This is the missing layer between linters and actual security work. Point it at a codebase where you've already documented intent (permissions.md, architecture.md, that kind of thing) and it finds the gaps: documented rules that aren't enforced, endpoints marked internal-only with no auth check, fields leaking data they shouldn't. It's designed for auditing AI-generated code or checking whether implementations match their own docs. The method is rigid on purpose: every finding needs a quoted doc claim, a cited code reality, and a concrete fix. No hand-waving allowed. If you don't have documented intent yet, that absence is the first finding.
npx -y skills add phuryn/pm-skills --skill intended-vs-implemented --agent claude-codeInstalls into .claude/skills of the current project.
Select a file.
juliusbrussee/caveman
mattpocock/skills
obra/superpowers
forrestchang/andrej-karpathy-skills
vercel-labs/skills