{"id":"f7908972-c539-471c-adf9-f1ac69b97d17","shortId":"jAdfmF","kind":"skill","title":"auditing","tagline":"Use when reviewing a bundle-plugin for structural issues, version drift, skill quality, workflow integration, or security risks — before releasing, after changes, or after adding skills. Auto-detects scope (full project vs skill vs workflow)","description":"# Auditing Bundle-Plugins\n\n## Overview\n\nSystematically evaluate a bundle-plugin project or a single skill across applicable quality categories — including security scanning — score each, and produce a diagnostic report. This skill is a pure diagnostic tool: it identifies and reports issues but does not orchestrate fixes.\n\n**Core principle:** Measure and report. A scored audit gives orchestrating skills (blueprinting, optimizing, releasing) the information they need to decide what to fix. When sources contradict, apply the authority hierarchy in `references/source-of-truth-policy.md`.\n\n**This skill includes security scanning.** No need to invoke a separate security skill — see Category 10 under Full Project Audit.\n\n**Announce at start:** \"I'm using the auditing skill to audit [this project / this skill].\"\n\n**Plugin context:** When installed as a plugin, operate on the user's project (`$CLAUDE_PROJECT_DIR` / `<target-dir>`), not the plugin's own cache. Read files from and detect scope in the target; write all outputs (reports, JSON baselines) to the workspace's `.bundles-forge/audits/`. See `references/input-normalization.md` for edge-case input types, naming conventions, and security rules. `<plugin-root>` in commands below resolves to `$CLAUDE_PLUGIN_ROOT` (Claude Code), `$CURSOR_PLUGIN_ROOT` (Cursor), or `.` (local development).\n\n## Resolve Input & Detect Scope\n\nThe target can be a local path, a GitHub URL, or a zip file. Normalize to a local directory, then detect scope. 
This applies to all three audit modes.\n\n### Input Normalization\n\n**This is a mandatory step — do not skip it or improvise paths.** Resolve the target to a local directory before proceeding to Scope Detection or any audit Step 1.\n\n1. **Resolve the workspace.** The workspace is `$CLAUDE_PROJECT_DIR` or `$CURSOR_PROJECT_DIR` (plugin mode), falling back to the current working directory.\n2. **Normalize the target by type:**\n   - **Local path** — use directly; no transformation needed.\n   - **GitHub URL** — parse `<owner>` and `<repo>` from the URL. Shallow-clone to `<workspace>/.bundles-forge/repos/<owner>__<repo>/` using `--depth 1 --no-checkout`, then run `git checkout`. If the directory already exists, append a `__<YYYYMMDD>` timestamp to avoid collisions. **Do not clone to `/tmp/`, `~/`, or any path outside `.bundles-forge/repos/`.**\n   - **Zip/tar.gz** — extract to `<workspace>/.bundles-forge/repos/<archive-name>/`.\n3. **Create the target subdirectory** if it does not exist.\n4. **On failure** (network error, 404, auth required, rate limit): tell the user what failed and suggest providing a local path or zip file instead. 
Do not silently skip or proceed with partial data.\n\nSee `references/input-normalization.md` for the full naming convention (version/timestamp suffixes), GitHub subdirectory URLs, and security rules.\n\n### Scope Detection\n\nAfter normalization, determine the audit scope from the resolved local path:\n\n| Target | How to Detect | Mode |\n|--------|--------------|------|\n| Project root | Has `skills/` directory | **Full audit** — all 10 categories |\n| Project root + workflow request | User explicitly requests workflow audit, or specifies `--focus-skills` | **Workflow audit** — 3-layer workflow checks (W1-W11) |\n| Single skill directory | Contains `SKILL.md` but no `skills/` subdirectory | **Skill audit** — 4 applicable categories |\n| Single SKILL.md file | Path ends in `SKILL.md` | **Skill audit** — 4 applicable categories |\n\n**If the target is a single skill, skip to the Skill Audit section below.**\n**If a workflow audit is requested, skip to the Workflow Audit section below.**\n\n---\n\n## Full Project Audit\n\n`audit-plugin` orchestrates `audit-security` (security), `audit-skill` (skill quality), `audit-workflow` (workflow integration), and `audit-docs` (documentation consistency D1-D9), then adds structure, manifest, version-sync, hook, and testing checks.\n\n**Categories at a glance** (see `references/plugin-checklist.md` for 60+ individual checks):\n\n| Category | Weight |\n|----------|--------|\n| Structure | High |\n| Platform Manifests | Medium |\n| Version Sync | High |\n| Skill Quality | Medium |\n| Cross-References | Medium |\n| Workflow | High |\n| Hooks | Medium |\n| Testing | Medium |\n| Documentation | Low |\n| Security | High |\n\n**Security Scan (Category 10):** Scans 7 attack surfaces. See `references/security-checklist.md` for the full pattern list. 
