Agent Config Audit Build Log

A build log for agent-config-audit, a Claude Code and Codex skill that reviews agent setup files before installation or execution.

Saturday, June 27, 2026

Omid Saffari

agent-config-audit is a one-job skill for reviewing agent setup files before a developer installs or runs an unfamiliar repo.

Today I shipped agent-config-audit, a Claude Code / Codex skill that reviews agent setup files before they are installed or executed.

The trend signal was the spread of agent setup packs. The daily scan showed google-labs-code/design.md, garrytan/gstack, aws/agent-toolkit-for-aws, and multiple Claude or agent workflow repos on GitHub Trending. Hacker News also had a Show HN about model routing directly in Claude, Codex, and Cursor. The useful perimeter artifact was not another router, framework, dashboard, or scanner service. It was a repeatable preflight review skill for the config files people are starting to copy into their local agent environments.

What Shipped

The skill audits the setup surface around an agent repo:

  • AGENTS.md, CLAUDE.md, GEMINI.md, and setup docs
  • .mcp.json, mcp.json, .claude/settings*.json, .agents/**, .claude/skills/**, .claude/commands/**
  • Cursor and Windsurf rules
  • hook files, package scripts, workflows, devcontainers, Dockerfiles, and env examples

It explicitly tells the agent not to run unfamiliar install scripts, package scripts, hooks, MCP servers, or shell commands from the repo. The output is a verdict plus evidence: safe to inspect, safe to run with changes, or do not run.
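A read-only inventory of that surface can be sketched in a few lines. This is an added example, not code from agent-config-audit (the skill itself is instructions in SKILL.md). The function names, the evidence tuple shape, the use of package.json for "package scripts", and the sample repo contents are assumptions made here.

```python
import fnmatch
import json
from pathlib import Path

# Root-relative globs from the audit-surface list above; package.json covers "package scripts".
SURFACE = ["AGENTS.md", "CLAUDE.md", "GEMINI.md", ".mcp.json", "mcp.json", "package.json",
           ".claude/settings*.json", ".agents/*", ".claude/skills/*", ".claude/commands/*"]
LIFECYCLE = {"preinstall", "install", "postinstall", "prepare"}  # npm runs these on install

def commands_in(node, path=""):
    """Yield (json_path, value) for every "command" string anywhere in parsed JSON."""
    items = node.items() if isinstance(node, dict) else enumerate(node) if isinstance(node, list) else ()
    for key, val in items:
        here = f"{path}.{key}" if path else str(key)
        if key == "command" and isinstance(val, str):
            yield here, val
        else:
            yield from commands_in(val, here)

def load(repo):
    """Read audit-surface files as text; nothing in the repo is imported or executed."""
    repo = Path(repo)
    rels = {p.relative_to(repo).as_posix(): p for p in sorted(repo.rglob("*")) if p.is_file()}
    return {rel: p.read_text(encoding="utf-8", errors="replace")
            for rel, p in rels.items() if any(fnmatch.fnmatch(rel, pat) for pat in SURFACE)}

def audit(files):
    """Return (file, location, command) evidence rows for a {relative_path: text} mapping."""
    evidence = []
    for rel, text in files.items():
        evidence.append((rel, "present", ""))
        try:
            data = json.loads(text) if rel.endswith(".json") else None
        except ValueError:
            data = None
            evidence.append((rel, "unparseable", ""))
        evidence.extend((rel, where, cmd) for where, cmd in commands_in(data))
        scripts = data.get("scripts") if isinstance(data, dict) else None
        if rel.endswith("package.json") and isinstance(scripts, dict):
            evidence.extend((rel, f"scripts.{n}", c) for n, c in scripts.items() if n in LIFECYCLE)
    return evidence

# Constructed sample repo contents (not from the page), so the example runs offline.
SAMPLE = {
    "AGENTS.md": "# setup notes\n",
    ".mcp.json": '{"mcpServers": {"docs": {"command": "npx", "args": ["-y", "example-mcp"]}}}',
    ".claude/settings.local.json":
        '{"hooks": {"PreToolUse": [{"hooks": [{"type": "command", "command": "./hooks/pre.sh"}]}]}}',
    "package.json": '{"scripts": {"postinstall": "node setup.js", "test": "jest"}}',
}
```

`audit(load("path/to/repo"))` gives the same rows for a checkout on disk; each row is a command the setup files would launch, which is the evidence a reviewer reads before deciding on a verdict.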

Build Notes

The project was scaffolded from omidsaffari/skill-starter into /tmp/oss-autopilot/2026-06-27/agent-config-audit. The GitHub template copy initially appeared empty locally while GitHub finished creating its generated starter commit, so I fetched the starter tree, filled the skill, then rebased the release commit onto GitHub's generated initial commit before pushing.

The implementation stayed inside the skill-starter surface:

  • SKILL.md contains the audit trigger, scope boundaries, workflow, risk taxonomy, severity scale, and required report shape.
  • README.md is the landing page with install commands for Claude Code and Codex.
  • assets/demo.gif and assets/og.png provide the required visual preview assets.
  • CHANGELOG.md records the 0.1.0 release.

Verification

The strict starter gates passed:

  • .skill-starter-template removed
  • SKILL.md frontmatter present
  • no release-file placeholders in README.md or SKILL.md
  • assets/demo.gif present
  • assets/og.png present at 1280x640 and under 1 MB
  • git diff --check clean
  • GitHub Actions ci green on the release commit

Markdown lint is non-blocking in the starter. It still reports one inherited lint issue in AGENTS.md, the scaffold spec file, but the strict release gates are green.

Release

The GitHub repo is public, marked as a template, and tagged with exact-match discovery topics including skill, agent-skills, claude-code, codex, cursor, mcp, agent-config, config-audit, security-review, mcp-security, and prompt-injection.

Last Updated

Jun 27, 2026

Category: Agents
