shellcheck-configuration

by wshobson

shellcheck-configuration helps you install ShellCheck, tune .shellcheckrc, and apply lint policy for CI and Code Review across bash, sh, dash, and ksh projects.

Stars32.6k

Favorites0

Comments0

AddedMar 30, 2026

CategoryCode Review

Install Command

npx skills add wshobson/agents --skill shellcheck-configuration

Curation Score

This skill scores 78/100, which makes it a solid directory listing candidate: users can reasonably expect an agent to recognize when to use it and get practical ShellCheck setup and configuration guidance with less guesswork than a generic prompt, though it is still mostly documentation-driven rather than workflow-automated.

78/100

Strengths

Clear triggerability: the skill explicitly lists when to use it, including CI/CD setup, script analysis, rule suppression, and migration to quality gates.
Good operational coverage: the body is substantial and includes installation, configuration, and ShellCheck usage guidance with code fences for concrete examples.
Credible real-world value: it focuses on a widely used shell linting tool and explains project-level configuration concerns that agents often need help applying consistently.

Cautions

No support files, scripts, or reference assets are included, so execution depends on the agent interpreting prose correctly rather than invoking packaged workflow components.
The repository evidence shows no install command in SKILL.md and no repo/file references, which reduces confidence for users looking for tightly scoped, environment-specific adoption guidance.

Shell Scripting Bash Linting Configuration Ci Cd Developer Audience

Overview

Overview of shellcheck-configuration skill

What the shellcheck-configuration skill does

The shellcheck-configuration skill helps an agent set up, interpret, and tune ShellCheck for real shell-script quality work. It is most useful when you need more than “run the linter”: project-level configuration, CI gating, shell-target selection, warning suppression strategy, and guidance on fixing findings without breaking portability.

Who should use shellcheck-configuration

This skill fits:

developers adding ShellCheck to a repository for the first time
teams standardizing shell linting in CI or code review
maintainers cleaning up legacy bash, sh, dash, or ksh scripts
reviewers who want consistent lint guidance instead of ad hoc comments

If your main need is “explain one warning code,” ordinary prompting may be enough. If you need a repeatable setup and policy, the shellcheck-configuration skill is a better fit.

The real job-to-be-done

Users usually want one of four outcomes:

install ShellCheck correctly on their platform
configure it for the right shell and rule tolerance
integrate it into CI or pre-merge checks
turn noisy lint output into actionable fixes and review standards

This skill is strongest when your goal includes both tooling and decision-making.

What makes this skill different from a generic prompt

A generic prompt can suggest “use ShellCheck.” The shellcheck-configuration skill is more useful when you need structured help with:

choosing a target shell and matching options
deciding what to suppress and what to enforce
creating a .shellcheckrc policy that matches the repo
handling false positives in a maintainable way
using ShellCheck for Code Review, not just local lint runs

Important adoption constraints

This skill is guidance-heavy rather than automation-heavy. The repository evidence shows a single SKILL.md with no helper scripts or packaged resources, so expect strong instruction and examples, not turnkey commands tailored to your repository. You will get the best results when you provide actual shell files, current errors, and your CI context.

How to Use shellcheck-configuration skill

Install context for shellcheck-configuration install

Install the skill into your agent environment with:

npx skills add https://github.com/wshobson/agents --skill shellcheck-configuration

Then make sure ShellCheck itself is available in the environment where analysis will happen:

# macOS
brew install shellcheck

# Ubuntu/Debian
apt-get install shellcheck

# Verify
shellcheck --version

The skill helps with configuration and usage; it does not replace the shellcheck binary.

Read this file first

Start with:

plugins/shell-scripting/skills/shellcheck-configuration/SKILL.md

Because this skill has no separate README.md, rules, or helper scripts, nearly all practical guidance is concentrated there. Read it first before inferring capabilities from the broader repo.

Best use cases in practice

Use shellcheck-configuration usage when you need to:

create or refine a project .shellcheckrc
choose between strict enforcement and gradual adoption
fix repeated warning patterns across many scripts
wire ShellCheck into CI/CD pipelines
review a pull request containing shell changes
decide whether an inline disable is acceptable

Inputs the skill needs to work well

Provide concrete inputs, not just “configure ShellCheck.” Best inputs include:

target shell: bash, sh, dash, ksh
sample script or repository path
current shellcheck output
whether the code runs in CI, containers, or multiple distros
team policy: fail on warnings, only on errors, or advisory only
whether portability to POSIX sh matters

Without that context, the skill can only give generic recommendations.

Turn a rough goal into a strong prompt

Weak prompt:

“Help me use ShellCheck.”

Strong prompt:

“Use the shellcheck-configuration skill to propose a .shellcheckrc for a repo with mostly bash scripts, a few POSIX sh entrypoints, CI on Ubuntu, and a goal of blocking high-confidence issues while allowing justified inline suppressions. Explain each config choice and how it affects code review.”

Why this works:

it names the shell mix
defines enforcement level
gives environment constraints
asks for rationale, not just a file dump

Example prompt for shellcheck-configuration for Code Review

Use a prompt like:

Use the shellcheck-configuration skill for Code Review. Review this shell script diff, identify the ShellCheck issues most likely to matter in production, separate correctness bugs from style issues, and recommend whether to fix, suppress, or ignore each one. Assume the repo standard is Bash in CI but portability matters for small utility scripts.

This gets better results than “review this script,” because it asks the agent to classify issues and apply policy.

Suggested workflow from install to enforcement

Install ShellCheck.
Invoke the shellcheck-configuration skill with your shell targets and repo goals.
Generate or refine .shellcheckrc.
Run shellcheck on representative scripts first.
Fix high-signal warnings before enforcing in CI.
Decide suppression policy for justified exceptions.
Add CI or pre-commit integration only after warning volume is manageable.

This sequence reduces the common failure mode where teams enable lint gates before aligning on policy.

How to use the skill with existing lint output

If you already ran shellcheck, paste:

warning codes such as SC2086, SC2046, SC2155
the affected lines
whether the issue is intentional
the shell declared by the script shebang

The skill is especially valuable when you want guidance on whether a warning reflects:

a real bug
a portability risk
a style preference
a false positive worth suppressing

Configuration decisions that matter most

The highest-impact choices are usually:

target shell correctness
whether to use project-level .shellcheckrc
when to prefer inline disables over global ignores
whether CI should fail on all findings or a subset
how much legacy code to grandfather in

These decisions affect trust in the tool more than any single warning fix.

Practical tips that improve output quality

Ask the skill to produce:

a draft .shellcheckrc
a suppression policy with examples
CI command examples
a “fix-now vs later” triage of warnings
code-review guidance for recurring findings

This is more useful than asking for raw ShellCheck theory. The skill contains fundamentals, but the real value is turning them into repo policy.

shellcheck-configuration skill FAQ

Is shellcheck-configuration good for beginners?

Yes, if you are actively working on shell scripts. The skill includes ShellCheck fundamentals and installation guidance, so it can help a beginner get started. It is still most valuable when paired with real scripts and real warnings.

Do I need the shellcheck-configuration skill if I already know ShellCheck?

Possibly. If you already know the warning catalog and command-line basics, the skill is still useful for repository-wide configuration, CI policy, suppression strategy, and ShellCheck-driven review workflows.

Does it include automation scripts or ready-made CI templates?

No strong evidence of that in this skill. The repository signals show only SKILL.md, so expect conceptual guidance and examples rather than bundled scripts or reusable templates.

When should I not use shellcheck-configuration?

Skip it if:

you only need to run shellcheck file.sh once
your issue is unrelated to static analysis policy
you want an auto-fixer; ShellCheck primarily reports issues rather than rewriting code
your team has already settled configuration and only needs a command reference

How is this different from ordinary prompting?

Ordinary prompting can explain warnings, but it often misses repo-level decisions: shell target, suppression boundaries, rollout strategy, and code review standards. The shellcheck-configuration guide is better when you want a repeatable linting approach, not a one-off answer.

Is shellcheck-configuration suitable for mixed shell repos?

Yes, but only if you tell the skill the mix. Repos that contain both bash and POSIX sh scripts need explicit scoping; otherwise recommendations may overfit one shell and create noise for the other.

How to Improve shellcheck-configuration skill

Give the skill your actual shell environment

The fastest way to improve shellcheck-configuration results is to specify:

shell dialect per script group
OS or CI runner
whether scripts are sourced or executed directly
whether portability is required

ShellCheck recommendations depend heavily on shell semantics. Ambiguous inputs lead to overbroad advice.

Provide real files, not summaries

Instead of saying “we have some shell scripts,” give:

one representative script
current .shellcheckrc, if any
a few current warning codes
CI snippets that run linting today

This lets the skill move from generic best practices to concrete configuration.

Ask for policy, not just syntax

A stronger request is:

“draft a .shellcheckrc and explain what the team should enforce”

A weaker request is:

“show shellcheck config options”

Users care more about what to standardize than about memorizing flags. Ask the skill to help you choose a maintainable policy.

Watch for common failure modes

Common ways to get poor output:

not specifying bash vs sh
asking for zero-warning enforcement on a noisy legacy repo
suppressing warnings globally before understanding them
treating all findings as equally severe
ignoring code review workflow and focusing only on local runs

The skill is most helpful when you use it to prioritize, not just enumerate.

Improve shellcheck-configuration for Code Review workflows

For review use, ask the skill to categorize findings into:

correctness
quoting and expansion safety
portability
maintainability
style-only

That helps reviewers avoid blocking merges for low-value style issues while still catching dangerous shell patterns.

Iterate after the first output

After the first response, follow up with:

“tighten this config for CI”
“make this safer for POSIX portability”
“reduce false positives for sourced helper files”
“which suppressions should stay inline rather than in .shellcheckrc?”

The first pass should establish direction; the second should tailor enforcement.

Use the skill to stage adoption

For large legacy repos, ask for:

a baseline advisory configuration
a prioritized fix list
a stricter future-state config

This staged approach is often better than flipping on hard-fail linting immediately and creating broad developer resistance.

Compare recommendations against actual ShellCheck output

The best validation loop is simple:

ask the skill for config and policy
run shellcheck
inspect the resulting warning mix
feed the results back into the skill for refinement

That loop turns the shellcheck-configuration skill from static guidance into a practical rollout tool.

Ratings & Reviews

No ratings yet

Share your review

0/10000

Latest reviews

Saving...

more skill

security-threat-model

by openai

Repository-grounded security-threat-model skill for AppSec threat modeling. It maps trust boundaries, assets, attacker goals, abuse paths, and mitigations into a concise Markdown threat model. Use it when you need security-threat-model for Threat Modeling on a specific repo or path, not a generic architecture review or code check.

Threat Modeling

Favorites 0GitHub 0

laravel-tdd

by affaan-m

laravel-tdd is a Laravel test-driven-development guide for PHPUnit and Pest. It helps with unit, feature, and integration test choices, database strategy, fakes, coverage targets, and a practical workflow for test automation.

Test Automation

Favorites 0GitHub 156.2k

codeql

by trailofbits

The codeql skill helps you run CodeQL with fewer blind spots during a security audit. It focuses on database quality, suite selection, data extensions, and SARIF review so you can use codeql usage more reliably across supported languages. Use it for repeatable codeql guide steps when analyzing real repositories.

Security Audit

Favorites 0GitHub 5k

semgrep-rule-creator

by trailofbits

semgrep-rule-creator creates production-quality Semgrep rules for security vulnerabilities, bug patterns, taint-flow detections, and coding standards. Use the semgrep-rule-creator skill for Security Audit work when you need precise rules, test cases, and validation instead of a generic draft.

Security Audit

Favorites 0GitHub 5k

insecure-defaults

by trailofbits

The insecure-defaults skill helps spot fail-open configuration patterns that let software run with unsafe settings instead of stopping. Use it for a Security Audit of production code, deployment configs, and secret-handling logic to catch weak auth, hardcoded secrets, and permissive defaults.

