Automated audit: This PR was generated by NLPM, a natural language programming linter, running via claude-code-action. Please evaluate the diff on its merits.
Overview
This issue summarizes findings from an automated NLPM audit of this repository's skill files, conducted on 2026-04-06. The project scored an impressive 99/100 — these are minor issues that do not reflect negatively on the overall quality of the work here.
NLPM is a natural language programming linter that checks Claude Code skill files for correctness (broken CLI references, missing required flags, wrong API methods) and security hygiene.
Bugs Found
Bug 1 — recipe-post-mortem-setup: Invalid gws docs +write flags (High impact)
File: skills/recipe-post-mortem-setup/SKILL.md
Step 1 calls gws docs +write --title ... --body .... However, gws docs +write (documented in skills/gws-docs-write/SKILL.md) requires --document <ID> and --text <TEXT>. The flags --title and --body are not valid, and both required flags are absent. The command fails at runtime.
Additionally, +write appends to an existing document — it cannot create one. A gws docs documents create call is needed first to obtain the document ID.
PR: #757
Bug 2 — recipe-collect-form-responses: Nonexistent Forms API method (High impact)
File: skills/recipe-collect-form-responses/SKILL.md
Step 1 calls gws forms forms list. The Google Forms API v1 does not have a list method on the forms resource — only create, get, batchUpdate, and setPublishSettings are available. This step fails at runtime, leaving users unable to discover form IDs via this recipe.
The fix uses the Drive API to list files by MIME type, which correctly returns all Google Forms.
PR: #758
Security Improvements
Security 1 — scripts/coverage.sh: Unpinned runtime cargo install (Medium)
File: scripts/coverage.sh, line 22
cargo install cargo-llvm-cov downloads and compiles from crates.io at runtime without any version or hash constraint. Adding --locked ensures the installed version uses its own bundled Cargo.lock for reproducible dependency resolution.
PR: #759
Security 2 — package.json: Unpinned ^ semver in devDependencies (Low)
File: package.json, line 54
@changesets/cli ^2.29.8 and lefthook ^2.1.2 permit automatic minor/patch upgrades on fresh installs, bypassing review. Pinning to exact versions provides an additional layer of reproducibility on top of the lockfile.
PR: #760
What Was Not Flagged
- The HIGH security finding in scripts/show-art.sh was correctly identified as a false positive (dev-only utility with no automated invocation path) and no PR was submitted.
- 10 quality issues were detected (informational) — these are not bugs and were not submitted as PRs.
Summary of PRs
| PR | File | Type | Impact |
| --- | --- | --- | --- |
| #757 | skills/recipe-post-mortem-setup/SKILL.md | Bug | Broken recipe — command fails at runtime |
| #758 | skills/recipe-collect-form-responses/SKILL.md | Bug | Broken recipe — nonexistent API method |
| #759 | scripts/coverage.sh | Security (Medium) | Unpinned runtime package install |
| #760 | package.json | Security (Low) | Unpinned semver in devDependencies |
Thank you for the excellent project — a 99/100 score out of 96 skill files is remarkable work. Please feel free to close any PRs that don't align with your development direction.
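The two supply-chain findings above (Security 1 and Security 2) can be checked mechanically. The following is an added example, not part of the audit, NLPM, or the repository: it flags non-exact version specifiers in package.json and `cargo install` lines that lack `--locked`, and it goes slightly beyond the audit by also reporting a missing version pin. The function names, `example-pinned-tool`, `example-tool@1.2.3`, and both sample inputs are constructed for illustration.

```javascript
// Added example: sample inputs below are constructed, not repository files.
const EXACT = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;

// Dependencies whose specifier is anything other than one exact version
// (^ and ~ ranges, comparators, wildcards, dist-tags, git/URL specs).
function findUnpinned(pkg, sections = ["dependencies", "devDependencies"]) {
  const findings = [];
  for (const section of sections) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      if (!EXACT.test(String(spec).trim())) findings.push({ section, name, spec });
    }
  }
  return findings;
}

// `cargo install` lines in a shell script that lack --locked and/or a
// version pin (--version X or crate@X). Naive: strips # comments, ignores quoting.
function findLooseCargoInstalls(script) {
  const findings = [];
  script.split("\n").forEach((raw, i) => {
    const line = raw.replace(/\s#.*$|^#.*$/, "").trim();
    if (!/\bcargo\s+install\b/.test(line)) return;
    const missing = [];
    if (!/\s--locked(\s|$)/.test(line)) missing.push("--locked");
    if (!/\s--version[\s=]\S|\s\S+@\d/.test(line)) missing.push("version pin");
    if (missing.length) findings.push({ line: i + 1, text: line, missing });
  });
  return findings;
}

const samplePkg = { // constructed; the two ranges are the ones cited in Security 2
  devDependencies: {
    "@changesets/cli": "^2.29.8",
    "lefthook": "^2.1.2",
    "example-pinned-tool": "1.4.0", // hypothetical package name
  },
};
const sampleScript = [ // constructed stand-in for a coverage script
  "#!/bin/sh",
  "# cargo install is needed below",
  "cargo install cargo-llvm-cov",
  "cargo install cargo-llvm-cov --locked",
  "cargo install example-tool@1.2.3 --locked", // hypothetical crate and version
].join("\n");

console.log(findUnpinned(samplePkg));
console.log(findLooseCargoInstalls(sampleScript));
```

Run in CI against the real package.json and scripts, a non-empty result from either function can fail the build before an unreviewed version is pulled in.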