Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

uinaf/skill-audit

Name: skill-audit
Author: uinaf

skills/skill-audit/SKILL.md

npx skillsauth add uinaf/skills skill-audit

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

Skill Audit

Audit a skill before calling it ready. Favor Tessl output, repo conventions, and the skill's actual file shape over taste.

Tessl is the skill-evaluation CLI this repo uses to review skills, score their quality, and suggest improvements. See tessl.io and the CLI docs. If npx tessl ... or tessl ... is unavailable, install or initialize Tessl before running the audit loop.

Principles

Evidence beats hunches
Discovery matters: score name and description before polishing the body
Keep SKILL.md lean; move depth into references/ or scripts only when they earn their keep
Prefer the smallest change set that improves activation, clarity, or verification
Audit only the requested scope; flag adjacent issues separately

Handoffs

Updating AGENTS, README, or other repo docs beyond the skill surface is documentation work.
Proving a product or code change works on real surfaces is runtime verification work.
Reviewing general code or a PR instead of a skill package is outside this skill's scope.

Before You Start

Define scope: one skill folder or the whole skills repo
Load the target repo's guidance files such as AGENTS.md, CLAUDE.md, or repo rules, when present
Read the target SKILL.md first, then nearby references/, scripts/, and agents/openai.yaml only as needed
Pick the right Tessl loop:
- single skill: npx tessl skill review --json skills/<name>
- full repo batch: use a repo wrapper such as ./scripts/skills/review.sh if one exists; otherwise run direct Tessl reviews per skill
- optimizer only when explicitly requested: npx tessl skill review --optimize --yes --max-iterations 1 skills/<name>

Workflow

Quick experiential feedback mode

Use this when the ask is "what did the skills fail to guide well during the last task?" rather than a formal skill audit.

Skip Tessl unless the user asks for scoring or the proposed edits touch trigger text.
Reconstruct the task failure from actual run evidence: wrong tool selected, bespoke script invented, missing hardening gate, unclear boundary, stale path, or excessive ceremony.
Map each failure to the smallest repo-owned skill/doc update that would have changed agent behavior.
Edit only those surfaces, then run the repo's normal skill review gate if available.

1. Run Tessl first

Capture the score, summary, and concrete suggestions before proposing edits. Prefer per-skill --json when you need a narrow audit loop or structured output. If Tessl is missing, use npx tessl ... first or follow the official docs before continuing.

2. Audit discovery

Use references/scorecard.md to check:

whether name is specific and memorable
whether description states what the skill does, when to use it, and its main boundary
whether likely user phrasing would activate the skill without extra prompting

Quick example:

weak: helper — "Helps with skills"
stronger: skill-audit — "Audits existing skills with Tessl scoring, metadata checks, and repo conventions"

3. Audit workflow shape

Check that the skill tells the agent how to start, what evidence to gather, what not to change, and what "done" looks like.

Concrete failure signs:

vague verbs like "help" without a workflow
missing output expectations
commands or paths that cannot be run as written
a fragile task described with high-level prose instead of tighter guardrails

4. Audit progressive disclosure

Check whether detail belongs in SKILL.md, references/, or executable scripts:

keep core workflow in SKILL.md
move dense doctrine, examples, or score rubrics into references/
use scripts for repeated deterministic work instead of asking the model to recreate them

Use references/best-practices.md when the skill feels bloated, under-specified, or hard to trigger.

5. Audit repo fit

Check for repo-relative links, stale paths, duplicated guidance, and conflicts with the source repo's conventions.

6. Synthesize the smallest useful change set

Separate blockers from polish. If edits are requested, fix the highest-leverage issues first, rerun Tessl, and report what improved.

Output

After an audit, report a compact audit footer:

scope audited
Tessl command and score
findings: highest-priority issues only, or none
changes: files changed or smallest recommended change
rerun status if edits were made

Keep details compact:

Report the Tessl score and actionable suggestions; summarize long output
Keep the footer to 5 labeled lines or fewer
If edits were made, name the behavioral change and verification

References

references/scorecard.md — audit dimensions, severity, and a compact review template
references/best-practices.md — distilled skill-authoring guidance from common repo conventions and Claude's skill best-practices guide

uinaf/skill-audit

skills/skill-audit/SKILL.md

Audit existing skills with Tessl scoring, metadata and trigger-coverage checks, repo conventions, and skill-authoring best practices. Use when creating or revising a skill, triaging weak self-activation, or comparing a skill against source-repo guidance such as `AGENTS.md`, `CLAUDE.md`, or repo rules, plus external skill guidance. Do not use to verify general application code or to rewrite unrelated docs.

2 stars

development

Updated May 24, 2026

$ install --global

skillsauth

npx skillsauth add uinaf/skills skill-audit

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: May 24, 2026, 2:05 AM175.7s11 files scanned

SKILL.md

name:: skill-audit
description:: Audit existing skills with Tessl scoring, metadata and trigger-coverage checks, repo conventions, and skill-authoring best practices. Use when creating or revising a skill, triaging weak self-activation, or comparing a skill against source-repo guidance such as `AGENTS.md`, `CLAUDE.md`, or repo rules, plus external skill guidance. Do not use to verify general application code or to rewrite unrelated docs.

Skill Audit

Audit a skill before calling it ready. Favor Tessl output, repo conventions, and the skill's actual file shape over taste.

Principles

Evidence beats hunches
Discovery matters: score name and description before polishing the body
Keep SKILL.md lean; move depth into references/ or scripts only when they earn their keep
Prefer the smallest change set that improves activation, clarity, or verification
Audit only the requested scope; flag adjacent issues separately

Handoffs

Updating AGENTS, README, or other repo docs beyond the skill surface is documentation work.
Proving a product or code change works on real surfaces is runtime verification work.
Reviewing general code or a PR instead of a skill package is outside this skill's scope.

Before You Start

Define scope: one skill folder or the whole skills repo
Load the target repo's guidance files such as AGENTS.md, CLAUDE.md, or repo rules, when present
Read the target SKILL.md first, then nearby references/, scripts/, and agents/openai.yaml only as needed
Pick the right Tessl loop:
- single skill: npx tessl skill review --json skills/<name>
- full repo batch: use a repo wrapper such as ./scripts/skills/review.sh if one exists; otherwise run direct Tessl reviews per skill
- optimizer only when explicitly requested: npx tessl skill review --optimize --yes --max-iterations 1 skills/<name>

Workflow

Quick experiential feedback mode

Use this when the ask is "what did the skills fail to guide well during the last task?" rather than a formal skill audit.

Skip Tessl unless the user asks for scoring or the proposed edits touch trigger text.
Reconstruct the task failure from actual run evidence: wrong tool selected, bespoke script invented, missing hardening gate, unclear boundary, stale path, or excessive ceremony.
Map each failure to the smallest repo-owned skill/doc update that would have changed agent behavior.
Edit only those surfaces, then run the repo's normal skill review gate if available.

1. Run Tessl first

2. Audit discovery

Use references/scorecard.md to check:

whether name is specific and memorable
whether description states what the skill does, when to use it, and its main boundary
whether likely user phrasing would activate the skill without extra prompting

Quick example:

weak: helper — "Helps with skills"
stronger: skill-audit — "Audits existing skills with Tessl scoring, metadata checks, and repo conventions"

3. Audit workflow shape

Check that the skill tells the agent how to start, what evidence to gather, what not to change, and what "done" looks like.

Concrete failure signs:

vague verbs like "help" without a workflow
missing output expectations
commands or paths that cannot be run as written
a fragile task described with high-level prose instead of tighter guardrails

4. Audit progressive disclosure

Check whether detail belongs in SKILL.md, references/, or executable scripts:

keep core workflow in SKILL.md
move dense doctrine, examples, or score rubrics into references/
use scripts for repeated deterministic work instead of asking the model to recreate them

Use references/best-practices.md when the skill feels bloated, under-specified, or hard to trigger.

5. Audit repo fit

Check for repo-relative links, stale paths, duplicated guidance, and conflicts with the source repo's conventions.

6. Synthesize the smallest useful change set

Separate blockers from polish. If edits are requested, fix the highest-leverage issues first, rerun Tessl, and report what improved.

Output

After an audit, report a compact audit footer:

scope audited
Tessl command and score
findings: highest-priority issues only, or none
changes: files changed or smallest recommended change
rerun status if edits were made

Keep details compact:

Report the Tessl score and actionable suggestions; summarize long output
Keep the footer to 5 labeled lines or fewer
If edits were made, name the behavioral change and verification

References

references/scorecard.md — audit dimensions, severity, and a compact review template
references/best-practices.md — distilled skill-authoring guidance from common repo conventions and Claude's skill best-practices guide

Related Skills

uinaf/react-ban-use-effect

development

VerifiedTrustedCommunity

Ban direct `useEffect` in React code. Use when writing, refactoring, reviewing, or migrating React components or hooks that import, call, add, or replace direct `useEffect`; when an agent reaches for effects for derived state, fetching, event reactions, resets, or external sync; or when adding lint/agent rules for a no-direct-useEffect policy. Do not use for ordinary React work with no effect smell, non-React code, or legitimate effect architecture outside React.

2SKILL.mdUpdated May 29, 2026

uinaf/react-ban-use-effect

uinaf/review-gang

development

VerifiedTrustedCommunity

Independently audit existing code, diffs, branches, or pull requests by spawning mandatory concern-specific reviewer subagents, then synthesizing their evidence into a ship decision. Use when triaging PR risk, deciding whether someone else's change is safe to ship, or following up after runtime proof. Produces a `ship it` / `needs review` / `blocked` verdict. Do not use to self-check a change you just authored.

2SKILL.mdUpdated May 24, 2026

uinaf/gh-setup

testing

VerifiedTrustedCommunity

Set up or align a repository's GitHub collaboration and delivery surface: repo settings, branch/ruleset policy, PR and security templates, Actions hardening, GitHub Environments, release workflows, and deploy workflows. Use when standardizing GitHub setup for repos, CI/CD, publishing versioned packages, or deploying running apps; route app deploy details to deploy references and package publish details to release references.

2SKILL.mdUpdated May 24, 2026

uinaf/autoreview

tools

VerifiedTrustedCommunity

Run structured Codex/Claude autoreview closeout for uncommitted changes, branch/PR diffs, or single commits: choose the target, run the bundled review helper, validate findings, and rerun focused tests until clean. Use when asked for autoreview, Codex review, Claude review, automated PR review, second-model review, or merge-readiness review.

2SKILL.mdUpdated May 24, 2026

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/uinaf/skills.git

# Copy into Claude Code skills folder (global)
cp -r skills/skills/skill-audit ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

uinaf/skills

2 stars

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT