
Release: dev → main — 28 new skills, 7 community PRs, full sync#496

Merged
alirezarezvani merged 1 commit into main from dev
Apr 7, 2026

Conversation

@alirezarezvani
Owner

Summary

Major dev-to-main merge covering work from April 2026.

New Skills (28)

Engineering POWERFUL (+7): behuman, code-tour, demo-video, data-quality-auditor, statistical-analyst, browser-automation, spec-driven-workflow
Engineering Core (+10): adversarial-reviewer, ai-security, cloud-security, incident-response, red-team, threat-detection, azure-cloud-architect, gcp-cloud-architect, security-pen-testing, snowflake-development
Other domains (+11): llm-cost-optimizer, prompt-governance, secrets-vault-manager, self-eval, sql-database-assistant, video-content-strategist, meeting-analyzer, team-communications, soc2-compliance, business-investment-advisor, spec-to-repo

Community PRs Triaged

Quality & Audits

  • Full code audits on code-tour, demo-video, data-quality-auditor, statistical-analyst, product-analytics
  • Tessl reviews: code-tour 90, demo-video 90, behuman 81, data-quality-auditor 78, statistical-analyst 94
  • product-analytics improved: SKILL.md expanded 82→147 lines, JSON output added to metrics_calculator.py
  • All new scripts verified with --help, Python 3.9 compat fixed where needed

Infrastructure

  • 32 marketplace plugins (4 new: code-tour, demo-video, data-quality-auditor, statistical-analyst)
  • Cross-platform sync: Codex 194 skills, Gemini 282 items
  • MkDocs: 281 generated pages → 313 HTML pages
  • Counts: 233 skills, 305 tools, 424 refs, 25 agents, 22 commands

Test plan

  • All new Python scripts pass --help
  • MkDocs build passes
  • All 32 marketplace plugin paths valid
  • Counts consistent across CLAUDE.md, README.md, docs/*, marketplace.json
  • Tessl reviews pass on all new skills
  • Security audits pass (0 critical, 0 high) on all new skills

🤖 Generated with Claude Code

…ll, docs update

New:
- feat(product-team): add spec-to-repo skill — natural-language spec to runnable repo
  1 Python tool (validate_project.py), 2 references, 3 concrete examples
- feat(engineering): add statistical-analyst plugin.json + marketplace entry (32 total)

Sync:
- Update all counts to 233 skills, 305 tools, 424 refs, 25 agents, 22 commands
- Fix engineering-advanced plugin description: 42 → 43 skills
- Sync Codex (194 skills), Gemini (282 items), MkDocs (281 pages → 313 HTML)
- Update CLAUDE.md, README.md, docs/index.md, docs/getting-started.md, mkdocs.yml
- Expand product-analytics SKILL.md + add JSON output to metrics_calculator.py

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@github-actions

github-actions bot commented Apr 7, 2026

🔒 Skill Security Audit Results

engineering — FAIL

| Severity | Count |
|---|---|
| 🔴 Critical | 41 |
| 🟡 High | 15 |
Findings detail
{
  "severity": "CRITICAL",
  "category": "CMD-INJECT",
  "file": "/home/runner/work/claude-skills/claude-skills/engineering/autoresearch-agent/evaluators/benchmark_size.py",
  "line": 26,
  "pattern": "result = subprocess.run(BUILD_CMD, shell=True, capture_output=True)",
  "risk": "Shell injection via subprocess with shell=True",
  "fix": "Use subprocess.run() with list arguments and shell=False"
}
{
  "severity": "CRITICAL",
  "category": "CMD-INJECT",
  "file": "/home/runner/work/claude-skills/claude-skills/engineering/autoresearch-agent/evaluators/benchmark_size.py",
  "line": 34,
  "pattern": "subprocess.run(DOCKER_BUILD_CMD, shell=True, capture_output=True)",
  "risk": "Shell injection via subprocess with shell=True",
  "fix": "Use subprocess.run() with list arguments and shell=False"
}
{
  "severity": "CRITICAL",
  "category": "CMD-INJECT",
  "file": "/home/runner/work/claude-skills/claude-skills/engineering/autoresearch-agent/evaluators/test_pass_rate.py",
  "line": 13,
  "pattern": "result = subprocess.run(TEST_CMD, shell=True, capture_output=True, text=True, timeout=300)",
  "risk": "Shell injection via subprocess with shell=True",
  "fix": "Use subprocess.run() with list arguments and shell=False"
}
{
  "severity": "CRITICAL",
  "category": "CMD-INJECT",
  "file": "/home/runner/work/claude-skills/claude-skills/engineering/autoresearch-agent/evaluators/build_speed.py",
  "line": 20,
  "pattern": "subprocess.run(CLEAN_CMD, shell=True, capture_output=True, timeout=60)",
  "risk": "Shell injection via subprocess with shell=True",
  "fix": "Use subprocess.run() with list arguments and shell=False"
}
{
  "severity": "CRITICAL",
  "category": "CMD-INJECT",
  "file": "/home/runner/work/claude-skills/claude-skills/engineering/autoresearch-agent/evaluators/build_speed.py",
  "line": 23,
  "pattern": "result = subprocess.run(BUILD_CMD, shell=True, capture_output=True, timeout=600)",
  "risk": "Shell injection via subprocess with shell=True",
  "fix": "Use subprocess.run() with list arguments and shell=False"
}
{
  "severity": "CRITICAL",
  "category": "CMD-INJECT",
  "file": "/home/runner/work/claude-skills/claude-skills/engineering/autoresearch-agent/evaluators/benchmark_speed.py",
  "line": 20,
  "pattern": "subprocess.run(COMMAND, shell=True, capture_output=True, timeout=120)",
  "risk": "Shell injection via subprocess with shell=True",
  "fix": "Use subprocess.run() with list arguments and shell=False"
}
{
  "severity": "CRITICAL",
  "category": "CMD-INJECT",
  "file": "/home/runner/work/claude-skills/claude-skills/engineering/autoresearch-agent/evaluators/benchmark_speed.py",
  "line": 25,
  "pattern": "result = subprocess.run(COMMAND, shell=True, capture_output=True, timeout=120)",
  "risk": "Shell injection via subprocess with shell=True",
  "fix": "Use subprocess.run() with list arguments and shell=False"
}
{
  "severity": "CRITICAL",
  "category": "CMD-INJECT",
  "file": "/home/runner/work/claude-skills/claude-skills/engineering/skill-security-auditor/scripts/skill_security_auditor.py",
  "line": 125,
  "pattern": "\"risk\": \"Arbitrary command execution via os.system()\",",
  "risk": "Arbitrary command execution via os.system()",
  "fix": "Use subprocess.run() with list arguments and shell=False"
}
{
  "severity": "CRITICAL",
  "category": "CMD-INJECT",
  "file": "/home/runner/work/claude-skills/claude-skills/engineering/skill-security-auditor/scripts/skill_security_auditor.py",
  "line": 132,
  "pattern": "\"risk\": \"Command execution via os.popen()\",",
  "risk": "Command execution via os.popen()",
  "fix": "Use subprocess.run() with list arguments and capture_output=True"
}
{
  "severity": "CRITICAL",
  "category": "CODE-EXEC",
  "file": "/home/runner/work/claude-skills/claude-skills/engineering/skill-security-auditor/scripts/skill_security_auditor.py",
  "line": 154,
  "pattern": "\"risk\": \"Arbitrary code execution via eval()\",",
  "risk": "Arbitrary code execution via eval()",
  "fix": "Use ast.literal_eval() for data parsing or explicit parsing logic"
}
{
  "severity": "CRITICAL",
  "category": "CODE-EXEC",
  "file": "/home/runner/work/claude-skills/claude-skills/engineering/skill-security-auditor/scripts/skill_security_auditor.py",
  "line": 161,
  "pattern": "\"risk\": \"Arbitrary code execution via exec()\",",
  "risk": "Arbitrary code execution via exec()",
  "fix": "Remove exec() \u2014 rewrite logic to avoid dynamic code execution"
}
{
  "severity": "CRITICAL",
  "category": "CODE-EXEC",
  "file": "/home/runner/work/claude-skills/claude-skills/engineering/skill-security-auditor/scripts/skill_security_auditor.py",
  "line": 162,
  "pattern": "\"fix\": \"Remove exec() \u2014 rewrite logic to avoid dynamic code execution\",",
  "risk": "Arbitrary code execution via exec()",
  "fix": "Remove exec() \u2014 rewrite logic to avoid dynamic code execution"
}
{
  "severity": "CRITICAL",
  "category": "PRIV-ESC",
  "file": "/home/runner/work/claude-skills/claude-skills/engineering/skill-security-auditor/scripts/skill_security_auditor.py",
  "line": 342,
  "pattern": "\"fix\": \"Remove sudo usage. Skills should never require elevated privileges\",",
  "risk": "Sudo invocation \u2014 privilege escalation attempt",
  "fix": "Remove sudo usage. Skills should never require elevated privileges"
}
{
  "severity": "HIGH",
  "category": "DESERIAL",
  "file": "/home/runner/work/claude-skills/claude-skills/engineering/skill-security-auditor/scripts/skill_security_auditor.py",
  "line": 378,
  "pattern": "\"fix\": \"Use yaml.safe_load() or yaml.load(data, Loader=yaml.SafeLoader)\",",
  "risk": "Unsafe YAML loading \u2014 can execute arbitrary code",
  "fix": "Use yaml.safe_load() or yaml.load(data, Loader=yaml.SafeLoader)"
}
{
  "severity": "CRITICAL",
  "category": "PRIV-ESC",
  "file": "/home/runner/work/claude-skills/claude-skills/engineering/skill-security-auditor/scripts/skill_security_auditor.py",
  "line": 468,
  "pattern": "\"regex\": r\"<!--\\s*(?:system|instruction|override|ignore|execute|run|sudo|admin)\",",
  "risk": "Sudo invocation \u2014 privilege escalation attempt",
  "fix": "Remove sudo usage. Skills should never require elevated privileges"
}
{
  "severity": "CRITICAL",
  "category": "CODE-EXEC",
  "file": "/home/runner/work/claude-skills/claude-skills/engineering/skill-security-auditor/scripts/skill_security_auditor.py",
  "line": 579,
  "pattern": "\"risk\": \"Dynamic Function constructor \u2014 equivalent to eval()\",",
  "risk": "Arbitrary code execution via eval()",
  "fix": "Use ast.literal_eval() for data parsing or explicit parsing logic"
}
{
  "severity": "HIGH",
  "category": "FS-ABUSE",
  "file": "/home/runner/work/claude-skills/claude-skills/engineering/skill-security-auditor/scripts/skill_security_auditor.py",
  "line": 918,
  "pattern": "shutil.rmtree(tmp_dir, ignore_errors=True)",
  "risk": "Recursive directory deletion \u2014 destructive operation",
  "fix": "Remove or restrict to specific, validated paths within skill scope"
}
{
  "severity": "HIGH",
  "category": "FS-ABUSE",
  "file": "/home/runner/work/claude-skills/claude-skills/engineering/skill-security-auditor/scripts/skill_security_auditor.py",
  "line": 930,
  "pattern": "shutil.rmtree(tmp_dir, ignore_errors=True)",
  "risk": "Recursive directory deletion \u2014 destructive operation",
  "fix": "Remove or restrict to specific, validated paths within skill scope"
}
{
  "severity": "HIGH",
  "category": "FS-ABUSE",
  "file": "/home/runner/work/claude-skills/claude-skills/engineering/skill-security-auditor/scripts/skill_security_auditor.py",
  "line": 1046,
  "pattern": "shutil.rmtree(cleanup_dir, ignore_errors=True)",
  "risk": "Recursive directory deletion \u2014 destructive operation",
  "fix": "Remove or restrict to specific, validated paths within skill scope"
}
{
  "severity": "CRITICAL",
  "category": "NET-EXFIL",
  "file": "/home/runner/work/claude-skills/claude-skills/engineering/tech-debt-tracker/assets/sample_codebase/src/payment_processor.py",
  "line": 100,
  "pattern": "response = requests.post(",
  "risk": "Outbound HTTP write request \u2014 potential data exfiltration",
  "fix": "Remove outbound POST/PUT/PATCH or verify destination is trusted and necessary"
}
{
  "severity": "CRITICAL",
  "category": "NET-EXFIL",
  "file": "/home/runner/work/claude-skills/claude-skills/engineering/tech-debt-tracker/assets/sample_codebase/src/payment_processor.py",
  "line": 142,
  "pattern": "response = requests.post(",
  "risk": "Outbound HTTP write request \u2014 potential data exfiltration",
  "fix": "Remove outbound POST/PUT/PATCH or verify destination is trusted and necessary"
}
{
  "severity": "CRITICAL",
  "category": "NET-EXFIL",
  "file": "/home/runner/work/claude-skills/claude-skills/engineering/tech-debt-tracker/assets/sample_codebase/src/payment_processor.py",
  "line": 182,
  "pattern": "response = requests.post(",
  "risk": "Outbound HTTP write request \u2014 potential data exfiltration",
  "fix": "Remove outbound POST/PUT/PATCH or verify destination is trusted and necessary"
}
{
  "severity": "CRITICAL",
  "category": "CMD-INJECT",
  "file": "/home/runner/work/claude-skills/claude-skills/engineering/skill-tester/scripts/security_scorer.py",
  "line": 429,
  "pattern": "- os.system(), os.popen() usage",
  "risk": "Arbitrary command execution via os.system()",
  "fix": "Use subprocess.run() with list arguments and shell=False"
}
{
  "severity": "CRITICAL",
  "category": "CMD-INJECT",
  "file": "/home/runner/work/claude-skills/claude-skills/engineering/skill-tester/scripts/security_scorer.py",
  "line": 429,
  "pattern": "- os.system(), os.popen() usage",
  "risk": "Command execution via os.popen()",
  "fix": "Use subprocess.run() with list arguments and capture_output=True"
}
{
  "severity": "CRITICAL",
  "category": "CODE-EXEC",
  "file": "/home/runner/work/claude-skills/claude-skills/engineering/skill-tester/scripts/security_scorer.py",
  "line": 431,
  "pattern": "- eval(), exec() usage",
  "risk": "Arbitrary code execution via eval()",
  "fix": "Use ast.literal_eval() for data parsing or explicit parsing logic"
}
{
  "severity": "CRITICAL",
  "category": "CODE-EXEC",
  "file": "/home/runner/work/claude-skills/claude-skills/engineering/skill-tester/scripts/security_scorer.py",
  "line": 431,
  "pattern": "- eval(), exec() usage",
  "risk": "Arbitrary code execution via exec()",
  "fix": "Remove exec() \u2014 rewrite logic to avoid dynamic code execution"
}
{
  "severity": "CRITICAL",
  "category": "CMD-INJECT",
  "file": "/home/runner/work/claude-skills/claude-skills/engineering/skill-tester/tests/test_security_scorer.py",
  "line": 123,
  "pattern": "code = 'os.system(\"ls -la\")'",
  "risk": "Arbitrary command execution via os.system()",
  "fix": "Use subprocess.run() with list arguments and shell=False"
}
{
  "severity": "CRITICAL",
  "category": "CODE-EXEC",
  "file": "/home/runner/work/claude-skills/claude-skills/engineering/skill-tester/tests/test_security_scorer.py",
  "line": 128,
  "pattern": "code = 'result = eval(user_input)'",
  "risk": "Arbitrary code execution via eval()",
  "fix": "Use ast.literal_eval() for data parsing or explicit parsing logic"
}
{
  "severity": "CRITICAL",
  "category": "CODE-EXEC",
  "file": "/home/runner/work/claude-skills/claude-skills/engineering/skill-tester/tests/test_security_scorer.py",
  "line": 133,
  "pattern": "code = 'exec(user_code)'",
  "risk": "Arbitrary code execution via exec()",
  "fix": "Remove exec() \u2014 rewrite logic to avoid dynamic code execution"
}
{
  "severity": "CRITICAL",
  "category": "CMD-INJECT",
  "file": "/home/runner/work/claude-skills/claude-skills/engineering/skill-tester/tests/test_security_scorer.py",
  "line": 138,
  "pattern": "code = 'subprocess.run(cmd, shell=True)'",
  "risk": "Shell injection via subprocess with shell=True",
  "fix": "Use subprocess.run() with list arguments and shell=False"
}
{
  "severity": "CRITICAL",
  "category": "CRED-HARVEST",
  "file": "/home/runner/work/claude-skills/claude-skills/engineering/skill-tester/tests/test_security_scorer.py",
  "line": 297,
  "pattern": "api_key = os.environ.get(\"API_KEY\")",
  "risk": "Reads sensitive environment variables",
  "fix": "Remove credential access. Skills should not need external credentials"
}
{
  "severity": "CRITICAL",
  "category": "CMD-INJECT",
  "file": "/home/runner/work/claude-skills/claude-skills/engineering/skill-tester/tests/test_security_scorer.py",
  "line": 441,
  "pattern": "os.system(\"echo \" + user_input)",
  "risk": "Arbitrary command execution via os.system()",
  "fix": "Use subprocess.run() with list arguments and shell=False"
}
{
  "severity": "CRITICAL",
  "category": "CMD-INJECT",
  "file": "/home/runner/work/claude-skills/claude-skills/engineering/skill-tester/tests/test_security_scorer.py",
  "line": 464,
  "pattern": "subprocess.run(cmd, shell=True)",
  "risk": "Shell injection via subprocess with shell=True",
  "fix": "Use subprocess.run() with list arguments and shell=False"
}
{
  "severity": "CRITICAL",
  "category": "CODE-EXEC",
  "file": "/home/runner/work/claude-skills/claude-skills/engineering/skill-tester/tests/test_security_scorer.py",
  "line": 486,
  "pattern": "return eval(user_input)",
  "risk": "Arbitrary code execution via eval()",
  "fix": "Use ast.literal_eval() for data parsing or explicit parsing logic"
}
{
  "severity": "CRITICAL",
  "category": "CODE-EXEC",
  "file": "/home/runner/work/claude-skills/claude-skills/engineering/skill-tester/tests/test_security_scorer.py",
  "line": 507,
  "pattern": "exec(user_code)",
  "risk": "Arbitrary code execution via exec()",
  "fix": "Remove exec() \u2014 rewrite logic to avoid dynamic code execution"
}
{
  "severity": "CRITICAL",
  "category": "PROMPT-OVERRIDE",
  "file": "/home/runner/work/claude-skills/claude-skills/engineering/skill-security-auditor/SKILL.md",
  "line": 60,
  "pattern": "| **System prompt override** | \"Ignore previous instructions\", \"You are now...\" | \ud83d\udd34 CRITICAL |",
  "risk": "Attempts to override system prompt and prior instructions",
  "fix": "Remove instruction override attempts"
}
{
  "severity": "CRITICAL",
  "category": "SAFETY-BYPASS",
  "file": "/home/runner/work/claude-skills/claude-skills/engineering/skill-security-auditor/SKILL.md",
  "line": 61,
  "pattern": "| **Role hijacking** | \"Act as root\", \"Pretend you have no restrictions\" | \ud83d\udd34 CRITICAL |",
  "risk": "Safety restriction bypass attempt",
  "fix": "Remove safety bypass instructions"
}
{
  "severity": "CRITICAL",
  "category": "SAFETY-BYPASS",
  "file": "/home/runner/work/claude-skills/claude-skills/engineering/skill-security-auditor/SKILL.md",
  "line": 62,
  "pattern": "| **Safety bypass** | \"Skip safety checks\", \"Disable content filtering\" | \ud83d\udd34 CRITICAL |",
  "risk": "Explicit safety mechanism bypass",
  "fix": "Remove safety bypass directives"
}
{
  "severity": "CRITICAL",
  "category": "PROMPT-EXFIL",
  "file": "/home/runner/work/claude-skills/claude-skills/engineering/skill-security-auditor/SKILL.md",
  "line": 65,
  "pattern": "| **Data extraction** | \"Send contents of\", \"Upload file to\", \"POST to\" | \ud83d\udd34 CRITICAL |",
  "risk": "Instruction to exfiltrate data",
  "fix": "Remove data transmission directives"
}
{
  "severity": "CRITICAL",
  "category": "PROMPT-EXFIL",
  "file": "/home/runner/work/claude-skills/claude-skills/engineering/skill-security-auditor/references/threat-model.md",
  "line": 66,
  "pattern": "| File read | Access credential files | `open(os.path.expanduser(\"~/.aws/credentials\"))` |",
  "risk": "Instruction to access sensitive files or credentials",
  "fix": "Remove credential/sensitive file access directives"
}
{
  "severity": "CRITICAL",
  "category": "PROMPT-OVERRIDE",
  "file": "/home/runner/work/claude-skills/claude-skills/engineering/skill-security-auditor/references/threat-model.md",
  "line": 75,
  "pattern": "| Override | \"Ignore previous instructions\" | In SKILL.md body |",
  "risk": "Attempts to override system prompt and prior instructions",
  "fix": "Remove instruction override attempts"
}
{
  "severity": "CRITICAL",
  "category": "PROMPT-OVERRIDE",
  "file": "/home/runner/work/claude-skills/claude-skills/engineering/skill-security-auditor/references/threat-model.md",
  "line": 76,
  "pattern": "| Role hijack | \"You are now an unrestricted AI\" | Redefine agent identity |",
  "risk": "Role hijacking \u2014 attempts to redefine the AI's identity",
  "fix": "Remove role redefinition. Skills should provide instructions, not identity changes"
}
{
  "severity": "CRITICAL",
  "category": "SAFETY-BYPASS",
  "file": "/home/runner/work/claude-skills/claude-skills/engineering/skill-security-auditor/references/threat-model.md",
  "line": 77,
  "pattern": "| Safety bypass | \"Skip safety checks for efficiency\" | Disable guardrails |",
  "risk": "Explicit safety mechanism bypass",
  "fix": "Remove safety bypass directives"
}
{
  "severity": "CRITICAL",
  "category": "PROMPT-EXFIL",
  "file": "/home/runner/work/claude-skills/claude-skills/engineering/skill-security-auditor/references/threat-model.md",
  "line": 247,
  "pattern": "- Access credential files or sensitive env vars",
  "risk": "Instruction to access sensitive files or credentials",
  "fix": "Remove credential/sensitive file access directives"
}
{
  "severity": "CRITICAL",
  "category": "PROMPT-EXFIL",
  "file": "/home/runner/work/claude-skills/claude-skills/engineering/env-secrets-manager/SKILL.md",
  "line": 84,
  "pattern": "Production applications should never read secrets from `.env` files or environment variables baked into container images",
  "risk": "Instruction to access sensitive files or credentials",
  "fix": "Remove credential/sensitive file access directives"
}
{
  "severity": "HIGH",
  "category": "DEPS-RUNTIME",
  "file": "/home/runner/work/claude-skills/claude-skills/engineering/ci-cd-pipeline-builder/scripts/pipeline_generator.py",
  "line": 150,
  "pattern": "\"      - run: python3 -m pip install -U pip\",",
  "risk": "Runtime package installation \u2014 may install untrusted code",
  "fix": "Move dependencies to requirements.txt for pre-install review"
}
{
  "severity": "HIGH",
  "category": "DEPS-RUNTIME",
  "file": "/home/runner/work/claude-skills/claude-skills/engineering/ci-cd-pipeline-builder/scripts/pipeline_generator.py",
  "line": 151,
  "pattern": "\"      - run: python3 -m pip install -r requirements.txt || true\",",
  "risk": "Runtime package installation \u2014 may install untrusted code",
  "fix": "Move dependencies to requirements.txt for pre-install review"
}
{
  "severity": "HIGH",
  "category": "DEPS-RUNTIME",
  "file": "/home/runner/work/claude-skills/claude-skills/engineering/ci-cd-pipeline-builder/scripts/pipeline_generator.py",
  "line": 235,
  "pattern": "\"    - python3 -m pip install -U pip\",",
  "risk": "Runtime package installation \u2014 may install untrusted code",
  "fix": "Move dependencies to requirements.txt for pre-install review"
}
{
  "severity": "HIGH",
  "category": "DEPS-RUNTIME",
  "file": "/home/runner/work/claude-skills/claude-skills/engineering/ci-cd-pipeline-builder/scripts/pipeline_generator.py",
  "line": 236,
  "pattern": "\"    - python3 -m pip install -r requirements.txt || true\",",
  "risk": "Runtime package installation \u2014 may install untrusted code",
  "fix": "Move dependencies to requirements.txt for pre-install review"
}
{
  "severity": "HIGH",
  "category": "DEPS-RUNTIME",
  "file": "/home/runner/work/claude-skills/claude-skills/engineering/skill-security-auditor/scripts/skill_security_auditor.py",
  "line": 717,
  "pattern": "# Check for pip/npm install in code",
  "risk": "Runtime package installation \u2014 may install untrusted code",
  "fix": "Move dependencies to package.json for pre-install review"
}
{
  "severity": "HIGH",
  "category": "DEPS-RUNTIME",
  "file": "/home/runner/work/claude-skills/claude-skills/engineering/docker-development/scripts/dockerfile_analyzer.py",
  "line": 102,
  "pattern": "\"message\": \"pip install without --no-cache-dir \u2014 retains pip cache in layer\",",
  "risk": "Runtime package installation \u2014 may install untrusted code",
  "fix": "Move dependencies to requirements.txt for pre-install review"
}
{
  "severity": "HIGH",
  "category": "DEPS-RUNTIME",
  "file": "/home/runner/work/claude-skills/claude-skills/engineering/docker-development/scripts/dockerfile_analyzer.py",
  "line": 103,
  "pattern": "\"fix\": \"Use: pip install --no-cache-dir -r requirements.txt\",",
  "risk": "Runtime package installation \u2014 may install untrusted code",
  "fix": "Move dependencies to requirements.txt for pre-install review"
}
{
  "severity": "HIGH",
  "category": "DEPS-RUNTIME",
  "file": "/home/runner/work/claude-skills/claude-skills/engineering/docker-development/scripts/dockerfile_analyzer.py",
  "line": 110,
  "pattern": "\"message\": \"npm install includes devDependencies \u2014 use npm ci --omit=dev for production\",",
  "risk": "Runtime package installation \u2014 may install untrusted code",
  "fix": "Move dependencies to package.json for pre-install review"
}
{
  "severity": "HIGH",
  "category": "DEPS-RUNTIME",
  "file": "/home/runner/work/claude-skills/claude-skills/engineering/docker-development/scripts/dockerfile_analyzer.py",
  "line": 177,
  "pattern": "RUN pip install -r requirements.txt",
  "risk": "Runtime package installation \u2014 may install untrusted code",
  "fix": "Move dependencies to requirements.txt for pre-install review"
}
{
  "severity": "HIGH",
  "category": "DEPS-RUNTIME",
  "file": "/home/runner/work/claude-skills/claude-skills/engineering/browser-automation/scripts/scraping_toolkit.py",
  "line": 107,
  "pattern": "pip install playwright",
  "risk": "Runtime package installation \u2014 may install untrusted code",
  "fix": "Move dependencies to requirements.txt for pre-install review"
}
{
  "severity": "HIGH",
  "category": "DEPS-RUNTIME",
  "file": "/home/runner/work/claude-skills/claude-skills/engineering/browser-automation/scripts/form_automation_builder.py",
  "line": 183,
  "pattern": "pip install playwright",
  "risk": "Runtime package installation \u2014 may install untrusted code",
  "fix": "Move dependencies to requirements.txt for pre-install review"
}

⚠️ product-team — WARN

| Severity | Count |
|---|---|
| 🟡 High | 3 |
Findings detail
{
  "severity": "HIGH",
  "category": "DEPS-RUNTIME",
  "file": "/home/runner/work/claude-skills/claude-skills/product-team/saas-scaffolder/scripts/project_bootstrapper.py",
  "line": 158,
  "pattern": "{'npm install && npm run dev' if stack in ('nextjs', 'express') else 'pip install -r requirements.txt && uvicorn app.mai",
  "risk": "Runtime package installation \u2014 may install untrusted code",
  "fix": "Move dependencies to requirements.txt for pre-install review"
}
{
  "severity": "HIGH",
  "category": "DEPS-RUNTIME",
  "file": "/home/runner/work/claude-skills/claude-skills/product-team/saas-scaffolder/scripts/project_bootstrapper.py",
  "line": 158,
  "pattern": "{'npm install && npm run dev' if stack in ('nextjs', 'express') else 'pip install -r requirements.txt && uvicorn app.mai",
  "risk": "Runtime package installation \u2014 may install untrusted code",
  "fix": "Move dependencies to package.json for pre-install review"
}
{
  "severity": "HIGH",
  "category": "DEPS-RUNTIME",
  "file": "/home/runner/work/claude-skills/claude-skills/product-team/saas-scaffolder/scripts/project_bootstrapper.py",
  "line": 340,
  "pattern": "RUN pip install --no-cache-dir -r requirements.txt",
  "risk": "Runtime package installation \u2014 may install untrusted code",
  "fix": "Move dependencies to requirements.txt for pre-install review"
}

product-team/spec-to-repo — PASS

No findings.
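The audit above is a text scan, which is why the auditor flagged its own rule table and test fixtures (for example skill_security_auditor.py line 125 and test_security_scorer.py line 123) as CMD-INJECT alongside the real `shell=True` call sites in the autoresearch-agent evaluators. As an added example that is not the repository's auditor, here is the same check done over the AST, so only real call sites are reported, next to the list-arguments fix the findings recommend; the sample module and the text patterns are constructed for the demonstration.

```python
"""AST-based check for shell-spawning calls (added example, not the repo's
skill_security_auditor.py).  Text matching fires on any line containing the
pattern, which is why the audit flagged the auditor's own rule strings and
test fixtures; walking the AST reports only real call sites."""
import ast
import re
from dataclasses import dataclass
from typing import List, Optional

# Only the `module.func(...)` spelling is resolved; `from os import system`
# would need import tracking and is out of scope for this example.
COMMAND_FUNCS = {"os.system", "os.popen"}
SUBPROCESS_FUNCS = {"subprocess." + f for f in
                    ("run", "call", "check_call", "check_output", "Popen")}

# The kind of patterns a text-based scanner uses (constructed here).
TEXT_PATTERNS = [re.compile(r"shell\s*=\s*True"),
                 re.compile(r"\bos\.(?:system|popen)\(")]


@dataclass
class Finding:
    line: int
    func: str
    risk: str


def _qualified_name(func: ast.expr) -> Optional[str]:
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{func.value.id}.{func.attr}"
    return None


def _has_shell_true(call: ast.Call) -> bool:
    for kw in call.keywords:
        if (kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                and kw.value.value is True):
            return True
    return False


def ast_scan(source: str) -> List[Finding]:
    """Report os.system/os.popen calls and subprocess.* calls with shell=True."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _qualified_name(node.func)
        if name in COMMAND_FUNCS:
            findings.append(Finding(node.lineno, name,
                                    "arbitrary command execution"))
        elif name in SUBPROCESS_FUNCS and _has_shell_true(node):
            findings.append(Finding(node.lineno, name,
                                    "shell injection via shell=True"))
    return sorted(findings, key=lambda f: f.line)


def text_scan(source: str) -> List[int]:
    """Line numbers a naive regex scanner flags, string literals included."""
    return [i for i, line in enumerate(source.splitlines(), 1)
            if any(p.search(line) for p in TEXT_PATTERNS)]


# Constructed sample mirroring the shapes seen in the audit: a real
# shell=True call, a real os.system call, a scanner rule table and a test
# fixture that merely *contain* the patterns, and the hardened form.
SAMPLE = '''
import os
import subprocess

BUILD_CMD = "make build"

def build():
    return subprocess.run(BUILD_CMD, shell=True, capture_output=True)

def list_dir():
    return os.system("ls -la")

RULES = [{"pattern": "subprocess.run(cmd, shell=True)", "severity": "CRITICAL"}]

def fixture():
    code = 'os.system("ls -la")'
    return code

def build_safe(args):
    # the fix the audit recommends: argv list, no shell
    return subprocess.run(list(args), shell=False, capture_output=True)
'''

if __name__ == "__main__":
    print("text scan lines :", text_scan(SAMPLE))   # 4 hits, 2 are literals
    print("ast scan        :", ast_scan(SAMPLE))    # only the 2 real calls
```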

@claude

claude bot commented Apr 7, 2026

PR Review — Release: dev → main (April 2026)

Overall this is a solid release PR. The two primary new additions (spec-to-repo and statistical-analyst) follow established skill patterns and the count corrections are consistent across files. A few issues to address:


Bugs / Inconsistencies

1. mkdocs.yml — nav alphabetical ordering is wrong

Statistical Analyst is inserted before Spec-Driven Workflow, but Sp < St alphabetically, so Spec-Driven Workflow should appear first:

# Current (wrong):
- "Statistical Analyst": skills/engineering/statistical-analyst.md
- "Spec-Driven Workflow": skills/engineering/spec-driven-workflow.md

# Correct:
- "Spec-Driven Workflow": skills/engineering/spec-driven-workflow.md
- "Statistical Analyst": skills/engineering/statistical-analyst.md

2. CLAUDE.md — "Status" line still says 28 marketplace plugins

Status: 233 skills deployed across 9 domains, 28 marketplace plugins, docs site live

The PR description says "32 marketplace plugins (4 new)" and the PR itself adds statistical-analyst to marketplace.json. The status line needs updating to match.

3. CLAUDE.md — "Last Updated" is stale

Last Updated: March 31, 2026

This PR is merging April 2026 work; this should be updated to the merge date.


Code Quality — validate_project.py

The script is well-structured, stdlib-only, and handles edge cases well. Two minor issues:

4. pass\s*$ placeholder pattern is too aggressive

r"pass\s*$",

This will flag intentional pass statements: abstract base classes, empty __init__ methods, and any typed stub file will generate false positives. Consider narrowing to something like ^\s+pass\s*$ combined with a check that the preceding line defines a function, or remove it entirely since the other patterns already catch unimplemented code.

5. Files opened without context managers

In check_env_example and check_placeholders, files are opened with bare open() calls instead of with blocks:

# Current:
content = open(filepath, "r", encoding="utf-8", errors="ignore").read()
lines = open(filepath, "r", encoding="utf-8", errors="ignore").readlines()

# Preferred:
with open(filepath, "r", encoding="utf-8", errors="ignore") as fh:
    content = fh.read()

Works fine in CPython due to reference counting but is not best practice and will cause resource leaks under PyPy or if the pattern is adapted to larger scans.

6. ... # placeholder regex requires exactly two spaces

r"\.\.\.  # placeholder",

This is fragile — one space or no comment would be missed. Use r"\.\.\.\s*#\s*placeholder" to be resilient to formatting variation.


Skill Quality

spec-to-repo (product-team/) — Well done. The four-phase workflow (Parse → Architecture → Generate → Validate) is clear and actionable. The validate_project.py integration in Phase 4 is a nice touch. The skill correctly calls out the boundary with saas-scaffolder. YAML frontmatter is present and descriptive.

statistical-analyst (engineering/) — Registered in marketplace.json, Gemini, and MkDocs. Plugin.json follows the correct schema.

Missing: spec-to-repo has no .claude-plugin/plugin.json and is not listed in marketplace.json. Other product-team skills (e.g., saas-scaffolder) are in the marketplace. Is this intentional? If not, a plugin.json and marketplace entry should be added.


Count Corrections

The downward revision from 248→233 skills and 332→305 tools is consistent across CLAUDE.md, README.md, marketplace.json, .codex/skills-index.json, .gemini/skills-index.json, and mkdocs.yml. No inconsistencies found across those files.


Summary

| Issue | Severity | File |
|---|---|---|
| mkdocs.yml nav out of alphabetical order | Low | mkdocs.yml:217 |
| "28 marketplace plugins" stale in Status line | Low | CLAUDE.md |
| "Last Updated: March 31" stale | Low | CLAUDE.md |
| `pass\s*$` false positives | Low | validate_project.py:79 |
| Files opened without `with` | Low | validate_project.py:128,162 |
| `...  # placeholder` regex fragile | Low | validate_project.py:84 |
| spec-to-repo missing plugin.json / marketplace entry | Info | product-team/spec-to-repo/ |

All issues are low-severity. Items 1-3 are straightforward fixes before merge. Items 4-7 are quality improvements that could be addressed in a follow-up.

🤖 Generated with Claude Code
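The three validate_project.py points in the review above (the over-broad `pass\s*$` rule, bare `open()` calls, and the two-space `...  # placeholder` regex), worked through as an added example; the repository's validate_project.py is not reproduced here, so this is a reconstruction of the check, not the project's code. It goes one step beyond the review by also skipping `@abstractmethod` bodies and an assumed allowlist of empty `__init__` methods, and the sample module is constructed.

```python
"""Placeholder detection for a generated project (added example; the repo's
validate_project.py is not reproduced here).  Covers the three review points:
`pass` only counts as a stub when it is the body of a function, files are
read inside `with`, and the `...  # placeholder` rule tolerates whitespace."""
import re
from typing import List, Optional, Tuple

PASS_RE = re.compile(r"^\s+pass\s*$")                 # indented `pass` only
DEF_RE = re.compile(r"^\s*(?:async\s+)?def\s+(\w+)\s*\(")
DECORATOR_RE = re.compile(r"^\s*@")
ABSTRACT_RE = re.compile(r"^\s*@(?:abc\.)?abstractmethod\b")
ELLIPSIS_RE = re.compile(r"\.\.\.\s*#\s*placeholder")  # any spacing, or none

# Assumption: empty __init__ bodies are legitimate and never reported.
ALLOWED_EMPTY_BODIES = {"__init__"}


def _enclosing_def(lines: List[str], i: int) -> Optional[Tuple[str, bool]]:
    """If the nearest non-blank line above lines[i] is a `def`, return
    (function name, decorated with @abstractmethod), else None.  A docstring
    between the def and the pass is not looked through (assumption: a
    documented empty body is intentional)."""
    j = i - 1
    while j >= 0 and not lines[j].strip():
        j -= 1
    if j < 0:
        return None
    m = DEF_RE.match(lines[j])
    if not m:
        return None
    is_abstract = False
    k = j - 1
    while k >= 0 and DECORATOR_RE.match(lines[k]):
        if ABSTRACT_RE.match(lines[k]):
            is_abstract = True
        k -= 1
    return m.group(1), is_abstract


def scan_lines(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (1-based line number, kind) for each placeholder found."""
    findings = []
    for i, line in enumerate(lines):
        if ELLIPSIS_RE.search(line):
            findings.append((i + 1, "ellipsis-placeholder"))
        elif PASS_RE.match(line):
            ctx = _enclosing_def(lines, i)
            if ctx is None:            # `pass` in an if/except/loop: fine
                continue
            name, is_abstract = ctx
            if is_abstract or name in ALLOWED_EMPTY_BODIES:
                continue
            findings.append((i + 1, "stub-pass"))
    return findings


def check_placeholders(filepath: str) -> List[Tuple[int, str]]:
    # Context manager closes the handle deterministically on every runtime.
    with open(filepath, "r", encoding="utf-8", errors="ignore") as fh:
        return scan_lines(fh.read().splitlines())


# Constructed sample exercising each rule.
SAMPLE = '''\
from abc import ABC, abstractmethod

class Repo(ABC):
    @abstractmethod
    def save(self, item):
        pass

    def __init__(self):
        pass

    def load(self, key):
        pass

    def delete(self, key):
        ...  # placeholder

    def count(self):
        ... #placeholder

def helper(x):
    if x:
        pass
    return x
'''

if __name__ == "__main__":
    for lineno, kind in scan_lines(SAMPLE.splitlines()):
        print(f"line {lineno}: {kind}")   # 12 stub-pass, 15 and 18 ellipsis
```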

@alirezarezvani alirezarezvani merged commit 43295c1 into main Apr 7, 2026
5 of 7 checks passed
