Exécutez n'importe quel Skill dans Manus
en un clic

Exécutez n'importe quel Skill dans Manus en un clic

codebase-audit

Étoiles0

Forks0

Mis à jour8 mai 2026 à 12:40

Domain-parameterized codebase auditing (security, UX, performance, API, copy, CLI). Use when auditing code, assessing quality, finding issues, or pre-launch review.

Installation

Installer avec Codex ou Claude Copiez ce prompt, collez-le dans Codex, Claude ou un autre assistant, puis laissez-le vérifier la page du skill et l'installer pour vous.

Exécuter dans Manus

Source

oysteinkrog

oysteinkrog/dotfiles

Ouvrir le dépôt GitHub Voir les dépôts du créateur

Téléchargement

Exécuter dans Manus

Métiers associésSOC

Basé sur la classification professionnelle SOC

Analystes en assurance qualité des logiciels et testeursProfessions informatiques et mathématiques·SOC 15-1253

Explorateur de fichiers

4 fichiers

SKILL.md

readonly

name	codebase-audit
description	Domain-parameterized codebase auditing (security, UX, performance, API, copy, CLI). Use when auditing code, assessing quality, finding issues, or pre-launch review.

Codebase Audit

Core Insight: Different domains need different lenses. A security audit looks for injection; a UX audit looks for confusion. Same codebase, different questions.

When to Use What

Need	Skill
Find and report domain-specific issues	codebase-audit (this)
Find bugs and fix them iteratively	multi-pass-bug-hunting
Evaluate usability specifically	ux-audit
Make UI visually polished	ui-polish

THE EXACT PROMPT

Perform a comprehensive [DOMAIN] audit of this codebase.

Domain: security | ux | performance | api | copy | cli

Return a detailed report with:
- File path and line numbers for each issue
- Severity (Critical/High/Medium/Low)
- Root cause analysis
- Recommended fix

Use the output template and domain checklist from references.

Quick Multi-Domain Sweep

Run quick audits across: security, performance, api

For each domain: top 3 issues only, with severity and fix.
Total output under 100 lines.

Domains at a Glance

Domain	Key Question	Top Signals
security	Can attackers exploit this?	injection, auth bypass, secrets in code
ux	Is this confusing?	accessibility, error handling, flows
performance	Is this slow?	N+1 queries, blocking I/O, missing cache
api	Is this pleasant to consume?	status codes, error format, pagination
copy	Is this clear?	jargon, tone, error messages
cli	Is this discoverable?	--help, exit codes, progress feedback

Full checklists: CHECKLISTS.md

Output Template

# [Domain] Audit Report: [Project]

## Summary
- **Total:** N findings
- **Critical:** X | **High:** Y | **Medium:** Z | **Low:** W

## Critical Findings

### [Title]
- **Location:** `file.rs:42`
- **Issue:** [What's wrong]
- **Root Cause:** [Why]
- **Fix:** [Solution]

## High / Medium / Low
[Same format, decreasing detail]

Severity

Level	Criteria	Example
Critical	Exploitable now, data loss	SQL injection, unauth admin
High	Serious, harder to exploit	CSRF missing, N+1 on hot path
Medium	Real issue, limited scope	Missing validation, vague errors
Low	Polish, best practice	Naming inconsistency, missing docs

Workflow Integration

┌─────────────────┐     ┌──────────────────┐     ┌─────────────────┐
│ codebase-audit  │────▶│ Create beads for │────▶│ multi-pass-bug  │
│ (find + report) │     │ critical issues  │     │ hunting (fix)   │
└─────────────────┘     └──────────────────┘     └─────────────────┘

# After audit, create issues
br create --title="[Security] SQL injection in user_search" \
  --type=bug --priority=0 --body="Found at src/search.rs:42"

Quick Grep Patterns

Security

rg -n "unwrap\(\)|panic!" --type rust           # Rust panics
rg -n "eval\(|exec\(" --type js --type py       # Code injection
rg -n "password|secret|api_key" --type-not lock # Hardcoded secrets

Performance

rg -n "for.*await|\.await.*for" --type rust     # Async in loops
rg -n "SELECT.*FROM.*WHERE" | grep -v "LIMIT"   # Unbounded queries

CLI

./tool --help | head -20                        # Help exists?
./tool --unknown 2>&1; echo "Exit: $?"          # Error handling

More patterns: TOOLS.md

Anti-Patterns

Don't	Do
"code is bad"	Specific `file:line` + fix
Mix severities	Group by impact
Audit everything at once	One domain, deep
Skip root cause	Explain WHY, not just WHAT
Report-only	Create issues for criticals

References

Topic	File
Full domain checklists	CHECKLISTS.md
Example audit reports	EXAMPLES.md
Tool commands by domain	TOOLS.md

Plus depuis ce dépôt

même dépôt

consult-oracles

oysteinkrog/dotfiles

Consult Fable (primary oracle) for expert second opinions; escalate to GPT-5.5-Pro only for extremely important or complex tasks (always paired with Fable). Use for complex decisions, architecture choices, debugging hard problems, or when user says "consult oracles", "ask the experts", or wants a second opinion.

2026-06-100

oracle-review

oysteinkrog/dotfiles

Run iterative oracle + agent hardening loop on any artifact (designs, plans, beads, architecture) until findings converge to near-zero. Combines /swarm-oracle with /swarm-review in alternating rounds. Use for the full hardening cycle, not just a single oracle pass. For oracle-only, use /swarm-oracle. For bead-only hardening, use /swarm-beads-quality.

2026-06-100

oracle-consensus

oysteinkrog/dotfiles

Run 2x oracle sessions (FOR + AGAINST stances) to validate design decisions, plans, or bead readiness. Default = two Fable subagents; escalate to PAL 2x GPT-Pro (always paired with Fable) for extremely important or complex validations. Use after design rounds, before implementation, or to challenge architecture decisions.

2026-06-100

sync-human

oysteinkrog/dotfiles

Act as a wise, effective teacher whose goal is to make the human deeply understand the work done in this session (a change, a bug fix, a feature, a design) — i.e. sync the human's mental model up to the agent's. Use when the user says "sync-human", "sync me up", "teach me this session", "make sure I understand", "walk me through what we did", "quiz me on this", or "I want to actually understand this PR/change", or otherwise wants Socratic, gated, incremental teaching with comprehension checks rather than a one-shot summary. Drives understanding at both high level (motivation, impact) and low level (business logic, edge cases) using a running checklist and quizzes.

2026-06-050

agent-mail

oysteinkrog/dotfiles

MCP Agent Mail for multi-agent coordination. Use when agents need file locks, messaging, inboxes, or conflict prevention. Handles macro_start_session, file_reservation_paths, send_message, threading, pre-commit guards.

2026-05-290

secret-lookup

oysteinkrog/dotfiles

Retrieve API tokens, keys, and credentials Oystein has stored locally. Use whenever code, scripts, or shell commands need a secret value: GitHub tokens, Cloudflare, HubSpot, Slack, Zendesk, Jira, Sentry, Anthropic, Apify, Browserbase, Google OAuth, Huma. Use BEFORE searching shell history, session logs, dotfiles, or the filesystem — the canonical store is documented here and the values are reachable via two fish helpers. Also use when adding, rotating, or removing a credential.

2026-05-110

name	codebase-audit
description	Domain-parameterized codebase auditing (security, UX, performance, API, copy, CLI). Use when auditing code, assessing quality, finding issues, or pre-launch review.

Codebase Audit

Core Insight: Different domains need different lenses. A security audit looks for injection; a UX audit looks for confusion. Same codebase, different questions.

When to Use What

Need	Skill
Find and report domain-specific issues	codebase-audit (this)
Find bugs and fix them iteratively	multi-pass-bug-hunting
Evaluate usability specifically	ux-audit
Make UI visually polished	ui-polish

THE EXACT PROMPT

Perform a comprehensive [DOMAIN] audit of this codebase.

Domain: security | ux | performance | api | copy | cli

Return a detailed report with:
- File path and line numbers for each issue
- Severity (Critical/High/Medium/Low)
- Root cause analysis
- Recommended fix

Use the output template and domain checklist from references.

Quick Multi-Domain Sweep

Run quick audits across: security, performance, api

For each domain: top 3 issues only, with severity and fix.
Total output under 100 lines.

Domains at a Glance

Domain	Key Question	Top Signals
security	Can attackers exploit this?	injection, auth bypass, secrets in code
ux	Is this confusing?	accessibility, error handling, flows
performance	Is this slow?	N+1 queries, blocking I/O, missing cache
api	Is this pleasant to consume?	status codes, error format, pagination
copy	Is this clear?	jargon, tone, error messages
cli	Is this discoverable?	--help, exit codes, progress feedback

Full checklists: CHECKLISTS.md

Output Template

# [Domain] Audit Report: [Project]

## Summary
- **Total:** N findings
- **Critical:** X | **High:** Y | **Medium:** Z | **Low:** W

## Critical Findings

### [Title]
- **Location:** `file.rs:42`
- **Issue:** [What's wrong]
- **Root Cause:** [Why]
- **Fix:** [Solution]

## High / Medium / Low
[Same format, decreasing detail]

Severity

Level	Criteria	Example
Critical	Exploitable now, data loss	SQL injection, unauth admin
High	Serious, harder to exploit	CSRF missing, N+1 on hot path
Medium	Real issue, limited scope	Missing validation, vague errors
Low	Polish, best practice	Naming inconsistency, missing docs

Workflow Integration

┌─────────────────┐     ┌──────────────────┐     ┌─────────────────┐
│ codebase-audit  │────▶│ Create beads for │────▶│ multi-pass-bug  │
│ (find + report) │     │ critical issues  │     │ hunting (fix)   │
└─────────────────┘     └──────────────────┘     └─────────────────┘

# After audit, create issues
br create --title="[Security] SQL injection in user_search" \
  --type=bug --priority=0 --body="Found at src/search.rs:42"

Quick Grep Patterns

Security

rg -n "unwrap\(\)|panic!" --type rust           # Rust panics
rg -n "eval\(|exec\(" --type js --type py       # Code injection
rg -n "password|secret|api_key" --type-not lock # Hardcoded secrets

Performance

rg -n "for.*await|\.await.*for" --type rust     # Async in loops
rg -n "SELECT.*FROM.*WHERE" | grep -v "LIMIT"   # Unbounded queries

CLI

./tool --help | head -20                        # Help exists?
./tool --unknown 2>&1; echo "Exit: $?"          # Error handling

More patterns: TOOLS.md

Anti-Patterns

Don't	Do
"code is bad"	Specific `file:line` + fix
Mix severities	Group by impact
Audit everything at once	One domain, deep
Skip root cause	Explain WHY, not just WHAT
Report-only	Create issues for criticals

References

Topic	File
Full domain checklists	CHECKLISTS.md
Example audit reports	EXAMPLES.md
Tool commands by domain	TOOLS.md