agentlint · audit ikhnc

DomVinyard/dom.vin

Found 1 critical · 2 warnings across 7 rules files.

The rule surface contains a critical contradiction between Cloudflare deployment instructions and the repository policy, plus two warnings about fragile external fetches and a potential security gap in the illustration debugging skill.

Audited: 2026-05-03 · ref main
Trigger: manual
Rules files: .claude/skills/cloudflare/SKILL.md, .claude/skills/debug-illustrations/SKILL.md, .claude/skills/dom.vin/SKILL.md, .claude/skills/frontend-design/SKILL.md, .claude/skills/vercel/SKILL.md, .claude/skills/web-design-guidelines/SKILL.md, AGENTS.md
Bundle: ~25.3k tokens (truncated — bundle too large)
Model: @cf/openai/gpt-oss-120b

Cross-referenced files included: .claude/skills/cloudflare/references/upstream/cloudflare.md, .claude/skills/cloudflare/references/upstream/wrangler.md, blog/src/components/illustrations/mechanics.md, blog/src/components/illustrations/style.md, blog/src/components/illustrations/narrative.md, .claude/skills/dom.vin/about.md, .claude/skills/dom.vin/philosophy.md, .claude/skills/dom.vin/writing_style.md, AGENTS.md.

critical .claude/skills/cloudflare/SKILL.md

Contradictory deployment guidance: Cloudflare skill permits direct wrangler deploy while AGENTS.md forbids it

### Manual deploy (out-of-band) If you need to push a build without going through git: ```bash cd blog pnpm install pnpm build npx wrangler deploy ```

The Cloudflare skill (conditionally loaded) tells the agent to run `npx wrangler deploy` for an out‑of‑band manual deployment. AGENTS.md (always‑loaded) explicitly states: “Never publish straight to Cloudflare (or any other host) — always push to the repo and let the repo deploy. The `cloudflare` skill is for DNS, analytics, and inspection only; **never call `wrangler deploy`**, `vercel --prod`, or any direct deploy command yourself.” This direct conflict can cause agents to perform disallowed actions, breaking the repo’s deployment policy.

Suggested rewrite

Remove the manual deploy section from `.claude/skills/cloudflare/SKILL.md` or replace it with a note directing the user to push to git instead of using `wrangler deploy`.

warning .claude/skills/web-design-guidelines/SKILL.md

Web‑design‑guidelines skill lacks error handling for external guideline fetch

## Guidelines Source Fetch fresh guidelines before each review: ``` https://raw.githubusercontent.com/vercel-labs/web-interface-guidelines/main/command.md ```

The skill (conditionally loaded) depends on fetching a remote file at runtime. No fallback or error handling is described, so if the network is unavailable or the URL changes, the skill will fail silently, leaving the agent without guidance but also without a clear error message. This can lead to wasted turns or incorrect assumptions about compliance.

Suggested rewrite

Add a note about handling fetch failures, e.g., "If the fetch fails, report the error to the user and fall back to the last cached version of the guidelines if available."

warning .claude/skills/debug-illustrations/SKILL.md

Potential security leak in debug‑illustrations skill's cold‑read pass

The cold‑read pass is not bulletproof. The wrapper isolates the frames, but the agent could in principle read other paths if it ignored the prompt. If the cold‑read output quotes specific source code or names files outside the isolated dir, throw that run out and re‑run.

The debug‑illustrations skill (conditionally loaded) acknowledges that the isolation of frame files is enforced only by prompting. A malicious or misbehaving sub‑agent could read arbitrary repository files, potentially exposing secrets or internal code. Since there is no technical sandboxing, this reliance on prompt compliance is a security risk.

Suggested rewrite

Implement a true filesystem sandbox for the cold‑read sub‑agent (e.g., mount a temporary directory with only the frame files) or explicitly sanitize any output that references paths outside the allowed directory.