From antigravity-awesome-skills
Audits shipped repos for production-readiness gaps in RLS, webhooks, secrets, grants, Stripe idempotency, mobile UX, deployment health, observability, and prompt injection. Use before shipping or public launch.
Install: `npx claudepluginhub sickn33/antigravity-awesome-skills`
A skill that runs an external audit on a shipped repo's deployed state — live URL, GitHub signals, secrets exposure, RLS gaps, webhook idempotency, indexes, observability, prompt injection, and ten other failure modes that AI-assisted projects routinely miss.
This is complementary to in-session security skills (security-review, OWASP-style, VibeSec, Trail of Bits). Those scan the editor buffer at write-time. This scans the deployed product after you commit. Different timing, different inputs, different findings. Run both for serious launches.
The skill wraps the commit.show audit engine via the public CLI (`npx commitshow audit . --json`). The JSON envelope is stable (`schema_version: "1"`, additive-only). It writes a `.commitshow/audit.{md,json}` sidecar so future agent sessions can read prior state without re-running the engine.
When to run it:
- `main` (helpful as a pre-deploy gate).
- `git log` shows >20 commits since the last `.commitshow/audit.md` was written.
- `security-review` / OWASP-style skills cover line-level patterns; this skill is for post-merge / pre-ship review.
- If `.commitshow/audit.json` already exists and is < 1 hour old, read that instead of re-running. The audit is rate-limited (anonymous: 20/IP/day · 5/repo/day · 2000/day global).
- Private repos return a `not_found` error (see troubleshooting below).

Step 1: run from the repo root. The CLI is pinned to a known-good range (an attacker-pushed 0.4.x won't be picked up silently; bumping the floor is a deliberate edit), the sidecar directory is created up-front, and stderr is split off so install/deprecation warnings can't corrupt the JSON envelope:

```bash
mkdir -p .commitshow
npx commitshow@^0.3.23 audit . --json \
  > .commitshow/audit.json \
  2> .commitshow/audit.stderr.log
```
This also writes a human-readable `.commitshow/audit.md` next to it. Subsequent invocations should diff against the prior `audit.json` if it exists, so you can lead with "+5 since yesterday's audit" instead of just an absolute number.

If the user pointed at a remote URL instead of `.`, swap `.` for the URL and keep the same `mkdir -p` + version pin + stderr split:

```bash
mkdir -p .commitshow
npx commitshow@^0.3.23 audit github.com/owner/repo --json \
  > .commitshow/audit.json \
  2> .commitshow/audit.stderr.log
```
The JSON envelope is stable (`schema_version: "1"`, additive-only). Read these fields:

| Field | Meaning |
|---|---|
| `score.total` | 0-100 production-readiness score |
| `score.delta_since_last` | change vs. parent snapshot · positive = improving |
| `score.band` | strong (80+) · mid (60-79) · early (<60) |
| `concerns[]` | top issues, ordered by impact · each has axis + bullet |
| `strengths[]` | top 3 things that work · for context only |
| `standing` | optional · only when the project is auditioning on commit.show |
| `snapshot.created_at` / `trigger_type` | when the audit ran |

Concerns are sorted by decision-impact, not severity. Position 1 is the bullet to lead with.
Lead with score + trajectory in one sentence, then the top concerns. Do not dump the full JSON. Format:

```text
Score: 82/100 (+5 since yesterday) · band: strong
Top concerns:
  ↓ [Security] No API rate limiting on /auth — IP cap missing
  ↓ [Infrastructure] webhook handler at api/stripe.ts — signature verified, but no
    idempotency-key check (replay attack window open)

Want me to fix the webhook idempotency gap first?
```
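As an added worked example (not part of the skill itself), the following Python reads a current and a prior `audit.json` envelope built inline from the documented fields, applies the 1-hour freshness check, and renders the summary in the format above; the sample values and the ISO 8601 form of `snapshot.created_at` are assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample envelopes (not real engine output); only the documented
# fields are used. The ISO 8601 form of snapshot.created_at is an assumption.
PRIOR = json.loads("""{
  "schema_version": "1",
  "score": {"total": 77, "delta_since_last": null, "band": "mid"},
  "concerns": [{"axis": "Security", "bullet": "No API rate limiting on /auth"}],
  "strengths": [],
  "snapshot": {"created_at": "2024-05-01T09:00:00+00:00", "trigger_type": "manual"}
}""")
CURRENT = json.loads("""{
  "schema_version": "1",
  "score": {"total": 82, "delta_since_last": 5, "band": "strong"},
  "concerns": [
    {"axis": "Security", "bullet": "No API rate limiting on /auth"},
    {"axis": "Infrastructure", "bullet": "webhook handler lacks idempotency-key check"}
  ],
  "strengths": [],
  "snapshot": {"created_at": "2024-05-02T09:00:00+00:00", "trigger_type": "manual"}
}""")

def is_fresh(audit, now_iso=None, max_age=timedelta(hours=1)):
    """True when the sidecar is younger than max_age: reuse it instead of re-running."""
    created = datetime.fromisoformat(audit["snapshot"]["created_at"])
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now(timezone.utc)
    return now - created < max_age

def band_for(total):
    """Band thresholds as documented: strong 80+, mid 60-79, early below 60."""
    return "strong" if total >= 80 else "mid" if total >= 60 else "early"

def render_summary(audit, prior=None, top=2):
    """Score + trajectory in one line, then the top concerns in engine order."""
    score = audit["score"]
    total = score["total"]
    band = score.get("band") or band_for(total)
    # Prefer a local diff against the prior sidecar; fall back to the engine's delta.
    delta = total - prior["score"]["total"] if prior else score.get("delta_since_last")
    head = f"Score: {total}/100"
    if delta is not None and delta > 0:   # negative or null: absolute score only
        head += f" (+{delta} since last audit)"
    head += f" · band: {band}"
    lines = [head, "Top concerns:"]
    for c in audit["concerns"][:top]:     # already sorted by decision-impact
        lines.append(f"  ↓ [{c['axis']}] {c['bullet']}")   # bullet used as-is
    return "\n".join(lines)
```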
Rules:
- Use `concerns[].bullet` as-is; the audit engine already wrote action-oriented copy.
- If `score.delta_since_last` is negative or null, lead with the absolute score only.
- For the chosen concern:
After applying a fix, suggest re-running with `--refresh` (same canonical form as Step 1, so `audit.json` stays the source of truth for delta calculations):

```bash
mkdir -p .commitshow
npx commitshow@^0.3.23 audit . --json --refresh \
  > .commitshow/audit.json \
  2> .commitshow/audit.stderr.log
```
```bash
mkdir -p .commitshow
npx commitshow@^0.3.23 audit . --json \
  > .commitshow/audit.json \
  2> .commitshow/audit.stderr.log
```

Then surface:

```text
Score: 67/100 · band: mid
Top concerns:
  ↓ [Security] members table uses column-level GRANT but paid_audits_credit
    column lacks SELECT grant — silent 42501 on every read
  ↓ [Infrastructure] stripe.checkout.sessions.create called without
    idempotencyKey — duplicate-charge surface

Want me to fix the column GRANT first? Single SQL line.
```
User: "show me where the webhook idempotency gap is"

```bash
jq '.concerns[] | select(.axis=="Infrastructure")' .commitshow/audit.json
```

Find the file path in the bullet, read it, confirm the gap matches.
Notes:
- `concerns[].bullet`: use as-is, they're already action-oriented.
- Read `.commitshow/audit.json` before re-running (within 1h).
- Use `--refresh` after the user merges a fix so the next audit reflects it.
- If `*.supabase.co` is unreachable, the API call fails. There is no offline mode; the audit relies on the public engine.
- `--refresh` force-bypasses the cache (counts against rate limits).

Network: the skill runs `npx commitshow@latest audit ...`, which is a network call to a public API at https://api.commit.show (proxied to Supabase Edge Functions). No credentials are sent; anonymous usage is subject to per-IP / per-URL / global rate limits.

Files written: `.commitshow/audit.{md,json}` in the current working directory. These files are safe to commit (no secrets) but are conventionally gitignored as transient artifacts.

Troubleshooting:

Problem: Audit returns `not_found` for a private repo
Solution: The engine pulls public GitHub signals only. Either make the repo public or use `--no-network` for local-only deterministic checks.

Problem: Rate limit hit (429)
Solution: Wait until the next day (limits reset 00:00 UTC) or sign in at commit.show for higher per-repo caps.

Problem: Score seems too low for a polished library / CLI
Solution: The engine biases toward the app form. A CLI / library / scaffold gets a partial substitute score capped around 45/50 on the audit pillar. This calibration is an acknowledged trade-off.

Problem: `concerns[]` is empty after re-running
Solution: The re-audit may have hit the cache. Use `--refresh` to force-bypass it.
Related skills:
- `@security-review`: in-session line-level security patterns. Run alongside this skill, not in place of it.
- `@vibesec`: editor-buffer security review for vibe-coded projects. Different lens.
- `@owasp-security`: OWASP Top 10 coverage during coding. Companion.
- `@trail-of-bits-skills`: CodeQL / Semgrep static analysis. Different layer.

Envelope: `schema_version: "1"` · additive-only changes.
API: https://api.commit.show/audit?repo=...&format=json