From cloudbase-ai-toolkit
Audits the full codebase for security, quality, and reliability issues, creates GitHub issues for each finding, then fixes them in isolated git worktrees and submits PRs.
Slash command: /cloudbase-ai-toolkit:codebase-audit
Summary Claude sees in its skill listing (used to decide when to auto-load this skill): End-to-end workflow: systematically review the entire codebase, report findings as GitHub issues, fix each issue in an isolated git worktree, and submit PRs — all in one session.
Use this skill when you need to:
Do NOT use for:
- … (systematic-debugging or direct fix)
- … (pr-review-fix)
- … (mcp-attribution-worktree)

Workflow:
1. See references/review-strategy.md for the review scope and checklist.
2. Use the code-explorer subagent to read ALL source files in the target directory (default: mcp/src/).
3. … as any, unsafe casts, missing null checks
4. See references/dependency-audit.md and run the Dependabot alert fetch + npm audit to discover vulnerable dependencies. Record each finding using the dependency-audit format.
5. See references/classification.md for severity definitions and grouping rules.
6. See references/issue-workflow.md for issue creation guidelines, then create one issue per finding:
gh issue create --title "<type>(<scope>): <summary>" --body "<structured body>" --label "<severity>,<category>"
7. See references/worktree-fix.md for the isolation and fix procedure.
a. Create an isolated worktree on a new branch cut from origin/main:
git worktree add ../<repo>-audit-fix-<issue-number> -b fix/<slug>-<issue-number> origin/main
b. Work inside the worktree — never in the main checkout.
c. Implement the fix, keeping changes minimal and focused.
d. Verify locally: cd mcp && npm run build && npm run test
e. Commit with conventional-changelog format:
git commit -m 'fix(<scope>): 🔒 <english description>
Closes #<issue-number>'
f. Push and create PR (use $'…' quoting for the body so the blank line before "Closes" is a real newline; inside plain double quotes a "\n" is passed to gh literally):
git push github fix/<slug>-<issue-number>
gh pr create --title "fix(<scope>): 🔒 <summary>" --body $'Closes #<issue-number>\n\n<description>' --base main
g. Remove the worktree after PR is created:
cd <original-dir>
git worktree remove ../<repo>-audit-fix-<issue-number>
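The following script is an added example, not code from the cloudbase-ai-toolkit skill or its reference files: it drives one audited issue through steps a–g above as a single function, with a dry-run mode so the command sequence can be inspected (or tested) without touching a repository. Assumptions carried over from this page: the fetch remote is named origin and the push remote github, gh is installed and authenticated, and the build/test commands live under mcp/. The slug rule (lowercased, hyphenated title capped at 40 characters), the DRY_RUN variable and the function names are this example's own choices; the page does not define them.

```bash
#!/usr/bin/env bash
# Added example (not part of the cloudbase-ai-toolkit skill): runs one issue
# through worktree -> fix -> test -> commit -> push -> PR -> cleanup.
# Assumes remotes "origin" (fetch) and "github" (push) and an authenticated
# `gh`, as on the skill page. DRY_RUN=1 (this example's own switch) prints
# each command instead of executing it.
set -euo pipefail

# Derive <slug> from the issue title: lowercase, runs of non-alphanumerics
# become "-", leading/trailing "-" dropped, capped at 40 characters.
# (Assumed rule; the skill page does not say how <slug> is formed.)
slugify() {
  printf '%s' "$1" \
    | tr '[:upper:]' '[:lower:]' \
    | sed -E 's/[^a-z0-9]+/-/g; s/^-+//; s/-+$//' \
    | cut -c1-40 \
    | sed -E 's/-+$//'
}

branch_name() {   # branch_name <slug> <issue-number> -> fix/<slug>-<issue-number>
  printf 'fix/%s-%s' "$1" "$2"
}

worktree_path() { # worktree_path <repo> <issue-number> -> ../<repo>-audit-fix-<issue-number>
  printf '../%s-audit-fix-%s' "$1" "$2"
}

# Conventional-changelog message in the skill's format, with a real blank line
# before the "Closes" trailer so GitHub auto-closes the issue on merge.
commit_message() { # commit_message <scope> <description> <issue-number>
  printf 'fix(%s): 🔒 %s\n\nCloses #%s' "$1" "$2" "$3"
}

# Execute a command, or echo it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '+ %s\n' "$*"
  else
    "$@"
  fi
}

# audit_fix_cycle <repo> <issue-number> <scope> <issue-title>
# Invoke from the main checkout; every file change happens inside the worktree.
audit_fix_cycle() {
  local repo="$1" issue="$2" scope="$3" title="$4"
  local slug branch path
  slug=$(slugify "$title")
  branch=$(branch_name "$slug" "$issue")
  path=$(worktree_path "$repo" "$issue")

  # Refuse to reuse a leftover worktree: a stale directory from an earlier run
  # would otherwise mix two fixes into one branch.
  if [ "${DRY_RUN:-0}" != "1" ] && [ -e "$path" ]; then
    printf 'worktree %s already exists; remove it first\n' "$path" >&2
    return 1
  fi

  run git fetch origin main                                    # base on current main
  run git worktree add "$path" -b "$branch" origin/main        # step a
  # (steps b/c: edit files inside "$path" here, minimal and focused)
  run sh -c "cd '$path/mcp' && npm run build && npm run test"  # step d
  run git -C "$path" add -A                                    # step e
  run git -C "$path" commit -m "$(commit_message "$scope" "$title" "$issue")"
  run git -C "$path" push github "$branch"                     # step f
  run gh pr create --head "$branch" --base main \
    --title "fix($scope): 🔒 $title" \
    --body "$(printf 'Closes #%s\n\n%s' "$issue" "$title")"
  run git worktree remove "$path"                              # step g
}
```

Run it as `DRY_RUN=1 audit_fix_cycle cloudbase-mcp 42 type-safety 'remove as any cast'` to see the exact commands before letting it touch anything. Two practical caveats: `git add -A` stages everything in the worktree, so check `git -C "$path" status` first if the fix is meant to stay minimal, and when a checkout has more than one remote `gh pr create` may ask which one is the default (`gh repo set-default` settles it once).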
For dependency findings, see references/dependency-audit.md Step 4. These can be grouped into a single PR since they modify package.json / package-lock.json.
See references/verification.md for the verification checklist, and confirm the checks pass on each PR:
gh pr checks <number>
| Task | Read |
|---|---|
| What to review and how to check each category | references/review-strategy.md |
| Security severity classification (TSRC-style) | references/security-severity-checklist.md |
| How to classify, deduplicate, and batch findings | references/classification.md |
| How to create well-structured GitHub issues | references/issue-workflow.md |
| How to create worktrees and fix issues in isolation | references/worktree-fix.md |
| How to verify fixes and generate the final report | references/verification.md |
| How to audit and fix dependency vulnerabilities | references/dependency-audit.md |
Follow the project's conventional-changelog format:
fix(<scope>): 🔒 <english description>
Closes #<issue-number>
Scope examples: security, deps, error-handling, type-safety, code-quality, cloudrun, database, functions
Install via claudepluginhub: npx claudepluginhub tencentcloudbase/cloudbase-mcp