deathbyknowledge/gsv-package-review
skills/gsv-package-review/SKILL.md
Guide on how to review GSV packages before approval, including source inspection, manifests, capabilities, entrypoints, staged edits, refs, and trust boundaries.
$ install --global
skillsauthnpx skillsauth add deathbyknowledge/gsv gsv-package-reviewInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 6, 2026, 2:48 AM167.9s1 file scanned
SKILL.md
- name:
- gsv-package-review
- description:
- Guide on how to review GSV packages before approval, including source inspection, manifests, capabilities, entrypoints, staged edits, refs, and trust boundaries.
GSV Package Review
Review Procedure
Start from metadata, then verify with source:
pkg list
pkg show <package>
pkg manifest <package>
pkg capabilities <package>
pkg refs <package>
pkg log <package> --limit 20
pkg source status <package>
A review should usually start from clean source. If staged edits exist, explain what they are before trusting the tree.
Inspect /src/packages/<package> directly. Identify browser, backend, CLI, public route, daemon, signal, and package profile entrypoints.
What To Check
- Requested Kernel capabilities match code paths that need them.
- Filesystem writes/deletes are scoped and intentional.
- Shell execution is justified and bounded.
- Repository mutation uses the correct repo and ref.
- Package lifecycle calls such as install, checkout, sync, approve, enable, and public visibility are justified.
- Process spawning, IPC, schedules, adapter calls, notifications, and public routes are explicit.
- Browser code does not abuse parent-window messaging or host bridge assumptions.
- Backend/public routes do their own webhook signature or route-specific authorization.
- Network access, dynamic import, eval-like behavior, and destructive actions are called out.
Mutating Commands
Use these only when the user asked for that action:
pkg add --repo owner/repo --ref main --subdir .
pkg approve <package>
pkg enable <package>
pkg disable <package>
pkg checkout <ref> <package>
pkg public on <package>
pkg public off <package>
Approval and enablement are separate. Approval trusts a package for its requested grants. Enablement activates entrypoints.
Verdict
Lead with findings when risks exist. End with one clear verdict:
- approve
- do not approve
- approve only after named fixes
Do not approve based on display name, description, screenshots, or UI polish alone.
Related Skills
deathbyknowledge/browser-shell
development
VerifiedTrustedCommunity
Use active GSV web shell browser targets to inspect windows/apps, run browser JS, open files, and move files across targets.
58SKILL.mdUpdated May 25, 2026
deathbyknowledge/gsv-process-identity
documentation
VerifiedTrustedCommunity
Guide on what a GSV process is, how to orient around its identity, cwd, virtual filesystem paths, source mounts, and runtime events.
58SKILL.mdUpdated May 6, 2026
deathbyknowledge/gsv-process-coordination
documentation
VerifiedTrustedCommunity
Guide on how to coordinate durable GSV processes, including spawning, IPC, handoffs, scheduled work, conversation state, and compaction.
58SKILL.mdUpdated May 6, 2026
deathbyknowledge/gsv-context-and-skills
documentation
VerifiedTrustedCommunity
Guide on how context and skills work in GSV and how to add/edit them.
58SKILL.mdUpdated May 6, 2026