Stats
Actions
Tags
From specialist-agent
Audits codebases for OWASP Top 10 security issues, performance bottlenecks, architecture flaws, dependency vulnerabilities, and observability gaps before releases, refactors, or compliance reviews.
How this skill is triggered — by the user, by Claude, or both
Slash command
/specialist-agent:auditThis skill is limited to the following tools:
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
Run a comprehensive audit that combines security, performance, architecture, and dependency analysis in one pass.
Run a comprehensive audit that combines security, performance, architecture, and dependency analysis in one pass.
Target: $ARGUMENTS
@reviewer instead)Determine audit scope:
IF $ARGUMENTS is a path → audit that path
IF $ARGUMENTS is a module name → find and audit the module
IF $ARGUMENTS is empty → audit entire project
Read the project structure. Identify:
Check for OWASP Top 10 vulnerabilities:
| Check | What to Look For |
|---|---|
| Injection | SQL/NoSQL injection, command injection, XSS |
| Auth | Hardcoded secrets, weak JWT config, missing CSRF |
| Access Control | Missing auth checks, IDOR, privilege escalation |
| Cryptography | Weak algorithms, plaintext passwords, missing encryption |
| Configuration | Debug mode in production, verbose errors, default credentials |
| Dependencies | Known CVEs in packages |
| Data Exposure | Sensitive data in logs, responses, or error messages |
Run if available:
npm audit --json 2>/dev/null || true
npx eslint --format json $TARGET 2>/dev/null || true
Check structural integrity:
| Check | Criteria |
|---|---|
| Layer separation | Services don't import from components |
| Circular dependencies | No import cycles |
| Naming conventions | Consistent file/function naming |
| Type safety | TypeScript strict mode, no any abuse |
| Error handling | Try/catch at boundaries, custom error classes |
| API contracts | DTOs/schemas at boundaries |
Check for performance issues:
| Check | What to Look For |
|---|---|
| Bundle size | Large imports, missing tree-shaking |
| N+1 queries | Database calls in loops |
| Memory leaks | Uncleaned listeners, subscriptions, timers |
| Rendering | Unnecessary re-renders, missing memoization |
| Network | Missing caching, redundant API calls |
| Assets | Unoptimized images, missing lazy loading |
Check for production readiness observability:
| Check | What to Look For |
|---|---|
| Structured logging | JSON format, consistent fields (timestamp, level, service, traceId) |
| Error tracking | Errors captured with context (user, request, stack trace) |
| Health endpoints | /health or equivalent exposed by every service |
| Metrics | RED metrics (Rate, Errors, Duration) for critical operations |
| Correlation IDs | Trace/request IDs propagated across service boundaries |
| Sensitive data | NO passwords, tokens, PII, credit cards in logs |
# Check for structured logging
grep -rn "console\.log\|console\.error\|console\.warn" $TARGET --include="*.ts" --include="*.tsx" 2>/dev/null | grep -v "node_modules\|test\|spec" | head -15
# Check for health endpoints
grep -rn "health\|healthcheck\|readiness\|liveness" $TARGET --include="*.ts" --include="*.tsx" 2>/dev/null | head -10
# Check for sensitive data in logs
grep -rn "console\.\|logger\.\|log\." $TARGET --include="*.ts" 2>/dev/null | grep -i "password\|token\|secret\|credit\|ssn" | head -10
If the project contains frontend code (.tsx, .vue, .svelte, .astro), check:
| Check | Criteria |
|---|---|
| Alt text | All images have descriptive alt attributes |
| Form labels | All inputs have associated labels or aria-label |
| Heading hierarchy | Single H1, logical H2-H6, no skipped levels |
| Keyboard navigation | Interactive elements accessible via keyboard |
| Color contrast | Text meets WCAG AA 4.5:1 ratio |
| ARIA usage | Correct roles, states, properties |
# Detect frontend code
FRONTEND_FILES=$(find $TARGET -name "*.tsx" -o -name "*.vue" -o -name "*.svelte" -o -name "*.astro" 2>/dev/null | grep -v node_modules | head -5)
if [ -n "$FRONTEND_FILES" ]; then
echo "Frontend detected - running accessibility checks"
grep -rn "<img" $TARGET --include="*.tsx" --include="*.vue" 2>/dev/null | grep -v "alt=" | head -10
grep -rn "<input\|<select" $TARGET --include="*.tsx" --include="*.vue" 2>/dev/null | grep -v "aria-label\|id=" | head -10
fi
Check dependency health:
| Check | What to Look For |
|---|---|
| Outdated | Major versions behind |
| Vulnerable | Known CVEs |
| Unused | Installed but not imported |
| Duplicate | Multiple versions of same package |
| License | Incompatible licenses (GPL in MIT project) |
Run if available:
npx depcheck --json 2>/dev/null || true
Compile findings into a structured report with severity ratings.
Scoring formula per domain (0-100):
Overall score = average of all domain scores (weighted: Security 30%, Architecture 25%, Performance 20%, Observability 15%, Dependencies 10%).
| Level | Description | Action |
|---|---|---|
| CRITICAL | Security vulnerability or data loss risk | Fix immediately |
| HIGH | Architecture violation or major performance issue | Fix before release |
| MEDIUM | Code quality issue or minor vulnerability | Fix in next sprint |
| LOW | Style issue or minor improvement | Fix when convenient |
| INFO | Observation or recommendation | Consider for future |
Before claiming audit is complete:
| Excuse | Reality |
|---|---|
| "No security issues found" | Absence of evidence is not evidence of absence. Did you check all OWASP categories? |
| "Architecture looks fine" | Did you trace actual imports, or just scan filenames? |
| "Dependencies are up to date" | Did you run npm audit? Check for unused deps? |
| "Performance seems okay" | Did you check for N+1 queries, memory leaks, bundle size? |
| "The codebase is too large to audit fully" | Scope down to critical paths (auth, payments, data). Never skip security. |
| "Observability is a nice-to-have" | Production without observability is flying blind. You can't fix what you can't see. |
| "Accessibility doesn't apply to us" | Internal tools have users with disabilities too. And legal requirements don't have exemptions. |
npm audit or linting if available──── /audit ────
Target: [path or module]
Scope: [X files, Y lines]
Security: [score]/100 - [X critical, Y high, Z medium]
Architecture: [score]/100 - [X high, Y medium]
Performance: [score]/100 - [X high, Y medium]
Observability: [score]/100 - [X high, Y medium]
Dependencies: [score]/100 - [X vulnerable, Y outdated, Z unused]
Accessibility: [score]/100 - [N findings] (if frontend)
Overall Score: [0-100] (weighted average)
Risk Level: [CRITICAL | HIGH | MEDIUM | LOW]
Top Findings:
1. [CRITICAL] [description] - [file:line]
2. [HIGH] [description] - [file:line]
3. [HIGH] [description] - [file:line]
Full report: [inline below]
npx claudepluginhub herbertjulio/specialist-agent --plugin specialist-agentRuns mechanical checks (build, typecheck, lint, tests, secrets scan) then dispatches specialist reviewers and produces a scored codebase health report. Use for code quality, security, or performance audits.
Runs an 8-dimension project health audit covering security, dependencies, code quality, architecture, performance, infrastructure, docs, and mesh analytics. Delegates to specialist skills and produces a consolidated health score and action plan.
Conducts full codebase health audit across architecture, security, code quality, dependencies, test coverage. Produces scored report with letter grades and prioritized remediation. Use for existing codebases or before releases.