coalesce-labs/audit-references
plugins/meta/skills/audit-references/SKILL.md
Audit plugin health and find broken references in manifests, commands, agents, and skills
$ install --global
skillsauthnpx skillsauth add coalesce-labs/catalyst audit-referencesInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 1, 2026, 3:15 AM69.4s1 file scanned
SKILL.md
- name:
- audit-references
- description:
- Audit plugin health and find broken references in manifests, commands, agents, and skills
- disable-model-invocation:
- false
- allowed-tools:
- Bash, Read, Task, Glob, Grep, Edit
- version:
- 1.0.0
Audit References
You are tasked with auditing plugin health by finding broken references across all plugin manifests, commands, agents, skills, and documentation.
Initial Response
When invoked, immediately run the backing script to gather results:
SCRIPT_DIR="${CLAUDE_PLUGIN_ROOT}/scripts"
"${SCRIPT_DIR}/audit-references.sh" --json --all
Parse the JSON output to understand the full picture.
Process
Step 1: Run the Audit
Run the script with --json to get machine-readable output. The script checks three severity
levels:
- CRITICAL — Manifest entries (
plugin.json) pointing to files that don't exist on disk - WARNING — Path references in plugin source files (commands, agents, skills) that don't resolve
- INFO — Stale path references in documentation (cosmetic)
Step 2: Categorize and Present Results
Present findings grouped by severity:
## Plugin Reference Audit
### CRITICAL ({count})
These manifest entries declare files that don't exist. Plugins will fail to load these.
| Plugin | Manifest | Reference | Detail |
|--------|----------|-----------|--------|
| {plugin} | {manifest} | {ref} | {detail} |
### WARNING ({count})
Path references in plugin source files that don't resolve.
| Source File | Line | Reference | Detail |
|-------------|------|-----------|--------|
| {file} | {line} | {ref} | {detail} |
### INFO ({count})
Stale documentation references (cosmetic only).
| Source File | Line | Reference |
|-------------|------|-----------|
| {file} | {line} | {ref} |
Step 3: Attempt Auto-Resolution (CRITICAL and WARNING only)
For each broken reference at CRITICAL or WARNING level, try to find the actual file:
For CRITICAL (manifest entries):
- Extract the filename from the broken path (e.g.,
commands/deep_research.md) - Search the plugin directory for that filename using Glob
- If found elsewhere, report the correct path
- If not found anywhere, mark as genuinely missing
For WARNING (source references):
- Extract the filename from the broken path
- Search the repo for files with that name using Glob
- If found, suggest the reference update
- If not found, it may be a removed file — suggest removing the reference
Step 4: Present Resolution Plan
## Resolution Plan
### Auto-fixable ({count})
These broken references have clear fixes:
| # | File | Line | Current Reference | Suggested Fix | Confidence |
|---|------|------|-------------------|---------------|------------|
| 1 | {file} | {line} | {old_ref} | {new_ref} | High |
| 2 | {file} | {line} | {old_ref} | {new_ref} | Medium |
### Needs Manual Review ({count})
These references couldn't be auto-resolved:
| File | Line | Reference | Reason |
|------|------|-----------|--------|
| {file} | {line} | {ref} | File not found anywhere in repo |
### Safe to Ignore ({count})
These are documentation examples, templates, or prose references:
| File | Line | Reference | Why Safe |
|------|------|-----------|----------|
| {file} | {line} | {ref} | Example path in documentation |
Would you like me to:
1. Apply all auto-fixes
2. Apply fixes selectively (I'll ask about each)
3. Just show the report (no changes)
Wait for user response.
Step 5: Apply Fixes (if approved)
For each approved fix:
- Manifest entries: Use Edit to update the path in
plugin.json - Source references: Use Edit to update the path in the source file
- Removed files: Use Edit to remove or update the stale reference
After applying fixes, re-run the audit to verify:
"${SCRIPT_DIR}/audit-references.sh" --json
Present the before/after comparison:
## Audit Results After Fix
| Severity | Before | After |
|----------|--------|-------|
| CRITICAL | {before} | {after} |
| WARNING | {before} | {after} |
| INFO | {before} | {after} |
{remaining issues if any}
Important Notes
- Non-destructive by default: Only makes changes after user approval
- Manifest fixes are highest priority: CRITICAL issues mean plugins won't load correctly
${CLAUDE_PLUGIN_ROOT}paths are excluded: These resolve at runtime and are always valid- Template/example paths are excluded: Paths containing YYYY, XXXX, or example names are skipped
- Re-run after fixes: Always verify changes by re-running the audit
- The backing script can also be run standalone:
plugins/meta/scripts/audit-references.sh - For CI usage, run with
--jsonand check thecriticalcount in the output
Error Handling
- If the audit script is not found, report the error and suggest checking the plugin installation
- If
jqis not installed, the script will report this as a CRITICAL issue - If not in a git repository, the script will exit with an error
Related Skills
coalesce-labs/phase-remediate
testing
VerifiedTrustedCommunity
Phase-agent that fixes a failing verify verdict so the pipeline self-heals instead of stalling to needs-human (CTL-653). Reads `${ORCH_DIR}/workers/<ticket>/verify.json`, fixes the `findings[]` (every severity:"high" plus the regression_risk drivers) directly via Edit/Write, commits the remediation, and emits `phase.remediate.complete.<ticket>`. The scheduler's router then re-dispatches `verify` to re-check (the verify⇄remediate cycle, cap 3). Dispatched as a `claude --bg` job by `phase-agent-dispatch`, which invokes it via slash command — hence `user-invocable: true`.
14SKILL.mdUpdated May 28, 2026
coalesce-labs/plugins/dev/skills/phase-triage
tools
VerifiedTrustedCommunity
--- name: phase-triage description: Phase agent that triages a Linear ticket — expands acronyms, classifies (feature/bug/docs/refactor/chore), identifies genuine blockers (a semantic second-pass over the backlog — NOT a prose scrape; CTL-838), estimates scope, writes triage.json, and posts a triage analysis comment to Linear. Triage completion is signaled by that comment plus the local triage.json — there is no `triaged` label. Emits phase.triage.complete.<TICKET> on success and phase.triage.fai
14SKILL.mdUpdated May 18, 2026
coalesce-labs/phase-research
tools
VerifiedTrustedCommunity
Phase agent for the research step of the 9-phase orchestrator pipeline (CTL-450). Wraps /catalyst-dev:research-codebase and produces thoughts/shared/research/<date>-<ticket>.md, then emits phase.research.complete.<ticket>. Reads triage.json from the worker dir as its prior-phase artifact. Spawned via plugins/dev/scripts/phase-agent-dispatch, which invokes it via slash command — hence `user-invocable: true`.
14SKILL.mdUpdated May 18, 2026
coalesce-labs/phase-pr
development
VerifiedTrustedCommunity
Phase-agent wrapper that opens the pull request after implementation completes (CTL-449 Initiative 1 Phase 3). Delegates to `/catalyst-dev:create-pr` (which already auto-runs `describe-pr` and transitions Linear to `inReview`), then writes the PR number + URL into the phase signal file so the downstream `phase-monitor-merge` agent can read it without re-querying GitHub. Dispatched as a `claude --bg` job by `phase-agent-dispatch`, which invokes it via slash command — hence `user-invocable: true`.
14SKILL.mdUpdated May 18, 2026