slither is a cheap-model repo scout. It creeps like a snake through a repository, gathers bounded file evidence, optionally asks a cheap model through github.com/garyblankenship/wormhole, and writes a Markdown report.
go install github.com/dotcommander/slither/cmd/slither@latest
Build from source:
git clone https://github.com/dotcommander/slither.git
cd slither
go build -o slither ./cmd/slither
See docs/usage.md for the full flag reference and output format.
go run ./cmd/slither report /path/to/repo --out slither-report.md --top 80 --days 90
Emit a machine-readable evidence envelope:
go run ./cmd/slither report /path/to/repo --json --out slither-report.json
Append an auditable cheap-model cull ledger with kept targets, alternates, culled buckets, evidence intersections, and skipped-signal context:
go run ./cmd/slither report /path/to/repo --top 80 --cull --json --out slither-cull.json
slither embeds the full premium-model-triage pattern catalog by default. Use --patterns only when testing or overriding that catalog:
go run ./cmd/slither report /path/to/repo \
--patterns ./triage_patterns.json \
--json --out slither-report.json
With OpenRouter via wormhole:
OPENROUTER_API_KEY=... go run ./cmd/slither report /path/to/repo \
--model z-ai/glm-5.2 \
--base-url https://openrouter.ai/api/v1 \
--out slither-report.md
With a local OpenAI-compatible server:
go run ./cmd/slither report /path/to/repo --local --out slither-report.md
If no model is configured, slither uses a deterministic fallback score so the CLI is useful offline. A default model, base URL, API-key env var, and ordered fallback_models can be set in ~/.config/slither/config.json (written on first run); CLI flags override it. Model scores are cached under ~/.config/slither/cache/ so re-runs skip unchanged files (--no-cache to disable). Reports include discovery counts, evidence layers, lane scores, pattern source, and skipped signals so missing evidence is visible instead of treated as low risk.