Security Audit

Favorites 0GitHub 5k

constant-time-analysis

by trailofbits

constant-time-analysis is a security-audit skill for finding timing side-channel risks in cryptographic code before they become exploitable bugs. Use it to review secret-dependent math, branches, comparisons, and compiled output when checking C, C++, Go, Rust, Swift, Java, Kotlin, PHP, JavaScript, TypeScript, Python, or Ruby.

Security Audit

Favorites 0GitHub 5k

react-native-best-practices

by callstackincubator

react-native-best-practices is a practical React Native performance optimization guide for slow startup, dropped frames, heavy renders, memory leaks, bundle bloat, and animation jank. Use it when you need evidence-backed fixes for Hermes, bridge overhead, FlashList, native modules, or profiling a release regression.

Performance Optimization

Favorites 0GitHub 1.3k

github-pr-review

by fvadicamo

github-pr-review is a GitHub PR review skill for collecting inline comments, PR-level review bodies, and replies, then organizing feedback by severity so you can fix blockers first. Use it to resolve PR comments, respond to reviewers, and update the branch with targeted commits and thread replies. It fits the github-pr-review guide for authenticated GitHub CLI workflows.

PR Review

Favorites 0GitHub 0

autofix

by coderabbitai

autofix helps safely turn CodeRabbit PR review-thread feedback into validated code changes on the current GitHub branch. Use this autofix skill when you need a branch-aware CodeRabbit for Code Review workflow with explicit approval, not a generic prompt-following fixer. It checks repo state, reads trusted instructions, and applies only verified fixes.

Code Review

Favorites 0GitHub 0

security-ownership-map

by openai

Use security-ownership-map to analyze git history for security ownership risk, bus factor, and sensitive-code ownership. It maps people to files, surfaces orphaned or under-owned areas, and exports CSV/JSON for graph analysis. Best for security audit questions, CODEOWNERS reality checks, and ownership clusters grounded in commit history.

Security Audit

Favorites 0GitHub 0

frontend-design-review

by microsoft

frontend-design-review is a GitHub skill for reviewing frontend UI work and creating distinctive, production-grade interfaces from scratch. It helps assess design system compliance, accessibility, visual quality, and whether a UI feels generic or intentionally designed. Use it for PR reviews, component reviews, and frontend-design-review for UI Design.

UI Design

Favorites 0GitHub 0

sarif-parsing

by trailofbits

sarif-parsing is a post-scan skill for reading, filtering, deduplicating, summarizing, and converting SARIF 2.1.0 results from tools like CodeQL and Semgrep. Use it when you already have scan output and need clear parsing, aggregation, or CI/CD-ready transformation. It is not for running scans.

Code Editing

Favorites 0GitHub 5k

property-based-testing

by trailofbits

property-based-testing skill guide for writing, reviewing, and improving PBT across languages and smart contracts. Use this property-based-testing guide to spot roundtrip, idempotence, invariant, parser, validator, and normalization cases, choose generators, and decide when property-based-testing is stronger than example-based tests.

Skill Testing

Favorites 0GitHub 5k

investigate

by garrytan

The investigate skill guides systematic debugging and root-cause analysis for broken, flaky, or unexpected behavior. Use it for code review, incident triage, bug fixes, and "it worked yesterday" cases when you need evidence before changing code. It follows a four-phase workflow: investigate, analyze, hypothesize, implement.

Code Review

Favorites 0GitHub 91.8k

ruzzy

by trailofbits

ruzzy is a coverage-guided Ruby fuzzing skill for testing pure Ruby code and Ruby C extensions. Use the ruzzy guide to set up a supported Linux environment, verify sanitizer wiring, and build practical fuzzing workflows for Security Audit work.

Security Audit

Favorites 0GitHub 5k

vue-best-practices

by vuejs-ai

vue-best-practices is a Vue 3 skill for code generation, review, and refactoring. It guides agents toward Composition API, <script setup lang="ts">, explicit data flow, SSR-aware choices, and core references for reactivity, SFCs, composables, Router, Pinia, and Vite-based apps.

Frontend Development

Favorites 0GitHub 2.1k