Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

praneethkukunuru/.agents/skills/hephaestus-review

Name: .agents/skills/hephaestus-review
Author: praneethkukunuru

.agents/skills/hephaestus-review/SKILL.md

npx skillsauth add praneethkukunuru/synq-test-103 .agents/skills/hephaestus-review

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

hephaestus-review

Use this skill as the explicit quality gate before ship.

Purpose

Perform risk-first review for correctness, security, and maintainability.

Master Directive

This skill MUST follow .hephaestus/prompts/master-agent-directive.md. This skill MUST follow .hephaestus/prompts/db-navigation-contract.md. This skill MUST follow .hephaestus/prompts/ci-automation-contract.md. This skill MUST follow .hephaestus/prompts/security-review-contract.md.

Use When

Verification report exists.
A ship decision is being considered.

Inputs

.hephaestus/reports/<feature>-verify.md
.hephaestus/reports/<feature>-laziness-audit.md (when present)
.hephaestus/specs/<feature>.md
.hephaestus/plans/<feature>.md
Diff and changed files.
CI closeout and failure-summary artifacts when CI loop was active.
DB context (review_findings, verification_results, blockers, retrieval_chunks, raw_artifacts)
Shared API module (.hephaestus/db/storage/retrieval_api.py).

Outputs

.hephaestus/reports/<feature>-review.md
Rework requests to execute or spec-plan when needed.
DB updates in review_findings, blockers, handoffs, and artifact_index.
Security DB updates in security_findings and security retrieval chunks.

DB Reads

get_run_state, get_review_blockers, get_verification_summary, get_relevant_chunks
get_security_findings, get_security_blockers
get_ci_failure_summary, get_ci_workflow_states, get_recent_ci_failures_by_signature

DB Writes

register_artifact
insert_row on review_findings
persist_blocker (high-severity findings)
persist_retrieval_chunk
persist_security_finding
persist_security_control (for deterministic control checks asserted during review)
persist_handoff
persist_ci_workflow_state (resolved/unresolved/escalated closeout states when applicable)
create_review_gate
persist_security_gate_decision for explicit OWASP gate outcomes
persist_retrieval_audit via select_evidence_bundle
insert_row on approval_decisions for block/conditional/approve record

OWASP 2025 Security Lens

Evaluate all applicable A01-A10 categories for the changed surface.
Persist security findings with severity, category, and blocker policy.
Block ship on unresolved high/critical OWASP findings or missing security evidence.

Procedure

Query DB for minimal run context and unresolved findings first.
List findings by severity first.
Check spec-to-implementation and plan alignment.
Evaluate file growth risk, class/component growth risk, extract-module opportunities, and diff review safety.
Validate Pattern Alignment evidence:
- nearest existing precedent
- alignment decision
- deviation rationale
Validate verification evidence quality; reviewer may block ship solely on insufficient verification evidence.
Evaluate OWASP Top 10:2025 categories against changed surface and verification evidence.
Persist per-category deterministic control status (pass/fail/not_applicable) for touched categories.
Persist OWASP findings/chunks/blockers with explicit severity and blocker default.
Document security and maintainability risks.
Produce go/no-go recommendation with assets/review-report-template.md.
Persist findings by severity and blocking status using persist_review_memory(...).
Include CI automation status, unresolved CI blockers, and recurrence risk in findings.
Confirm CI loop decisions and reverification evidence are complete when CI failures occurred.
Handoff to ship or rework owner.

Guardrails

Findings first, summary second.
No ship recommendation with unresolved high-severity findings.
No ship recommendation with insufficient verification evidence.
Reviewer is independent from implementer completion authority.
Summaries must reference DB findings/chunks rather than duplicating earlier report text.
Reviewer may block ship if CI automation trail is incomplete or unverifiable.
Reviewer must block ship when CI evidence is insufficient or unstable.
Reviewer must block ship for unresolved high/critical OWASP findings or insufficient security evidence.

Handoff

Include:

Severity-ranked findings
Rework owner
Ship readiness decision

praneethkukunuru/.agents/skills/hephaestus-review

.agents/skills/hephaestus-review/SKILL.md

# hephaestus-review Use this skill as the explicit quality gate before ship. ## Purpose Perform risk-first review for correctness, security, and maintainability. ## Master Directive This skill MUST follow `.hephaestus/prompts/master-agent-directive.md`. This skill MUST follow `.hephaestus/prompts/db-navigation-contract.md`. This skill MUST follow `.hephaestus/prompts/ci-automation-contract.md`. This skill MUST follow `.hephaestus/prompts/security-review-contract.md`. ## Use When - Verific

tools

Updated Apr 16, 2026

$ install --global

skillsauth

npx skillsauth add praneethkukunuru/synq-test-103 .agents/skills/hephaestus-review

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: Apr 16, 2026, 7:20 PM9.1s3 files scanned

SKILL.md

hephaestus-review

Use this skill as the explicit quality gate before ship.

