bjornmelin/opensrc-inspect
skills/opensrc-inspect/SKILL.md
opensrc CLI—dep + upstream source. Triggers—impl beyond docs/types, version compare, upgrade diff audit, prewarm w/ `opensrc fetch` then `opensrc path`. Not general web or release-note-only.
$ install --global
skillsauthnpx skillsauth add bjornmelin/dev-skills opensrc-inspectInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 8, 2026, 3:15 AM163.4s4 files scanned
SKILL.md
- name:
- opensrc-inspect
- description:
- opensrc CLI—dep + upstream source. Triggers—impl beyond docs/types, version compare, upgrade diff audit, prewarm w/ `opensrc fetch` then `opensrc path`. Not general web or release-note-only.
Opensrc Inspect
Use this skill when source-level dependency inspection materially changes the answer. Prefer docs and types first; pull source when behavior, migration risk, or internal implementation details matter.
Core Workflow
- Read the repo
AGENTS.mdand inspect the repo's manifests and lockfiles. - Use the global
opensrcbinary when available. Fall back tobunx opensrconly if the binary is unavailable. - Use
opensrc fetchwhen the goal is cache-only prep for CI, scripts, or multi-package warmup:opensrc fetch --cwd <repo-root> zod react nextopensrc fetch <pkg>@<current_version> <pkg>@<target_version>
- Use
opensrc pathfor actual inspection, composition, and diffs:rg "pattern" $(opensrc path zod)cat $(opensrc path zod)/src/types.tsfind $(opensrc path pypi:requests) -name "*.py"git diff --no-index "$(opensrc path <pkg>@<current_version>)" "$(opensrc path <pkg>@<target_version>)"
- Cite exact versions and local paths when source evidence affects the recommendation.
- Use web/docs sources for release notes, API references, and changelogs; use opensrc for implementation internals and source diffs.
- If
/home/bjorn/.codex/skill-support/bin/deps-workbenchexists and the task is an npm/Bun dependency upgrade, use it as the fast prep layer before the deeper source reasoning:deps-workbench upgrade-prep --cwd <repo-root> --package <pkg> --out <tmp.json>deps-workbench report --input <tmp.json> --format md
Version Resolution Guardrails
opensrc0.7.x caches globally at~/.opensrc/and keys cache entries by resolved version or ref. The global cache is not the main risk.- The real risk is incorrect version resolution before fetch.
opensrc0.7.2 improved pnpm workspace and Yarn workspace/protocol handling, but you still need to verify the resolved version before trusting it.- For npm-family packages, current upstream code checks:
node_modules/<pkg>/package.jsonpackage-lock.jsonpnpm-lock.yamlyarn.lockpackage.json
- In Bun repos, use the workspace root as
--cwdby default. Ifnode_modulesis stale, opensrc can resolve a stale installed version first. - Verify the resolved version from the returned path before trusting it.
- For upgrade work or any ambiguity, pin versions explicitly:
opensrc path pkg@current_versionopensrc path pkg@target_version
Cache and Specs
- Source is cached globally in
~/.opensrc/.OPENSRC_HOMEoverrides the cache root. - Metadata lives in
~/.opensrc/sources.json, not in the project. - Use current spec forms only:
- npm:
zodwith accepted aliasnpm:zod - PyPI:
pypi:requestswith accepted aliasespip:requests,python:requests - crates.io:
crates:serdewith accepted aliasescargo:serde,rust:serde - repos:
owner/repo,github:owner/repo,gitlab:owner/repo,bitbucket:owner/repo, or full URLs - pinned refs:
owner/repo@tag,owner/repo#branch,pkg@version
- npm:
- Private repo auth uses
GITHUB_TOKEN,GITLAB_TOKEN, andBITBUCKET_TOKEN.
Prefer fetch vs path
- Use
opensrc fetchwhen you want deterministic cache warmup without printing paths, especially in CI, prep scripts, or before a multi-version comparison. - Use
opensrc pathwhen the next command needs the resolved filesystem path. - For current-versus-target analysis, prewarming with
fetchis optional; the important rule is that the actual inspection uses explicitly pinned versions.
Load These References When Needed
- Read
references/opensrc-cli-reference.mdwhen you need the exact modern CLI surface, cache model, supported spec forms and aliases, auth env vars, or release deltas. - Read
references/dependency-upgrade-audit.mdwhen the task is a package upgrade, current-versus-target comparison, migration audit, or hard-cut removal of obsolete package integrations. - Use the shared helper only to gather fast inventory, Bun signals, usage hits, and current/target opensrc paths. Keep the actual migration reasoning with the model.
Do Not Use This Skill For
- broad web research that does not require source inspection
- release-note summaries where docs alone answer the question
- simple API usage questions that types and official docs already resolve
Outputs
- resolved current and target versions
- exact local source paths used for analysis
- concise note on whether source inspection changed the conclusion
- for upgrade work, a hard-cut migration brief with obsolete code to remove
Related Skills
bjornmelin/kimi-ui-advisor
tools
VerifiedTrustedCommunity
Explicit-only Kimi Code CLI frontend/UI advisor for UI audits, redesigns, components, screenshots, before/after comparison, layout, styling, accessibility, responsive behavior, and visual polish. Use only when the user explicitly invokes `$kimi-ui-advisor` and wants Codex to ask Kimi for structured UI suggestions, then review, apply, and verify them in the repo.
2SKILL.mdUpdated May 28, 2026
bjornmelin/autoreview
development
VerifiedTrustedCommunity
Run a Codex-only structured code review closeout for local, branch, or commit diffs. Use when the user asks for autoreview, Codex review, structured closeout review, final review before commit/ship, or review after non-trivial code edits.
2SKILL.mdUpdated May 28, 2026
bjornmelin/firecrawl
tools
VerifiedTrustedCommunity
Use this skill for Firecrawl CLI web work: web search, URL scraping, site mapping, crawling, structured extraction, page interaction, monitoring changes, offline site download via x download, and parsing local documents such as PDF, DOCX, XLSX, HTML, DOC, ODT, or RTF. Trigger for requests to search the web, look up current info, fetch/read/scrape a URL, extract website data, crawl docs, click/fill/login/paginate a page, monitor page changes, save a site offline, or parse a document. Do not trigger for generic local file reads/edits, git/deploy/code tasks, or Firecrawl app integration work.
2SKILL.mdUpdated May 26, 2026
bjornmelin/sentry-triage-to-pr
tools
VerifiedTrustedCommunity
Triage unresolved Sentry issues into ranked groups, GitHub issue plans, branches, subspawn worktree assignments, PRs, and closeout loops using the sentry CLI, GitHub CLI, and local verification. Use when asked to prioritize Sentry backlogs, group production issues, create GitHub issues or PRs from Sentry evidence, or parallelize Sentry fixes.
2SKILL.mdUpdated May 14, 2026