audit-skills brings 30 language-agnostic invariants to AI coding agents
danygiguere's `audit-skills` is an open-source GitHub repository of language- and framework-agnostic audit checklists covering security, correctness, and operability, designed to work with AI coding agents like Claude Code, GitHub Copilot, Cursor, Codex CLI, and OpenCode.
Score breakdown
The checklist-as-invariants approach lets a single set of audit rules catch reasoning-dependent bugs — such as those involving ownership, concurrency, and retries — across any language or framework, filling a gap that pattern-matching static analysis tools leave open.
danygiguere's `audit-skills` is a public GitHub repository offering language- and framework-agnostic audit checklists built for AI coding agents. The 30 invariants cover four categories — access & data security, input/API, correctness, and operability — and are expressed as invariants and detection smells rather than framework API references, allowing the same checklist content to apply across a Rails app, a Spring service, or an Express API, with the agent responsible for framework-specific translation. The package is compatible with Claude Code, GitHub Copilot, Cursor, Codex CLI, OpenCode, and any agent capable of reading files.
The repository's structure includes an `AGENTS.md` one-page digest of all 30 invariants intended to be copied into a project's own `AGENTS.md` so every agent has the content in context. The `.agents/skills/audit/` directory contains the router skill with all 30 checklists and remediation patterns under a `references/` subdirectory. Individual per-topic wrapper skills (e.g., `/audit-idor`, `/audit-injection`, `/audit-fix-authz`) are also provided so each checklist is individually invocable. All installed items are prefixed with `audit` to keep them grouped among other skills.
A demo included in the repository runs `/audit` on a 20-line money handler and flags six bugs — each requiring reasoning about ownership, concurrency, and retries — that static-analysis scanners cannot surface through pattern-matching. Each flagged issue is reported with severity and a suggested fix.
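To make the "reasoning-dependent" point concrete, here is an added example (not code from the `audit-skills` repository or its demo) of a toy money handler with three of the smells the page names, ownership, concurrency and retries, beside a hardened version in which each invariant is enforced explicitly. All names (`Ledger`, `withdraw_naive`, `withdraw`, `request_id`, the account and request ids) are constructed for the illustration; the three `*_check` helpers exercise each invariant so the difference between the two handlers is observable rather than asserted.

```python
"""Toy money handler showing three of the reasoning-dependent invariants the page
names (ownership, concurrency, retries), with the naive form an invariant-based
audit would flag beside a hardened form. Constructed example: all names are
hypothetical and none of this is code from the audit-skills repository."""
import threading
from dataclasses import dataclass, field


@dataclass
class Account:
    owner: str
    balance: int
    lock: threading.Lock = field(default_factory=threading.Lock)


class Ledger:
    """In-memory ledger exposing a naive and a hardened withdraw handler."""

    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
        self.applied: set[str] = set()        # request ids that have already been debited
        self._applied_lock = threading.Lock()

    def open(self, account_id: str, owner: str, balance: int) -> None:
        self.accounts[account_id] = Account(owner, balance)

    def withdraw_naive(self, caller: str, account_id: str, amount: int, request_id: str) -> str:
        """The 'before' handler: three smells an invariant checklist would report."""
        acct = self.accounts[account_id]      # ownership smell: caller is never compared to acct.owner
        if acct.balance >= amount:            # concurrency smell: check and debit are not atomic
            acct.balance -= amount            # retry smell: request_id is accepted but never recorded
            return "ok"
        return "insufficient"

    def withdraw(self, caller: str, account_id: str, amount: int, request_id: str) -> str:
        """The 'after' handler: each invariant enforced explicitly."""
        acct = self.accounts.get(account_id)
        if acct is None or acct.owner != caller:        # ownership: only the owner may debit
            raise PermissionError("caller does not own this account")
        if amount <= 0:                                 # input: reject zero and negative amounts
            raise ValueError("amount must be positive")
        with acct.lock, self._applied_lock:             # concurrency: check-and-debit is one critical section
            if request_id in self.applied:              # retries: at most one debit per request id
                return "duplicate"
            if acct.balance < amount:
                return "insufficient"
            acct.balance -= amount
            self.applied.add(request_id)
            return "ok"


def _fresh_ledger() -> Ledger:
    ledger = Ledger()
    ledger.open("acct-1", owner="alice", balance=100)   # constructed sample account
    return ledger


def ownership_check(handler_name: str) -> str:
    """What a non-owner gets back from the named handler."""
    ledger = _fresh_ledger()
    try:
        return getattr(ledger, handler_name)("mallory", "acct-1", 50, "req-1")
    except PermissionError:
        return "denied"


def retry_check(handler_name: str) -> int:
    """Balance left after the same request is delivered twice (a client retry)."""
    ledger = _fresh_ledger()
    handler = getattr(ledger, handler_name)
    for _ in range(2):
        handler("alice", "acct-1", 30, "req-42")
    return ledger.accounts["acct-1"].balance


def concurrency_check(handler_name: str, workers: int = 50) -> tuple[int, int]:
    """(successful debits, final balance) when `workers` threads each withdraw 10 from 100.
    The hardened handler always yields (10, 0); the naive one is nondeterministic and
    can overdraw, the kind of defect the page says pattern-matching scanners miss."""
    ledger = _fresh_ledger()
    handler = getattr(ledger, handler_name)
    results: list[str] = []

    def run(i: int) -> None:
        results.append(handler("alice", "acct-1", 10, f"req-{i}"))

    threads = [threading.Thread(target=run, args=(i,)) for i in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results.count("ok"), ledger.accounts["acct-1"].balance


if __name__ == "__main__":
    for name in ("withdraw_naive", "withdraw"):
        print(name, ownership_check(name), retry_check(name), concurrency_check(name))
```

None of the three defects in `withdraw_naive` is visible to a grep-style rule: the code calls no dangerous API and has no suspicious literal. Each is a missing relationship (caller to owner, check to debit, request to prior request), which is why the page's checklists phrase them as invariants for the agent to reason about rather than as framework-specific patterns.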
Key facts
- The repository provides 30 language- and framework-agnostic audit checklists for AI coding agents.
- Checklists are written as invariants and detection smells, not framework APIs, enabling cross-language use.
- Four checklist categories: access & data security, input/API, correctness, and operability.
- Compatible with Claude Code, GitHub Copilot, Cursor, Codex CLI, OpenCode, and any file-reading agent.
- `AGENTS.md` contains a one-page digest of all 30 invariants for easy inclusion in project context.
- Per-topic wrapper skills (e.g., `/audit-idor`, `/audit-injection`) allow individual checklist invocation.
- A demo runs `/audit` on a 20-line money handler and flags six bugs that static-analysis scanners cannot detect.
Summary and scoring are generated automatically from the original article. We always link back to the publisher and never republish images or paywalled content. Last processed Jun 15, 2026 · 11:57 UTC.