`security-checklist.md` is the canonical source; the table below is a quick-reference summary.\n\n| Target | Risk Level |\n|--------|-----------|\n| SKILL.md content | High |\n| Hook scripts | High |\n| Hook configs (HTTP hooks) | High |\n| OpenCode plugins | High |\n| Agent prompts | Medium |\n| Bundled scripts | Medium |\n| MCP configs | Medium |\n\n### Step 1 — Run Script Baseline\n\n**Prerequisites:** Target directory resolved to a local path (via Input Normalization above) with a `skills/` directory (Full audit scope confirmed).\n\n**Action:**\n\n```bash\nbundles-forge audit-plugin --json --output-dir .bundles-forge/audits <target-dir>\n```\n\nThis collects the deterministic baseline — structure, manifests, version sync, skill quality, cross-references, hooks, documentation, and security patterns are verified with reproducible results regardless of agent behavior.\n\n**Expected Output:** A JSON baseline file at `.bundles-forge/audits/audit_plugin-<YYYYMMDD-HHmmss>.json`. Verify the file exists and is valid JSON before proceeding to Step 2.\n\n**Failure Handling:**\n- **Exit code 0/1/2 with valid JSON file:** Proceed to Step 2. Exit 1 = warnings, exit 2 = critical findings — both are valid baselines.\n- **Exit code non-0/1/2 or stdout empty:** Retry with `python \"<plugin-root>/bin/bundles-forge\" audit-plugin --json --output-dir .bundles-forge/audits <target-dir>`. If both fail, check Python version (requires 3.9+), report the traceback and stop.\n\n### Step 2 — Dispatch Auditor\n\n**Prerequisites:** JSON baseline file from Step 1 exists at `.bundles-forge/audits/`.\n\n**Action:** Pass the JSON baseline file contents to the `auditor` agent (`agents/auditor.md`) as input context. The auditor is the single source of truth for scoring formula, report format, and qualitative assessment criteria. 
It adds ±2 qualitative score adjustments, narrative evaluation, and compiles a layered report using `references/plugin-report-template.md`.\n\nFull execution details — category weights, scoring formula, report format, Go/No-Go logic — are defined in `agents/auditor.md` and supported by checklists in `references/`.\n\nWhen auditing a project created by `bundles-forge:blueprinting`, the auditor may reference the design document's \"Success Criteria\" section (if present in `.bundles-forge/blueprints/` or project root) to evaluate whether the implementation aligns with the original project goals.\n\n**Expected Output:** The auditor produces:\n1. A scored audit report saved to `.bundles-forge/audits/<project-name>-v<version>-audit.<date>.md` — must follow the template structure in `references/plugin-report-template.md`\n2. Per-skill breakdowns with Verdict, Strengths, and Key Issues\n3. A Go/No-Go recommendation with qualitative adjustment rationale\n\n**Failure Handling:**\n- **Subagent dispatch unavailable:** Ask the user — \"Subagents are not available. I can run the audit checks inline. Proceed inline?\" If confirmed, read `agents/auditor.md` and follow its execution instructions within this conversation context, using the JSON baseline file as input. The agent file contains the complete audit protocol. The inline execution must still produce all three expected outputs listed above.\n- **Auditor returns without saving report:** The report file in `.bundles-forge/audits/` is a mandatory output. If the auditor did not save it, save the report yourself following the naming convention in `agents/auditor.md`.\n\n### Step 3 — Behavioral Verification (W10-W11)\n\n**Prerequisites:** Step 2 complete. 
