sd0xdev/risk-assess
skills/risk-assess/SKILL.md
Uncommitted code risk assessment with breaking change detection, blast radius analysis, and scope metrics. Use when: evaluating PR risk, pre-commit risk check, large refactoring review. Not for: security vulnerabilities (use /codex-security), code correctness (use /codex-review-fast). Output: 3-dimension weighted score + risk level + gate.
$ install --global
skillsauthnpx skillsauth add sd0xdev/sd0x-dev-flow risk-assessInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 18, 2026, 4:14 AM40.7s4 files scanned
SKILL.md
- name:
- risk-assess
- description:
- Uncommitted code risk assessment with breaking change detection, blast radius analysis, and scope metrics. Use when: evaluating PR risk, pre-commit risk check, large refactoring review. Not for: security vulnerabilities (use /codex-security), code correctness (use /codex-review-fast). Output: 3-dimension weighted score + risk level + gate.
Risk Assessment
When NOT to Use
- Security vulnerability detection (use
/codex-security) - Code correctness / lint / test review (use
/codex-review-fast) - Project-level health audit (use
/project-audit)
Procedure
- Run
bash scripts/run-skill.sh risk-assess risk-analyze.js --jsonto collect deterministic scores - Parse the JSON output — overall_score, risk_level, dimensions, flags, gate, next_actions
- If risk_level = Critical (score 75-100) — highlight all breaking signals, recommend splitting PRs
- If risk_level = High (score 50-74) — auto-escalate to
--mode deep, detail blast radius - If risk_level = Medium (score 30-49) — summarize dimensions, note areas of concern
- If risk_level = Low (score 0-29) — brief summary, confirm safe to proceed
- Add qualitative interpretation beyond the scores (e.g., "high blast radius but all dependents are test files")
Script Integration
The script analyzes 3 dimensions + 2 conditional flags:
| Dimension | Weight | What It Measures | |-----------|--------|-----------------| | breaking_surface | 45% | Removed exports, renamed APIs, changed signatures, deleted modules | | blast_radius | 35% | Number of files importing changed modules (grep-based) | | change_scope | 20% | File count, LOC delta, directory span, rename ratio |
| Flag | Trigger | What It Checks | |------|---------|---------------| | migration_safety | Migration/schema files in diff | Rollback/down file exists | | regression_hint | (v2 stub) | Future: git history analysis |
Scoring Model
- Overall:
breaking_surface * 0.45 + blast_radius * 0.35 + change_scope * 0.20 - Each dimension: 0-100 scale
- Overall: 0-100 scale
Risk Levels
| Score | Level | Gate | Exit Code | |-------|-------|------|-----------| | 0-29 | Low | PASS | 0 | | 30-49 | Medium | PASS | 0 | | 50-74 | High | REVIEW | 1 | | 75-100 | Critical | BLOCK | 2 |
Script Failure Fallback
If the script fails, report the error and suggest running manually:
bash scripts/run-skill.sh risk-assess risk-analyze.js --json
Output Format
## Risk Assessment Report
| Field | Value |
|-------|-------|
| Score | **[N]/100** |
| Risk Level | [icon] [level] |
| Gate | [PASS/REVIEW/BLOCK] |
### Dimensions
[table of dimension scores + weights]
### Breaking Change Signals
[list of detected signals — only if any]
### Next Actions
[prioritized action items]
## Gate: [sentinel]
References
references/risk-dimensions.md— Signal catalog, import patterns, scoring bands (read when investigating a specific dimension)references/output-template.md— JSON schema, report templates per risk level (read when customizing output)
Verification
- [ ] Script ran successfully
- [ ] All 3 dimensions scored
- [ ] Qualitative interpretation added beyond raw scores
- [ ] Next actions are actionable (include commands where applicable)
- [ ] Gate sentinel present in output
Related Skills
sd0xdev/zh-tw
documentation
VerifiedTrustedCommunity
Rewrite the previous reply in Traditional Chinese
147SKILL.mdUpdated Apr 28, 2026
sd0xdev/watch-ci
development
VerifiedTrustedCommunity
Monitor GitHub Actions CI runs until completion. Use when: watching CI after push, checking build status, monitoring PR checks, waiting for CI completion, user says 'watch CI', 'check CI', 'CI status', 'monitor build', or /watch-ci. Not for: pushing code (use push-ci), creating PRs (use create-pr). Output: per-run verdict (pass/fail/timeout).
147SKILL.mdUpdated Apr 28, 2026
sd0xdev/verify
development
VerifiedTrustedCommunity
Verification loop — lint -> typecheck -> unit -> integration -> e2e
147SKILL.mdUpdated Apr 28, 2026
sd0xdev/update-docs
development
VerifiedTrustedCommunity
Research current code state then update corresponding docs, ensuring docs stay in sync with code.
147SKILL.mdUpdated Apr 28, 2026