Purpose

Perform risk-first review for correctness, security, and maintainability.

Master Directive

Use When

Verification report exists.
A ship decision is being considered.

Inputs

.hephaestus/reports/<feature>-verify.md
.hephaestus/reports/<feature>-laziness-audit.md (when present)
.hephaestus/specs/<feature>.md
.hephaestus/plans/<feature>.md
Diff and changed files.
CI closeout and failure-summary artifacts when CI loop was active.
DB context (review_findings, verification_results, blockers, retrieval_chunks, raw_artifacts)
Shared API module (.hephaestus/db/storage/retrieval_api.py).

Outputs

.hephaestus/reports/<feature>-review.md
Rework requests to execute or spec-plan when needed.
DB updates in review_findings, blockers, handoffs, and artifact_index.
Security DB updates in security_findings and security retrieval chunks.

DB Reads

get_run_state, get_review_blockers, get_verification_summary, get_relevant_chunks
get_security_findings, get_security_blockers
get_ci_failure_summary, get_ci_workflow_states, get_recent_ci_failures_by_signature

DB Writes

register_artifact
insert_row on review_findings
persist_blocker (high-severity findings)
persist_retrieval_chunk
persist_security_finding
persist_security_control (for deterministic control checks asserted during review)
persist_handoff
persist_ci_workflow_state (resolved/unresolved/escalated closeout states when applicable)
create_review_gate
persist_security_gate_decision for explicit OWASP gate outcomes
persist_retrieval_audit via select_evidence_bundle
insert_row on approval_decisions for block/conditional/approve record

OWASP 2025 Security Lens

Evaluate all applicable A01-A10 categories for the changed surface.
Persist security findings with severity, category, and blocker policy.
Block ship on unresolved high/critical OWASP findings or missing security evidence.

Procedure

Query DB for minimal run context and unresolved findings first.
List findings by severity first.
Check spec-to-implementation and plan alignment.
Evaluate file growth risk, class/component growth risk, extract-module opportunities, and diff review safety.
Validate Pattern Alignment evidence:
- nearest existing precedent
- alignment decision
- deviation rationale
Validate verification evidence quality; reviewer may block ship solely on insufficient verification evidence.
Evaluate OWASP Top 10:2025 categories against changed surface and verification evidence.
Persist per-category deterministic control status (pass/fail/not_applicable) for touched categories.
Persist OWASP findings/chunks/blockers with explicit severity and blocker default.
Document security and maintainability risks.
Produce go/no-go recommendation with assets/review-report-template.md.
Persist findings by severity and blocking status using persist_review_memory(...).
Include CI automation status, unresolved CI blockers, and recurrence risk in findings.
Confirm CI loop decisions and reverification evidence are complete when CI failures occurred.
Handoff to ship or rework owner.

Guardrails

Findings first, summary second.
No ship recommendation with unresolved high-severity findings.
No ship recommendation with insufficient verification evidence.
Reviewer is independent from implementer completion authority.
Summaries must reference DB findings/chunks rather than duplicating earlier report text.
Reviewer may block ship if CI automation trail is incomplete or unverifiable.
Reviewer must block ship when CI evidence is insufficient or unstable.
Reviewer must block ship for unresolved high/critical OWASP findings or insufficient security evidence.

Handoff

Include:

Severity-ranked findings
Rework owner
Ship readiness decision

Related Skills

praneethkukunuru/system_architect

content-media

VerifiedTrustedCommunity

Design correctness and implementation drift owner

SKILL.mdUpdated Apr 16, 2026

praneethkukunuru/system_architect

praneethkukunuru/scrum_master

tools

VerifiedTrustedCommunity

Stage readiness and artifact completeness owner

SKILL.mdUpdated Apr 16, 2026

praneethkukunuru/scrum_master

praneethkukunuru/roadmap_advisor

tools

VerifiedTrustedCommunity

Roadmap Advisor

SKILL.mdUpdated Apr 16, 2026

praneethkukunuru/roadmap_advisor

praneethkukunuru/reviewer

testing

VerifiedTrustedCommunity

Correctness, security, and maintainability owner

SKILL.mdUpdated Apr 16, 2026

praneethkukunuru/reviewer

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/praneethkukunuru/synq-test-103.git

# Copy into Claude Code skills folder (global)
cp -r synq-test-103/.agents/skills/hephaestus-review ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

praneethkukunuru/synq-test-103

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT