开源替代器：自动发现代码库自定义模块并推荐开源替代方案

ln-645-open-source-replacer by levnikolaevich/claude-code-skills

192 周安装量

335 GitHub Stars

安装命令

npx skills add https://github.com/levnikolaevich/claude-code-skills --skill ln-645-open-source-replacer

🇨🇳中文介绍

路径说明： 文件路径（shared/、references/、../ln-*）是相对于技能仓库根目录的。如果在当前工作目录未找到，请定位此 SKILL.md 文件所在目录并向上返回一级以找到仓库根目录。如果缺少 shared/ 目录，请通过 WebFetch 从 https://raw.githubusercontent.com/levnikolaevich/claude-code-skills/master/skills/{path} 获取文件。

开源替代器

L3 工作者，用于发现自定义模块、分析其用途，并通过 MCP 研究寻找经过实战检验的开源替代方案。

目的与范围

发现重要的自定义模块（>= 100 行代码，实用工具/集成类型）
通过阅读代码分析每个模块的目的（基于目标，而非基于模式）
通过 WebSearch、Context7、Ref 搜索开源替代方案
评估替代方案：星标数、维护状态、许可证、CVE 状态、API 兼容性
为可行的替代方案评分替换置信度（高/中/低）
生成可行的替代方案的迁移计划
输出：基于文件的报告到 docs/project/.audit/

广告位招租

在这里展示您的产品或服务

触达数万 AI 开发者，精准高效

联系我们

阶段 1：发现 + 分类

scan_root = scan_path IF domain_mode == "domain-aware" ELSE codebase_root

# 步骤 1：查找重要的自定义文件
candidates = []
FOR EACH file IN Glob("**/*.{ts,js,py,rb,go,java,cs}", root=scan_root):
  IF file in node_modules/ OR vendor/ OR .venv/ OR dist/ OR build/ OR test/ OR __test__/:
    SKIP
  line_count = wc -l {file}
  IF line_count >= 100:
    candidates.append(file)

# 步骤 2：筛选出实用工具/库类模块
utility_paths = ["utils/", "lib/", "helpers/", "common/", "shared/", "pkg/", "internal/"]
name_patterns = ["parser", "formatter", "validator", "converter", "encoder",
                 "decoder", "serializer", "logger", "cache", "queue", "scheduler",
                 "mailer", "http", "client", "wrapper", "adapter", "connector",
                 "transformer", "mapper", "builder", "factory", "handler"]

modules = []
FOR EACH file IN candidates:
  is_utility_path = any(p in file.lower() for p in utility_paths)
  is_utility_name = any(p in basename(file).lower() for p in name_patterns)
  export_count = count_exports(file)  # Grep for export/module.exports/def/class
  IF is_utility_path OR is_utility_name OR export_count > 5:
    modules.append(file)

# 步骤 3：预分类门控
FOR EACH module IN modules:
  # 读取前 30 行进行分类
  header = Read(module, limit=30)
  classify as:
    - "utility": 通用可重用逻辑（验证、解析、格式化、HTTP、缓存）
    - "integration": 围绕外部服务的包装器（电子邮件、支付、存储）
    - "domain-specific": 项目特有的业务逻辑（评分、路由、定价规则）

  IF classification == "domain-specific":
    no_replacement_found.append({module, reason: "领域特定业务逻辑"})
    REMOVE from modules

# 上限：每次调用最多分析 15 个实用工具/集成模块
modules = modules[:15]

阶段 2：目标提取

FOR EACH module IN modules:
  # 读取代码（前 200 行 + 导出摘要）
  code = Read(module, limit=200)
  exports = Grep("export|module\.exports|def |class |func ", module)

  # 提取目标：此模块解决了什么问题？
  goal = {
    domain: "email validation" | "HTTP retry" | "CSV parsing" | ...,
    inputs: [types],
    outputs: [types],
    key_operations: ["validates email format", "checks MX records", ...],
    complexity_indicators: ["regex", "network calls", "state machine", "crypto", ...],
    summary: "Custom email validator with MX record checking and disposable domain filtering"
  }

阶段 3：替代方案搜索（MCP 研究）

FOR EACH module WHERE module.goal extracted:
  # 策略 1：WebSearch（主要）
  WebSearch("{goal.domain} {tech_stack.language} library package 2026")
  WebSearch("{goal.summary} open source alternative {tech_stack.language}")

  # 策略 2：Context7（针对已知生态系统）
  IF tech_stack.package_manager == "npm":
    WebSearch("{goal.domain} npm package weekly downloads")
  IF tech_stack.package_manager == "pip":
    WebSearch("{goal.domain} python library pypi")

  # 策略 3：Ref（文档搜索）
  ref_search_documentation("{goal.domain} {tech_stack.language} recommended library")

  # 策略 4：生态系统对齐 — 检查现有项目依赖项是否已覆盖此目标（例如，项目使用 Zod → 首先检查 zod 插件）
  FOR EACH dep IN tech_stack.existing_dependencies:
    IF dep.ecosystem overlaps goal.domain:
      WebSearch("{dep.name} {goal.domain} plugin extension")

  # 收集候选方案（每个模块最多 5 个）
  alternatives = top_5_by_relevance(search_results)

强制要求： 在为每个候选方案分配置信度之前，必须运行安全门控和许可证分类。

FOR EACH module, FOR EACH alternative:
  # 4a. 基本信息
  info = {
    name: "zod" | "email-validator" | ...,
    version: "latest stable",
    weekly_downloads: N,
    github_stars: N,
    last_commit: "YYYY-MM-DD",
  }

  # 4b. 安全门控（强制）
  WebSearch("{alternative.name} CVE vulnerability security advisory")
  IF unpatched HIGH/CRITICAL CVE found:
    security_status = "VULNERABLE"
    → Cap confidence at LOW, add warning to Findings
  ELIF patched CVE (older version):
    security_status = "PATCHED_CVE"
    → Note in report, no confidence cap
  ELSE:
    security_status = "CLEAN"

  # 4c. 许可证分类
  license = detect_license(alternative)
  IF license IN ["MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC", "Unlicense"]:
    license_class = "PERMISSIVE"
  ELIF license IN ["GPL-2.0", "GPL-3.0", "AGPL-3.0", "LGPL-2.1", "LGPL-3.0"]:
    IF project_license is copyleft AND compatible:
      license_class = "COPYLEFT_COMPATIBLE"
    ELSE:
      license_class = "COPYLEFT_INCOMPATIBLE"
  ELSE:
    license_class = "UNKNOWN"

  # 4d. 生态系统对齐
  ecosystem_match = alternative.name IN tech_stack.existing_dependencies
                    OR alternative.ecosystem == tech_stack.framework
  # 偏好：如果项目使用 zod，则优先选择 zod 插件而非独立包

  # 4e. 功能与 API 评估
  api_surface_match = HIGH | MEDIUM | LOW
  feature_coverage = percentage  # 覆盖自定义模块功能的百分比
  migration_effort = S | M | L   # S=<4h, M=4-16h, L=>16h

  # 4f. 置信度分配
  # HIGH: >10k stars, active (commit <6mo), >90% coverage,
  #       PERMISSIVE license, CLEAN security, ecosystem_match preferred
  # MEDIUM: >1k stars, maintained (commit <1yr), >70% coverage,
  #         PERMISSIVE license, no unpatched CRITICAL CVEs
  # LOW: <1k stars OR unmaintained OR <70% coverage
  #      OR COPYLEFT_INCOMPATIBLE OR VULNERABLE

阶段 5：撰写报告 + 迁移计划

必读： 加载 shared/references/audit_worker_core_contract.md 和 shared/templates/audit_worker_report_template.md。

在内存中构建报告，写入 {output_dir}/645-open-source-replacer[-{domain}].md。

# 开源替代审计报告

<!-- AUDIT-META
worker: ln-645
category: Open Source Replacement
domain: {domain_name|global}
scan_path: {scan_path|.}
score: {X.X}
total_issues: {N}
critical: 0
high: {N}
medium: {N}
low: {N}
status: complete
-->

## 检查项

| ID | 检查项 | 状态 | 详情 |
|----|-------|--------|---------|
| module_discovery | 模块发现 | passed/warning | 发现 N 个模块 >= 100 行代码 |
| classification | 预分类 | passed | N 个实用工具，M 个集成，K 个领域特定（已排除） |
| goal_extraction | 目标提取 | passed/warning | 为 N/M 个模块提取了目标 |
| alternative_search | 替代方案搜索 | passed/warning | 为 N 个模块找到了替代方案 |
| security_gate | 安全门控 | passed/warning | 检查了 N 个候选方案，M 个干净，K 个存在漏洞 |
| evaluation | 替代方案评估 | passed/failed | N 个高置信度，M 个中置信度 |
| migration_plan | 迁移计划 | passed/skipped | 为 N 个替代方案生成了计划 |

## 发现项

| 严重性 | 位置 | 问题 | 原则 | 建议 | 工作量 |
|----------|----------|-------|-----------|----------------|--------|
| HIGH | src/utils/email-validator.ts (245 LOC) | 自定义电子邮件验证（含 MX 检查） | 复用 / 有可用开源方案 | 替换为 zod + zod-email (28k stars, MIT, 95% 覆盖率) | M |

## 迁移计划

| 优先级 | 模块 | 代码行数 | 替代方案 | 置信度 | 工作量 | 步骤 |
|----------|--------|-------|-------------|------------|--------|-------|
| 1 | src/utils/email-validator.ts | 245 | zod + zod-email | HIGH | M | 1. 安装 2. 创建模式 3. 替换调用 4. 移除模块 5. 测试 |

<!-- DATA-EXTENDED
{
  "modules_scanned": 15,
  "modules_with_alternatives": 8,
  "reuse_opportunity_score": 6.5,
  "replacements": [
    {
      "module": "src/utils/email-validator.ts",
      "lines": 245,
      "classification": "utility",
      "goal": "Email validation with MX checking",
      "alternative": "zod + zod-email",
      "confidence": "HIGH",
      "stars": 28000,
      "last_commit": "2026-02-10",
      "license": "MIT",
      "license_class": "PERMISSIVE",
      "security_status": "CLEAN",
      "ecosystem_match": true,
      "feature_coverage": 95,
      "effort": "M",
      "migration_steps": ["Install zod + zod-email", "Create validation schema", "Replace validate() calls", "Remove custom module", "Run tests"]
    }
  ],
  "no_replacement_found": [
    {"module": "src/lib/domain-scorer.ts", "reason": "Domain-specific business logic", "classification": "domain-specific"}
  ]
}
-->

阶段 6：返回摘要

Report written: docs/project/.audit/ln-640/{YYYY-MM-DD}/645-open-source-replacer[-{domain}].md
Score: X.X/10 | Issues: N (C:0 H:N M:N L:N)

使用 shared/references/audit_scoring.md 中的标准惩罚公式：

penalty = (critical x 2.0) + (high x 1.0) + (medium x 0.5) + (low x 0.2)
score = max(0, 10 - penalty)

高：针对 >200 行代码的模块，有高置信度替代方案
中：中置信度，或针对 100-200 行代码的模块有高置信度替代方案
低：低置信度（仅部分覆盖）
例外： 具有领域特定逻辑且开源包未覆盖的自定义模块 → 跳过。功能覆盖率 <80% → 跳过推荐。第 2 层： 在推荐之前验证替代方案具有完整的功能对等性。

必读： 加载 shared/references/audit_worker_core_contract.md。

基于目标，而非基于模式： 在搜索替代方案之前，先阅读代码以理解目的
强制进行 MCP 研究： 始终通过 WebSearch/Context7/Ref 搜索，切勿假设包存在
强制进行安全门控： 在推荐任何包之前，通过 WebSearch 搜索 CVE；切勿推荐存在未修复的高/严重 CVE 的包
强制进行许可证分类： 优先选择宽松许可证（MIT/Apache/BSD）；仅当项目兼容时才选择 Copyleft 许可证
生态系统对齐： 优先选择项目现有依赖树中的包（例如，如果项目使用 zod，则优先选择 zod 插件而非独立包）
预分类门控： 在分析前对模块进行分类；排除领域特定的业务逻辑
无自动修复： 仅报告，切勿安装包或修改代码
工作量现实性： S = <4h, M = 4-16h, L = >16h（迁移工作量大于简单修复）
分析上限： 每次调用最多 15 个模块，以保持在令牌预算内
始终提供证据： 为每个发现项包含文件路径 + 代码行数

必读： 加载 shared/references/audit_worker_core_contract.md。

已发现自定义模块（>= 100 行代码，实用工具/集成类型）
已应用预分类门控：领域特定模块已排除并记录原因
已为每个模块提取目标（领域、输入、输出、操作）
已通过 MCP 研究（WebSearch、Context7、Ref）搜索开源替代方案
已通过安全门控：所有候选方案已通过 WebSearch 检查 CVE
已分类许可证：为每个候选方案分类为宽松/Copyleft/未知
已检查生态系统对齐：考虑了现有项目依赖项
已为每个替代方案评分置信度（高/中/低）
已为高/中置信度替代方案生成迁移计划
报告已写入 {output_dir}/645-open-source-replacer[-{domain}].md
摘要已返回给协调器

评分算法： shared/references/audit_scoring.md
必读： shared/references/research_tool_fallback.md

版本： 1.0.0 最后更新： 2026-02-26

🇺🇸English

Paths: File paths (shared/, references/, ../ln-*) are relative to skills repo root. If not found at CWD, locate this SKILL.md directory and go up one level for repo root. If shared/ is missing, fetch files via WebFetch from https://raw.githubusercontent.com/levnikolaevich/claude-code-skills/master/skills/{path}.

Open Source Replacer

L3 Worker that discovers custom modules, analyzes their purpose, and finds battle-tested open-source replacements via MCP Research.

Purpose & Scope

Discover significant custom modules (>=100 LOC, utility/integration type)
Analyze PURPOSE of each module by reading code (goal-based, not pattern-based)
Search open-source alternatives via WebSearch, Context7, Ref
Evaluate alternatives: stars, maintenance, license, CVE status, API compatibility
Score replacement confidence (HIGH/MEDIUM/LOW)
Generate migration plan for viable replacements
Output: file-based report to docs/project/.audit/

Out of Scope:

Pattern-based detection of known reinvented wheels (custom sorting, hand-rolled validation)
Package vulnerability scanning (CVE/CVSS for existing dependencies)
Story-level optimality checks via OPT- prefix

Input

- codebase_root: string        # Project root
- tech_stack: object            # Language, framework, package manager, existing dependencies
- output_dir: string            # e.g., "docs/project/.audit/ln-640/{YYYY-MM-DD}"

# Domain-aware (optional, from coordinator)
- domain_mode: "global" | "domain-aware"   # Default: "global"
- current_domain: string                   # e.g., "users", "billing" (only if domain-aware)
- scan_path: string                        # e.g., "src/users/" (only if domain-aware)

Workflow

MANDATORY READ: Load shared/references/two_layer_detection.md for detection methodology.

Phase 1: Discovery + Classification

scan_root = scan_path IF domain_mode == "domain-aware" ELSE codebase_root

# Step 1: Find significant custom files
candidates = []
FOR EACH file IN Glob("**/*.{ts,js,py,rb,go,java,cs}", root=scan_root):
  IF file in node_modules/ OR vendor/ OR .venv/ OR dist/ OR build/ OR test/ OR __test__/:
    SKIP
  line_count = wc -l {file}
  IF line_count >= 100:
    candidates.append(file)

# Step 2: Filter to utility/library-like modules
utility_paths = ["utils/", "lib/", "helpers/", "common/", "shared/", "pkg/", "internal/"]
name_patterns = ["parser", "formatter", "validator", "converter", "encoder",
                 "decoder", "serializer", "logger", "cache", "queue", "scheduler",
                 "mailer", "http", "client", "wrapper", "adapter", "connector",
                 "transformer", "mapper", "builder", "factory", "handler"]

modules = []
FOR EACH file IN candidates:
  is_utility_path = any(p in file.lower() for p in utility_paths)
  is_utility_name = any(p in basename(file).lower() for p in name_patterns)
  export_count = count_exports(file)  # Grep for export/module.exports/def/class
  IF is_utility_path OR is_utility_name OR export_count > 5:
    modules.append(file)

# Step 3: Pre-classification gate
FOR EACH module IN modules:
  # Read first 30 lines to classify
  header = Read(module, limit=30)
  classify as:
    - "utility": generic reusable logic (validation, parsing, formatting, HTTP, caching)
    - "integration": wrappers around external services (email, payments, storage)
    - "domain-specific": business logic unique to project (scoring, routing, pricing rules)

  IF classification == "domain-specific":
    no_replacement_found.append({module, reason: "Domain-specific business logic"})
    REMOVE from modules

# Cap: analyze max 15 utility/integration modules per invocation
modules = modules[:15]

Phase 2: Goal Extraction

FOR EACH module IN modules:
  # Read code (first 200 lines + exports summary)
  code = Read(module, limit=200)
  exports = Grep("export|module\.exports|def |class |func ", module)

  # Extract goal: what problem does this module solve?
  goal = {
    domain: "email validation" | "HTTP retry" | "CSV parsing" | ...,
    inputs: [types],
    outputs: [types],
    key_operations: ["validates email format", "checks MX records", ...],
    complexity_indicators: ["regex", "network calls", "state machine", "crypto", ...],
    summary: "Custom email validator with MX record checking and disposable domain filtering"
  }

Phase 3: Alternative Search (MCP Research)

FOR EACH module WHERE module.goal extracted:
  # Strategy 1: WebSearch (primary)
  WebSearch("{goal.domain} {tech_stack.language} library package 2026")
  WebSearch("{goal.summary} open source alternative {tech_stack.language}")

  # Strategy 2: Context7 (for known ecosystems)
  IF tech_stack.package_manager == "npm":
    WebSearch("{goal.domain} npm package weekly downloads")
  IF tech_stack.package_manager == "pip":
    WebSearch("{goal.domain} python library pypi")

  # Strategy 3: Ref (documentation search)
  ref_search_documentation("{goal.domain} {tech_stack.language} recommended library")

  # Strategy 4: Ecosystem alignment — check if existing project dependencies
  # already cover this goal (e.g., project uses Zod → check zod plugins first)
  FOR EACH dep IN tech_stack.existing_dependencies:
    IF dep.ecosystem overlaps goal.domain:
      WebSearch("{dep.name} {goal.domain} plugin extension")

  # Collect candidates (max 5 per module)
  alternatives = top_5_by_relevance(search_results)

Phase 4: Evaluation

MANDATORY: Security Gate and License Classification run for EVERY candidate before confidence assignment.

FOR EACH module, FOR EACH alternative:
  # 4a. Basic info
  info = {
    name: "zod" | "email-validator" | ...,
    version: "latest stable",
    weekly_downloads: N,
    github_stars: N,
    last_commit: "YYYY-MM-DD",
  }

  # 4b. Security Gate (mandatory)
  WebSearch("{alternative.name} CVE vulnerability security advisory")
  IF unpatched HIGH/CRITICAL CVE found:
    security_status = "VULNERABLE"
    → Cap confidence at LOW, add warning to Findings
  ELIF patched CVE (older version):
    security_status = "PATCHED_CVE"
    → Note in report, no confidence cap
  ELSE:
    security_status = "CLEAN"

  # 4c. License Classification
  license = detect_license(alternative)
  IF license IN ["MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC", "Unlicense"]:
    license_class = "PERMISSIVE"
  ELIF license IN ["GPL-2.0", "GPL-3.0", "AGPL-3.0", "LGPL-2.1", "LGPL-3.0"]:
    IF project_license is copyleft AND compatible:
      license_class = "COPYLEFT_COMPATIBLE"
    ELSE:
      license_class = "COPYLEFT_INCOMPATIBLE"
  ELSE:
    license_class = "UNKNOWN"

  # 4d. Ecosystem Alignment
  ecosystem_match = alternative.name IN tech_stack.existing_dependencies
                    OR alternative.ecosystem == tech_stack.framework
  # Prefer: zod plugin over standalone if project uses zod

  # 4e. Feature & API Evaluation
  api_surface_match = HIGH | MEDIUM | LOW
  feature_coverage = percentage  # what % of custom module features covered
  migration_effort = S | M | L   # S=<4h, M=4-16h, L=>16h

  # 4f. Confidence Assignment
  # HIGH: >10k stars, active (commit <6mo), >90% coverage,
  #       PERMISSIVE license, CLEAN security, ecosystem_match preferred
  # MEDIUM: >1k stars, maintained (commit <1yr), >70% coverage,
  #         PERMISSIVE license, no unpatched CRITICAL CVEs
  # LOW: <1k stars OR unmaintained OR <70% coverage
  #      OR COPYLEFT_INCOMPATIBLE OR VULNERABLE

Phase 5: Write Report + Migration Plan

MANDATORY READ: Load shared/references/audit_worker_core_contract.md and shared/templates/audit_worker_report_template.md.

Build report in memory, write to {output_dir}/645-open-source-replacer[-{domain}].md.

# Open Source Replacement Audit Report

<!-- AUDIT-META
worker: ln-645
category: Open Source Replacement
domain: {domain_name|global}
scan_path: {scan_path|.}
score: {X.X}
total_issues: {N}
critical: 0
high: {N}
medium: {N}
low: {N}
status: complete
-->

## Checks

| ID | Check | Status | Details |
|----|-------|--------|---------|
| module_discovery | Module Discovery | passed/warning | Found N modules >= 100 LOC |
| classification | Pre-Classification | passed | N utility, M integration, K domain-specific (excluded) |
| goal_extraction | Goal Extraction | passed/warning | Extracted goals for N/M modules |
| alternative_search | Alternative Search | passed/warning | Found alternatives for N modules |
| security_gate | Security Gate | passed/warning | N candidates checked, M clean, K vulnerable |
| evaluation | Replacement Evaluation | passed/failed | N HIGH confidence, M MEDIUM |
| migration_plan | Migration Plan | passed/skipped | Generated for N replacements |

## Findings

| Severity | Location | Issue | Principle | Recommendation | Effort |
|----------|----------|-------|-----------|----------------|--------|
| HIGH | src/utils/email-validator.ts (245 LOC) | Custom email validation with MX checking | Reuse / OSS Available | Replace with zod + zod-email (28k stars, MIT, 95% coverage) | M |

## Migration Plan

| Priority | Module | Lines | Replacement | Confidence | Effort | Steps |
|----------|--------|-------|-------------|------------|--------|-------|
| 1 | src/utils/email-validator.ts | 245 | zod + zod-email | HIGH | M | 1. Install 2. Create schema 3. Replace calls 4. Remove module 5. Test |

<!-- DATA-EXTENDED
{
  "modules_scanned": 15,
  "modules_with_alternatives": 8,
  "reuse_opportunity_score": 6.5,
  "replacements": [
    {
      "module": "src/utils/email-validator.ts",
      "lines": 245,
      "classification": "utility",
      "goal": "Email validation with MX checking",
      "alternative": "zod + zod-email",
      "confidence": "HIGH",
      "stars": 28000,
      "last_commit": "2026-02-10",
      "license": "MIT",
      "license_class": "PERMISSIVE",
      "security_status": "CLEAN",
      "ecosystem_match": true,
      "feature_coverage": 95,
      "effort": "M",
      "migration_steps": ["Install zod + zod-email", "Create validation schema", "Replace validate() calls", "Remove custom module", "Run tests"]
    }
  ],
  "no_replacement_found": [
    {"module": "src/lib/domain-scorer.ts", "reason": "Domain-specific business logic", "classification": "domain-specific"}
  ]
}
-->

Phase 6: Return Summary

Report written: docs/project/.audit/ln-640/{YYYY-MM-DD}/645-open-source-replacer[-{domain}].md
Score: X.X/10 | Issues: N (C:0 H:N M:N L:N)

Scoring

Uses standard penalty formula from shared/references/audit_scoring.md:

penalty = (critical x 2.0) + (high x 1.0) + (medium x 0.5) + (low x 0.2)
score = max(0, 10 - penalty)

Severity mapping:

HIGH: HIGH confidence replacement for module >200 LOC
MEDIUM: MEDIUM confidence, or HIGH confidence for 100-200 LOC
LOW: LOW confidence (partial coverage only)
Exception: Custom module with domain-specific logic not covered by OSS package → skip. Feature parity <80% → skip recommendation. Layer 2: Verify replacement has full feature parity before recommending

Critical Rules

MANDATORY READ: Load shared/references/audit_worker_core_contract.md.

Goal-based, not pattern-based: Read code to understand PURPOSE before searching alternatives
MCP Research mandatory: Always search via WebSearch/Context7/Ref, never assume packages exist
Security gate mandatory: WebSearch for CVEs before recommending any package; never recommend packages with unpatched HIGH/CRITICAL CVEs
License classification mandatory: Permissive (MIT/Apache/BSD) preferred; copyleft only if project-compatible
Ecosystem alignment: Prefer packages from project's existing dependency tree (e.g., zod plugin over standalone if project uses zod)
Pre-classification gate: Categorize modules before analysis; exclude domain-specific business logic
No auto-fix: Report only, never install packages or modify code
Effort realism: S = <4h, M = 4-16h, L = >16h (migration effort is larger than simple fixes)
Cap analysis: Max 15 modules per invocation to stay within token budget
Evidence always: Include file paths + line counts for every finding

Definition of Done

MANDATORY READ: Load shared/references/audit_worker_core_contract.md.

Custom modules discovered (>= 100 LOC, utility/integration type)
Pre-classification gate applied: domain-specific modules excluded with documented reason
Goals extracted for each module (domain, inputs, outputs, operations)
Open-source alternatives searched via MCP Research (WebSearch, Context7, Ref)
Security gate passed: all candidates checked for CVEs via WebSearch
License classified: Permissive/Copyleft/Unknown for each candidate
Ecosystem alignment checked: existing project dependencies considered
Confidence scored for each replacement (HIGH/MEDIUM/LOW)
Migration plan generated for HIGH/MEDIUM confidence replacements
Report written to {output_dir}/645-open-source-replacer[-{domain}].md
Summary returned to coordinator

Reference Files

Scoring algorithm: shared/references/audit_scoring.md
MANDATORY READ: shared/references/research_tool_fallback.md

Version: 1.0.0 Last Updated: 2026-02-26

Weekly Installs

130

Repository

levnikolaevich/…e-skills

GitHub Stars

245

First Seen

Feb 27, 2026

Security Audits

Gen Agent Trust HubPass SocketPass SnykWarn

Installed on

cursor124

codex123

opencode122

gemini-cli122

amp122

cline122

Skills CLI 使用指南：AI Agent 技能包管理器安装与管理教程

44,900 周安装