The audit report exists in `.bundles-forge/audits/`.\n\n**Action:** Decide whether to run behavioral verification:\n- **Run when:** Pre-release audits, or when the Workflow category (W1-W9) has warnings that suggest structural issues may affect runtime behavior.\n- **Skip when:** Quick post-change checks, when evaluator dispatch is unavailable, or when static and semantic layers show no issues.\n\nIf running: dispatch `evaluator` agent (`agents/evaluator.md`) with label \"chain\" for each workflow chain. Append evaluator results to the audit report.\n\nIf skipping: add the following to the Behavioral Verification section of the audit report: \"Not performed. Reason: `<reason>`. Scored as N/A (excluded from weighted average).\"\n\n**Expected Output:** The audit report's Behavioral Verification (W10-W11) section is filled — either with evaluation results or with an explicit N/A entry and skip reason. This section must never be left blank or omitted.\n\n**Failure Handling:**\n- **Evaluator dispatch unavailable:** Mark as N/A with reason \"evaluator agents unavailable\". Do not leave the section empty.\n- **Evaluator returns errors:** Include the error details in the report section and score as N/A.\n\n### Step 4 — Verify Final Report\n\n**Prerequisites:** Steps 1-3 complete.\n\n**Action:** Verify the audit report in `.bundles-forge/audits/` meets these criteria:\n1. File exists and follows the naming convention\n2. Contains Decision Brief with Go/No-Go recommendation\n3. Contains all 10 category scores\n4. Contains Behavioral Verification section (results or N/A)\n5. Contains per-skill breakdowns\n\nPresent all findings grouped by severity (Critical / Warning / Info). 
The audit report is the final output — the calling context decides what to fix and how.\n\n**Expected Output:** A complete, validated audit report file in `.bundles-forge/audits/`.\n\n**Failure Handling:**\n- **Report missing required sections:** Go back to Step 2 and re-run the auditor with explicit instructions to include the missing sections.\n\n---\n\n## Skill Audit (Lightweight Mode)\n\nWhen the target is a single skill directory or SKILL.md file, run only the 4 categories that apply at skill scope. This is auto-detected — no special flags needed.\n\n| Category | Checks Run | What It Catches |\n|----------|-----------|----------------|\n| Structure | S2, S3, S9 | Skill has own directory, contains SKILL.md, directory name matches frontmatter `name` |\n| Skill Quality | Q1–Q15 | Frontmatter validity, description conventions, token budget, allowed-tools deps, section structure, conditional block reachability |\n| Cross-References | X1, X2, X3 | Outgoing `project:skill-name` refs resolve, relative paths exist, referenced subdirectories exist |\n| Security | SC1, SC9, SC13, AG1, AG6 | Sensitive file access, safety overrides, encoding tricks, scope constraints (IDs from `security-checklist.md`) |\n\n**Skipped categories:** Platform Manifests, Version Sync, Hooks, Testing, Documentation — these require project-level context.\n\n### Step 1 — Run Script Baseline\n\n**Prerequisites:** Target resolved to a local path (via Input Normalization above) containing `SKILL.md` but no `skills/` subdirectory.\n\n**Action:**\n\n```bash\nbundles-forge audit-skill --json --output-dir .bundles-forge/audits <skill-directory>\n```\n\nAlso accepts a `SKILL.md` file path directly.\n\n**Expected Output:** A JSON baseline file at `.bundles-forge/audits/audit_skill-<YYYYMMDD-HHmmss>.json`.\n\n**Failure Handling:**\n- **Exit code 0/1/2 with valid JSON file:** Proceed to Step 2.\n- **Exit code non-0/1/2 or stdout empty:** Retry with `python \"<plugin-root>/bin/bundles-forge\" audit-skill 
