meta-security-review-bundle
The meta-security-review-bundle runs three independent security gates (policy review, credential scanning, audit logging) in parallel over a proposed operation, then applies a strict priority rule where policy denial overrides scanner warnings, which override approval. Use this skill when evaluating code changes, scripts, or environment manipulations that require simultaneous governance, credential, and audit oversight with enforceable decision precedence.
git clone --depth 1 https://github.com/opensquilla/opensquilla /tmp/meta-security-review-bundle && cp -r /tmp/meta-security-review-bundle/src/opensquilla/skills/exp/meta-security-review-bundle ~/.claude/skills/meta-security-review-bundleSKILL.md
# Security Review Bundle (Combinator Meta-Skill)
A **combinator-style** meta-skill: three independent gates run in
parallel over the candidate operation, then a fourth step arbitrates
the verdicts with a strict priority rule. The fifth step emits an
audit record so the run is recallable later.
This bundle is the OpenSquilla equivalent of pptx slide 7's combinator
pattern: multiple rule sets active simultaneously, with the arbitration rule
explicit in the SKILL.md rather than implicit in the LLM's good judgement.
## Arbitration rule
The arbitrate step encodes the priority `policy > scanner > allow`
verbatim in its task prompt. The rule is **not** soft-suggested
("consider whether…"); it's an enforceable check (`startswith("DENY")`).
This follows the pptx slide 7 recommendation to combine extensive scenario
testing with an explicit non-negotiable-rule fallback sentence.
## Fallback
If any of the three primary gates fails (sub-agent error, timeout,
empty deliverable), the orchestrator's existing failure cascade
produces a structured failure payload. Operators should review the
partial verdicts in `step_outputs` and decide manually.
## Use sparingly
This pattern multiplies token cost by N (number of gates) for a
single user turn. Don't reach for the combinator unless multiple
independent rule sets *genuinely must* both apply — otherwise prefer
an orchestrator with a single, well-defined sequence.Submit audio or video for multilingual dubbing, poll status, and download dubbed audio. Use when the user asks for dubbing, 多语言配音, 视频翻译配音, 译制片, or wants a source clip dubbed into another language.
Generate a structured short-video shooting script from a topic. Emits a strict, machine-parseable shot list (3 shots by default) with image prompt + video prompt + voiceover + on-screen text per shot. Trigger when the user asks for a video script, 分镜, 短视频文案, AI视频, 短剧脚本, or wants visual prompts ready for image/video generation.
Use when the user asks to schedule recurring tasks, one-off reminders, timers, or cron-style jobs through the OpenSquilla cron tool.
Multi-round research with explicit methodology, evidence tracking, and citation-tagged synthesis. Trigger on 'deep dive', 'research report', 'literature review', 'investigate X across sources', 'multi-round investigation'. Distinct from the `summarize` skill, which is a single-pass condensation; this skill maintains a state file across iterations, tracks coverage, and produces a long-form report with per-claim citations. Three execution stages: plan (scope into sub-questions), iterate (record evidence per round), compile (synthesize report). The skill itself does not fetch the web — it tells the host agent which fetches to perform via OpenSquilla's existing web tools, and records what comes back.
Read, edit, or create Microsoft Word `.docx` files. Trigger this skill whenever the user mentions a Word document, .docx file, contract, report, brief, memo, or asks to extract text, modify an existing doc, generate one from a brief, or audit tracked changes. Three execution paths: text-and-structure extraction, in-place edit-by-run (preserves styles), and create-from-scratch with python-docx. Falls back to OOXML unzip-and-patch for layout work python-docx cannot reach.
Capture the current git diff (staged, working-tree, or staged file list) as text. Direct shell call for workflows that need repository diffs without an LLM agent loop.
GitHub operations via `gh` CLI: issues, PRs, CI runs, code review, API queries. Use when: (1) checking PR status or CI, (2) creating/commenting on issues, (3) listing/filtering PRs or issues, (4) viewing run logs. NOT for: complex web UI interactions requiring manual browser flows (use browser tooling when available), bulk operations across many repos (script with gh api), or when gh auth is not configured.
Query the per-turn DecisionEntry log for skill co-occurrence patterns, meta-skill usage stats, and the router fixture corpus. Returns a JSON summary suitable for downstream LLM consumption. Used by meta-skill-creator's harvest step but also useful standalone for 'which skills did I use most this week?'