Audit OAuth scopes requested by an application against the API calls it actually issues, and suggest the minimum scope set with rollout steps.
Inspects an application's OAuth client config and grep-traces the actual API calls it issues, then proposes the minimum set of scopes that still allows the observed calls. Output includes a delta and a user-consent re-prompt plan.
Inputs:
repo_dir: source root of the app.
current_scopes: array of currently-requested scopes (e.g., ["user:read", "repo:write", "admin:org"]).
provider: google, github, slack, microsoft, etc.; drives the scope-to-API mapping.
usage_logs: API access logs, used to verify the static-scan results.

Steps:
1. Find the API calls in the source: rg -nN 'fetch\(|axios\.|got\(|apiClient\.' <repo_dir>. Extract the URL paths.
2. Map each extracted endpoint to the scope it requires and diff the result against current_scopes. The difference is over-grant.
3. If usage_logs are provided, intersect the static results with the logged endpoints to remove false-positives (code paths defined but never exercised).
4. Dangerous scopes (admin:org, repo:delete, mail.send) deserve extra scrutiny; confirm the app actually sends destructive calls before keeping them.
5. Write oauth-scope-min.md with: current vs proposed scopes, per-removed-scope justification, dangerous-scope discussion, re-consent rollout steps. Stdout prints the scope-count delta.
Implement the new scope set in a staging environment, complete the OAuth flow with a test account, and exercise every feature; any feature failure indicates the scope-to-endpoint map missed a call. After production rollout, monitor 401/403 rates and the OAuth provider's audit log for "scope denied" events. If a scope was removed but a hidden code path still calls the API, the failure rate exposes it.
Caveats: some providers expose a scope in both a coarse and a fine-grained form (e.g., user vs user:email on GitHub); respect both forms in the mapping. Where the provider supports it, split a coarse scope (repo) into the finer ones (repo:status, repo:contents) so the proposal grants only what the observed calls need.
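The scope-minimization logic above, as an added example that is not the skill's own code: the endpoint-to-scope map, the coarse-to-fine scope hierarchy and the scope names are constructed assumptions for a GitHub-like provider, not the provider's real documentation. It implements the static/log intersection, the over-grant diff, the dangerous-scope flag, and the coarse-scope expansion from the caveats.

```python
import re

# Constructed endpoint->scope map and scope hierarchy for a GitHub-like
# provider: assumptions standing in for the provider's real documentation.
ENDPOINT_SCOPES = [
    (r"^GET /user$", "user:read"),
    (r"^GET /user/emails$", "user:email"),
    (r"^GET /repos/[^/]+/[^/]+/contents/", "repo:contents"),
    (r"^POST /repos/[^/]+/[^/]+/statuses/", "repo:status"),
    (r"^DELETE /repos/[^/]+/[^/]+$", "repo:delete"),
    (r"^GET /orgs/[^/]+/members", "admin:org"),
]
SCOPE_IMPLIES = {"repo": {"repo:status", "repo:contents", "repo:delete"},
                 "user": {"user:read", "user:email"}}
DANGEROUS = {"admin:org", "repo:delete", "mail.send"}

def expand(scopes):
    """A coarse scope grants its finer children, so compare on the expanded set."""
    granted = set()
    for scope in scopes:
        granted.add(scope)
        granted |= SCOPE_IMPLIES.get(scope, set())
    return granted

def required_scopes(endpoints):
    """Map each 'METHOD /path' to the scope it needs; unmapped ones go to manual review."""
    needed, unmapped = set(), set()
    for endpoint in endpoints:
        hits = {scope for pattern, scope in ENDPOINT_SCOPES if re.search(pattern, endpoint)}
        if hits:
            needed |= hits
        else:
            unmapped.add(endpoint)
    return needed, unmapped

def audit(current_scopes, static_endpoints, logged_endpoints=None):
    """Propose the minimum scope set; logs, when given, drop code paths never exercised."""
    observed = set(static_endpoints)
    if logged_endpoints is not None:
        observed &= set(logged_endpoints)
    needed, unmapped = required_scopes(observed)
    granted = expand(current_scopes)
    return {
        "proposed": sorted(needed),
        "over_grant": sorted(granted - needed),        # safe to drop from the consent request
        "missing": sorted(needed - granted),           # would fail today: map or scan error
        "dangerous_kept": sorted(needed & DANGEROUS),  # confirm the destructive call is real
        "unmapped": sorted(unmapped),                  # endpoints the map does not know
    }
```

Endpoints present only in the static scan (a DELETE behind a dead code path, for instance) drop out once logs are supplied, which is how a dangerous scope such as repo:delete moves from "proposed" to "over_grant".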
Same domains or capabilities as amitte/oauth-scope-minimizer.
Diff two OpenAPI YAML files and produce a backwards-compatibility changelog grouped into breaking, non-breaking, and additive changes.
Audit an AWS IAM policy against CloudTrail usage data and propose a minimized policy listing only actions actually invoked in the analysis window.
Map a SOC2 or ISO 27001 control to evidence artifacts in a typical engineering org — produce a list of artifacts, owners, and the query or path that produces each.
Scan a container image with Trivy or Grype and surface fixes ranked by exploitability and patch availability.
Audit a CORS configuration for over-permissive Origin, Methods, and Headers and propose a tightened policy keyed to actual cross-origin call patterns.
Tighten a Content-Security-Policy by stripping wildcards and verifying the result against actual page resource loads observed in browser logs.