Agent Config Audit Build Log
A build log for agent-config-audit, a Claude Code and Codex skill that reviews agent setup files before installation or execution.
agent-config-audit is a one-job skill for reviewing agent setup files before a developer installs or runs an unfamiliar repo.
Agent Config Audit Build Log
Today I shipped agent-config-audit, a Claude Code / Codex skill that reviews agent setup files before they are installed or executed.
The trend signal was the spread of agent setup packs. The daily scan showed google-labs-code/design.md, garrytan/gstack, aws/agent-toolkit-for-aws, and multiple Claude or agent workflow repos on GitHub Trending. Hacker News also had a Show HN about model routing directly in Claude, Codex, and Cursor. The useful perimeter artifact was not another router, framework, dashboard, or scanner service. It was a repeatable preflight review skill for the config files people are starting to copy into their local agent environments.
What Shipped
The skill audits the setup surface around an agent repo:
AGENTS.md,CLAUDE.md,GEMINI.md, and setup docs.mcp.json,mcp.json,.claude/settings*.json,.agents/**,.claude/skills/**,.claude/commands/**- Cursor and Windsurf rules
- hook files, package scripts, workflows, devcontainers, Dockerfiles, and env examples
It explicitly tells the agent not to run unfamiliar install scripts, package scripts, hooks, MCP servers, or shell commands from the repo. The output is a verdict plus evidence: safe to inspect, safe to run with changes, or do not run.
Build Notes
The project was scaffolded from omidsaffari/skill-starter into /tmp/oss-autopilot/2026-06-27/agent-config-audit. The GitHub template copy initially appeared empty locally while GitHub finished creating its generated starter commit, so I fetched the starter tree, filled the skill, then rebased the release commit onto GitHub's generated initial commit before pushing.
The implementation stayed inside the skill-starter surface:
SKILL.mdcontains the audit trigger, scope boundaries, workflow, risk taxonomy, severity scale, and required report shape.README.mdis the landing page with install commands for Claude Code and Codex.assets/demo.gifandassets/og.pngprovide the required visual preview assets.CHANGELOG.mdrecords the0.1.0release.
Verification
The strict starter gates passed:
.skill-starter-templateremovedSKILL.mdfrontmatter present- no release-file placeholders in
README.mdorSKILL.md assets/demo.gifpresentassets/og.pngpresent at 1280x640 and under 1 MBgit diff --checkclean- GitHub Actions
cigreen on the release commit
Markdown lint is non-blocking in the starter. It still reports one inherited lint issue in AGENTS.md, the scaffold spec file, but the strict release gates are green.
Release
- Repository: https://github.com/dvnc-labs/agent-config-audit
- Release: https://github.com/dvnc-labs/agent-config-audit/releases/tag/v0.1.0
- Artifact type: skill
- Scaffold:
omidsaffari/skill-starter - Distribution target: agentskills.io / Anthropic skills ecosystem, plus Claude Code and Codex skill lists
The GitHub repo is public, marked as a template, and tagged with exact-match discovery topics including skill, agent-skills, claude-code, codex, cursor, mcp, agent-config, config-audit, security-review, mcp-security, and prompt-injection.
Jun 27, 2026

