generate-audit
Use when a repo needs a project-specific audit playbook or local `audit` skill tailored to its stack and risk surfaces.
| field | value |
| --- | --- |
| name | generate-audit |
| description | Use when a repo needs a project-specific audit playbook or local `audit` skill tailored to its stack and risk surfaces. |
| recommended_model | high |
Recommended model: high — this is a meta-skill requiring broad repo inference and tailored output shaping.
Use this skill to create a repo-specific audit plan, or to draft a local
audit skill for the current project. This is a meta-skill: it does not run
the full audit by default. It generates the audit procedure that a repo should
use.
generate-audit/scripts/audit-discover.py collects a deterministic base layer
of repo facts (project shape, build/test/lint/typecheck commands, source-of-
truth docs, interface and drift surfaces, workflow surfaces, disabled-test
signals, risk hotspots, static-analysis tool detection, documentation command
consistency) before the model shapes the audit. Invoke by script path so
approvals stay scoped.
`generate-audit/scripts/audit-discover.py`

Use the JSON output as the starting point, then fill gaps using
`generate-audit/references/discovery-checklist.md` to fill in project shape,
docs review, interfaces, workflow surfaces, test health, risk areas,
documentation truthfulness, static analysis, and quality standards; skip
surfaces that do not apply. The goal is an audit skill ready for refinement.

Then apply `generate-audit/references/generation-rules.md`. Include only
modules that fit the discovered repo:

- When `static_analysis.language_signals.Go.concurrency_signals` is non-empty,
  run `go test -race -timeout 120s ./...` in place of plain `go test ./...`;
  any race finding is error-level, and missing `-race` in repo CI is
  warning-level whenever the codebase has goroutines.
- See `static-analysis-tools.md`; fold semgrep results under both "static
  analysis" and "security review" for polyglot repos, since its rules span
  both surfaces.
- See `quality-standards.md`.
- Run `gremlins unleash` and report surviving mutants per package, not a
  percentage; each surviving mutant in a risk-surface function → warning.
  Run this module after the test-coverage gap module.
- `*.md` files: distinct from the model-based "documentation utility" pass;
  a markdownlint/typos finding → warning; a broken link → error.

Omit modules that do not match the repo. Do not invent a frontend UX section
for a backend-only service, or a migration section for a repo with no
database. Secrets scan is never optional. When recommending CI for a
repo with no .github/workflows/, include actionlint in the proposed
setup so new workflows are linted from day one.
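The following is an added example, not the skill's own `audit-discover.py` script: a small discovery pass over an in-memory repo snapshot (a constructed `{path: text}` dict) that derives the kind of base-layer facts described above and then applies the module-selection rules from this page. The regexes, the config-file-to-tool map, the JSON field names other than `static_analysis.language_signals.Go.concurrency_signals`, and the module names `documentation lint`, `test health` and `migrations` are this example's own assumptions; `secrets scan`, `static analysis` and the `-race` and actionlint rules come from the text.

```python
"""Illustrative repo discovery plus module selection (example code, not the
generate-audit skill's script). Works on a {path: text} snapshot so it runs
offline; the sample repo below is constructed, not taken from any project."""
import json
import re
from collections import Counter

# Heuristics are this example's own assumptions, not the skill's.
GO_CONCURRENCY = re.compile(r"\bgo\s+func\b|\bchan\b|\bsync\.(?:Mutex|RWMutex|WaitGroup)\b")
DISABLED_TEST = re.compile(r"t\.Skip\(|@pytest\.mark\.skip|\bxit\(|\bit\.skip\(|@unittest\.skip")
STATIC_TOOL_CONFIGS = {".golangci.yml": "golangci-lint", "ruff.toml": "ruff",
                       ".semgrep.yml": "semgrep", ".markdownlint.yaml": "markdownlint"}
LANG_BY_EXT = {".go": "Go", ".py": "Python", ".ts": "TypeScript", ".js": "JavaScript"}


def discover(snapshot):
    """Return the deterministic base layer of repo facts for a {path: text} snapshot."""
    languages = Counter()
    workflows, tools, disabled, concurrency, md_files = [], [], [], [], []
    ci_uses_race = False
    has_migrations = False
    for path, text in snapshot.items():
        base = path.rsplit("/", 1)[-1]
        ext = base[base.rfind("."):] if "." in base else ""
        lang = LANG_BY_EXT.get(ext)
        if lang:
            languages[lang] += 1
        if ext == ".md":
            md_files.append(path)
        if path.startswith(".github/workflows/"):
            workflows.append(path)
            ci_uses_race = ci_uses_race or "-race" in text
        if path.startswith("migrations/"):
            has_migrations = True
        if base in STATIC_TOOL_CONFIGS:
            tools.append(STATIC_TOOL_CONFIGS[base])
        for lineno, line in enumerate(text.splitlines(), 1):
            if DISABLED_TEST.search(line):
                disabled.append(f"{path}:{lineno}")
            # Goroutine/channel/sync usage in non-test Go files drives the -race rule.
            if lang == "Go" and not base.endswith("_test.go") and GO_CONCURRENCY.search(line):
                concurrency.append(f"{path}:{lineno}")
    return {
        "project_shape": {"languages": dict(languages), "has_migrations": has_migrations,
                          "markdown_files": md_files},
        "workflow_surfaces": {"github_workflows": workflows, "ci_uses_race": ci_uses_race},
        "disabled_test_signals": disabled,
        "static_analysis": {"tools": tools,
                            "language_signals": {"Go": {"concurrency_signals": concurrency}}},
    }


def shape_audit(facts):
    """Apply the page's module-selection rules to discovered facts."""
    go_conc = facts["static_analysis"]["language_signals"]["Go"]["concurrency_signals"]
    languages = facts["project_shape"]["languages"]
    wf = facts["workflow_surfaces"]
    modules = ["secrets scan"]  # never optional
    findings = []
    test_command = None
    if "Go" in languages:
        test_command = "go test -race -timeout 120s ./..." if go_conc else "go test ./..."
    if go_conc and wf["github_workflows"] and not wf["ci_uses_race"]:
        findings.append({"severity": "warning",
                         "message": "repo CI runs go test without -race although the codebase has goroutines"})
    if facts["static_analysis"]["tools"]:
        modules.append("static analysis")
    if facts["project_shape"]["markdown_files"]:
        modules.append("documentation lint")
    if facts["project_shape"]["has_migrations"]:  # no database, no migration section
        modules.append("migrations")
    if facts["disabled_test_signals"]:
        modules.append("test health")
    # A repo with no workflows gets actionlint proposed so new workflows are linted from day one.
    proposed_ci_setup = [] if wf["github_workflows"] else ["actionlint"]
    return {"modules": modules, "test_command": test_command,
            "findings": findings, "proposed_ci_setup": proposed_ci_setup}


SAMPLE_REPO = {  # constructed snapshot of a small Go service
    "cmd/server/main.go": "package main\n\nimport \"sync\"\n\nfunc main() {\n\tvar wg sync.WaitGroup\n"
                          "\tjobs := make(chan int)\n\tgo func() { wg.Done() }()\n}\n",
    "internal/worker/worker_test.go": "package worker\n\nimport \"testing\"\n\n"
                                      "func TestQueue(t *testing.T) {\n\tt.Skip(\"flaky\")\n}\n",
    ".golangci.yml": "linters:\n  enable: [govet]\n",
    "README.md": "# service\n\nRun `go test ./...`.\n",
    ".github/workflows/ci.yml": "jobs:\n  test:\n    steps:\n      - run: go test ./...\n",
}

if __name__ == "__main__":
    facts = discover(SAMPLE_REPO)
    print(json.dumps({"facts": facts, "audit": shape_audit(facts)}, indent=2))
```

Running the block prints the facts and the shaped audit for the sample repo: three concurrency signals in `main.go` switch the test command to the `-race` form, the CI workflow that lacks `-race` yields a warning-level finding, and dropping the workflow file from the snapshot instead produces an actionlint proposal. Keeping discovery and rule application as separate functions mirrors the page's split between the deterministic base layer and the model-shaped plan.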
The generated plan or skill should include: executive summary, phase-by-phase checks with concrete commands or files, severity model for findings, concrete remediation guidance tied to findings, and a final consolidated action list. For a draft skill, keep the first version lean — a useful 6-phase audit that matches the repo beats a bloated 10-phase audit full of guesses.
See generate-audit/references/generation-rules.md for grounding, static-
analysis output format, code-quality sampling, coverage handling,
documentation-finding rules, guardrails, and the draft-skill structure.