github/audit-integrity
Shared audit integrity framework for all AppSec agents — enforces output quality, intellectual honesty, and continuous improvement through anti-rationalization guards, self-critique loops, retry protocols, non-negotiable behaviors, self-reflection quality gates (1-10 scoring, ≥8 threshold), and a self-learning system with lesson/memory governance for security analysis agents.

Platform: global (cross-platform). Works with any language or framework analyzed by AppSec agents.

Version 1.0, saved Jun 26, 2026

Audit Integrity Skill

Enforces output quality, intellectual honesty, and continuous improvement across all AppSec agents.

When to Use

  • Every security analysis, code review, threat model, or quality scan agent run
  • Applied automatically as a post-analysis quality gate
  • Applicable to any agent performing SAST, SCA, threat modeling, or code quality analysis

Components

This skill provides 7 reusable capabilities. Agents apply all 7 unless their scope excludes a specific component.

Component                    | Reference file                   | Purpose
Clarification Protocol       | clarification-protocol.md        | Ask ≤2 targeted questions before analysis when scope is ambiguous
Anti-Rationalization Guard   | anti-rationalization-guard.md    | Table of prohibited rationalizations with mandatory responses
Self-Critique Loop           | self-critique-loop.md            | Mandatory second-pass review after initial analysis
Retry Protocol               | retry-protocol.md                | Tool failure handling: retry once, then document
Non-Negotiable Behaviors     | non-negotiable-behaviors.md      | Hard rules: never fabricate, always cite evidence, report gaps
Self-Reflection Quality Gate | self-reflection-quality-gate.md  | 1–10 scoring rubric with ≥8 threshold per category
Self-Learning System         | self-learning-system.md          | Lesson/Memory templates and governance rules

Execution Flow

  1. Before analysis: Apply Clarification Protocol if scope is ambiguous
  2. During analysis: Apply Anti-Rationalization Guard at every decision point
  3. After initial pass: Execute Self-Critique Loop (mandatory second pass)
  4. On tool failure: Apply Retry Protocol
  5. Before delivery: Run Self-Reflection Quality Gate (all categories must score ≥8)
  6. After delivery: Create Lessons/Memories for novel findings, false positives, or methodology gaps (see Self-Learning System)
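The following is an added illustration, not one of the skill's own reference files: a small Python model of three steps of the execution flow above. It implements the Retry Protocol (retry once, then document the gap), the evidence rule from the Non-Negotiable Behaviors (a finding is reportable only if it cites a file:line, a CVE ID, or a component reference), and the Self-Reflection Quality Gate (every category scored 1–10, all categories ≥8 before delivery). The class names, the finding schema, the evidence regexes, the category names and every sample value are assumptions made for this example; the CVE ID in the sample data is a placeholder.

```python
"""Added example, not part of the audit-integrity skill files: a small model of
the Retry Protocol, the evidence rule from the Non-Negotiable Behaviors, and the
Self-Reflection Quality Gate. Names, schema and sample data are assumptions."""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

GATE_THRESHOLD = 8  # from the skill: every category must score >= 8 to deliver

# Accepted evidence forms (assumed regexes): path:line, CVE ID, name@version.
FILE_LINE_RE = re.compile(r"^[\w./-]+:\d+$")
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")
COMPONENT_RE = re.compile(r"^[\w.@/-]+@\d[\w.-]*$")


def has_valid_evidence(evidence: str) -> bool:
    """Non-negotiable: a finding without a concrete citation is not reportable."""
    return any(p.match(evidence.strip()) for p in (FILE_LINE_RE, CVE_RE, COMPONENT_RE))


@dataclass
class Finding:
    title: str
    severity: str
    evidence: str


@dataclass
class AuditRecord:
    findings: List[Finding] = field(default_factory=list)
    rejected: List[str] = field(default_factory=list)  # dropped for missing evidence
    gaps: List[str] = field(default_factory=list)      # documented tool failures


def run_with_retry(phase: str, tool: Callable[[], List[Finding]], record: AuditRecord) -> List[Finding]:
    """Retry Protocol: one retry on failure; a second failure is written into the
    record as a gap instead of the phase being silently skipped."""
    last_error: Optional[Exception] = None
    for _attempt in range(2):
        try:
            return tool()
        except Exception as exc:  # any tool failure
            last_error = exc
    record.gaps.append(f"{phase}: tool failed twice ({last_error}); phase incomplete")
    return []


def ingest(record: AuditRecord, raw: List[Finding]) -> None:
    """Keep evidence-backed findings; log the rest as rejected rather than reporting them."""
    for f in raw:
        if has_valid_evidence(f.evidence):
            record.findings.append(f)
        else:
            record.rejected.append(f"{f.title}: no file:line / CVE / component evidence")


def quality_gate(scores: Dict[str, int]) -> Tuple[bool, List[str]]:
    """Self-Reflection Quality Gate: each category on a 1-10 scale and >= threshold."""
    failing = [c for c, s in scores.items() if not (1 <= s <= 10) or s < GATE_THRESHOLD]
    return (not failing, failing)


def make_flaky_tool(fail_times: int, result: List[Finding]) -> Callable[[], List[Finding]]:
    """Constructed stand-in for a scanner that raises on its first `fail_times` calls."""
    calls = {"n": 0}

    def tool() -> List[Finding]:
        calls["n"] += 1
        if calls["n"] <= fail_times:
            raise RuntimeError(f"transient failure #{calls['n']}")
        return result
    return tool


def demo_run() -> Tuple[AuditRecord, bool, List[str]]:
    """Drive the three steps over constructed sample output from three phases."""
    record = AuditRecord()
    sast_output = [
        Finding("SQL built by string concatenation", "high", "src/db/query.py:88"),
        Finding("Something looks off in auth", "medium", "gut feeling"),  # no evidence
    ]
    sca_output = [
        Finding("Vulnerable dependency (placeholder ID)", "high", "CVE-0000-0000"),
        Finding("Outdated component", "low", "example-lib@1.2.3"),
    ]
    # SAST and SCA each fail once and succeed on retry; the manifest scan fails twice.
    ingest(record, run_with_retry("SAST", make_flaky_tool(1, sast_output), record))
    ingest(record, run_with_retry("SCA", make_flaky_tool(1, sca_output), record))
    ingest(record, run_with_retry("Manifest scan", make_flaky_tool(2, []), record))
    # Self-reflection scores (assumed categories); Completeness reflects the documented gap.
    scores = {"Evidence": 9, "Coverage": 8, "Clarity": 9, "Completeness": 6}
    ok, failing = quality_gate(scores)
    return record, ok, failing


if __name__ == "__main__":
    rec, ok, failing = demo_run()
    print("reported:", [f.title for f in rec.findings])
    print("rejected:", rec.rejected)
    print("gaps:", rec.gaps)
    print("deliver:", ok, "failing categories:", failing)
```

Running `demo_run()` reports the three evidence-backed findings, rejects the one with no citation, records the manifest-scan gap after the single retry, and refuses delivery because Completeness scores below 8; an agent would return to the Self-Critique Loop rather than ship the report.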

Agent-Specific Adaptation

Each agent customizes the Self-Critique Loop checklist and Self-Reflection Quality Gate categories to match its domain. The reference files provide the base templates; agents extend them with domain-specific items.

Example extensions per agent type:

  • SAST/SCA agents: Add taint trace completeness and manifest coverage checks
  • SonarQube-style agents: Add rating sanity check (A–E consistency with findings)
  • Threat modeling agents: Add STRIDE category completeness per trust boundary
  • Code review agents: Add trust boundary audit with data flow tracing
Files: 8 files · 15.1 KB

Overall Score: 88/100 (Grade A, Excellent)

Safety: 90 · Quality: 88 · Clarity: 87 · Completeness: 85

Summary

This is a shared audit integrity framework designed to enforce quality, intellectual honesty, and continuous improvement across all AppSec security analysis agents. It provides seven reusable components (clarification protocol, anti-rationalization guard, self-critique loop, retry protocol, non-negotiable behaviors, self-reflection quality gate, and self-learning system) that agents apply during analysis to guard against rationalization, ensure evidence-based reporting, and continuously improve through lessons and memories.

Detected Capabilities

  • File reading (referenced files)
  • Knowledge base management (lessons/memories directory)
  • Self-reflection and scoring logic
  • Documentation templates and governance rules

Trigger Keywords

Phrases that MCP clients use to match this skill to user intent.

  • audit integrity framework
  • security analysis quality gate
  • prevent findings rationalization
  • threat model completeness
  • evidence-based reporting
  • security lessons repository
  • appsec agent coordination

Use Cases

  • Enforce quality gates on security analysis outputs across SAST, SCA, threat modeling, and code review agents
  • Prevent rationalization and incomplete coverage in threat models by requiring STRIDE category completeness per trust boundary
  • Catch false positives and methodology gaps through mandatory second-pass self-critique before delivering findings
  • Build institutional knowledge by capturing lessons from false positives, missed categories, and tool limitations in a searchable repository
  • Validate findings are evidence-backed (file:line, CVE ID, component reference) rather than speculative before reporting
  • Handle tool failures gracefully by documenting gaps and retrying once rather than silently skipping analysis phases

Quality Notes

  • Excellent scope clarity: explicitly documents that this is a meta-skill for AppSec agents, not a primary analysis tool
  • Strong enforcement of evidence-based reporting: requires file:line, CVE ID, or component references for every finding — prevents speculation and hallucination
  • Well-structured domain-specific extensions: provides domain-scoped checklists for STRIDE, SAST/SCA, Code Quality (SonarQube-style), and multi-tool pipelines rather than one-size-fits-all
  • Comprehensive coverage of agent failure modes: anti-rationalization guard identifies and blocks common shortcuts (e.g., 'looks fine', 'probably lower risk in practice')
  • Self-learning system with governance: lesson/memory templates and dedup/supersede rules prevent knowledge base bloat and conflicting guidance
  • Clear execution flow diagram helps agents understand ordering (clarification → anti-rationalization → critique → retry → quality gate → learning)
  • Non-negotiable behaviors are properly hardened: 'never fabricate findings', 'always cite evidence', 'complete all phases' with explicit gap reporting
  • Self-reflection quality gate uses quantified threshold (≥8 on 1-10 scale) rather than vague 'good enough' — operationalizable by agents
  • Retry protocol is pragmatic: retry once, then document rather than infinite retry loops or silent failure
  • File manifest is complete: all 7 referenced files present, no broken links
Model: claude-haiku-4-5-20251001 · Analyzed: Jun 26, 2026

Reviews

No reviews yet