Claude Code and Codex Skills for Software Correctness
Formal verification, model checking, security auditing, proof repair, and benchmarking — as slash commands.
Contents
Quick Start
Install every plugin for Claude Code in one command:
npx skills add workersio/spec
Individual plugins can be selected during installation. Once installed, invoke any skill by name inside Claude Code:
/fuzzer Coverage-guided fuzzing with audit-driven harness design
/kani-proof Write bounded model checker proofs for Rust and Solana
/solana-audit Run a structured smart contract security audit
/axiom Verify and repair Lean 4 proofs
/skill-benchmark Benchmark a skill with controlled eval sessions
/workers-app-tester Pentest an Android app on a rooted device
/save Save the current session as a reusable agent
Codex support is included through repo-local metadata:
- Codex marketplace catalog:
.agents/plugins/marketplace.json
- Per-plugin Codex manifests:
plugins/<name>/.codex-plugin/plugin.json
- All repo plugins are marked
AVAILABLE for Codex: axiom, fuzzer, kani-proof, save, skill-benchmark, solana-audit, workers-app-tester
To use this repo as a repo-scoped Codex marketplace:
- Keep the repository layout intact so
.agents/plugins/marketplace.json can resolve ./plugins/<name> relative to the repo root.
- Restart Codex after cloning the repo or after changing marketplace metadata.
- In Codex CLI, run
codex, then /plugins, open the workersio marketplace, and install the plugins you want.
Codex User-Level Install
If you want the plugins available user-wide and automatically synced to this repo, use the PowerShell installer:
pwsh -ExecutionPolicy Bypass -File .\scripts\install-user-level.ps1 -Mode install
Useful commands:
pwsh -ExecutionPolicy Bypass -File .\scripts\install-user-level.ps1 -Mode status
pwsh -ExecutionPolicy Bypass -File .\scripts\install-user-level.ps1 -Mode uninstall
pwsh -ExecutionPolicy Bypass -File .\scripts\install-user-level.ps1 -Mode install -Force
-Force backs up conflicting user-level paths to *.backup-YYYYMMDD-HHMMSS before replacing them with junctions.
What it creates:
%USERPROFILE%\.codex\.agents\plugins -> junction to this repo's .agents\plugins
%USERPROFILE%\.codex\plugins\<plugin-name> -> junctions to this repo's plugins\<plugin-name>
Why this layout:
- Codex keeps reading the marketplace from the user-level
.codex home
- The plugin content stays in this repo as the single source of truth
- Future updates are simple: pull the repo, then restart Codex
- If new plugins are added later, re-run
-Mode install
For dry runs or custom targets, override the Codex home:
pwsh -ExecutionPolicy Bypass -File .\scripts\install-user-level.ps1 -Mode status -CodexHome D:\temp\codex-home
Plugins
fuzzer
Coverage-guided fuzzing workflow for C/C++, Rust, and Go targets. Runs a deep audit-context-building pass first to locate suspicious code, then writes a targeted harness, builds with sanitizers, runs the fuzzer, and reports crashes with reproducers.
Use case — Find memory safety bugs, integer overflows, and logic faults in native code through coverage-guided fuzzing driven by prior code understanding.
/fuzzer
What's included
fuzzer skill — end-to-end harness authoring, build, run, and triage workflow
audit-context-building skill — line-by-line analysis using First Principles, 5 Whys, and 5 Hows to locate fuzz targets
- Function-analyzer agent and reference docs for completeness, output requirements, and worked micro-analysis examples
kani-proof