From tech-debt-audit
Performs a comprehensive technical debt and architecture audit across an entire codebase. Use this skill when the user explicitly requests a code audit, technical debt review, or codebase health assessment. Produces a structured markdown report saved to the project root.
How this skill is triggered — by the user, by Claude, or both
Slash command
/tech-debt-audit:tech-debt-audit
This skill is limited to the following tools:
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
This skill performs a full-codebase technical debt and architecture audit, producing a structured markdown report.
Use this skill when the user explicitly asks for:
Do not trigger on vague requests ("what should we clean up") or single-file reviews.
This skill only writes to technical-debt-report.md at the project root. Source code is never modified. User confirmation is requested before writing the report.
Run before analyzing any source code. This phase maps the codebase structure and identifies what languages/frameworks are present.
Steps:
Detect language(s): Look for marker files:
- package.json
- pyproject.toml, requirements.txt, setup.py
- go.mod
- Cargo.toml
- pom.xml
- Gemfile
- Dockerfile, Makefile
Get directory tree: Full structure, excluding:
- node_modules, .git, vendor, __pycache__, .venv, dist, build, .next, coverage, .pytest_cache
Identify hotspots: Which directories have the most files?
Size analysis: Find 20 largest source files by line count. Look for god modules (400+ lines).
CI/CD signals: Check for .github/workflows/, Dockerfile, Makefile, .gitlab-ci.yml, .circleci/
Test coverage: Identify test directories (test/, tests/, __tests__/, spec/). Estimate test-to-source ratio.
Monorepo signals: Check for packages/, apps/, turbo.json, nx.json, go.work
Output: Summarize findings for the report snapshot.
Run targeted greps to surface debt signals without reading all files. This phase is fast and identifies high-risk areas.
Language-agnostic signals:
- TODO, FIXME, HACK, XXX — sample and count
- @deprecated markers
- # type: ignore, # noqa, @SuppressWarnings, // @ts-ignore, // eslint-disable
- localhost:, 127.0.0.1, password =, API_KEY=, secret
- catch {}, except: pass, except Exception:
- console.log, print(, fmt.Println, logger.debug (check it's not in test files)
Language-specific signals:
JavaScript/TypeScript:
- : any type annotations
- // @ts-ignore, // eslint-disable
- import * as)
- eval()
Python:
- except: (bare except, no exception type)
- # type: ignore, # pylint: disable
- globals(), eval()
Go:
- panic(recover())
- _ = err)
- unsafe keyword
Java:
- List instead of List<String>)
- @Deprecated
- @SuppressWarnings
Rust:
- unsafe
- .unwrap() outside tests
- panic!()
Ranking: Score files by debt signal density. Select 15–25 target files for Phase 3:
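A sketch of the grep-and-rank pass described above, as an added example that is not part of the skill itself. It counts a subset of the listed signals per file, prunes the directories excluded during discovery, and ranks files by hits per 100 lines. The regexes, the extension set, the density formula, and the function names are assumptions of this example; the skill does not define a scoring formula.

```python
import os
import re
import sys

# Directories the skill's discovery phase excludes.
EXCLUDED = {"node_modules", ".git", "vendor", "__pycache__", ".venv",
            "dist", "build", ".next", "coverage", ".pytest_cache"}
SOURCE_EXT = {".py", ".js", ".ts", ".go", ".rs", ".java"}  # assumed set

# Subset of the page's signals; the regexes are this example's assumptions.
SIGNALS = {
    "marker": re.compile(r"\b(TODO|FIXME|HACK|XXX)\b"),
    "suppression": re.compile(r"#\s*type:\s*ignore|#\s*noqa|@ts-ignore|eslint-disable"),
    "hardcoded": re.compile(r"localhost:|127\.0\.0\.1|password\s*=|API_KEY\s*="),
    "swallowed": re.compile(r"catch\s*\{\s*\}|except\s*:|except\s+Exception\s*:"),
    "eval": re.compile(r"\beval\("),
}

def count_signals(text):
    """Return (line_count, {signal: lines_matching}) for one file's text."""
    lines = text.splitlines()
    hits = {name: sum(1 for ln in lines if rx.search(ln))
            for name, rx in SIGNALS.items()}
    return len(lines), hits

def rank_files(root, top=25):
    """Rank source files under root by signal hits per 100 lines."""
    ranked = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune excluded directories in place so os.walk never descends.
        dirnames[:] = [d for d in dirnames if d not in EXCLUDED]
        for fname in filenames:
            if os.path.splitext(fname)[1] not in SOURCE_EXT:
                continue
            path = os.path.join(dirpath, fname)
            with open(path, encoding="utf-8", errors="replace") as fh:
                n, hits = count_signals(fh.read())
            total = sum(hits.values())
            if total:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                ranked.append((round(100.0 * total / max(n, 1), 1), rel, hits))
    ranked.sort(key=lambda r: (-r[0], r[1]))
    return ranked[:top]

if __name__ == "__main__":
    for density, rel, hits in rank_files(sys.argv[1] if len(sys.argv) > 1 else "."):
        fired = {k: v for k, v in hits.items() if v}
        print(f"{density:6.1f}  {rel}  {fired}")
```

Density favors small files packed with signals over large files with a few scattered hits, so the 400+ line god modules from the size analysis should be added to the target list separately.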
Read the selected files and combine static analysis tool output with LLM analysis to identify architectural issues.
Static Analysis Tools (per language):
JavaScript/TypeScript: Run eslint if available. Parse output for:
Python: Run pylint or flake8 if available. Parse for:
Go: Run go vet and golangci-lint if available. Parse for:
Rust: Run clippy if available. Parse for:
- unwrap() calls)
Java: Run checkstyle or spotbugs if available.
LLM Analysis (reading selected files):
Read selected files and look for:
God modules: Single file doing too many things. High line count + unrelated functions/classes. Example: utils.js with 30 unrelated utility functions.
Coupling: Count imports per file. Files importing many others = high coupling. Circular imports = architectural risk.
Duplication: Repeated code patterns that should be extracted into shared functions.
Error handling: Missing error checks, silent failures, broad try/catch or try/except blocks, panic(recover()) patterns.
Missing tests: Code with no corresponding test file, high cyclomatic complexity without test coverage.
Code smells:
Combine results: Merge static tool findings + LLM findings into a unified list of issues.
Save the report to technical-debt-report.md at the project root.
# Technical Debt & Architecture Audit
**Project:** [name]
**Date:** [YYYY-MM-DD]
**Scope:** full codebase
## Executive Summary
[3–5 sentences. Written for a tech lead or EM. Summarize overall health, top 2–3 risks, and remediation priority.]
**Overall Debt Level:** Critical | High | Medium | Low
**Estimated Remediation Effort:** [X days / weeks / months]
## Codebase Snapshot
| Metric | Value |
|--------|-------|
| Language(s) | [comma-separated] |
| Framework(s) | [comma-separated] |
| Total Files | [N] |
| Source Files | [N] |
| Test Files | [N] |
| Test-to-Source Ratio | [N%] |
| Largest File | [filename:lines] |
| CI/CD Present | Yes/No |
| Monorepo | Yes/No |
| TODOs/FIXMEs | [count] |
## Issues
### [CAT-NNN]: [Short Title]
- **Severity:** Critical | High | Medium | Low
- **Category:** [DEBT, ARCH, DEPS, TEST, DOCS, DEAD, PERF, CMPL]
- **Location:** [file:line or directory]
- **Description:** [What + why, 2–4 sentences]
- **Evidence:** [Specific observation or grep hit]
- **Suggested Fix:** [Actionable approach]
- **References:**
- [Title](URL)
- [Title](URL)
- **Effort:** Small (hours) | Medium (1–3 days) | Large (1–2 weeks) | Epic
[Repeat for 5–15 issues, ordered by severity then effort]
## Remediation Roadmap
### Critical (Immediate)
[List critical issues with fix approach]
### High (Next Sprint)
[High-severity issues prioritized by impact/effort]
### Medium (Next Quarter)
[Medium issues]
### Backlog
[Low issues]
## Patterns & Root Causes
[Systemic findings that appear across multiple files. Example: "Lack of error handling is pervasive because error types are not standardized."]
## Audit Methodology
- **Phase 1:** Language detection, file tree, size/hotspot analysis, CI/CD check
- **Phase 2:** Grep-based debt signals (language-agnostic and language-specific)
- **Phase 3:** Deep read of [N] target files + static analysis tool output + LLM analysis
- **Tools used:** [eslint, pylint, etc. as applicable]
- **Files analyzed:** [list of deep-read files]
- **Limitations:** [e.g., "Large test suites not fully examined", "Monorepo sub-packages analyzed individually"]
- **Recommendations:** Run `mls:security-scanner` for OWASP-specific scan; run language linters directly for mechanical issues
---
Categories:
- DEBT — Technical debt (hacky code, shortcuts, quick fixes)
- ARCH — Architecture (modularity, coupling, design)
- DEPS — Dependencies (outdated, unused, version conflicts)
- TEST — Testing (low coverage, missing tests, brittle tests)
- DOCS — Documentation (missing, stale, unclear)
- DEAD — Dead code (unused functions, unreachable code)
- PERF — Performance (inefficient algorithms, N+1 queries)
- CMPL — Complexity (long methods, nested logic)
Severity Criteria:
Use authoritative sources when citing best practices:
Before writing the report:
- technical-debt-report.md at [project root]? Proceed?"
- technical-debt-report.md
npx claudepluginhub lexicalninja/my-marketplace --plugin tech-debt-audit