repo-overview
// Produce a structured plain-language overview of what a repository does, who maintains it, its activity level, and the shape of its codebase. Use when you want a quick orientation before deeper analysis.
- Audit first-party source for security vulnerabilities using an inventory-first, six-step per-sink methodology. Use when you want a thorough scan that distinguishes real findings from pattern matches and records both in a machine-readable report. The target is this codebase's own code, not its dependencies.
- Run semgrep static analysis with the security-audit and secrets rulesets, then map each hit into scrutineer's findings shape so it surfaces alongside model-driven audits. Use as a fast deterministic pass before or alongside deeper skills.
- Enumerate scannable sub-folders inside a repository. Identifies monorepo packages, workspaces, and discrete modules so the analyst can scope deep-dive scans to a specific sub-path instead of treating a huge tree as one unit. Runs at repo level; writes back a list that surfaces on the repo overview.
- Default pipeline scrutineer runs when a repository is added. Triggers a standard set of other skills in parallel, then writes a short summary of what was enqueued. Edit the list below to change the default scan coverage without touching scrutineer's Go code.
- Audit the repository's GitHub Actions workflows for common security issues (credential mishandling, untrusted inputs, template injection, overly permissive tokens) and convert findings to scrutineer's shape. Use on any repo with a .github/workflows directory.
- Propose a code patch for a finding. Produces a unified diff against the current HEAD plus a short rationale, written back as a finding note so the analyst can review, adjust, and open a PR themselves. The skill never pushes to the remote.
| field | value |
|---|---|
| name | repo-overview |
| description | Produce a structured plain-language overview of what a repository does, who maintains it, its activity level, and the shape of its codebase. Use when you want a quick orientation before deeper analysis. |
| license | MIT |
| compatibility | Requires the `brief` CLI (https://github.com/ecosyste-ms/brief) on PATH. |
| metadata | `{"scrutineer.output_file":"report.json","scrutineer.output_kind":"repo_overview"}` |
Produce an overview of the repository cloned at ./src by invoking the brief tool and writing its output verbatim as the report. brief already does the reading, summarising, and structured-output work; this skill is the thin harness around it.
- `./src` — the cloned repository
- `./context.json` — repository url and metadata (not needed for this skill)
- `./report.json` — write the final report here

If `./context.json` has `scrutineer.scan_subpath` set, run brief against that sub-folder instead of the repo root:

```sh
brief --json ./src/$(jq -r '.scrutineer.scan_subpath // ""' ./context.json | sed 's:^/*::') > ./report.json
```

For a root scan (no `scan_subpath`), that reduces to the original single command:

```sh
brief --json ./src > ./report.json
```
That is the whole workflow. If brief exits non-zero, read its stderr and write a short {"error": "..."} JSON document to ./report.json so the caller can see what went wrong rather than getting an empty file.
brief is pinned by the deployment (container image or host install). Do not try to install it here.
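The whole workflow above (resolve the optional sub-path, run `brief --json`, write stdout verbatim, or write an `{"error": ...}` document when brief fails) as one harness, written here as an added example; it is not scrutineer's own code and not part of the brief project. It assumes the file layout the skill describes (`./src`, `./context.json`, `./report.json`) and the `brief --json <dir>` invocation shown on the page. The `demo()` function substitutes a constructed stand-in for the real `brief` binary so the harness can be exercised offline. One check goes beyond the page's `jq | sed` pipeline: a `scan_subpath` value that resolves outside `./src` is refused and reported as an error instead of being passed to brief, since `context.json` is repository-derived input.

```python
#!/usr/bin/env python3
"""Harness for the repo-overview skill (added example, not scrutineer's code)."""
import json
import subprocess
import sys
import tempfile
from pathlib import Path


def scan_root(src_dir, context_path):
    """Return the directory brief should scan.

    Mirrors the page's pipeline `jq -r '.scrutineer.scan_subpath // ""' | sed 's:^/*::'`:
    a missing file, missing key, or null yields the repo root; leading slashes are stripped.
    """
    subpath = ""
    ctx_file = Path(context_path)
    if ctx_file.is_file():
        try:
            ctx = json.loads(ctx_file.read_text())
        except json.JSONDecodeError:
            ctx = {}
        scr = ctx.get("scrutineer") if isinstance(ctx, dict) else None
        value = scr.get("scan_subpath") if isinstance(scr, dict) else None
        subpath = value if isinstance(value, str) else ""
    subpath = subpath.lstrip("/")
    return Path(src_dir) / subpath if subpath else Path(src_dir)


def run_overview(src_dir="./src", context_path="./context.json",
                 report_path="./report.json", brief_cmd=("brief", "--json")):
    """Run brief on the resolved directory and write ./report.json.

    Returns True when brief's JSON was written verbatim, False when an
    {"error": "..."} document was written instead.
    """
    report = Path(report_path)
    target = scan_root(src_dir, context_path)

    # Containment check (addition beyond the page's pipeline): scan_subpath comes
    # from repository-derived context, so refuse values that escape ./src.
    src_resolved = Path(src_dir).resolve()
    target_resolved = target.resolve()
    if target_resolved != src_resolved and src_resolved not in target_resolved.parents:
        report.write_text(json.dumps({"error": f"scan_subpath escapes {src_dir}: {target}"}))
        return False

    try:
        proc = subprocess.run([*brief_cmd, str(target)], capture_output=True,
                              text=True, check=False)
    except OSError as exc:  # binary missing or not executable
        report.write_text(json.dumps({"error": f"could not run brief: {exc}"}))
        return False

    # Page rule: on non-zero exit, surface stderr rather than leaving an empty file.
    if proc.returncode != 0 or not proc.stdout.strip():
        msg = proc.stderr.strip() or f"brief exited {proc.returncode} with no output"
        report.write_text(json.dumps({"error": msg}))
        return False

    report.write_text(proc.stdout)  # verbatim, as the skill requires
    return True


def demo():
    """Exercise the harness in a temp dir with a constructed stand-in for brief."""
    fake_ok = [sys.executable, "-c",
               "import sys, json; print(json.dumps({'summary': 'stand-in', 'path': sys.argv[1]}))"]
    fake_fail = [sys.executable, "-c",
                 "import sys; sys.stderr.write('not a git repository'); sys.exit(2)"]
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        work = Path(tmp)
        src = work / "src"
        (src / "packages" / "api").mkdir(parents=True)
        ctx = work / "context.json"

        # 1. Root scan: no context.json present at all.
        ok = run_overview(src, ctx, work / "root.json", fake_ok)
        scanned = json.loads((work / "root.json").read_text())["path"]
        results["root"] = (ok, Path(scanned).relative_to(src).as_posix())

        # 2. Sub-path scan with a leading slash, which the sed step strips.
        ctx.write_text(json.dumps({"scrutineer": {"scan_subpath": "/packages/api"}}))
        ok = run_overview(src, ctx, work / "sub.json", fake_ok)
        scanned = json.loads((work / "sub.json").read_text())["path"]
        results["sub"] = (ok, Path(scanned).relative_to(src).as_posix())

        # 3. brief exits non-zero: stderr becomes the error document.
        ok = run_overview(src, ctx, work / "fail.json", fake_fail)
        results["fail"] = (ok, json.loads((work / "fail.json").read_text()))

        # 4. A scan_subpath that escapes ./src is refused.
        ctx.write_text(json.dumps({"scrutineer": {"scan_subpath": "../../etc"}}))
        ok = run_overview(src, ctx, work / "escape.json", fake_ok)
        results["escape"] = (ok, "error" in json.loads((work / "escape.json").read_text()))
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Calling `run_overview()` with its defaults reproduces the two shell commands from the skill; `demo()` only exists to show the four paths through the harness (root scan, sub-path scan, brief failure, refused sub-path) without the real binary installed.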