--json --output-dir .bundles-forge/audits <skill-directory>`. If both fail, check Python version (requires 3.9+), report the traceback and stop.\n\n### Step 2 — Dispatch Auditor (Skill Mode)\n\n**Prerequisites:** JSON baseline file from Step 1 exists.\n\n**Action:** Pass the JSON baseline to the `auditor` agent (`agents/auditor.md`) in Single Skill Audit Mode. The auditor runs the 4-category checks, produces a qualitative summary (Verdict, Strengths, Key Issues), scores each category, and compiles the report using `references/skill-report-template.md`.\n\n**Expected Output:** A skill audit report saved to `.bundles-forge/audits/<skill-name>-v<version>-skill-audit.<date>.md` containing:\n1. Decision Brief with Verdict, Strengths, Key Issues\n2. Findings by Category (4 categories)\n3. Skill Profile\n\n**Failure Handling:**\n- **Subagent dispatch unavailable:** Ask the user — \"Subagents are not available. I can run the skill audit checks inline. Proceed?\" If confirmed, read `agents/auditor.md` (Single Skill Audit Mode section) and follow its instructions inline. The inline execution must still produce all expected outputs.\n- **Auditor returns without saving report:** Save the report yourself following the naming convention.\n\n### Step 3 — Verify Final Report\n\n**Prerequisites:** Step 2 complete.\n\n**Action:** Verify the skill audit report exists in `.bundles-forge/audits/` and contains Decision Brief, 4 category findings, and Skill Profile.\n\n**Expected Output:** A complete skill audit report file.\n\n**Failure Handling:**\n- **Report missing sections:** Re-run Step 2 with explicit instructions to include missing sections.\n\n### Third-Party Skill Scanning\n\nWhen auditing a skill from an external source (marketplace, git, shared file):\n\n1. Clone/download the skill **without executing** any hooks or scripts\n2. Run the skill audit on the downloaded content\n3. Pay special attention to Security checks — third-party skills are the primary threat vector\n4. 
Review all critical/warning findings with the user before installation\n5. Never auto-install a skill that has unresolved critical security findings\n\n---\n\n## Workflow Audit\n\nWhen the user explicitly requests a workflow audit, or when the Full audit's Cross-References category (X1-X3) or Workflow category (W1-W11) has warnings, run a dedicated workflow audit. This evaluates how skills connect, hand off artifacts, and compose into coherent chains.\n\n**When to Trigger:**\n- User explicitly requests \"audit the workflow\" or \"check workflow integration\"\n- After adding skills to an existing project\n- After modifying Integration sections, Inputs/Outputs, or adding new skills to a chain\n- When the Full audit's Workflow category shows warnings — suggest: \"Workflow issues detected. Run a focused workflow audit with `--focus-skills` for detailed diagnostics.\"\n\n### Step 1 — Run Script Baseline\n\n**Prerequisites:** Target directory resolved to a local path (via Input Normalization above). User has optionally specified `--focus-skills`.\n\n**Action:**\n\n```bash\nbundles-forge audit-workflow --json --output-dir .bundles-forge/audits <target-dir>\n# or with focus:\nbundles-forge audit-workflow --json --output-dir .bundles-forge/audits --focus-skills skill-a,skill-b <target-dir>\n```\n\nScript mode covers W1-W9 (static + semantic layers). W10-W11 (behavioral layer) requires evaluator agent dispatch and is scored as N/A in script output.\n\n**Expected Output:** A JSON baseline file at `.bundles-forge/audits/audit_workflow-<YYYYMMDD-HHmmss>.json`.\n\n**Failure Handling:**\n- **Exit code 0/1/2 with valid JSON file:** Proceed to Step 2.\n- **Exit code non-0/1/2 or stdout empty:** Retry with `python \"<plugin-root>/bin/bundles-forge\" audit-workflow --json --output-dir .bundles-forge/audits <target-dir>`. 
