richfrem/self-audit
plugins/agent-plugin-analyzer/skills/self-audit/SKILL.md
Trigger with "run self-audit", "test the analyzer", "regression test the plugin analyzer", "audit the agent-plugin-analyzer", or "verify the analyzer works correctly". Runs the analyze-plugin skill against the agent-plugin-analyzer itself and its test fixtures as a regression smoke test. Use this after making changes to the analyzer to verify nothing broke.
$ install --global
skillsauthnpx skillsauth add richfrem/agent-plugins-skills self-auditInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 24, 2026, 8:44 PM1.8s1 file scanned
SKILL.md
- name:
- self-audit
- description:
- >
- user-invocable:
- true
- argument-hint:
- [optional: path to plugin]
- allowed-tools:
- Bash, Read, Write
Dependencies
This skill requires Python 3.8+ and standard library only. No external packages needed.
To install this skill's dependencies:
pip-compile ./requirements.in
pip install -r ./requirements.txt
See ./requirements.txt for the dependency lockfile (currently empty — standard library only).
Self-Audit: Analyze the Analyzer
Run the analyze-plugin skill against the agent-plugin-analyzer itself and the test fixtures. This is a regression smoke test that verifies the analyzer produces consistent, expected results.
Execution Steps
-
Run inventory on self (security scanning is on by default):
python ./scripts/inventory_plugin.py --path . --format json -
Run scanner against test fixtures:
python ./scripts/inventory_plugin.py --path ./tests/gold-standard-plugin --format json python ./scripts/inventory_plugin.py --path ./tests/flawed-plugin --format json -
Validate deterministic scanner results:
Self-analysis scanner must confirm:
security_flags= [] (zero security findings in the analyzer itself)issues= [] (zero structural violations)
Gold-standard fixture scanner must confirm:
security_flags= [] (zero security findings)issues= [] (zero structural violations)warnings= [] (zero missing components)
Flawed fixture scanner must confirm:
security_flagscount ≥ 4 (network calls + env access; obfuscated credential is LLM-only)issuescount ≥ 1 (bash script violation)warningscount ≥ 2 (missing acceptance criteria + references)- See
./README.mdfor the full expected findings manifest
To run assertions programmatically:
python ./scripts/assert_audit.py --fixture flawed --json-output <path-to-scan-output.json> -
Run the full 6-phase analysis on each fixture:
tests/gold-standard-plugin/— should score maturity ≥ L2, zero Critical, at least 2 patterns identifiedtests/flawed-plugin/— LLM must additionally detect: missing README file tree, missing plugin manifest
-
Validate self-analysis (full 6-phase on the analyzer itself):
- Maturity Level ≥ L3
- Security score ≥ 4/5
- Structure score ≥ 4/5
- Pattern catalog governance model present with lifecycle states
-
Report deviations:
⚠️ SELF-AUDIT REGRESSION: [dimension] expected [X] got [Y] ✅ SELF-AUDIT PASSED: [N] scanner checks passed, [M] fixtures validated, [K] 6-phase checks passed
When to Run
- After any modification to the analyzer's own files
- Before creating a bundle for external review
- Before pattern catalog updates (to verify governance compliance)
Related Skills
richfrem/vector-db-ingest
tools
VerifiedTrustedCommunity
Ingests repository files into the ChromaDB vector store. Builds or updates the vector index from a manifest or directory scan using ingest.py. Use when new files need to be indexed or the vector store is out of date. <example> user: "Index these new plugin files into the vector database" assistant: "I'll use vector-db-ingest to add them to the vector store." </example> <example> user: "The vector store is missing recent files -- update it" assistant: "I'll use vector-db-ingest to re-index the changes." </example>
3SKILL.mdUpdated Jun 2, 2026
richfrem/vector-db-cleanup
data-ai
VerifiedTrustedCommunity
Removes stale and orphaned chunks from the ChromaDB vector store for files that have been deleted or renamed. Use after files are removed or moved to keep the vector index in sync with the filesystem. <example> user: "Clean up the vector store after I deleted some files" assistant: "I'll use vector-db-cleanup to remove orphaned chunks." </example> <example> user: "The vector database has chunks for files that no longer exist" assistant: "I'll run vector-db-cleanup to prune them." </example>
3SKILL.mdUpdated Jun 2, 2026
richfrem/vector-db-audit
testing
VerifiedTrustedCommunity
Audit Vector DB coverage -- compares the live filesystem manifest against the ChromaDB index to identify coverage gaps.
3SKILL.mdUpdated Jun 2, 2026
richfrem/rlm-search
development
VerifiedTrustedCommunity
3-Phase Knowledge Search strategy for the RLM Factory ecosystem. Auto-invoked when tasks involve finding code, documentation, or architecture context in the repository. Enforces the optimal search order: RLM Summary Scan (O(1)) -> Vector DB Semantic Search -> Grep/Exact Match. Never skip phases.
3SKILL.mdUpdated Jun 2, 2026