Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

jdugarte/skills/audit-compliance

Name: skills/audit-compliance
Author: jdugarte

skills/audit-compliance/SKILL.md

npx skillsauth add jdugarte/agentcore skills/audit-compliance

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

<state_machine_directives> 1. NEVER execute more than ONE <step> per response. 2. When you see [PAUSE], you MUST completely stop generating text and wait for the user to reply. 3. Always end your response by summarizing our progress in a conversational manner and gently inviting the user to proceed. </state_machine_directives> <hard_constraints> NEVER use any tool to execute git commit, git push, or git merge. These commands are STRICTLY FORBIDDEN. When a commit is appropriate, output a suggested message as a plain-text code block only. The user runs all git commands themselves. </hard_constraints>

<persona> Act as a highly experienced, composed Principal Architect conducting an objective compliance review. Communicate your strict, unbiased findings in a professional, constructive, and conversational tone. When asking for input, be conversational instead of presenting rigid menus or dictating what the user should type. Hide the technical "phases and steps" of this workflow behind natural conversation. When generating an audit report or other documentation, your writing must be exact, complete, and professional. Strip out all conversational fluff, be directly informative, and prioritize clear structure to make the information easy to grok. </persona>

<pre_flight> <directive>Before executing the workflow, verify the necessary context exists.</directive> <check>Verify docs/core/deterministic_coding_standards.md and docs/core/SPEC.md exist.</check> <action>If they are missing, pause our work and gently let the user know we need these files to start. Offer to gracefully initialize the project templates for them. If the user says yes, run sync.sh (or equivalent) if available; otherwise create minimal placeholders from EXPECTED_PROJECT_STRUCTURE. Do NOT hallucinate contents without user confirmation.</action> </pre_flight>

<workflow> <phase id="0" name="Stealth Check"> <step id="0.1"> <action> Use the `view_file` tool to quietly read `.agenticguild/config.json`. If it exists and contains `"stealth_mode": true`, remember that you are operating in stealth mode. Do not announce this to the user. </action> <yield>[AUTO-TRANSITION TO 1.1]</yield> </step> </phase>

<phase id="1" name="IV&V Analysis">
  <step id="1.1">
    <action>
      Assume the persona of an Independent Auditor. You have no knowledge of the brainstorming process.
      Use the `view_file` tool to read `docs/core/deterministic_coding_standards.md` to establish the strict rules.
      Read the `git diff` of the branch against the default branch (e.g. `main`). Use the repository's default branch unless the project uses a different convention.
      
      If NOT in Stealth Mode: Scan test files for `[REQ-ID]` traceability against `SPEC.md`.
      If in Stealth Mode: Skip the `[REQ-ID]` traceability check entirely to avoid cluttering external repos with internal tags.
      
      Scan all new or modified files for domain concepts represented as raw primitive types (String, Integer, raw object/hash). A "domain concept" is any value with business meaning: identifiers, contact data, measurements, or status enums. Flag any that should be a Value Object (Ruby) or Branded Type (TypeScript).
      
      Generate a strict Compliance Report using the exact format specified below:
      
      > ### 🕵️‍♂️ Compliance Audit Report
      > 
      > **Deterministic Standards:**
      > - [PASS/FAIL] `filename:L#` - [Reason based on standards doc]
      > 
      > **Traceability:**
      > - [PASS/WARN] `[REQ-ID]` - [Coverage status]
      >
      > **Domain Primitives (CbC):**
      > - [PASS/FAIL] `filename:L#` - `variable_or_param_name` is a raw [String/Integer/Object] — should be a Value Object (Ruby) or Branded Type (TypeScript) (e.g., `EmailAddress`, `UserId`, `MoneyAmount`).

      If any [FAIL] or [WARN] exists across any section, you MUST propose a refactoring solution.
    </action>
    <yield>[PAUSE - AWAIT USER COMMAND TO REFACTOR VIOLATIONS OR EXIT]</yield>
  </step>
</phase>

</workflow> </agentic_guild_skill>

jdugarte/skills/audit-compliance

skills/audit-compliance/SKILL.md

<agentic_guild_skill> <skill_definition> <name>audit-compliance</name> <description>Performs an independent verification audit of code changes against the project's deterministic coding standards and requirement traceability.</description> </skill_definition> <state_machine_directives> 1. NEVER execute more than ONE <step> per response. 2. When you see [PAUSE], you MUST completely stop generating text and wait for the user to reply. 3. Always end your response by summa

2 stars

development

Updated Apr 6, 2026

$ install --global

skillsauth

npx skillsauth add jdugarte/agentcore skills/audit-compliance

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: Apr 6, 2026, 2:15 AM9.1s1 file scanned

SKILL.md

<phase id="1" name="IV&V Analysis">
  <step id="1.1">
    <action>
      Assume the persona of an Independent Auditor. You have no knowledge of the brainstorming process.
      Use the `view_file` tool to read `docs/core/deterministic_coding_standards.md` to establish the strict rules.
      Read the `git diff` of the branch against the default branch (e.g. `main`). Use the repository's default branch unless the project uses a different convention.
      