If both fail, check Python version (requires 3.9+), report the traceback and stop.\n\n### Step 2 — Dispatch Auditor (Workflow Mode)\n\n**Prerequisites:** JSON baseline file from Step 1 exists.\n\n**Action:** Pass the JSON baseline to the `auditor` agent (`agents/auditor.md`) in Workflow Audit Mode. The auditor handles W1-W9 (Static Structure + Semantic Interface) across three layers defined in `references/workflow-checklist.md`. Full workflow audit protocol, focus mode, and report format are in `agents/auditor.md` (Workflow Audit Mode section).\n\n**Expected Output:** A workflow audit report saved to `.bundles-forge/audits/<project-name>-v<version>-workflow-audit.<date>.md` using `references/workflow-report-template.md`, containing:\n1. Decision Brief with Go/No-Go recommendation\n2. Findings by Layer (Static, Semantic, Behavioral)\n3. Skill Integration Map\n\n**Failure Handling:**\n- **Subagent dispatch unavailable:** Ask the user — \"Subagents are not available. I can run the workflow checks inline. Proceed?\" If confirmed, read `agents/auditor.md` (Workflow Audit Mode section) and follow its instructions inline. Must still produce all expected outputs.\n- **Auditor returns without saving report:** Save the report yourself following the naming convention.\n\n### Step 3 — Behavioral Verification (W10-W11)\n\n**Prerequisites:** Step 2 complete. The workflow report exists.\n\n**Action:** Decide whether to run behavioral verification:\n- **Run when:** Pre-release audits, or when W1-W9 has warnings suggesting runtime behavior issues.\n- **Skip when:** Quick checks, evaluator dispatch unavailable, or static+semantic layers clean.\n\nIf running: dispatch `evaluator` agent (`agents/evaluator.md`) with label \"chain\" for each workflow chain involving focus skills. Use the chain list and focus skills from the auditor's report. Append results to the workflow report.\n\nIf skipping: add to the Behavioral Verification section: \"Not performed. Reason: `<reason>`. 
Scored as N/A (excluded from weighted average).\"\n\n**Why two phases:** Subagents cannot dispatch other subagents, so the evaluator must be dispatched from this skill (main conversation), not from within the auditor.\n\n**Expected Output:** The workflow report's Behavioral Verification (W10-W11) section is filled — either with evaluation results or an explicit N/A entry. This section must never be left blank or omitted.\n\n**Failure Handling:**\n- **Evaluator dispatch unavailable:** Mark as N/A with reason \"evaluator agents unavailable\".\n- **Evaluator errors:** Include error details and score as N/A.\n\n### Step 4 — Verify Final Report\n\n**Prerequisites:** Steps 1-3 complete.\n\n**Action:** Verify the workflow report in `.bundles-forge/audits/` contains Decision Brief, all three layer findings (with Behavioral Verification filled), and Skill Integration Map.\n\nPresent workflow findings grouped by severity. The `workflow-report` is consumed by the calling context for targeted fixes.\n\n**Expected Output:** A complete workflow audit report file.\n\n**Failure Handling:**\n- **Report missing sections:** Re-run Step 2 with explicit instructions to include missing sections.\n\n---\n\n## Security-Only Mode\n\nWhen the user explicitly requests a security-only scan, run only Category 10 (Security) via `bundles-forge audit-security`. Skip Categories 1-9. Report in the same format but with only the Security category scored. 
This provides a quick security check without the overhead of a full 10-category audit.\n\n---\n\n## Common Mistakes\n\n| Mistake | Fix |\n|---------|-----|\n| Skipping version sync check | Always run `bundles-forge bump-version --check` (full audit) |\n| Not checking description anti-patterns | Descriptions that summarize workflow cause agents to shortcut |\n| Ignoring cross-reference resolution | Broken `project:skill-name` refs = broken workflow chains |\n| Running full 10-category audit on a single skill | Let scope auto-detection handle it — 6 categories don't apply |\n| Skipping workflow audit after adding third-party skills | New skills need workflow integration validation — use `--focus-skills` |\n| Skipping security because \"I wrote it myself\" | Accidental vulnerabilities are common — always scan |\n| Only scanning SKILL.md, ignoring hooks | Hooks are the highest-risk executable code (full audit) |\n| Treating script output as the final report | Script output is a baseline — always dispatch auditor or read `agents/auditor.md` inline to produce the full report |\n| Bypassing `--json` failure without diagnosis | If `--json` returns empty output or unexpected exit code, retry with the direct Python call before falling back to non-JSON mode |\n| Not persisting JSON baseline to disk | Always use `--output-dir .bundles-forge/audits` to ensure intermediate results are saved regardless of agent behavior |\n| Skipping W10-W11 without marking N/A in report | If Behavioral Verification is skipped, the report must contain the section with \"N/A\" and the skip reason |\n\n## Inputs\n\n- `project-directory` (required) — bundle-plugin project root, single skill directory, or SKILL.md file path (local, GitHub URL, or archive)\n\n## Outputs\n\n- `audit-report` — scored report with findings across 10 categories (full project), written to `.bundles-forge/audits/` by the auditor agent. 
