config/SKILL.md
Audit and improve AI coding-agent configuration. Use when reviewing or changing Claude Code, Pi, Codex, skill, agent, hook, MCP, permission, package, or generated-export setup. Default is review-only; fixes require explicit user approval or --fix. NOT for application config, git hygiene, code bugs, ordinary docs, or generated files without their source.
$ install --global
skillsauthnpx skillsauth add alexei-led/claude-code-config evolving-configInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Jun 5, 2026, 3:38 AM13.5s1 file scanned
SKILL.md
- argument-hint:
- [--fix] [scope]
- context:
- fork
- description:
- Audit and improve AI coding-agent configuration. Use when reviewing or
- model:
- sonnet
- name:
- evolving-config
- user-invocable:
- true
Evolving Agent Configuration
Audit AI coding-agent configuration with local evidence first. Default to
review-only. Apply fixes only when the user explicitly asks or passes --fix.
Claude tool use
- Use Read, Glob, and Grep for local inventory.
- Use WebFetch for official docs, changelogs, and exact source URLs.
- Use Perplexity only when official docs do not answer a current best-practice or ecosystem question.
- Use AskUserQuestion before ambiguous scope or risky fixes.
- Do not fetch broad web advice before reading local config.
Read first
references/RUBRIC.mdfor shared review dimensions and severity.references/platforms/claude-code.mdfor Claude Code surfaces.references/platforms/codex.mdfor Codex surfaces.references/platforms/pi.mdfor Pi surfaces.references/apply-fixes.mdonly in approved fix mode.
No dedicated Gemini coverage. If the user explicitly asks for Gemini config, review local files only and state that current best-practice coverage is skipped.
Modes
Review-only is the default for prompts such as "review my config", "audit config", "check setup", or "what should I improve".
Fix mode starts only when the user explicitly asks for changes or passes --fix.
Even then, ask before changing permissions, sandbox policy, hooks, MCP servers,
model routing, package installs, deletes, moves, broad rewrites, private config,
or managed settings.
Workflow
- Identify platform, config root, and mode.
- If scope is ambiguous, list detected surfaces and ask which to audit.
- Inventory relevant files with paths, sizes, and source/generated status.
- Read current files before recommending changes.
- Check the matching platform reference.
- Fetch official docs only when syntax, feature availability, or deprecation status is uncertain.
- Use broader web research only for source gaps or ecosystem comparisons.
- Classify findings by impact and disruption.
- In fix mode, apply only approved changes and verify.
Scope
Review AI-agent config only:
- Claude Code settings,
CLAUDE.md, skills, agents, commands, hooks, MCP, permissions. - Codex config,
AGENTS.md, profiles, sandbox, approvals, MCP, skills, subagents. - Pi settings, packages, skills, extensions, prompts, themes, context files.
- Plugin/package manifests and source-to-generated export rules.
Do not review app runtime config, git hook hygiene, product docs, source-code quality, or generated output as the source of truth.
Priorities
Flag these first:
- unsafe permissions, sandbox bypasses, broad MCP access, or secret exposure
- unsupported or stale keys, tool names, hook events, or model names
- generated exports edited by hand instead of source files
- duplicate or overlapping skills, agents, hooks, prompts, or trigger descriptions
- bloated startup context or always-loaded instructions that should be on demand
- hooks or extensions that hide errors, block safe work, or run risky commands
- missing validation for config that produces skills, agents, hooks, or packages
Output
## Config Audit
Scope: <platforms/files>
Mode: review-only | fix-approved
Sources: <local files and docs checked>
Confidence: high | medium | low
### Summary
- Files reviewed: N
- Generated files skipped: N
- Main risk: <one sentence>
### Critical
- `path:line` — issue. Evidence: <fact>. Fix: <action>.
### Important
- `path:line` — issue. Evidence: <fact>. Fix: <action>.
### Suggested
- `path:line` — issue. Evidence: <fact>. Fix: <action>.
### Working Well
- <config that should stay as-is>
### Verification
- <command run or recommended>
Omit empty severity sections. If no findings are confirmed, say No confirmed findings.
Failure handling
- Ambiguous target: ask one scoped question before auditing.
- Missing official docs: use local evidence, lower confidence, and report the gap.
- Generated file target: report the source path and regeneration command instead of editing it.
- Secrets or private data: do not quote secret values; identify only the path and key name when needed.
- Validation failure after a fix: revert the change unless the user asks to keep it, then report the exact error.
Related Skills
alexei-led/writing-shell
tools
VerifiedTrustedCommunity
Idiomatic shell development for POSIX sh, Bash, Zsh, Fish, hooks, CI shell steps, and scriptable CLI glue. Use when writing or changing `.sh`, `.bash`, `.zsh`, `.fish`, `.bats`, shell functions, shell pipelines, or command-runner recipes. Emphasizes portability, quoting, safe filesystem/process handling, non-TUI CLI tools, ShellCheck, shfmt, Bats, and ShellSpec. NOT for Python, TypeScript, Go, web code, or infrastructure operations.
33SKILL.mdUpdated Jun 5, 2026
alexei-led/spec-flow
tools
VerifiedTrustedCommunity
Use when planning, executing, checkpointing, finishing, or inspecting lightweight spec-driven work. Runs one task at a time using `.spec/` markdown files and the bundled `specctl` helper. NOT for broad product discovery beyond a short requirement interview.
33SKILL.mdUpdated Jun 5, 2026
alexei-led/operating-infra
testing
VerifiedTrustedCommunity
Author, inspect, troubleshoot, and review infrastructure across IaC, Kubernetes, cloud resources, containers, CI/CD, and Linux hosts. Use when changing Terraform/OpenTofu, Kubernetes, Helm, Kustomize, Dockerfiles, GitHub Actions, AWS, GCP, Cloud Run, BigQuery, IAM, logs, instances, or service health. NOT for deploy/apply/rollback workflows (see deploying-infra). NOT for shell scripts or generic command pipelines (see writing-shell).
33SKILL.mdUpdated Jun 5, 2026
alexei-led/configuring-git-hygiene
development
VerifiedTrustedCommunity
Configure safe git workflow hygiene: pre-commit/pre-push hooks, Gitleaks secret scanning, .gitignore rules, local git config, and guardrails. Use when setting up git hooks, gitleaks/git leaks, staged pre-commit checks, pre-push validation, core.hooksPath, .gitignore, or git config best practices. NOT for creating commits (use committing-code), cleaning branches/worktrees (use cleanup-git), or creating worktrees (use using-git-worktrees).
33SKILL.mdUpdated Jun 5, 2026