Run any Skill in Manus with one click

codebase-audit

Perform a full codebase review, categorize findings by severity, file GitHub issues, then fix each issue in an isolated git worktree and submit PRs. Use this skill when the user asks to audit the codebase, do a comprehensive code review, find and fix security/quality/reliability issues, or run a proactive health check across the entire repository.

Run Skill in Manus

Overview

Install command

npx skills add https://github.com/TencentCloudBase/CloudBase-MCP --skill codebase-audit

Copy and paste this command into Claude Code to install the skill

Source

TencentCloudBase/CloudBase-MCP

Stars1,029

Forks129

UpdatedJune 3, 2026 at 09:07

File Explorer

8 files

SKILL.md

readonly

name	codebase-audit
description	Perform a full codebase review, categorize findings by severity, file GitHub issues, then fix each issue in an isolated git worktree and submit PRs. Use this skill when the user asks to audit the codebase, do a comprehensive code review, find and fix security/quality/reliability issues, or run a proactive health check across the entire repository.
alwaysApply	false

Codebase Audit → Issue → Worktree Fix → PR

End-to-end workflow: systematically review the entire codebase, report findings as GitHub issues, fix each issue in an isolated git worktree, and submit PRs — all in one session.

When to use this skill

Use this skill when you need to:

Perform a full code review / audit of the codebase
Proactively find security vulnerabilities, logic bugs, or code quality problems
Turn code review findings into tracked GitHub issues
Fix each issue in isolation (worktree per issue) and submit PRs
Run a periodic codebase health check with automated follow-through
Audit and fix dependency security vulnerabilities (Dependabot alerts / npm audit)

Do NOT use for:

Reviewing or fixing a single known bug (use systematic-debugging or direct fix)
Triaging existing open PRs (use pr-review-fix)
Processing attribution issues (use mcp-attribution-worktree)
Feature development or refactoring unrelated to audit findings

Workflow

Phase 1 — Review

Read references/review-strategy.md for the review scope and checklist.
Use the code-explorer subagent to read ALL source files in the target directory (default: mcp/src/).
For each file, systematically check against the review checklist:
- Security: path traversal, injection, unvalidated input, hardcoded secrets, improper error exposure
- Error handling: missing try-catch, swallowed errors, error messages leaking internals
- Type safety: as any, unsafe casts, missing null checks
- Logic bugs: race conditions, incorrect conditionals, unreachable code
- Code quality: dead code, duplication, overly complex functions
- Resource leaks: unclosed connections, missing cleanup
- API design: inconsistent validation, missing required field checks
Record every finding with: file path, line number(s), category, severity (Critical/High/Medium/Low), description, and suggested fix.
Dependency scan: Read references/dependency-audit.md and run the Dependabot alert fetch + npm audit to discover vulnerable dependencies. Record each finding using the dependency-audit format.

Phase 2 — Analyze & Classify

Read references/classification.md for severity definitions and grouping rules.
Deduplicate findings — merge instances of the same pattern across files.
Group findings into fix batches — related issues that should be fixed together in one PR.
Assign severity and priority:
- P0 (Critical): Security vulnerabilities, data loss risks
- P1 (High): Logic bugs, error handling gaps that cause runtime failures
- P2 (Medium): Type safety, code quality issues affecting maintainability
- P3 (Low): Style, naming, minor cleanup
Present a structured audit report to the user and wait for confirmation before proceeding.

Phase 3 — Create GitHub Issues

Read references/issue-workflow.md for issue creation guidelines.

For each fix batch (or individual Critical finding), create a GitHub issue:

gh issue create --title "<type>(<scope>): <summary>" --body "<structured body>" --label "<severity>,<category>"

Issue body must include: affected files, line numbers, problem description, expected behavior, and suggested fix approach.
Link related issues when findings are connected.
Present the created issues to the user.

Phase 4 — Worktree Fix

Read references/worktree-fix.md for the isolation and fix procedure.

For each issue (in priority order): a. Create an isolated worktree and branch:

git worktree add ../<repo>-audit-fix-<issue-number> -b fix/<slug>-<issue-number> origin/main

b. Work inside the worktree — never in the main checkout. c. Implement the fix, keeping changes minimal and focused. d. Verify locally: cd mcp && npm run build && npm run test e. Commit with conventional-changelog format:

git commit -m 'fix(<scope>): 🔒 <english description>

Closes #<issue-number>'

f. Push and create PR:

git push github fix/<slug>-<issue-number>
gh pr create --title "fix(<scope>): 🔒 <summary>" --body "Closes #<issue-number>\n\n<description>" --base main

g. Remove the worktree after PR is created:

cd <original-dir>
git worktree remove ../<repo>-audit-fix-<issue-number>

One worktree per issue. Never mix fixes across worktrees.
Dependency fixes: For dependency vulnerability batches, follow references/dependency-audit.md Step 4. These can be grouped into a single PR since they modify package.json / package-lock.json.

