jmagly/committer-2fa-audit
agentic/code/frameworks/security-engineering/skills/committer-2fa-audit/SKILL.md
Audit source-control organization settings for strong 2FA/MFA requirements across all committers
$ install --global
skillsauthnpx skillsauth add jmagly/aiwg committer-2fa-auditInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 24, 2026, 6:20 AM90.0s1 file scanned
SKILL.md
- namespace:
- aiwg
- name:
- committer-2fa-audit
- platforms:
- [all]
- description:
- Audit source-control organization settings for strong 2FA/MFA requirements across all committers
- - tracker-platform:
- github or gitea
- - token:
- org-admin token when querying member 2FA status
- - report:
- committer 2FA enforcement status and platform setting guidance
- - token-missing:
- org-admin token required for platform member audit
- - unsupported-platform:
- selected tracker does not expose 2FA enrollment status
- argumentHint:
- [--platform github|gitea] [--org <name>] [--report-only]
- allowedTools:
- Read, Bash
- model:
- sonnet
- category:
- security
- orchestration:
- false
Committer 2FA Audit
Audit whether all committers are covered by strong two-factor authentication policy. This enforces committer-2fa-required and maps curl Practice 25 into source-control governance.
GitHub
Requires an org-admin token supplied outside the prompt context. Query the org member endpoint with the 2FA-disabled filter and report non-compliant users.
Gitea
Gitea support is instance-dependent. When the API exposes 2FA status, report non-compliant users. When it does not, report the configured organization/site policy and mark member-level visibility as unavailable.
Token Handling
Follow token-security: read tokens from a secure environment or secret manager, do not echo them, do not paste them into issue comments, and do not persist audit responses containing token material.
References
agentic/code/frameworks/security-engineering/rules/committer-2fa-required.mdagentic/code/addons/aiwg-utils/rules/token-security.md
Related Skills
jmagly/radar-status
data-ai
VerifiedTrustedCommunity
Report which research-corpus radar sidecars are overdue for refresh. Computes staleness (days since last refresh vs the cadence window) for every radar, sorted most-overdue-first. Runs via `aiwg corpus radar-status`.
140SKILL.mdUpdated May 28, 2026
jmagly/radar-report
data-ai
VerifiedTrustedCommunity
Aggregate research-corpus radar sidecars into a corpus or per-cluster freshness report — totals, overdue count, per-cluster / per-GRADE / per-trajectory breakdowns, an overdue table, and per-radar rationale snippets. Runs via `aiwg corpus radar-report`.
140SKILL.mdUpdated May 28, 2026
jmagly/radar-init
testing
VerifiedTrustedCommunity
Scaffold radar/freshness sidecars for research-corpus REFs. Pulls title/authors from the citation sidecar and GRADE from the analysis doc, defaults the refresh cadence from GRADE and the cluster from a corpus-local map, and stamps documentation/radar/REF-XXX-radar.md. Runs via `aiwg corpus radar-init`.
140SKILL.mdUpdated May 28, 2026
jmagly/profile-temporal
data-ai
VerifiedTrustedCommunity
Compute an entity's publication trajectory — per-year paper counts, topic drift, hot-streak detection (≥3 consecutive A-grade years), and career phase. Runs via `aiwg corpus profile-temporal`.
140SKILL.mdUpdated May 28, 2026