| name | code-auditing |
| description | Provides code auditing methodology, checklists, and best practices. Use when user asks to "audit code", "find technical debt", "security review", "identify dead code", "analyze code quality", or "check best practices". |
| allowed-tools | Read, Grep, Glob, Bash, TodoWrite |
Code Auditing Skill
Comprehensive methodology for systematic code quality audits.
When to Use
- Comprehensive code quality audits
- Security vulnerability assessments
- Technical debt identification
- Pre-release code reviews
- Best practices verification
- Library and dependency audits
Audit Phases
Phase 0: Pre-Analysis Setup
- Check for project configuration files (package.json, tsconfig.json, etc.)
- Identify tech stack and main libraries
- Check for linting/formatting configs
- Run existing linting/testing commands as baseline
- Load documentation for identified core libraries
Phase 1: Discovery
- Find all code files by type
- Create tracking list for each file
- Group files by module/feature for contextual analysis
Phase 2: File-by-File Analysis
For each file, analyze for:
- Dead code (unused functions, variables, imports)
- Code smells and anti-patterns
- Custom implementations that could use established libraries
- Security vulnerabilities
- Performance issues
- Outdated patterns or deprecated APIs
- Missing error handling
- Overly complex functions
- Duplicate code
Phase 3: Best Practices Verification
For every library and framework:
- Retrieve official documentation
- Compare implementation against official patterns
- Identify deviations from recommendations
- Note outdated usage patterns
- Flag discouraged anti-patterns
Phase 4: Pattern Detection
Look for recurring issues:
- Common anti-patterns across files
- Duplicated logic that could be abstracted
- Inconsistent coding styles
- Missing error handling patterns
Phase 5: Library Recommendations
For custom implementations:
- Check if current libraries provide the functionality
- Search for mature ecosystem packages
- Verify library health (commits, issues, activity)
- Check compatibility with project setup
Phase 6: Comprehensive Report
Generate detailed report with:
- Executive summary
- Critical issues requiring immediate attention
- File-by-file findings
- Prioritized action plan
- Effort estimates
- Library recommendations
Issue Priority Levels
- Critical - Security vulnerabilities, broken functionality
- High Priority - Performance bottlenecks, unmaintainable code
- Medium Priority - Code quality, best practices deviations
- Low Priority - Style, minor improvements
- Quick Wins - Less than 30 minutes to fix
Analysis Categories
Security
- Hardcoded secrets
- SQL injection risks
- XSS vulnerabilities
- Missing input validation
- Exposed sensitive data
Performance
- Inefficient algorithms
- Blocking operations
- Memory leaks
- Missing caching opportunities
- N+1 query patterns
TypeScript/Type Safety
- Missing type annotations
- Use of `any` type
- Custom types duplicating official types
- Missing @types packages
Async/Promise Issues
- Missing await keywords
- Unhandled promise rejections
- Callback hell
Dead Code
- Unused imports and exports
- Unused functions, classes, and methods
- Unused variables and types
- Unreachable code blocks
- Unused files (not imported anywhere)
- Unused dependencies
Tools:
- JavaScript/TypeScript: `npx knip --reporter json`
- Python: `deadcode . --dry`
Important: Always verify tool findings before reporting. Check for:
- Dynamic imports (`import(variable)`)
- Framework patterns (React components, decorators)
- Re-exports for public API
- Entry points (CLI scripts, serverless handlers)
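The verification step above, as an added example that is not part of this skill or its reference documents: a small Node.js script that triages a dead-code tool's "unused file" findings against three of the false-positive categories listed (package.json entry points, non-literal dynamic imports, and re-exports). The repository contents, the flagged list and the helper names (`triage`, `resolveFrom`, `findImporter`) are all constructed for the example; a real run would read the checkout from disk and feed it the tool's JSON output.

```javascript
// Constructed in-memory repository standing in for a real checkout.
const repo = {
  "package.json": JSON.stringify({ main: "src/index.js", bin: { audit: "bin/cli.js" } }),
  "bin/cli.js": "#!/usr/bin/env node\nrequire('../src/index.js');\n",
  "src/index.js": "export * from './api.js';\n",
  "src/api.js": "export function hello() { return 'hi'; }\n",
  "src/loader.js": "export const load = (name) => import('./plugins/' + name + '.js');\n",
  "src/plugins/extra.js": "export default { name: 'extra' };\n",
  "src/old.js": "export const unused = 1;\n",
};
// Files a dead-code tool might report as unused (constructed to mimic a knip run).
const flagged = ["bin/cli.js", "src/api.js", "src/plugins/extra.js", "src/old.js"];
// Resolve a './x' specifier relative to the importing file (simplified: no '../').
function resolveFrom(src, spec) {
  const dir = src.includes("/") ? src.slice(0, src.lastIndexOf("/") + 1) : "";
  return dir + spec.replace(/^\.\//, "");
}
// Entry points declared in package.json (main/module/bin) are reachable by definition.
function entryPointReason(file, files) {
  const pkg = JSON.parse(files["package.json"] || "{}");
  const entries = [pkg.main, pkg.module, ...Object.values(pkg.bin || {})].filter(Boolean);
  return entries.some((e) => e.replace(/^\.\//, "") === file) ? "package.json entry point" : null;
}
// Scan every file for `re`; return the first importer whose resolved specifier satisfies `hit`.
function findImporter(files, re, hit) {
  for (const [src, body] of Object.entries(files)) {
    for (const m of body.matchAll(re)) if (hit(resolveFrom(src, m[2]))) return src;
  }
  return null;
}
// A non-literal import('<prefix>' + expr) can load any file under <prefix>.
const dynamicImportReason = (file, files) => {
  const src = findImporter(files, /import\(\s*(['"])([^'"]*)\1\s*\+/g, (p) => file.startsWith(p));
  return src && `dynamic import in ${src}`;
};
// Re-exports (export * from / export { x } from) keep a module on the public API.
const reExportReason = (file, files) => {
  const src = findImporter(files, /export\s+(?:\*|\{[^}]*\})\s+from\s+(['"])([^'"]+)\1/g, (p) => p === file);
  return src && `re-exported by ${src}`;
};
// Split tool findings into verified false positives (keep, with reason) and real candidates.
function triage(flaggedFiles, files) {
  const keep = {}, remove = [];
  for (const f of flaggedFiles) {
    const reason = entryPointReason(f, files) || dynamicImportReason(f, files) || reExportReason(f, files);
    if (reason) keep[f] = reason; else remove.push(f);
  }
  return { keep, remove };
}
console.log(JSON.stringify(triage(flagged, repo), null, 2));
```

Only `src/old.js` survives triage as a genuine dead-code candidate; the other three findings are reported with the reason they must stay.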
Resources
See the reference documents for complete methodologies:
- `references/audit-methodology.md` - Full 6-phase audit process with detailed checklists
- `references/dead-code-methodology.md` - Dead code detection tools, verification, and cleanup workflows
Quick Reference
Before Starting
During Audit
After Audit