julianobarbosa/shellcheck
skills/shellcheck/SKILL.md
Shell script static analysis and linting. USE WHEN shellcheck, lint shell, bash lint, sh lint, script analysis, shell errors, SC codes, shell best practices. Comprehensive shell script validation with CI/CD integration.
$ install --global
skillsauthnpx skillsauth add julianobarbosa/claude-code-skills shellcheckInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 30, 2026, 7:40 AM100.0s9 files scanned
SKILL.md
- name:
- shellcheck
- description:
- Shell script static analysis and linting. USE WHEN shellcheck, lint shell, bash lint, sh lint, script analysis, shell errors, SC codes, shell best practices. Comprehensive shell script validation with CI/CD integration.
ShellCheck - Shell Script Static Analysis
Auto-routes when user mentions shellcheck, shell linting, bash script analysis, or SC error codes.
Overview
ShellCheck is a GPLv3-licensed static analysis tool that identifies bugs in bash/sh shell scripts. It detects:
- Syntax errors and parsing issues
- Semantic problems causing unexpected behavior
- Quoting issues and word splitting bugs
- POSIX compatibility warnings
- Style and best practice violations
Voice Notification
When executing a workflow, do BOTH:
-
Send voice notification:
curl -s -X POST http://localhost:8888/notify \ -H "Content-Type: application/json" \ -d '{"message": "Running the WORKFLOWNAME workflow from the ShellCheck skill"}' \ > /dev/null 2>&1 & -
Output text notification:
Running the **WorkflowName** workflow from the **ShellCheck** skill...
Workflow Routing
| Workflow | Trigger | File |
|----------|---------|------|
| Analyze | "shellcheck this", "lint script", "check shell" | Workflows/Analyze.md |
| Fix | "fix shell errors", "apply shellcheck fixes" | Workflows/Fix.md |
| Setup | "setup shellcheck", "configure shellcheck" | Workflows/Setup.md |
| Explain | "explain SC2086", "what is SC code" | Workflows/Explain.md |
Quick Reference
Basic Usage
# Check a script
shellcheck myscript.sh
# Specify shell dialect
shellcheck -s bash myscript.sh
# Exclude specific codes
shellcheck -e SC2086,SC2046 myscript.sh
# Output formats
shellcheck -f gcc myscript.sh # Editor integration
shellcheck -f json myscript.sh # Machine readable
shellcheck -f diff myscript.sh # Auto-fix patches
Common SC Codes
| Code | Issue | Fix |
|------|-------|-----|
| SC2086 | Unquoted variable | "$var" |
| SC2046 | Unquoted command substitution | "$(cmd)" |
| SC2034 | Unused variable | Remove or export |
| SC2154 | Unassigned variable | Assign or disable |
| SC2155 | Declare and assign separately | Split declaration |
Inline Directives
# Disable for next command
# shellcheck disable=SC2086
echo $var
# Disable for entire file (after shebang)
#!/bin/bash
# shellcheck disable=SC2086,SC2046
Full Documentation
- Error Codes:
SkillSearch('shellcheck error codes')-> loads ErrorCodes.md - Configuration:
SkillSearch('shellcheck config')-> loads Configuration.md - CI/CD Integration:
SkillSearch('shellcheck ci')-> loads Integration.md - Best Practices:
SkillSearch('shellcheck practices')-> loads BestPractices.md
Examples
Example 1: Analyze a script
User: "shellcheck my deploy script"
-> Invokes Analyze workflow
-> Runs shellcheck with JSON output
-> Presents findings grouped by severity
-> Suggests fixes with wiki links
Example 2: Fix common issues
User: "fix the shellcheck errors in scripts/"
-> Invokes Fix workflow
-> Generates diff output
-> Applies fixes interactively
-> Re-runs validation
Example 3: Setup for project
User: "setup shellcheck for this repo"
-> Invokes Setup workflow
-> Creates .shellcheckrc
-> Adds pre-commit hook
-> Configures CI workflow
Example 4: Explain an error code
User: "what does SC2086 mean?"
-> Invokes Explain workflow
-> Fetches wiki documentation
-> Shows examples and fixes
-> Provides context-specific guidance
Gotchas
- SC2086 is wrong inside
[[ ]]: Bash's[[ ]]does not word-split, so[[ -n $var ]]is safe unquoted. Disabling SC2086 on[[ ]]blocks is a sign you're applying the lint to the wrong construct, not a sign the rule is broken. - SC2034 fires on indirectly-used variables: Variables consumed via
${!prefix*}indirection,declare -pintrospection, or sourced into another script trigger "unused" false positives. Use# shellcheck disable=SC2034with a comment explaining the indirection — don't silence globally. - Shebang determines the dialect, not the filename:
script.shwith#!/bin/shis checked as POSIX sh and rejects bashisms like[[ ]]or arrays. Either set the correct shebang or pass-s bashexplicitly; never rely on the.shextension. shellcheck -e SC2086,SC2046in.shellcheckrchides real bugs: Project-wide disables compound — a year later nobody remembers why and unquoted expansions ship to prod. Prefer inline disables with a justification comment over global suppression.- Source-following requires
-xflag:source ./lib.shis not analyzed by default. Run withshellcheck -x script.shfor full coverage, or add# shellcheck source=./lib.shdirectives. CI configs frequently miss this and ship un-linted sourced files. -f diffpatches assume the script parses cleanly: Syntax errors prevent the auto-fix output entirely, with no clear message. If-f diffproduces nothing, run without-ffirst and fix parse errors before re-running for patches.
Related Skills
julianobarbosa/ship
development
VerifiedTrustedCommunity
End-to-end branch delivery: commit (no AI attribution) → push → open a pull request → ensure a Board work item exists (create one per task, assigned to the configured user, if none) and link it → after merge, clean up branch and worktree. Auto-detects the platform from the remote — Azure Repos + Boards (azure-devops-node-api SDK; OAuth Bearer push fallback via `az`) or GitHub (Octokit; `gh` for auth). Scripts are TypeScript, run via `bun`. Use whenever asked to "ship", "ship it", "ship this branch", "open a PR", "push and open a PR", "raise a PR", "deliver this", "send this for review", or "create a PR and link the work item" — and when a direct push to main is blocked and the change needs to go through a PR instead.
78SKILL.mdUpdated May 30, 2026
julianobarbosa/your-skill-name
testing
VerifiedTrustedCommunity
Brief description of what this skill does. Include specific triggers - when should Claude use this skill? Example triggers, file types, or keywords that indicate this skill applies.
76SKILL.mdUpdated May 30, 2026
julianobarbosa/zsh-path
tools
VerifiedTrustedCommunity
Manage and troubleshoot PATH configuration in zsh. Use when adding tools to PATH (bun, nvm, Python venv, cargo, go), diagnosing "command not found" errors, validating PATH entries, or organizing shell configuration in .zshrc and .zshrc.local files.
76SKILL.mdUpdated May 30, 2026
julianobarbosa/zabbix-api
tools
VerifiedTrustedCommunity
Zabbix monitoring system automation via API and Python. Use when: (1) Managing hosts, templates, items, triggers, or host groups, (2) Automating monitoring configuration, (3) Sending data via Zabbix trapper/sender, (4) Querying historical data or events, (5) Bulk operations on Zabbix objects, (6) Maintenance window management, (7) User/permission management
76SKILL.mdUpdated May 30, 2026