skill-graph-audit
- Repo stars 289
- Author updated Live
- Author repo claude-night-market
- Domain
- Security
- Compatible agents
-
- Claude Code
- Cursor
- Cline
- Codex
- Windsurf
- Gemini CLI
- +20
- Trust score
- 88 / 100 · community maintained
- Author / version / license
- @athola · no license declared
- Token usage
- Lean
- Setup complexity
- Plug-and-play
- External API key
- Not required
- Operating systems
- macOS · Linux · Windows
- Runtime requirements
- Node.js
- Permissions
-
- Read-only
- Write / modify
- Network behavior
- External requests
- Install commands
- 26 variants
Profile is derived at build time from SKILL.md and install vectors. Subject to drift from author intent.
Heads up: 未限定 allowed-tools,默认拥有全部工具权限。
---
name: skill-graph-audit
description: Audit Skill() refs; detect hubs, isolates, and dangling targets. Use when auditing skills. Build…
category: security
runtime: Node.js
---
# skill-graph-audit output preview
## PART A: Task fit
- Use case: Audit Skill() refs; detect hubs, isolates, and dangling targets. Use when auditing skills. Build a directed graph of Skill(plugin:name) invocations across the marketplace and surface composition patterns: which skills are heavily makes outbound network calls; runs on Node.js. Works with Claude Code, Cursor, Cline and 23 more..
- Inputs: target material, constraints, expected output, and acceptance criteria.
- Evidence boundary: follow “Overview / When To Use / When NOT To Use” and do not present inference as author intent.
## PART B: Execution result
- **01** The card summarizes the use case; runtime output centers on “Audit Skill() refs; detect hubs, isolates, and dangling targets. Use when auditing skills. Build a directed graph of Skill(plugin:name) invocations across the marketplace and surface composition patterns: which skills are heavily makes outbound network calls; runs on Node.js. Works with Claude Code, Cursor, Cline and 23 more.”.
- **02** When the source has headings, the agent prioritizes “Overview / When To Use / When NOT To Use” so the result follows the author’s structure.
- **03** Typical output includes task judgment, concrete steps, required commands or file edits, validation, and follow-up options.
- **04** Risk context follows the fingerprint: read files, write/modify files; may access external network resources; usually needs no extra API key.
## Running Rules
- read files, write/modify files; may access external network resources; usually needs no extra API key.
- Validate with a small sample before expanding scope.
- Return the result, validation criteria, and next iteration options. The source does not require a stable slash command. After installation, invoke the skill by name and describe the task.
Name target files or source material, expected output, forbidden changes, and whether network or shell access is allowed. Permission fingerprint: read files, write/modify files.
Start with a small task and check whether the result follows “Overview / When To Use / When NOT To Use”. Inspect diffs, logs, previews, or tests before expanding scope.
Confirm the final output includes a concrete result, evidence, and next action. If it stays generic, tighten inputs, boundaries, and acceptance criteria.
---
name: skill-graph-audit
description: Audit Skill() refs; detect hubs, isolates, and dangling targets. Use when auditing skills. Build…
category: security
source: athola/claude-night-market
---
# skill-graph-audit
## When to use
- Audit Skill() refs; detect hubs, isolates, and dangling targets. Use when auditing skills. Build a directed graph of S…
- Use it when the task has clear inputs, repeatable steps, and validation criteria.
## What to provide
- Target material, scope, expected result, and forbidden changes.
- Whether network, commands, file writes, or external services are allowed.
## Execution rules
- Organize steps around “Overview / When To Use / When NOT To Use” and keep inference separate from source facts.
- read files, write/modify files; may access external network resources; usually needs no extra API key.
- Validate with a small sample before expanding the task.
## Output requirements
- Return the deliverable, key evidence, validation method, and next action.
- Mark missing information as unknown; do not invent commands, platforms, or dependencies. The author source anchors workflow facts; repository files anchor sources and commands; Fluxly only adds fit, limitations, and quality judgment.
skill "skill-graph-audit" {
input -> user goal + target files + boundaries + acceptance criteria
context -> Overview / When To Use / When NOT To Use
rules -> SKILL.md triggers / order / output contract
runtime -> Node.js | read files, write/modify files | may access external network resources
guardrails -> usually needs no extra API key + small-sample validation + diff/log review
output -> copyable result + checklist + next iteration
} Skill Graph Audit
Overview
Build a directed graph of Skill(plugin:name) invocations across the
marketplace and surface composition patterns: which skills are heavily
referenced (hubs), which orchestrate many others (orchestrators), which
have no incoming or outgoing references (isolates), and which point at
non-existent skills (dangling references).
The federation graph is now derivable from source rather than hand-curated.
When To Use
- Before a documentation pass on skill composition
- After a renaming or retirement to catch broken
Skill()references - During quarterly audits to spot orphaned skills
- When evaluating consolidation candidates (hubs are higher-risk to merge)
- When a new skill's outbound references should be sanity-checked
When NOT To Use
- For per-skill quality scoring, use
Skill(abstract:skills-eval)instead - For frontmatter/structure validation, use
Skill(abstract:plugin-review) - For hook-specific audits, use
Skill(abstract:hooks-eval)
Quick Start
python3 plugins/abstract/scripts/skill_graph.py \
--plugins-root plugins --top-n 10
For machine-readable output:
python3 plugins/abstract/scripts/skill_graph.py \
--plugins-root plugins --format json --output reports/skill-graph.json
See modules/usage.md for full CLI reference and example workflows.
Core Outputs
| Output | Meaning | Action when high |
|---|---|---|
| Hubs | Most-referenced skills | Treat as core API; retire with extreme care |
| Orchestrators | Skills that call many others | Verify each ref still resolves |
| Isolates | Zero in / zero out | Check role: library? entrypoint? typo? |
| Dangling: bugs | Missing internal target | Fix immediately (typo or retired skill) |
| Dangling: external | Reference to external plugin | Document plugin dependency |
| Dangling: placeholders | Template text like -NAME |
Verify intentional |
See modules/interpretation.md for false-positive guidance and
isolation taxonomy.
Dogfood Evidence
This skill itself was scaffolded TDD-first; on first run against
plugins/, it caught two genuine dangling refs that the manual
audit (2026-04-25) had missed:
attune:makefile-generation -> abstract:makefile-dogfooder(script name confused with skill name)imbue:karpathy-principles -> spec-kit:speckit-clarify(command referenced as skill)
Both were converted to correct command-style references in the same session.
Verification
Two ways to validate the audit output is trustworthy:
- Test-suite correctness check: Run
pytest -o addopts= plugins/abstract/tests/scripts/test_skill_graph.pyto confirm extraction, graph construction, ranking, isolate detection, and dangling-ref classification all pass on the current code. The-o addopts=flag bypasses the package-wide coverage gate, which would otherwise fail on a single-file run. - Round-trip smoke check: Note the dangling-ref count from a baseline run, fix one or more flagged references, then rerun and verify the count drops by at least the number fixed. If the count does not move, the report is stale or the regex missed a syntax variant.
Exit Criteria
- The graph builds:
skill_graph.pyruns againstplugins/without error and emits a node/edge count. - Dangling references are classified into bugs, external, and
placeholders (the three
Core Outputsrows resolve). - Every
Dangling: bugsentry is either fixed in the same session or filed as a tracked issue. -
pytest -o addopts= plugins/abstract/tests/scripts/test_skill_graph.pypasses. - The round-trip smoke check shows the dangling-ref count drops by at least the number of references fixed.
Related Skills
Skill(abstract:skills-eval): per-skill quality scoringSkill(abstract:plugin-review): plugin manifest and structureSkill(abstract:hooks-eval): hook-specific validationSkill(abstract:rules-eval): rules directory validation
References
- Implementation:
plugins/abstract/scripts/skill_graph.py - Tests:
plugins/abstract/tests/scripts/test_skill_graph.py - Composition documentation:
docs/quality-gates.md#skill-level-quality-gate-composition - Skill role taxonomy:
docs/skill-integration-guide.md#skill-role-taxonomy
Decide Fit First
Design Intent
How To Use It
Boundaries And Review