Contains per-skill breakdowns\n- `skill-report` (skill mode) — 4-category scored report (Structure, Quality, Cross-Refs, Security) for a single skill, written to `.bundles-forge/audits/`\n- `workflow-report` (workflow mode) — workflow-specific report with W1-W11 findings across static/semantic/behavioral layers, written to `.bundles-forge/audits/`\n\n## Integration\n\n**Called by:**\n- **bundles-forge:blueprinting** — Phase 4: initial quality check on new projects\n- **bundles-forge:optimizing** — post-change verification after applying optimizations\n- **bundles-forge:releasing** — pre-release quality and security check\n- User directly — standalone audit of any project or skill","tags":["auditing","bundles","forge","odradekai","agent-skills","bundle-plugin","claude-code","claude-plugin","claude-skills","cursor-plugin"],"capabilities":["skill","source-odradekai","skill-auditing","topic-agent-skills","topic-bundle-plugin","topic-claude-code","topic-claude-plugin","topic-claude-skills","topic-cursor-plugin"],"categories":["bundles-forge"],"synonyms":[],"warnings":[],"endpointUrl":"https://skills.sh/OdradekAI/bundles-forge/auditing","protocol":"skill","transport":"skills-sh","auth":{"type":"none","details":{"cli":"npx skills add OdradekAI/bundles-forge","source_repo":"https://github.com/OdradekAI/bundles-forge","install_from":"skills.sh"}},"qualityScore":"0.554","qualityRationale":"deterministic score 0.55 from registry signals: · indexed on github topic:agent-skills · 208 github stars · SKILL.md body (21,191 
chars)","verified":false,"liveness":"unknown","lastLivenessCheck":null,"agentReviews":{"count":0,"score_avg":null,"cost_usd_avg":null,"success_rate":null,"latency_p50_ms":null,"narrative_summary":null,"summary_updated_at":null},"enrichmentModel":"deterministic:skill-github:v1","enrichmentVersion":1,"enrichedAt":"2026-05-02T12:54:05.518Z","embedding":null,"createdAt":"2026-04-18T22:12:10.232Z","updatedAt":"2026-05-02T12:54:05.518Z","lastSeenAt":"2026-05-02T12:54:05.518Z","tsv":"
'step':267,290,674,766,779,828,837,1095,1103,1281,1287,1386,1528,1596,1634,1645,1779,1785,1826,2016,2131,2169,2180,2318,2326,2499,2505,2569 'still':1053,1761,2300 'stop':827,1633,2168 'strength':988,1675,1710 'structur':10,573,594,720,978,1140,1442,1472,2204,2912 'subag':1002,1008,1724,1730,2268,2274,2424,2428 'subdirectori':382,432,496,1493,1549 'success':931 'suffix':430 'suggest':404,1139,2000,2353 'summar':2662 'summari':647,1673 'support':908 'surfac':626 'sync':577,600,723,1518,2641 'systemat':44 'tabl':640 'target':183,233,277,318,381,450,516,648,680,1408,1534,2022,2551 'tell':398 'templat':977 'test':580,613,1520 'third':1836,1879,2709 'third-parti':1835,1878,2708 'threat':1885 'three':258,1056,2208,2523 'timestamp':357 'token':1465 'tool':75,1469 'topic-agent-skills' 'topic-bundle-plugin' 'topic-claude-code' 'topic-claude-plugin' 'topic-claude-skills' 'topic-cursor-plugin' 'traceback':825,1631,2166 'transform':326 'treat':2750 'trick':1507 'trigger':1961 