Workspace Surface Audit

Read-only audit skill for answering the question "what can this workspace and machine actually do right now, and what should we add or enable next?"

This is the ECC-native answer to setup-audit plugins. It does not modify files unless the user explicitly asks for follow-up implementation.

When to Use

User says "set up Claude Code", "recommend automations", "what plugins or MCPs should I use?", or "what am I missing?"
Auditing a machine or repo before installing more skills, hooks, or connectors
Comparing official marketplace plugins against ECC-native coverage
Reviewing .env, .mcp.json, plugin settings, or connected-app surfaces to find missing workflow layers
Deciding whether a capability should be a skill, hook, agent, MCP, or external connector

Non-Negotiable Rules

Never print secret values. Surface only provider names, capability names, file paths, and whether a key or config exists.
Prefer ECC-native workflows over generic "install another plugin" advice when ECC can reasonably own the surface.
Treat external plugins as benchmarks and inspiration, not authoritative product boundaries.
Separate three things clearly:
- already available now
- available but not wrapped well in ECC
- not available and would require a new integration

Audit Inputs

Inspect only the files and settings needed to answer the question well:

Repo surface
- package.json, lockfiles, language markers, framework config, README.md
- .mcp.json, .lsp.json, .claude/settings*.json, .codex/*
- AGENTS.md, CLAUDE.md, install manifests, hook configs
Environment surface
- .env* files in the active repo and obvious adjacent ECC workspaces
- Surface only key names such as STRIPE_API_KEY, TWILIO_AUTH_TOKEN, FAL_KEY
Connected tool surface
- Installed plugins, enabled connectors, MCP servers, LSPs, and app integrations
ECC surface
- Existing skills, commands, hooks, agents, and install modules that already cover the need

Audit Process

Phase 1: Inventory What Exists

Produce a compact inventory:

active harness targets
installed plugins and connected apps
configured MCP servers
configured LSP servers
env-backed services implied by key names
existing ECC skills already relevant to the workspace

If a surface exists only as a primitive, call that out. Example:

"Stripe is available via connected app, but ECC lacks a billing-operator skill"
"Google Drive is connected, but there is no ECC-native Google Workspace operator workflow"

Phase 2: Benchmark Against Official and Installed Surfaces

Compare the workspace against:

official Claude plugins that overlap with setup, review, docs, design, or workflow quality
locally installed plugins in Claude or Codex
the user's currently connected app surfaces

Do not just list names. For each comparison, answer:

what they actually do
whether ECC already has parity
whether ECC only has primitives
whether ECC is missing the workflow entirely

Phase 3: Turn Gaps Into ECC Decisions

For every real gap, recommend the correct ECC-native shape:

Gap Type	Preferred ECC Shape
Repeatable operator workflow	Skill
Automatic enforcement or side-effect	Hook
Specialized delegated role	Agent
External tool bridge	MCP server or connector
Install/bootstrap guidance	Setup or audit skill

Default to user-facing skills that orchestrate existing tools when the need is operational rather than infrastructural.

Output Format

Return five sections in this order:

Current surface
- what is already usable right now
Parity
- where ECC already matches or exceeds the benchmark
Primitive-only gaps
- tools exist, but ECC lacks a clean operator skill
Missing integrations
- capability not available yet
Top 3-5 next moves
- concrete ECC-native additions, ordered by impact

Recommendation Rules

Recommend at most 1-2 highest-value ideas per category.
Favor skills with obvious user intent and business value:
- setup audit
- billing/customer ops
- issue/program ops
- Google Workspace ops
- deployment/ops control
If a connector is company-specific, recommend it only when it is genuinely available or clearly useful to the user's workflow.
If ECC already has a strong primitive, propose a wrapper skill instead of inventing a brand-new subsystem.

Good Outcomes

The user can immediately see what is connected, what is missing, and what ECC should own next.
Recommendations are specific enough to implement in the repo without another discovery pass.
The final answer is organized around workflows, not API brands.

Files1

1 files · 1.0 KB

Select a file to preview

Overall Score

82/100

Grade

B

Good

Safety

92

Quality

80

Clarity

85

Completeness

72

Summary

A read-only audit skill that inventories a workspace's repository setup, MCP servers, plugins, environment configuration, and connected tools, then recommends which capabilities should be wrapped as ECC-native skills, hooks, agents, or connectors. It surfaces configuration names and key existence without exposing secret values.

Static Analysis Findings

1 finding

Patterns detected by deterministic static analysis before AI scoring. Hover over any finding code for detailed information and remediation guidance.

Credential Exposure

SEC-020Direct .env File Access2x in 1 file

Direct .env file access

SKILL.md.env2x

85% confidenceCWE-538: Sensitive Info in Externally-Accessible File

Detected Capabilities

Inventory repository configuration and framework setupScan environment variable names from .env filesDetect installed plugins and connected applicationsIdentify configured MCP and LSP serversCatalog existing ECC skills and hooksBenchmark against official Claude pluginsRecommend ECC-native workflow shapes (skill vs hook vs agent)

Trigger Keywords

Phrases that MCP clients use to match this skill to user intent.

set up claude codeworkspace auditrecommend skillswhat can i domcp server inventoryplugin gap analysisenv surface reviewworkflow coverage

Risk Signals

INFO

Direct .env file access (SEC-020)

SKILL.md | Audit Inputs section

Use Cases

Audit workspace setup before installing new skills or integrations
Discover what capabilities are already available and what gaps exist
Benchmark local plugins against ECC-native coverage options
Decide whether to build a skill, hook, agent, or external connector for a given workflow
Recommend high-value ECC automations based on existing infrastructure

Quality Notes

Positive: Clear non-negotiable rules upfront establish security boundaries (never print secret values, surface only key names and file paths).
Positive: Three-phase audit process with explicit decision logic (Phase 3 maps gaps to ECC shapes) makes it clear how the agent should interpret findings.
Positive: Structured output format (5 sections) gives the agent unambiguous completion criteria.
Positive: Recommendation rules are specific and opinionated (favor user-facing skills, limit to 1-2 highest-value ideas per category) reducing ambiguity.
Positive: Includes a comparison table (Gap Type → Preferred ECC Shape) that directly answers the 'what should we build' question.
Minor: 'Good Outcomes' section defines success but could benefit from an example audit output to show the agent what a completed report looks like.
Minor: 'Audit Inputs' section lists files to inspect but does not specify how to handle missing files (e.g., if .env does not exist, what should the agent report?).

Model: claude-haiku-4-5-20251001Analyzed: Apr 20, 2026

Reviews

Add this skill to your library to leave a review.

No reviews yet

Be the first to share your experience.

Version History

v1.1

Content updated

2026-04-20

Latest

v1.0

No changelog

2026-04-12

workspace-surface-audit