Audit

workspace-surface-audit is a read-only audit skill for checking what a workspace and machine can do right now. It inspects the repo, MCP servers, plugins, connectors, env surfaces, and harness setup, then recommends the best ECC-native skills, hooks, agents, and workflows for Workflow Automation.

security-bounty-hunter helps you find bounty-worthy vulnerabilities in repositories, with a focus on remotely reachable, user-controlled issues that are likely to survive triage. Use it for Security Audit work when you want practical reportable findings instead of noisy local-only concerns.

repo-scan is a cross-stack source audit skill that classifies files, detects embedded third-party libraries, and helps you judge what is core, duplicated, or dead weight. It is useful for repo-scan for Code Review, legacy migrations, and refactor planning. See repo-scan install and repo-scan usage guidance in the skill.

quality-nonconformance is a regulated-manufacturing skill for NCR intake, root cause analysis, CAPA, SPC interpretation, and final disposition. Use it for Compliance Review, supplier quality issues, and evidence-based decisions where traceability, risk, and audit-ready judgment matter.

product-lens is a decision-support skill for validating the why before building, pressure-testing product direction, and turning vague requests into sharper briefs. Use product-lens when you need a quick product diagnosis, not a full spec, and want a clearer go/no-go answer before engineering planning.

healthcare-phi-compliance helps review healthcare apps for PHI/PII risk across data models, APIs, logs, and access paths. Use it to check data classification, access control, encryption, audit trails, and common leak vectors for HIPAA, DISHA, GDPR, and related security audit needs.

ecc-tools-cost-audit is an evidence-first audit skill for ECC Tools cost spikes, runaway PR creation, quota bypass, premium-model leakage, and duplicate jobs. Use it for Backend Development investigations that trace a request from webhook to worker to billing decision and prove where spend is being created.

The click-path-audit skill helps trace UI handlers through every state change to catch sequence bugs, shared-state collisions, and final-state mismatches after refactors or during code review.

automation-audit-ops is an evidence-first automation inventory and overlap audit skill for Workflow Automation. Use it to identify which jobs, hooks, connectors, MCP servers, or wrappers are live, broken, redundant, or missing before fixing anything.

cso is a Chief Security Officer–style security audit skill for agents. It helps review codebases and workflows for secrets exposure, dependency and supply-chain risk, CI/CD security, and LLM/AI security using OWASP Top 10 and STRIDE. Use cso for structured Security Audit reviews with confidence gates, active verification, and trend tracking.

design-review is a UX-minded design QA skill for auditing live interfaces, spotting spacing, hierarchy, visual consistency, and interaction issues, then fixing them iteratively with verification. It supports plan-mode review before implementation and is useful when you want a design-review guide for concrete source changes instead of vague advice.

The accessibility-compliance skill helps teams audit and improve web or mobile UI with practical WCAG 2.2, ARIA, keyboard access, screen reader, and mobile accessibility guidance. Best for UX audits, component fixes, and implementation-ready recommendations.

security-requirement-extraction turns threat models and business context into testable security requirements, user stories, acceptance criteria, and backlog-ready outputs for Requirements Planning.

stride-analysis-patterns helps agents run a structured STRIDE threat-modeling pass for architectures, APIs, and data flows. Install from the wshobson/agents repo, read the SKILL.md file, and use it to turn system descriptions into categorized threats and control-focused review output.

The threat-mitigation-mapping skill helps map identified threats to preventive, detective, and corrective controls across layers, supporting defense-in-depth, remediation planning, and control coverage review.

Use the pci-compliance skill to guide PCI DSS architecture reviews, scope reduction, gap analysis, and payment data handling decisions. Best for teams designing payment flows, preparing for assessments, or reviewing controls before a compliance review.

The gdpr-data-handling skill helps teams turn GDPR requirements into practical review guidance for consent, lawful basis, data subject rights, retention, and privacy-by-design decisions.

wcag-audit-patterns is a structured WCAG 2.2 audit skill for accessibility reviews. Use it to combine automated findings with manual checks, prioritize issues by severity and conformance level, and generate actionable remediation guidance for pages, flows, and components.

ai-prompt-engineering-safety-review is a prompt audit skill for reviewing LLM prompts for safety, bias, security weaknesses, and output quality before production, evaluation, or customer-facing use.

agent-governance is a documentation-first skill for designing AI agent guardrails, policy checks, trust rules, tool restrictions, and audit logging for tool-using and multi-agent systems.

seo-audit is a structured SEO review skill for diagnosing crawlability, indexation, technical, on-page, and content issues. It helps agents ask for site context, follow a clear audit order, avoid unsupported schema claims, and turn findings into a prioritized action plan.

page-cro is a CRO skill for reviewing marketing pages and finding practical ways to improve conversions. Use it to analyze landing, pricing, homepage, feature, and blog pages with clear input on goal, traffic source, audience, and blockers. Includes install guidance, workflow tips, prompt examples, and experiment-focused usage.

free-tool-strategy helps Product Marketing and growth teams evaluate whether to build a free marketing tool, compare calculators, graders, analyzers, or generators, and define MVP scope, gating, and implementation tradeoffs. Includes repo-based install context, key files, and practical usage guidance.

form-cro is a skill for auditing and improving non-signup forms like lead, contact, demo request, application, survey, quote, and checkout-style forms. It helps teams reduce field friction, diagnose abandonment, and restructure forms using repo-backed guidance, eval examples, and a clear install and usage path.