Pensive Tiered Audit

v1.0.0

Audit a codebase using three escalation tiers: git history analysis, targeted deep-dives, and full codebase review with gating

Security Scan

VirusTotal: Benign
OpenClaw: Benign (medium confidence)
Purpose & Capability
The name/description (tiered audit) match the runtime instructions: Tier 1 runs git history commands, Tier 2 reads flagged source files, Tier 3 is gated for full codebase review. The only declared requirement (night-market.imbue:proof-of-work) is referenced by the SKILL.md (output contracts / imbue modules), so it appears relevant.
Instruction Scope
Instructions explicitly run git commands, read source files in flagged areas, and write findings into .coordination/agents/*.findings.md — all expected for an audit. The doc instructs the agent to 'Load area context from plugin CLAUDE.md and skill descriptions,' which could cause the agent to open other plugin/skill metadata files in the repository; this is coherent for context-gathering but worth noting as broader file access within the repo.
Install Mechanism
There is no install spec and no code files. This is instruction-only, so nothing is downloaded or written by an installer. Risk from installs is low.
Credentials
The skill requests no environment variables or external credentials. It does declare a required config path (night-market.imbue:proof-of-work) which is referenced in the documents; this appears proportionate to the output-contract / gating mechanisms and not excessive.
Persistence & Privilege
The skill writes findings files into .coordination/agents/*.findings.md within the repository. It does not request always:true or system-wide privileges. Ensure you are comfortable with the agent creating/writing those files in your repo and that the agent is not set to auto-commit or publish these files without review.
Assessment
This skill appears coherent with its stated purpose, but check a few practical things before installing: (1) Confirm you are comfortable with the agent running git commands and reading repository files (it will read flagged source files and some plugin/skill metadata like CLAUDE.md). (2) Review what 'night-market.imbue:proof-of-work' config means in your environment — ensure it doesn't contain secrets you don't want an agent to access. (3) Be aware the skill writes findings to .coordination/agents/*.findings.md — verify your workflow for handling those artifacts (they should not be auto-committed/published unless you intend it). (4) Tier 3 requires explicit user approval; keep that guard enabled if you want to avoid full-codebase audits without confirmation.


Runtime requirements

🦞 Clawdis
Config: night-market.imbue:proof-of-work
latest: vk979ap88swx2bp72pq96dcc53184x7xp
47 downloads
0 stars
1 version
Updated 4d ago
MIT-0

Night Market Skill — ported from claude-night-market/pensive. For the full experience with agents, hooks, and commands, install the Claude Code plugin.

Tiered Audit

When To Use

  • Auditing codebase quality, patterns, or problems
  • Reviewing what changed on a branch before merge
  • Investigating areas of instability or churn
  • Pre-PR quality assessment

When NOT to Use

  • Reviewing a specific file (use pensive:code-reviewer)
  • Architecture-only review (use pensive:architecture-review)
  • Single-commit review (use imbue:diff-analysis)

Tier 1: Git History Audit

Always runs first. Analyzes git log, diff stats, and blame to identify areas of concern without reading any source files.

What Tier 1 Analyzes

Run these git commands for the target commit range (default: current branch vs main):

```bash
# 1. Churn hotspots: files changed most often
#    (--format="" leaves a blank separator line per commit; drop those
#    before counting, otherwise the blank line becomes the top "file")
git log --format="" --name-only {base}..HEAD \
  | sed '/^$/d' | sort | uniq -c | sort -rn | head -20

# 2. Diff stats: size of changes per file
git diff --stat {base}..HEAD

# 3. Fix-on-fix patterns: commits fixing previous commits
git log --oneline {base}..HEAD \
  | grep -iE "(fix|revert|patch|hotfix)"

# 4. New file clusters: modules with many new files
#    (name-status lines are "A<TAB>path"; strip the file name to get its directory)
git diff --name-status {base}..HEAD \
  | grep "^A" | cut -f2 \
  | sed 's|/[^/]*$||' | sort | uniq -c | sort -rn

# 5. Large commits: single commits with big diffs
git log --format="%h %s" --shortstat {base}..HEAD
```

Verification: Confirm each command produces output. If a command returns empty, the commit range may be wrong; verify {base} resolves correctly with git merge-base.

Tier 1 Output Format

Write findings to .coordination/agents/tier1-audit.findings.md:

```markdown
---
agent: tier1-audit
tier: 1
evidence_count: {N}
---

## Summary

{1-2 sentence overview of what the git history reveals}

## Churn Hotspots

{top 10 most-changed files with change counts}

[E1] Command: git log --format="" --name-only ...
     Output: {relevant output}

## Fix-on-Fix Patterns

{commits that fix previous commits in the same area}

[E2] Command: git log --oneline ... | grep -iE ...
     Output: {relevant output}

## New File Clusters

{modules with 5+ new files}

## Large Diffs

{commits with 200+ line changes}

## Escalation Recommendation

{list of areas flagged for Tier 2, or "no escalation needed"}
```

Escalation Decision

After Tier 1 completes, check findings against the escalation criteria in modules/escalation-criteria.md.

If NO criteria are met: audit is complete. Report findings.

If criteria ARE met: list flagged areas and proceed to Tier 2 for each area sequentially.
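The Tier 1 commands, the findings format and the escalation decision above, worked through end to end as an added example (this is not code from the pensive skill or from Night Market). The four sample outputs are constructed stand-ins for what the git commands print; the 5-new-files and 200-line thresholds are the ones the findings template states, while the 3-changes-per-file churn threshold and the file-to-area mapping (a file's directory) are assumptions, because modules/escalation-criteria.md is not reproduced on this page.

```python
# Tier 1 git-history audit over constructed git output (added example, not part
# of the pensive skill). 5+ new files per module and 200+ changed lines per
# commit are the template's thresholds; 3+ changes to one file is an assumption,
# since modules/escalation-criteria.md is not reproduced on the page.
import re
from collections import Counter
from posixpath import dirname

# Constructed samples standing in for the real command output.
NAME_ONLY_OUTPUT = """\
src/auth/session.py
src/auth/token.py

src/auth/session.py
src/billing/invoice.py

src/auth/session.py
src/billing/invoice.py
"""  # git log --format="" --name-only {base}..HEAD
ONELINE_OUTPUT = """\
a1b2c3d fix: session expiry off by one
b2c3d4e add invoice export
c3d4e5f fix session refresh race
d4e5f6a Revert "add invoice export"
e5f6a7b docs: update README
"""  # git log --oneline {base}..HEAD
NAME_STATUS_OUTPUT = """\
A\tsrc/auth/mfa/totp.py
A\tsrc/auth/mfa/backup_codes.py
A\tsrc/auth/mfa/enroll.py
A\tsrc/auth/mfa/verify.py
A\tsrc/auth/mfa/__init__.py
M\tsrc/auth/session.py
"""  # git diff --name-status {base}..HEAD
SHORTSTAT_OUTPUT = """\
b2c3d4e add invoice export
 4 files changed, 312 insertions(+), 8 deletions(-)
e5f6a7b docs: update README
 1 file changed, 1 insertion(+)
"""  # git log --format="%h %s" --shortstat {base}..HEAD

FIX_RE = re.compile(r"fix|revert|patch|hotfix", re.IGNORECASE)
STAT_RE = re.compile(r"\d+ files? changed(?:, (\d+) insertions?\(\+\))?(?:, (\d+) deletions?\(-\))?")

def area_of(path):
    """Audit area of a file: its directory ('.' for top-level files). Assumed mapping."""
    return dirname(path) or "."

def churn_hotspots(name_only_output, top=10):
    """Per-file change counts; the blank commit separators are skipped, not counted."""
    files = [ln.strip() for ln in name_only_output.splitlines() if ln.strip()]
    return Counter(files).most_common(top)

def fix_on_fix_commits(oneline_output):
    """Commits whose subject looks like a fix of earlier work (same regex as the page)."""
    return [ln for ln in oneline_output.splitlines() if FIX_RE.search(ln)]

def new_file_clusters(name_status_output, min_files=5):
    """Directories that gained at least min_files new files (status 'A')."""
    added = Counter()
    for ln in name_status_output.splitlines():
        status, _, path = ln.partition("\t")
        if status.startswith("A"):
            added[area_of(path)] += 1
    return {area: n for area, n in added.items() if n >= min_files}

def large_commits(shortstat_output, min_lines=200):
    """(commit line, changed lines) for commits touching at least min_lines."""
    result, commit = [], None
    for ln in shortstat_output.splitlines():
        m = STAT_RE.search(ln)
        if m and commit:
            changed = int(m.group(1) or 0) + int(m.group(2) or 0)
            if changed >= min_lines:
                result.append((commit, changed))
        elif ln.strip():
            commit = ln.strip()  # "<hash> <subject>" line preceding its stat line
    return result

def escalation_areas(hotspots, clusters, min_changes=3):
    """Areas handed to Tier 2 (assumed rule: a hot file or a new-file cluster)."""
    areas = {area_of(path) for path, n in hotspots if n >= min_changes}
    return sorted(areas | set(clusters))

def render_findings(hotspots, fixes, clusters, large):
    """Findings file in the Tier 1 format; only non-empty results count as evidence."""
    sections = [
        ("Churn Hotspots", [f"{n} {p}" for p, n in hotspots], 'git log --format="" --name-only ...'),
        ("Fix-on-Fix Patterns", fixes, "git log --oneline ... | grep -iE ..."),
        ("New File Clusters", [f"{n} new files in {a}" for a, n in clusters.items()], "git diff --name-status ..."),
        ("Large Diffs", [f"{c} ({n} lines)" for c, n in large], 'git log --format="%h %s" --shortstat ...'),
    ]
    evidence = [s for s in sections if s[1]]
    flagged = escalation_areas(hotspots, clusters)
    out = ["---", "agent: tier1-audit", "tier: 1", f"evidence_count: {len(evidence)}", "---", "",
           "## Summary", "", f"{len(flagged)} area(s) flagged from {len(evidence)} evidence items.", ""]
    for i, (title, lines, cmd) in enumerate(evidence, 1):
        out += [f"## {title}", "", f"[E{i}] Command: {cmd}", "     Output:", *("       " + ln for ln in lines), ""]
    out += ["## Escalation Recommendation", "", ", ".join(flagged) or "no escalation needed", ""]
    return "\n".join(out)

if __name__ == "__main__":
    print(render_findings(churn_hotspots(NAME_ONLY_OUTPUT), fix_on_fix_commits(ONELINE_OUTPUT),
                          new_file_clusters(NAME_STATUS_OUTPUT), large_commits(SHORTSTAT_OUTPUT)))
```

Run as-is it prints a findings file with four evidence items (above the Tier 1 minimum of 3) and flags src/auth and src/auth/mfa; an empty result for any command simply drops that [E#] block, which is how an evidence count can land below the contract minimum and stop the escalation.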

Tier 2: Targeted Area Audit

Runs only for areas flagged by Tier 1. Each flagged area is audited one at a time, not in parallel.

What Tier 2 Analyzes

For each flagged area:

  1. Read the source files in the area
  2. Check for patterns, anti-patterns, bugs
  3. Verify test coverage exists
  4. Check documentation currency
  5. Assess architectural fit

Tier 2 Output Format

One findings file per area: .coordination/agents/tier2-{area-name}.findings.md

Each file follows the output contract for audits (see imbue:proof-of-work/modules/output-contracts).

Tier 3: Full Codebase Audit

Requires explicit user approval. See modules/escalation-criteria.md for the gate protocol.

Tier 3 should use dedicated sessions (one per area) with file-based coordination, NOT parallel subagents.

Output Contract

All tiers use this contract:

```yaml
output_contract:
  required_sections:
    - summary
    - evidence
  min_evidence_count: 3    # Tier 1
  # min_evidence_count: 8  # Tier 2
  expected_artifacts: []
  retry_budget: 1
  strictness: normal
```

Tier 2 raises the minimum evidence count to 8 because it reads source files and should produce deeper analysis.

Verification: After each tier completes, verify the findings file exists and contains at least the minimum evidence count ([E1], [E2], etc.) before proceeding to the next tier or reporting results.
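The verification step above, and the output contract it enforces, as an added example in Python. This is not the skill's own verifier (that lives in imbue:proof-of-work/modules/output-contracts, which is not on this page); it reads the front matter and the [E1], [E2], ... markers that the findings templates use and applies the contract values quoted above (3 evidence items for Tier 1, 8 for Tier 2, one retry). The two findings files are constructed samples, and treating the `evidence` section as satisfied by the interleaved [E#] blocks is an assumption.

```python
# Output-contract check for audit findings files. Added example, not the skill's
# own verifier (that lives in imbue:proof-of-work/modules/output-contracts, which
# is not on the page). It reads the front matter and [E#] markers the findings
# templates use and applies the contract values quoted above.
import re

# Contract values from the page: minimum evidence 3 for Tier 1, 8 for Tier 2.
CONTRACT = {
    "required_sections": ["summary", "evidence"],
    "min_evidence_count": {1: 3, 2: 8},
    "retry_budget": 1,
}
FRONT_MATTER_RE = re.compile(r"\A---\n(.*?)\n---\n", re.DOTALL)
EVIDENCE_RE = re.compile(r"^\[E(\d+)\]", re.MULTILINE)
HEADING_RE = re.compile(r"^## (.+)$", re.MULTILINE)

# Constructed sample: a Tier 1 file that meets the contract.
TIER1_OK = """\
---
agent: tier1-audit
tier: 1
evidence_count: 3
---

## Summary

Churn concentrated in src/auth; one 320-line commit.

## Churn Hotspots

[E1] Command: git log --format="" --name-only ...
     Output: 3 src/auth/session.py

## Fix-on-Fix Patterns

[E2] Command: git log --oneline ... | grep -iE ...
     Output: a1b2c3d fix: session expiry off by one

## Large Diffs

[E3] Command: git log --format="%h %s" --shortstat ...
     Output: b2c3d4e add invoice export (320 lines)
"""

# Constructed sample: a Tier 2 file that is short on evidence and skips [E4].
TIER2_SHORT = """\
---
agent: tier2-src-auth
tier: 2
evidence_count: 4
---

## Summary

Session handling reviewed.

[E1] Read: src/auth/session.py
[E2] Read: src/auth/token.py
[E3] Tests: tests/test_session.py covers expiry
[E5] Docs: README states session TTL
"""

def check_findings(text, contract=CONTRACT):
    """Return (ok, problems) for one findings file checked against the contract."""
    m = FRONT_MATTER_RE.match(text)
    if not m:
        return False, ["missing front matter"]
    meta = dict(ln.split(":", 1) for ln in m.group(1).splitlines() if ":" in ln)
    meta = {k.strip(): v.strip() for k, v in meta.items()}
    tier = int(meta.get("tier", 0))
    ids = sorted({int(n) for n in EVIDENCE_RE.findall(text)})
    problems = []
    need = contract["min_evidence_count"].get(tier)
    if need is None:
        problems.append(f"unknown tier {tier}")
    elif len(ids) < need:
        problems.append(f"evidence count {len(ids)} below minimum {need} for tier {tier}")
    if ids != list(range(1, len(ids) + 1)):  # a gap means an item was dropped or misnumbered
        problems.append(f"evidence ids not contiguous: {ids}")
    if int(meta.get("evidence_count", -1)) != len(ids):
        problems.append(f"front matter evidence_count {meta.get('evidence_count')} != {len(ids)} markers")
    headings = {h.strip().lower() for h in HEADING_RE.findall(text)}
    for section in contract["required_sections"]:
        # Assumption: 'evidence' is met by [E#] blocks, which the template interleaves with sections.
        if not (ids if section == "evidence" else section in headings):
            problems.append(f"required section missing: {section}")
    return not problems, problems

def gate_next_tier(attempts, contract=CONTRACT):
    """Accept the first passing findings file; retry_budget bounds how many re-runs are read."""
    allowed = contract["retry_budget"] + 1
    problems = ["no findings file produced"]
    for n, text in enumerate(attempts[:allowed], 1):
        ok, problems = check_findings(text, contract)
        if ok:
            return True, n, []
    return False, min(len(attempts), allowed), problems
```

The gate returns whether the next tier may start, how many attempts were consumed, and the problems from the last failed attempt; with `retry_budget: 1` a third attempt is never read, which is the behaviour to expect when an agent keeps producing thin findings files.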
