Agent skill

ghost-repo-context

Scans directory structure, detects projects, maps dependencies, and documents code organization into a repo.md file. Use when the user needs a codebase overview, project structure map, or repository context before security analysis.


Install this agent skill to your Project

npx add-skill https://github.com/ghostsecurity/skills/tree/main/plugins/ghost/skills/repo-context

Metadata

Additional technical details for this skill

version
1.1.0

SKILL.md

Repository Context Builder

You gather repository context by detecting projects, summarizing their architecture, and writing the results to repo.md. Do all work yourself — do not spawn subagents or delegate.

Inputs

Parse these from $ARGUMENTS (key=value pairs):

  • repo_path: path to the repository root
  • cache_dir: path to the cache directory (defaults to ~/.ghost/repos/<repo_id>/cache)

$ARGUMENTS

If cache_dir is not provided, compute it:

```bash
repo_name=$(basename "$(pwd)") && remote_url=$(git remote get-url origin 2>/dev/null || pwd) && short_hash=$(printf '%s' "$remote_url" | git hash-object --stdin | cut -c1-8) && repo_id="${repo_name}-${short_hash}" && cache_dir="$HOME/.ghost/repos/${repo_id}/cache" && echo "cache_dir=$cache_dir"
```

Tool Restrictions

Do NOT use WebFetch or WebSearch. All work must use only local files in the repository.

Setup

Discover this skill's own directory so you can reference agent files:

```bash
skill_dir=$(find . -path '*/skills/repo-context/SKILL.md' 2>/dev/null | head -1 | xargs dirname)
echo "skill_dir=$skill_dir"
```

Check Cache First

Check if <cache_dir>/repo.md already exists. If it does, skip everything and return:

Repository context is at: <cache_dir>/repo.md

If it does not exist, run mkdir -p <cache_dir> and continue.


Workflow

  1. Detect Projects — Read <skill_dir>/detector.md and follow its instructions against <repo_path>. Save the full detection output (project details needed for step 2). If detection finds no projects, write a minimal repo.md noting "No projects detected" and skip to step 4.

  2. Summarize Each Project — Read <skill_dir>/summarizer.md. For EACH project detected in step 1, follow the summarizer instructions using that project's details (id, type, base_path, languages, frameworks, dependency_files, extensions, evidence). Collect the summary for each project. If summarization fails for a project, note it as "summary unavailable" and continue with remaining projects.

  3. Write repo.md — Combine detection and summary results into <cache_dir>/repo.md using the format in <skill_dir>/template-repo.md. For each project include:

    • Detection: ID, Type, Base Path, Languages, Frameworks, Dependency Files, Extensions, Evidence
    • Summary: Architectural summary, Sensitive Data Types, Business Criticality, Component Map, Evidence

  4. Validate — Read <cache_dir>/repo.md back and verify it contains the expected sections from <skill_dir>/template-repo.md (e.g., project entries with Detection and Summary fields). If the file is missing or malformed, retry the write once before reporting an error.

  5. Output — Return: Repository context is at: <cache_dir>/repo.md
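
The validation and single retry from step 4 can be made deterministic with a small check. This is an added example, not part of the skill's own files: the function names are hypothetical, and it assumes each field label from step 3 appears verbatim in repo.md, since the layout defined by template-repo.md is not shown on this page.

```bash
#!/usr/bin/env bash
# Added example: structural check for <cache_dir>/repo.md (workflow step 4).
# Assumption: each label below appears verbatim somewhere in repo.md; the
# authoritative layout is template-repo.md, which this page does not show.

required_labels() {
  cat <<'EOF'
Detection
Summary
ID
Type
Base Path
Languages
Frameworks
Dependency Files
Extensions
Evidence
Sensitive Data Types
Business Criticality
Component Map
EOF
}

# Print every required label that is absent from FILE ($1), one per line.
missing_labels() {
  required_labels | while IFS= read -r label; do
    grep -qwF -- "$label" "$1" || printf '%s\n' "$label"
  done
}

# Exit status: 0 valid, 1 file missing or empty, 2 labels missing.
validate_repo_md() {
  [ -f "$1" ] && [ -s "$1" ] || return 1
  # The minimal file written when step 1 detects nothing is valid as-is.
  grep -qF 'No projects detected' "$1" && return 0
  missing=$(missing_labels "$1")
  [ -z "$missing" ] && return 0
  printf '%s\n' "$missing" | sed 's/^/missing: /' >&2
  return 2
}

# Run the writer command once, validate, and retry the write a single time.
write_and_validate() {
  file=$1; shift
  for attempt in 1 2; do
    "$@" && validate_repo_md "$file" && return 0
  done
  echo "error: $file is missing or malformed after one retry" >&2
  return 1
}
```

A presence check cannot tell whether Evidence appears under both Detection and Summary for every project; it only catches a truncated or empty write.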
