Produce a structured plain-language overview of what a repository does, who maintains it, its activity level, and the shape of its codebase. Use when you want a quick orientation before deeper analysis.
Audit first-party source for security vulnerabilities using an inventory-first, six-step per-sink methodology. Use when you want a thorough scan that distinguishes real findings from pattern matches and records both in a machine-readable report. The target is this codebase's own code, not its dependencies.
Run semgrep static analysis with the security-audit and secrets rulesets, then map each hit into scrutineer's findings shape so it surfaces alongside model-driven audits. Use as a fast deterministic pass before or alongside deeper skills.
Enumerate scannable sub-folders inside a repository. Identifies monorepo packages, workspaces, and discrete modules so the analyst can scope deep-dive scans to a specific sub-path instead of treating a huge tree as one unit. Runs at repo level; writes back a list that surfaces on the repo overview.
The default pipeline that scrutineer runs when a repository is added. Triggers a standard set of other skills in parallel, then writes a short summary of what was enqueued. Edit the list below to change the default scan coverage without touching scrutineer's Go code.
Audit the repository's GitHub Actions workflows for common security issues (credential mishandling, untrusted inputs, template injection, overly permissive tokens) and convert findings to scrutineer's shape. Use on any repo with a .github/workflows directory.
Propose a code patch for a finding. Produces a unified diff against the current HEAD plus a short rationale, written back as a finding note so the analyst can review, adjust, and open a PR themselves. The skill never pushes to the remote.
Draft the disclosure content for a finding in GitHub Security Advisory shape. Produces a title, markdown description, affected package block, CVSS vector, CWE list, and references, then writes them back to the finding so the analyst can paste them into the GHSA form (or POST to GitHub's repository-advisories REST endpoint) rather than composing from scratch.