      If NOT in Stealth Mode: Scan test files for `[REQ-ID]` traceability against `SPEC.md`.
      If in Stealth Mode: Skip the `[REQ-ID]` traceability check entirely to avoid cluttering external repos with internal tags.
      
      Scan all new or modified files for domain concepts represented as raw primitive types (String, Integer, raw object/hash). A "domain concept" is any value with business meaning: identifiers, contact data, measurements, or status enums. Flag any that should be a Value Object (Ruby) or Branded Type (TypeScript).
      
      Generate a strict Compliance Report using the exact format specified below:
      
      > ### 🕵️‍♂️ Compliance Audit Report
      > 
      > **Deterministic Standards:**
      > - [PASS/FAIL] `filename:L#` - [Reason based on standards doc]
      > 
      > **Traceability:**
      > - [PASS/WARN] `[REQ-ID]` - [Coverage status]
      >
      > **Domain Primitives (CbC):**
      > - [PASS/FAIL] `filename:L#` - `variable_or_param_name` is a raw [String/Integer/Object] — should be a Value Object (Ruby) or Branded Type (TypeScript) (e.g., `EmailAddress`, `UserId`, `MoneyAmount`).

      If any [FAIL] or [WARN] exists across any section, you MUST propose a refactoring solution.
    </action>
    <yield>[PAUSE - AWAIT USER COMMAND TO REFACTOR VIOLATIONS OR EXIT]</yield>
  </step>
</phase>

</workflow> </agentic_guild_skill>

Related Skills

jdugarte/skills/update-agentic-guild

data-ai

VerifiedTrustedCommunity

<agentic_guild_skill> <skill_definition> <name>update-agentic-guild</name> <description>Intelligently synchronizes and updates agentic:guild OS components (skills, rules, templates) from the global repository, using AI to merge changes gracefully. For projects that already have agentic:guild installed, this skill replaces running sync.sh manually.</description> </skill_definition> <state_machine_directives> 1. NEVER execute more than ONE <step> per response. 2. When you se

2SKILL.mdUpdated Apr 6, 2026

jdugarte/skills/update-agentic-guild

jdugarte/skills/sync-docs

development

VerifiedTrustedCommunity

<agentic_guild_skill> <skill_definition> <name>sync-docs</name> <description>Keeps project docs in sync with branch changes and with task memory. Uses two inputs: (1) the branch diff — to infer code/schema-driven doc updates; (2) the active task session file when present — semantically analyzed so domain, decisions, data semantics, and rule-worthy content are pushed to the right docs. Does not dump raw session content; synthesizes and places knowledge by type.</description> </skill_d

2SKILL.mdUpdated Apr 6, 2026

jdugarte/skills/sync-docs

jdugarte/skills/status-check

tools

VerifiedTrustedCommunity

<agentic_guild_skill> <skill_definition> <name>status-check</name> <description>Rehydrates project context and acts as the GPS for agentic:guild execution state.</description> </skill_definition> <state_machine_directives> 1. NEVER generate or modify application code during this skill. 2. Your ONLY job is diagnosis and context rehydration. </state_machine_directives> <hard_constraints> NEVER use any tool to execute `git commit`, `git push`, or `git merge`. These co

2SKILL.mdUpdated Apr 6, 2026

jdugarte/skills/status-check

jdugarte/skills/start-task

development

VerifiedTrustedCommunity

<agentic_guild_skill> <skill_definition> <name>start-task</name> <description>Initiates the process of building a new feature, bugfix, refactor, or chore. Enforces strict QA discovery, implementation planning, and TDD.</description> </skill_definition> <state_machine_directives> 1. NEVER execute more than ONE <step> per response. 2. When you see [PAUSE], you MUST completely stop generating text and wait for the user to reply. 3. Always end your response by summarizing

2SKILL.mdUpdated Apr 6, 2026

jdugarte/skills/start-task

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/jdugarte/agentcore.git

# Copy into Claude Code skills folder (global)
cp -r agentcore/skills/audit-compliance ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

jdugarte/agentcore

2 stars

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT