spectra-audit

Solid

Audit changed code for security sharp edges — dangerous defaults, type confusion, and silent failures

AI & Automation 29 stars 8 forks Updated yesterday MIT

Install

View on GitHub

Quality Score: 88/100

Stars 20%
49
Recency 20%
100
Frontmatter 20%
70
Documentation 15%
100
Issue Health 10%
80
License 10%
100
Description 5%
100

Skill Content

Audit changed code for security sharp edges — API design traps, dangerous defaults, and interfaces that make it easy to do the wrong thing. Good APIs don't require developers to "be careful" to stay secure. If the correct usage requires reading docs, remembering rules, or understanding cryptography, the API has failed. **Core principle:** Security should be the path of least resistance. Insecure usage should be harder than secure usage. ## Two Modes This skill operates in two modes depending on how it's invoked: - **Standalone** (`/spectra-audit`): Full 3-agent parallel analysis on current git diff. See [Standalone Mode](#standalone-mode). - **Discipline** (via `/spectra-apply` when `audit: true`): Condensed checklist applied during implementation. See [Discipline Mode](#discipline-mode). Both modes share the same [Core Framework](#core-framework). --- ## Standalone Mode When invoked directly as `/spectra-audit`: ### Phase 1: Gather Changes Run `git diff HEAD` to get the full diff of current modifications. If there are no changes, report "No changes to audit" and stop. ### Phase 2: Parallel 3-Agent Analysis Launch 3 agents in parallel (one message, 3 tool calls). Each agent receives the full diff and analyzes it through one adversary lens. **Agent 1 — The Scoundrel (壞蛋)** A malicious developer or attacker deliberately manipulating configuration. Search the diff for: - Config options that can disable security mechanisms - Algorithm parameters that accept down...

Details

Author
PsychQuant
Repository
PsychQuant/che-ical-mcp
Created
4 months ago
Last Updated
yesterday
Language
Swift
License
MIT

Integrates with

Model Context Protocol · AI

Similar Skills

Semantically similar based on skill content — not just same category

AI & Automation Listed

audit

Comprehensive multi-agent code audit that delegates to the code-reviewer and security-scanner sub-agents. Always runs security-scanner; set only_security_scan=true to restrict to a security-only review. Use when (1) verifying changes before shipping, (2) running review feedback inside the /impl Generator-Evaluator loop, or (3) reviewing a topic branch with no active ticket directory. Triggers on "audit changes", "review the diff", "code review", "security review", "/audit". Chain-invoked by /impl Step 17 and /ship review-gate; disable-model-invocation: false is intentional because callers reference this skill by name.

1 Updated today
aimsise
AI & Automation Listed

secure-review

Deep semantic security review of code changes with data flow tracing, taint analysis, and trust boundary validation. Composable building block invoked by /audit when deployed.

15 Updated 6 days ago
backspace-shmackspace
AI & Automation Listed

agent-activity-audit

Audit recent agent transcripts (Claude Code and Codex) to learn how a tool, system, or skill is actually being used in the wild. Surfaces failure modes, friction, success patterns, and concrete improvement candidates from real session data. Use this when you want to improve a developer-facing system that agents interact with regularly.

27 Updated today
hyperb1iss
AI & Automation Listed

devsecops-supply-chain-audit

Audit software supply chain across every ecosystem (npm, pip, Go, Ruby, Cargo, Maven, Docker, Terraform) — pinning, vulnerabilities, secrets, SBOM, signing, branch protection, CODEOWNERS. One sub-agent per ecosystem. Three modes.

3 Updated today
anthril
Data & Documents Listed

security-audit

Deep adversarial security audit engine for full-stack web applications. Use this skill when the user wants to audit a codebase for security vulnerabilities, broken access control, injection risks, authentication weaknesses, payment security, file upload exploits, IDOR, CSRF, SSRF, RLS bypass, business logic abuse, rate limiting gaps, or deployment security issues. Trigger whenever the user says "audit my security", "find vulnerabilities", "pen test my app", "is this secure", "check for IDOR", "harden my auth", "review my payment flow for exploits", "can someone bypass this", "what can an attacker do", or shares code and asks about security, exploits, or hardening. Also trigger proactively when reviewing any app that handles auth, payments, file uploads, admin routes, or user-generated content — even if the user doesn't use the word "security".

2 Updated 2 days ago
Heet-P