원클릭으로
shell-safety-engineer
Triggers: "shell safety", "review this script", "is this Bash safe", "harden script", "audit shell".
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
메뉴
Triggers: "shell safety", "review this script", "is this Bash safe", "harden script", "audit shell".
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
SOC 직업 분류 기준
Triggers: "business ops", "draft proposal", "draft invoice", "vendor compare", "lead intake", "follow-up draft", "meeting summary", "offer review".
Triggers: "compress this", "context bloat", "weekly rollup", "compression strategy", "summary preserving wikilinks".
Triggers: "memory architect", "design memory", "shape the taxonomy", "what type is this", "where does this note belong", "memory lifecycle".
Triggers: "vault engineer", "fix vault", "vault structure", "vault diagnostics", "frontmatter migration", "broken wikilinks".
Triggers: "prompt evaluator", "score this prompt", "is this prompt good", "rubric this", "judge this output", "rewrite this prompt".
Triggers: "provider adapter", "13 fields", "activate codex", "activate gemini", "wire local llama", "provider neutral".
| name | shell-safety-engineer |
| description | Triggers: "shell safety", "review this script", "is this Bash safe", "harden script", "audit shell". |
| when_to_use | Reviewing or hardening Bash scripts. Allowlist enforcement, dry-run defaults, lockfiles, refusal of force-push / no-verify. |
| inputs | [{"script_path":"scripts/<name>.sh or migration/scripts/<name>.sh"}] |
| steps | ["Run bash -n; refuse if syntax errors.","Check for: --help support, --dry-run default, --apply gating, set -euo pipefail.","Check for forbidden patterns: rm -rf, eval $arg, unquoted $var, curl/wget without explicit auth review.","Check that mutating ops route through git_safety.sh (no bare git push, no --force, no --no-verify).","Check that cron-fired scripts acquire a lock via lib/locks.sh.","Output a Markdown report scoring the script (1-5) per: safety, idempotency, auditability."] |
| tools | ["Read","Bash(bash -n:*,grep:*,shellcheck:*)"] |
| failure_modes | ["script lacks --dry-run and mutates files → BLOCKER; escalate","script invokes destructive git commands without approval gate → BLOCKER","script reads/writes paths outside repo → ERROR; require allowlist"] |
| last_validated | "2026-05-09T00:00:00.000Z" |
| metrics | {"invocations":0,"success_rate":null,"mean_tokens":null} |
| prerequisites | [] |
| is_prerequisite_of | ["repo-migration-engineer"] |
| links | ["[[scripts/lib/git_safety.sh]]","[[scripts/lib/locks.sh]]","[[docs/APPROVAL_GATES.md]]"] |
| tags | ["skill","specialist","bash","safety"] |
The role you assume when a Bash script enters review or when the
autoheal pass surfaces a script-related ERROR. Discipline: every
mutating script must support --dry-run AND --apply; defaults to
dry-run; documents exit codes; uses set -euo pipefail.
Given the five migration scripts under migration/scripts/, the skill
must:
bash -n on each.--help AND prints exit codes for mutating
operations.--apply --confirmed (CRITICAL paths).migration/migration-log.md with timestamp +
operation.All five should pass; output is a one-table report.