'truth':867 'two':2422 'type':205,320 'unavail':1004,1157,1251,1259,1726,2270,2363,2481,2489 'unexpect':2785 'unresolv':1906 'url':241,329,334,433,2872 'use':2,143,323,340,890,1034,1685,2246,2385,2718,2809 'user':163,400,469,1007,1729,1894,1914,1962,2033,2273,2584,2988 'v':971,1699,2241 'valid':761,774,790,1368,1462,1591,2126,2717 'vector':1886 'verdict':987,1674,1709 'verif':1098,1121,1195,1218,1328,2321,2339,2409,2452,2528,2838,2973 'verifi':735,755,1283,1292,1781,1789,2501,2510 'version':12,576,599,722,820,1517,1626,2161,2640,2650 'version-sync':575 'version/timestamp':429 'via':687,1540,2029,2597 'vs':35,37 'vulner':2730 'w1':486,1134,1937,2086,2201,2349,2939 'w1-w11':485,1936,2938 'w1-w9':1133,2085,2200,2348 'w10':1100,1220,2092,2323,2454,2829 'w10-w11':1099,1219,2091,2322,2453,2828 'w11':487,1101,1221,1938,2093,2324,2455,2830,2940 'w9':1135,2087,2202,2350 'warn':783,1137,1346,1940,1999,2352 'weight':593,896,1209,2419 'whether':946,1117,2335 'within':1030,2442 
","prices":[{"id":"8a79b42b-1245-4113-95b5-0a6c61576d07","listingId":"f7908972-c539-471c-adf9-f1ac69b97d17","amountUsd":"0","unit":"free","nativeCurrency":null,"nativeAmount":null,"chain":null,"payTo":null,"paymentMethod":"skill-free","isPrimary":true,"details":{"org":"OdradekAI","category":"bundles-forge","install_from":"skills.sh"},"createdAt":"2026-04-18T22:12:10.232Z"}],"sources":[{"listingId":"f7908972-c539-471c-adf9-f1ac69b97d17","source":"github","sourceId":"OdradekAI/bundles-forge/auditing","sourceUrl":"https://github.com/OdradekAI/bundles-forge/tree/main/skills/auditing","isPrimary":false,"firstSeenAt":"2026-04-18T22:12:10.232Z","lastSeenAt":"2026-05-02T12:54:05.518Z"}],"details":{"listingId":"f7908972-c539-471c-adf9-f1ac69b97d17","quickStartSnippet":null,"exampleRequest":null,"exampleResponse":null,"schema":null,"openapiUrl":null,"agentsTxtUrl":null,"citations":[],"useCases":[],"bestFor":[],"notFor":[],"kindDetails":{"org":"OdradekAI","slug":"auditing","github":{"repo":"OdradekAI/bundles-forge","stars":208,"topics":["agent-skills","bundle-plugin","claude-code","claude-plugin","claude-skills","cursor-plugin"],"license":"apache-2.0","html_url":"https://github.com/OdradekAI/bundles-forge","pushed_at":"2026-04-27T02:13:58Z","description":"An agentic skills framework & bundle-plugin engineering toolkit that 
works.","skill_md_sha":"59891a56792b77aeee972093bfb196557cbc5624","skill_md_path":"skills/auditing/SKILL.md","default_branch":"main","skill_tree_url":"https://github.com/OdradekAI/bundles-forge/tree/main/skills/auditing"},"layout":"multi","source":"github","category":"bundles-forge","frontmatter":{"name":"auditing","description":"Use when reviewing a bundle-plugin for structural issues, version drift, skill quality, workflow integration, or security risks — before releasing, after changes, or after adding skills. Auto-detects scope (full project vs skill vs workflow)"},"skills_sh_url":"https://skills.sh/OdradekAI/bundles-forge/auditing"},"updatedAt":"2026-05-02T12:54:05.518Z"}}