with one click
socket-cli
socket-cli contains 59 collected skills from SocketDev, with repository-level occupation coverage and site-owned skill detail pages.
Skills in this repository
Regroup the commits since the previous bump (or a given base) into logical commits — one per concern, bump kept last — via scripts/fleet/consolidate-commits.mts. "Consolidate commits" never means squash-to-one; that is squashing-history.
Drives the Cursor Bugbot review-and-fix loop on a PR. Inventories open Bugbot threads, classifies each (real bug / false positive / already fixed), fixes the real ones, replies on the inline thread (never as a detached PR comment), updates the PR title/body if scope shifted, and pushes. Use when reviewing a PR you just authored, after `gh pr create`, or after a new Bugbot pass on an existing PR.
Reviews the current branch against a base ref using multiple AI backends. Runs a Workflow that streams the diff through discovery, discovery-secondary, remediation, and adversarial-verify stages, routing each stage to the available agents (codex, claude, opencode, kimi, …) and gracefully skipping any backend that isn't installed. Writes a markdown findings report under docs/. Use when preparing or updating a PR, before merging a feature branch, or when wanting an independent second opinion from a different agent.
Full repo onboarding wizard. Orchestrates all setup concerns for a new engineer or a fresh clone — API token, OS keychain, shell rc bridge, native messaging host, security tools, and repo-specific initialization. Invoke with /setup-repo.
Propagate a wheelhouse template change to every fleet repo. Packages the canonical fleet-repo list, the FLEET_SYNC=1 sentinel pattern, the worktree-per-repo loop, push-direct + PR-fallback, and worktree-cleanup that survives mid-loop crashes. Use when a wheelhouse template SHA needs to land in every fleet repo, or when batching multiple template SHAs into one cascade wave. Tool-version pin propagation is the wheelhouse pipeline's job (scripts/repo/pipeline.mts), not this skill's.
Manages git worktrees per the fleet's parallel-Claude-sessions rule. Creates new task-worktrees, fans out one worktree per open PR for parallel review, and prunes spent worktrees that have nothing left to land — clean trees whose branch was deleted upstream OR is fully merged into the remote default branch. Use when starting a task that needs an isolated working tree, when reviewing every open PR locally without disturbing the primary checkout, or when cleaning up after merges.
Regenerates plugin-cache patches in scripts/fleet/plugin-patches/ against the pinned upstream plugin source when they go stale after a plugin SHA bump. Use when install-claude-plugins.mts warns that a patch no longer applies, or after bumping a plugin's source.sha in marketplace.json.
Sweeps every fleet repo for never-wanted junk (.DS_Store, Thumbs.db, *.orig, *.rej, *.swp, *.pyc, __pycache__) and stray AI/temp scratch (orphaned /tmp cascade dirs, dry-run logs), deleting only untracked-or-ignored paths — never a git-tracked file, never anything inside a submodule. Conservative and no-prompt: dry-run by default, /loop-able. Use for periodic low-friction cleanup of accreted junk across the fleet, or before a commit/cascade.
Keeps rolldown-bundled fleet repos lean — reports (and with --fix, runs `pnpm dedupe` for) collapsible lockfile transitives, checks that Socket-published packages route through the `catalog:` overrides, and flags any `external/` re-export shim that has grown into a fat re-vendored tree. Conservative and no-prompt: the only mutation is a lockfile-only `pnpm dedupe`; anything that would change the published bundle is reported for a human. Use for periodic dependency hygiene on bundle repos, or before a release.
Scans the codebase for bugs, logic errors, cache races, workflow problems, insecure defaults, security regressions in the diff, and variant analysis on prior findings. Runs a Workflow that fans out one finder per scan type in parallel, runs variant-analysis as a dependent stage, adversarially verifies High/Critical findings, deduplicates, and produces an A-F prioritized report. Use when preparing a release, investigating quality issues, running pre-merge checks, or whenever a recent diff touches security-sensitive code.
Audits a lib's published export surface for dead/unconsumed subpaths. For each `package.json#exports` subpath, checks whether any other fleet repo imports it and whether the lib's own `src/` references it, then classifies every subpath (dead / single-consumer / internal-only / consumed) into a ranked report. Read-only — reports prune candidates, never deletes. Use weekly (the `audit-api-surface.lock.yml` gh-aw cron drives it), before a major version bump, or when trimming bundle size on an infra lib.
Audits a repo's GitHub Actions permissions + allowlist against the fleet baseline. Reports drift only. Fixes are manual in Settings → Actions because flipping these silently is unsafe. Use when a CI failure looks like "action X is not allowed to be used", when onboarding a new fleet repo, or as a periodic fleet-wide health check.
Sweeps a fleet repo (or every fleet repo) for redundant CI surface. Three classes: orphan workflow YAML files (lint.yml / check.yml / type.yml / test.yml that the unified ci.yml replaced), GitHub-Dependabot auto-fix PRs that the fleet handles via /updating-security, and stale workflow run history in the Actions sidebar. Deletes the YAML files, disables Dependabot automated-security-fixes via gh api, and reports anything that needs a manual UI toggle. Once-and-never-again sweep meant to leave a repo clean.
Drive a repo's CI to green LOCALLY with Agent-CI (Docker), the local analog of greening-ci. Runs a workflow (or all PR/push workflows) in containers, and on the first paused step reads the failure log, fixes the code locally, and `agent-ci retry`s the SAME paused runner — looping until the run lands green or a wall-clock budget expires. Use to validate a workflow change or a release dispatch BEFORE burning a remote run, to catch a CI failure on your own machine, or as the local pre-flight before `republishing-stubs` / any remote build-matrix dispatch. Where greening-ci watches GitHub Actions remotely and fixes-then-pushes, this runs in local containers and fixes-then-retries in place — no push, no remote runner minutes.
Drive a target repo's CI back to green. Watches GitHub Actions, surfaces the first failure log, fixes it locally, commits + pushes, and re-watches until the run lands green (or a wall-clock budget expires). Three modes: fast (ci.yml), release (build-server matrices, fail-fast 30s polls then cool down on first success), cool (just confirm the rest of a matrix). Use when main goes red, when a build-server dispatch is failing, or when babysitting a freshly-pushed fix to verify it lands green.
Run a code migration (zod → typebox, fetch → http-request, lib → lib-stable, etc.) as a rule-pack-driven autonomous loop across many target files in parallel. Runs a Workflow that streams the target files through a transform → build/fix/check/test pipeline, one worktree-isolated agent per file, with a feedback channel that rewrites PR-review comments back into the rule files. Use when a migration touches 10+ files with a deterministic transformation, when each target file is independently transformable, or when human-led serial editing would dominate the wall-clock time. The skill packages the four pieces a rule-pack migration needs: a rule-pack format, an autonomous per-file build/fix/check/test loop, parallel worktree execution, and a feedback channel that rewrites PR-review comments back into the rule files.
Squashes the repo's default branch (main, falling back to master) to a single signed "Initial commit", refreshes deps + lockfile, runs format / fix / check / type passes, amends results, and force-pushes. Wraps the lower-level `squashing-history` skill with a dep-refresh + integrity check + verified-signature workflow. Use when cutting a fleet-wide history reset or preparing a clean baseline before a major release.
Render a web page, local HTML file, or a real unpacked Chrome MV3 extension popup to a PNG so you can SEE it — then Read the image to put the actual rendered pixels in context. Catches layout / color / empty-state / render-throw bugs that code-reading misses (a view can look correct in source and render broken). Use before redesigning UI, when "verify rendered output before commit" applies, or to inspect an extension popup with its real chrome.* powers. Page mode renders any url/file; extension mode loads an unpacked MV3 extension (background SW + content scripts + popup) and screenshots a page inside it.
Moves an existing `chore: bump version to X.Y.Z` commit to the tip of the default branch when work landed on top of it, then retags vX.Y.Z onto the moved commit and force-pushes — with a timestamped backup branch, tree-identical integrity verification, and the package.json+CHANGELOG-only bump check. Use when a release bump is no longer the latest commit and needs to be again.
Squashes all commits on the repo's default branch (main, falling back to master) to a single conventional-commit "chore: initial commit" with backup branch, integrity verification, and user confirmation before force push. Use when cleaning history or preparing for fresh start.
For repos that ship a built bundle, finds unused code paths in dist/ and iteratively stubs them via the bundler's stub plugin. Each candidate stub goes through stub → rebuild → test loop; only paths that pass the loop are kept. Today the only supported bundler is rolldown (createLibStubPlugin); the skill shape generalizes to other bundlers if the fleet adopts them. Use after a bundler migration, before publishing a new version, or whenever bundle size grows unexpectedly.
Umbrella update skill for a Socket fleet repo. Runs `pnpm run update` (npm), validates `lockstep.json` via `pnpm run lockstep` (if present), optionally bumps submodules, checks workflow SHA pins, resolves open Dependabot security alerts, refreshes the README coverage badge when applicable, and audits GitHub repo + Actions settings drift via `scripts/lint-github-settings.mts`. Discovers what applies via a parallel read-only Workflow sweep, then applies per-category drift (per-row lockstep bumps, per-alert security) as pipeline fan-out. Use when asked to update dependencies, sync upstreams, fix security advisories, refresh coverage, or prepare for a release.
Synthesize the current conversation into a spec (problem, solution, user stories, decisions, test seams, enforcement plan) and publish it to the tracker. No interview — pure synthesis. Use when the user wants a spec (aka PRD) written up from what's been discussed.
Test-driven development — build a feature or fix a bug test-first. Use when the user wants test-first / red-green-refactor, or asks to build a feature with tests.
Scans a repo for disciplines that exist only in prose, convention, or agent memory but are NOT enforced by executable code, then codifies each into the right surface — a script, a hook, a lint rule, or a CLAUDE.md rule. Runs a Workflow that fans out scanner agents (CLAUDE.md rules with no enforcer, repeated review/PR feedback, build/release steps relying on humans remembering, conventions stated in docs but unchecked), dedups, ranks by blast radius, and for each gap proposes the lowest-friction codification with a concrete diff. "Code is law" — agent memory and prose don't enforce; scripts/hooks/rules do. Use after a session surfaces a recurring discipline, when onboarding a repo, or whenever "we keep having to remember X" comes up.
How to author or convert a fleet PreToolUse / PostToolUse / Stop hook guard to the uniform contract (export const check + block/notify/undefined verdict + runGuard), so the per-event dispatcher runs it in ONE process instead of spawning a node process per guard. Loads on demand when adding a `.claude/hooks/fleet/<name>/` guard or converting an old one.
Break a plan, spec, or findings report into independently-grabbable tracker tickets using vertical-slice tracer bullets. Use when the user wants to turn a plan into tickets, or to decompose a findings report into assignable work.
Reduce duplicate installs across the fleet through safe pnpm overrides, @socketregistry hardened drop-ins, and compatibility patches. Packages the dedup decision tree (collapse / scope / force-ESM-for-bundling / patch-for-compat), the mandatory consumer-grep verification, and the cross-repo frozen-lockfile safety gate. Use on the weekly-update cadence, during a tidying/cleaning pass, or whenever the lockfile carries duplicate majors of a package.
Route non-trivial build/design work through the tier cycle — big-brain plan, floor execute, big-brain review, floor follow-up. Use when a task deserves a written plan and the execution is delegable grunt work; benign infra/docs planning routes to Fable, security-sensitive planning to Opus 4.8.
Diagnosis loop for hard bugs and performance regressions. Use when the user says "diagnose" / "debug this", or reports something broken, throwing, failing, or slow.
Interview the user relentlessly to stress-test a plan or design BEFORE building, one question at a time. Use when the user wants to grill / pressure-test a plan, or before a change that touches fleet-shared resources (template/, _shared/, a new hook/lint rule/check).
Consolidate a bloated task backlog into a lean, accurate set — complete verified-done tasks, fold related clusters into umbrella survivors (folding each child's scope into the umbrella BEFORE deleting), delete superseded/duplicate/stale/parked, and keep in_progress honest (only actively-worked items). Use when the task list is noisy, when asked to "get pending under N", or to triage a stale in_progress list. The inverse of decomposing-tickets.
Audits and fixes path duplication in a Socket repo. Applies the strict "1 path, 1 reference" rule: every build/test/runtime/config path is constructed exactly once; everywhere else references the constructed value. Default mode finds and fixes; `check` mode reports only; `install` mode drops the gate + hook + rule into a fresh repo. Use when path drift surfaces from `pnpm check`, when a new sibling package needs path conventions, or when bootstrapping a fresh Socket repo.
Reference for locking down programmatic Claude invocations (the `claude` CLI in workflows/scripts, the `@anthropic-ai/claude-agent-sdk` `query()` in code). Loads on demand when writing or reviewing any callsite that runs Claude programmatically. Source: https://code.claude.com/docs/en/agent-sdk/permissions.
Implement a fix for an issue / finding / request, ensure it has a unit test or a verification path, and open the PR. Use when the user wants a change shipped as a PR — not just described, but fixed AND verified.
Removes AI writing patterns from prose. Use when drafting, editing, or reviewing essays, blog posts, docs, release notes, commit message bodies, PR descriptions, CHANGELOG entries, README content, or any human-facing text that reads AI-generated: hedged, metronomic, padded with throat-clearing, or full of em-dashes, adverbs, and "not X, it's Y" contrasts.
Run the pre-push gate (update, install, fix --all, check --all, cover) and, only on all-green, push origin + watch CI to green. The deterministic executor for the fleet push workflow — landing on local main is the default; this guards the push when you choose to send it. Use before pushing the wheelhouse (the fleet's canonical source) to origin.
End-to-end release of a single-package fleet repo — pre-bump wave, public-facing CHANGELOG, a `chore: bump version to X.Y.Z` commit, a `vX.Y.Z` tag, a CI staged-publish (OIDC trusted publisher + provenance) via `scripts/fleet/npm-publish.mts --staged`, then a local human 2FA `--approve` (web-OTP browser flow). Use when shipping a new version of a repo whose `publish` script is the canonical `scripts/fleet/npm-publish.mts`. NOT for socket-registry / socket-addon, which keep a bespoke multi-package publish.mts.
Sync a NAMED slice of the wheelhouse cascade — call out a target (pnpm-workspace, lint-config, foundationals, …) and sync just that, at one of three scopes (dogfood self, the whole fleet, or one member repo). The thin vocabulary layer over the cascade engine; full sync logic lives in scripts/fleet/sync.mts. Use when you want to cascade ONE concern instead of the full template, or to push a one-repo override.
Sweeps every fleet repo and removes spent git worktrees — clean trees whose branch is fully merged into the remote base, or gone from the remote with nothing unpushed. Conservative and no-prompt: a dirty worktree, or one carrying unpushed commits, is always kept (it may be a parallel session's live work). Use for periodic low-friction care of the fleet's worktree clutter, or before a cascade wave to clear interrupted-wave leftovers. Defaults to dry-run; pass --fix to act.