Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

datashaman/skills/review

Name: skills/review
Author: datashaman

skills/review/SKILL.md

npx skillsauth add datashaman/agentfiles skills/review

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

name: review

description: Produce an approve or block decision with reviewer-grade checks—maintainability, team policy, and OWASP-style web review—captured in review_decision.json.

Review

When to use

Reviewer Agent (or human) after verification_report.json is pass for merge-worthy work—or fail with documented risk acceptance (rare; usually fix first).

Inputs

verification_report.json, diff, team standards (CONTRIBUTING, security doc, ADRs).

Review sequence (grounded)

1. Verifier residual risk

Re-read findings. If any critical/high is open, default is block unless an explicit exception is documented (ticket + owner).

2. Correctness vs intent

Thoroughly verify the change against spec.json contracts: walk every declared API endpoint (method, path, request/response shapes, success and error status codes), data assumptions, and UI states (loading, success, error, empty). Treat naming mismatches, missing paths, wrong codes, and edge cases called out in ACs as defects—do not rely on the Verifier having caught them all.

3. Maintainability (quick)

Size: small PRs easier; if huge, note risk.
Duplication: new helpers vs copy-paste.
Naming & types: public API surface clear?
Tests: meaningful assertions, not only coverage theater.

4. Web security pass (diff-aware)

Answer these from the changed code:

AuthZ: Does every mutating or sensitive read check permission for the right resource (not only “logged in”)?
Input: Validation on boundary; reject oversize payloads where relevant.
Injection: Parameterized queries/ORM; no innerHTML with untrusted data; careful eval, exec, shell.
Secrets: No tokens/keys in code or logs; use existing secret patterns.
Headers / cookies: HttpOnly, Secure, SameSite where cookies carry auth.
SSRF / redirects: User-supplied URLs fetching server-side?

(Aligns with common OWASP categories; depth scales with exposure—internal admin vs public internet.)

5. Policy & compliance

License headers, PII handling, logging PII restrictions, feature flags per team rules.

Decision output

review_decision.json: decision approve | block, verification_ref, summary, blocking_findings (each with impact, owner per workflow), non_blocking_notes, metadata.

Anti-patterns

Blocking on taste without policy or defect link.
Approving with silent critical/high verifier findings.

datashaman/skills/review

skills/review/SKILL.md

--- ## name: review description: Produce an approve or block decision with reviewer-grade checks—maintainability, team policy, and OWASP-style web review—captured in review_decision.json. # Review ### When to use - Reviewer Agent (or human) after `verification_report.json` is **pass** for merge-worthy work—or **fail** with documented risk acceptance (rare; usually fix first). ### Inputs - `verification_report.json`, diff, team standards (CONTRIBUTING, security doc, ADRs). ### Review seque

development

Updated Apr 20, 2026

$ install --global

skillsauth

npx skillsauth add datashaman/agentfiles skills/review

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: Apr 20, 2026, 3:00 PM15.9s1 file scanned

SKILL.md

name: review

description: Produce an approve or block decision with reviewer-grade checks—maintainability, team policy, and OWASP-style web review—captured in review_decision.json.

Review

When to use

Reviewer Agent (or human) after verification_report.json is pass for merge-worthy work—or fail with documented risk acceptance (rare; usually fix first).

Inputs

verification_report.json, diff, team standards (CONTRIBUTING, security doc, ADRs).

Review sequence (grounded)

1. Verifier residual risk

Re-read findings. If any critical/high is open, default is block unless an explicit exception is documented (ticket + owner).

2. Correctness vs intent

Thoroughly verify the change against spec.json contracts: walk every declared API endpoint (method, path, request/response shapes, success and error status codes), data assumptions, and UI states (loading, success, error, empty). Treat naming mismatches, missing paths, wrong codes, and edge cases called out in ACs as defects—do not rely on the Verifier having caught them all.

3. Maintainability (quick)

Size: small PRs easier; if huge, note risk.
Duplication: new helpers vs copy-paste.
Naming & types: public API surface clear?
Tests: meaningful assertions, not only coverage theater.

4. Web security pass (diff-aware)

Answer these from the changed code:

AuthZ: Does every mutating or sensitive read check permission for the right resource (not only “logged in”)?
Input: Validation on boundary; reject oversize payloads where relevant.
Injection: Parameterized queries/ORM; no innerHTML with untrusted data; careful eval, exec, shell.
Secrets: No tokens/keys in code or logs; use existing secret patterns.
Headers / cookies: HttpOnly, Secure, SameSite where cookies carry auth.
SSRF / redirects: User-supplied URLs fetching server-side?

(Aligns with common OWASP categories; depth scales with exposure—internal admin vs public internet.)

5. Policy & compliance

License headers, PII handling, logging PII restrictions, feature flags per team rules.

Decision output

review_decision.json: decision approve | block, verification_ref, summary, blocking_findings (each with impact, owner per workflow), non_blocking_notes, metadata.

Anti-patterns

Blocking on taste without policy or defect link.
Approving with silent critical/high verifier findings.

Related Skills

datashaman/skills/verify

testing

VerifiedTrustedCommunity

--- ## name: verify description: Run the project’s quality gates, map results to spec acceptance criteria, and produce verification_report.json with evidence and severities. # Verify ### When to use - Verifier Agent after a change is claimed ready for review. - You need a **pass/fail** tied to evidence, not gut feel. ### Part A — Automated gates (use the repo’s real commands) Run what this repository already defines (examples—substitute from `package.json` scripts, `Makefile`, CI config):

SKILL.mdUpdated Apr 20, 2026

datashaman/skills/verify

datashaman/skills/specify

development

VerifiedTrustedCommunity

--- ## name: specify description: Turn a GitHub issue, ticket, or chat into scope, testable acceptance criteria, and concrete API/data/UI contracts for spec.json. Stop and consult the human stakeholder whenever anything is ambiguous or the source material is broken—never guess. Use before any implementation. # Specify ### When to use - Spec Agent (or anyone) must produce `spec.json` from messy input. - You need a **single source of truth** for what “done” means before code changes. ### Con

SKILL.mdUpdated Apr 20, 2026

datashaman/skills/specify

datashaman/skills/ship

testing

VerifiedTrustedCommunity

--- ## name: ship description: Cut a versioned release, run CI/deploy with health verification, and document rollback—output release_report.json aligned to your platform (Fly, Vercel, k8s, etc.). # Ship ### When to use - Release Agent after `review_decision.json` is **approve** and CI is green on the merging branch. ### Preconditions - You know **where** production runs and how deploys are triggered (GitHub Action, Git push tag, `fly deploy`, `vercel --prod`, etc.). - **Health check** URL

SKILL.mdUpdated Apr 20, 2026

datashaman/skills/ship

datashaman/skills/implement

development

VerifiedTrustedCommunity

--- ## name: implement description: Implement features with minimal surface area—match repo conventions, honor spec contracts, add focused tests, open a reviewable pull request, and record deviations in build_report.json. The finished artifact is a PR, not merely a local branch. # Implement ### When to use - Builder Agent (or developer) is turning an approved `spec.json` into a **pull request** reviewers can land (code + tests + PR description), not just a private branch. ### Preconditions

SKILL.mdUpdated Apr 20, 2026

datashaman/skills/implement

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/datashaman/agentfiles.git

# Copy into Claude Code skills folder (global)
cp -r agentfiles/skills/review ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

datashaman/agentfiles

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT