slither is a cheap-model repo scout. It creeps like a snake through a repository, gathers bounded file evidence, optionally asks a cheap model through github.com/garyblankenship/wormhole, and writes a Markdown report.
go install github.com/dotcommander/slither/cmd/slither@latest

Build from source:
git clone https://github.com/dotcommander/slither.git
cd slither
go build -o slither ./cmd/slither

See docs/usage.md for the full flag reference and output format.
go run ./cmd/slither report /path/to/repo --out slither-report.md --top 80 --days 90

Emit a machine-readable evidence envelope:
go run ./cmd/slither report /path/to/repo --json --out slither-report.json

Append an auditable cheap-model cull ledger with kept targets, alternates, culled buckets, evidence intersections, and skipped-signal context:
go run ./cmd/slither report /path/to/repo --top 80 --cull --json --out slither-cull.json

slither embeds the full premium-model-triage pattern catalog by default. Use --patterns only when testing or overriding that catalog:
go run ./cmd/slither report /path/to/repo \
--patterns ./triage_patterns.json \
--json --out slither-report.json

With OpenRouter via wormhole:
OPENROUTER_API_KEY=... go run ./cmd/slither report /path/to/repo \
--model z-ai/glm-5.2 \
--base-url https://openrouter.ai/api/v1 \
--out slither-report.md

With a local OpenAI-compatible server:
go run ./cmd/slither report /path/to/repo --local --out slither-report.md

If no model is configured, slither uses a deterministic fallback score so the CLI is useful offline. A default model, base URL, API-key env var, and ordered fallback_models can be set in ~/.config/slither/config.json (written on first run); CLI flags override it. Model scores are cached under ~/.config/slither/cache/ so re-runs skip unchanged files (--no-cache to disable). Reports include discovery counts, evidence layers, evidence locations, actionability labels, cull dispositions, lane scores, pattern source, and skipped signals so missing evidence is visible instead of treated as low risk.