richfrem/self-audit
plugins/agent-scaffolders/skills/self-audit/SKILL.md
Trigger with "run self-audit", "test the analyzer", "regression test the plugin analyzer", "audit the agent-scaffolders", or "verify the analyzer works correctly". Runs the analyze-plugin skill against the agent-scaffolders itself and its test fixtures as a regression smoke test. Use this after making changes to the analyzer to verify nothing broke.
$ install --global
skillsauthnpx skillsauth add richfrem/agent-plugins-skills self-auditInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 27, 2026, 7:21 AM60.6s6 files scanned
SKILL.md
- name:
- self-audit
- plugin:
- agent-scaffolders
- description:
- >
- user-invocable:
- true
- argument-hint:
- [optional: path to plugin]
- allowed-tools:
- Bash, Read, Write
Dependencies
This skill requires Python 3.8+ and standard library only. No external packages needed.
To install this skill's dependencies:
pip-compile ./requirements.in
pip install -r ./requirements.txt
See ./requirements.txt for the dependency lockfile (currently empty — standard library only).
Self-Audit: Analyze the Analyzer
Run the analyze-plugin skill against the agent-scaffolders itself and the test fixtures. This is a regression smoke test that verifies the analyzer produces consistent, expected results.
Execution Steps
-
Run inventory on self (security scanning is on by default):
python ./scripts/inventory_plugin.py --path . --format json -
Run scanner against test fixtures:
python ./scripts/inventory_plugin.py --path ./tests/gold-standard-plugin --format json python ./scripts/inventory_plugin.py --path ./tests/flawed-plugin --format json -
Validate deterministic scanner results:
Self-analysis scanner must confirm:
security_flags= [] (zero security findings in the analyzer itself)issues= [] (zero structural violations)
Gold-standard fixture scanner must confirm:
security_flags= [] (zero security findings)issues= [] (zero structural violations)warnings= [] (zero missing components)
Flawed fixture scanner must confirm:
security_flagscount ≥ 4 (network calls + env access; obfuscated credential is LLM-only)issuescount ≥ 1 (bash script violation)warningscount ≥ 2 (missing acceptance criteria + references)- See
./README.mdfor the full expected findings manifest
To run assertions programmatically:
python ./scripts/assert_audit.py --fixture flawed --json-output <path-to-scan-output.json> -
Run the full 6-phase analysis on each fixture:
tests/gold-standard-plugin/— should score maturity ≥ L2, zero Critical, at least 2 patterns identifiedtests/flawed-plugin/— LLM must additionally detect: missing README file tree, missing plugin manifest
-
Validate self-analysis (full 6-phase on the analyzer itself):
- Maturity Level ≥ L3
- Security score ≥ 4/5
- Structure score ≥ 4/5
- Pattern catalog governance model present with lifecycle states
-
Report deviations:
⚠️ SELF-AUDIT REGRESSION: [dimension] expected [X] got [Y] ✅ SELF-AUDIT PASSED: [N] scanner checks passed, [M] fixtures validated, [K] 6-phase checks passed
When to Run
- After any modification to the analyzer's own files
- Before creating a bundle for external review
- Before pattern catalog updates (to verify governance compliance)
Related Skills
richfrem/task-agent
data-ai
VerifiedTrustedCommunity
Task management agent. Auto-invoked for task creation, status tracking, and kanban board operations using Markdown files across lane directories. V2 enforces Kanban Sovereignty constraints preventing manual task file edits.
3SKILL.mdUpdated Jun 9, 2026
richfrem/symlink-manager
development
VerifiedTrustedCommunity
Create, audit, repair, and document cross-platform symlinks that work correctly on both Windows and macOS/Linux. Use this skill whenever the user mentions symlinks, symbolic links, junction points, .gitconfig symlinks, broken links after git pull, cross-platform path issues, or needs help with ln -s equivalents on Windows. Also trigger when the user reports that files are missing or wrong after switching between Mac and Windows machines using Git. This skill solves the common problem where symlinks committed on macOS show up as plain text files on Windows (and vice versa) because of Git's core.symlinks setting or missing Developer Mode / elevated permissions. **IMPORTANT FOR WINDOWS USERS:** Developer Mode must be enabled before creating symlinks. Without it, Git will check out symlinks as plain-text files or hardlinks, breaking cross-platform workflows.
3SKILL.mdUpdated Jun 9, 2026
richfrem/red-team-bundler
development
VerifiedTrustedCommunity
Interactively prepares a targeted Red Team Review package. It conducts a brief discovery interview to determine the threat model, generates a strict security auditor prompt, compiles a manifest of relevant project files, and bundles them into a single Markdown artifact or ZIP archive ready for an external LLM (like Grok, ChatGPT, or Gemini) or a human reviewer.
3SKILL.mdUpdated Jun 9, 2026
richfrem/optimize-context
tools
VerifiedTrustedCommunity
Reduces AI agent context bloat across three dimensions: (1) duplicate skill deduplication — clears stale agent directory copies since the IDE already reads from plugins/ directly; (2) instruction file optimization — rewrites CLAUDE.md, GEMINI.md, or .github/copilot-instructions.md to under ~80 lines, keeping only rules that directly change agent behaviour; (3) session token efficiency — guidance on cheap subagent delegation, context compounding across turns, and session hygiene. Trigger with "optimize context", "reduce context bloat", "deduplicate skills", "trim CLAUDE.md", "trim GEMINI.md", "fix my context usage", "why are my skills loading twice", "how do I reduce token usage", or "clean up agent directories".
3SKILL.mdUpdated Jun 9, 2026