Phase 5 — Verify & Report

Read references/verification.md for the verification checklist.
Check CI status for each PR:
```
gh pr checks <number>
```
If CI fails, re-enter the worktree, fix, and push again.
Generate a final audit report summarizing:
- Total findings by category and severity
- Issues created (with links)
- PRs submitted (with links)
- Remaining items that need human decision

Routing

Task	Read
What to review and how to check each category	`references/review-strategy.md`
Security severity classification (TSRC-style)	`references/security-severity-checklist.md`
How to classify, deduplicate, and batch findings	`references/classification.md`
How to create well-structured GitHub issues	`references/issue-workflow.md`
How to create worktrees and fix issues in isolation	`references/worktree-fix.md`
How to verify fixes and generate the final report	`references/verification.md`
How to audit and fix dependency vulnerabilities	`references/dependency-audit.md`

Git safety rules

Never force-push unless explicitly asked.
Never amend commits that are already pushed.
Always work inside the worktree, not the main checkout.
Always verify build + test locally before pushing.
One worktree per issue — never mix fixes.
Clean up worktrees after PR creation.

Commit conventions

Follow the project's conventional-changelog format:

fix(<scope>): 🔒 <english description>

Closes #<issue-number>

Scope examples: security, deps, error-handling, type-safety, code-quality, cloudrun, database, functions

Minimum self-check

Did I review ALL source files in the target scope, not just a sample?
Did I categorize each finding with file, line, severity, and description?
Did I present the audit report and get user confirmation before creating issues?
Did I create a separate GitHub issue for each fix batch?
Did I use an isolated worktree for each fix, not the main checkout?
Did I verify build + test pass before pushing each fix?
Did I clean up worktrees after creating PRs?
Did I generate a final report with links to all issues and PRs?
Did I check Dependabot alerts and npm audit for dependency vulnerabilities?
Did I apply the correct fix strategy (upgrade / override / replace / dismiss) for each vulnerable dependency?

More from this repository

same repository

cloudbase-agent-runtime

TencentCloudBase/CloudBase-MCP

Use when the user wants to develop, run, preview, or deploy a CloudBase Web app in this conversation as a Lovable-like vibe-coding session — i.e. any request that maps to "spin up a React+Vite project, see it live in the browser, iterate, deploy". Activate ONLY for browser-rendered Web projects based on the CloudBase official React (or Vue) + Vite template. Do NOT activate for: WeChat/Alipay mini-program, React Native / Flutter / Electron, pure cloud functions / CloudRun backends, or Next.js / Nuxt / Astro / Remix / SvelteKit (those frameworks are explicitly out of scope).

2026-06-031.0k

cloudbase-wechat-integration

TencentCloudBase/CloudBase-MCP

CloudBase WeChat integration guide for Mini Program WeChat Pay, Official Account JSAPI Pay, Native QR-code Pay, Official Account OAuth, openid handling, payment callbacks, and CloudBase Integration Center generated functions. This skill should be used when users ask to add, debug, or extend WeChat payment or official-account flows on CloudBase.

2026-06-021.0k

cloudbase-all-in-one

TencentCloudBase/CloudBase-MCP

Unified CloudBase execution guide for all-in-one skill installs. Use this as the first entry point for CloudBase app tasks, especially existing applications that already contain TODOs, fixed pages, and active handlers.

2026-06-021.0k

cloudbase-platform

TencentCloudBase/CloudBase-MCP

CloudBase platform overview and routing guide. This skill should be used when users need high-level capability selection, platform concepts, console navigation, or cross-platform best practices before choosing a more specific implementation skill.

2026-06-021.0k

cloudbase

TencentCloudBase/CloudBase-MCP

Use this skill when you develop, design, build, deploy, debug, migrate, or troubleshoot CloudBase (腾讯云开发, 云开发, TCB, 微信云开发) projects. Covers Web apps (React, Vue, Vite, Next, Nuxt, 网站, dashboards, 管理后台), 微信小程序, 小程序, uni-app, native/mobile (iOS, Android, Flutter, React Native) via HTTP API. Includes UI (页面, 界面, 登录页, 表单, form, dashboard, 仪表盘, prototype, 原型), auth (登录, 注册, OAuth, 微信登录, publishable key), databases (NoSQL 文档数据库, MySQL 关系型数据库, CRUD, security rules), 云函数 (serverless, scf_bootstrap, HTTP Functions), CloudRun (云托管, Dockerfile), 云存储 (file upload, hosting, 静态托管). Built-in AI (内置大模型, streaming, 流式输出, image generation, 图片生成, 图像生成, generateText, streamText, createModel, generateImage, TokenHub, Hunyuan, hunyuan-exp, DeepSeek, deepseek, GLM, Kimi, MiniMax, Token Credits 资源包, 小程序成长计划), 第三方大模型, 大模型接入, 大模型调用, LLM API, chatbot, AI 助手, AI agent, 智能体, AG-UI, LangGraph, LangChain. Ops (巡检, 诊断, health check, 日志, troubleshooting, 排查). Spec workflow (需求文档, 技术方案, 架构设计, requirements, tasks.md).

2026-05-281.0k

ai-model-nodejs

TencentCloudBase/CloudBase-MCP

Use this skill for Node.js backend AI via @cloudbase/node-sdk (>=3.16.0) — cloud functions, CloudRun, Express, Koa, NestJS, serverless APIs, scheduled jobs, LLM proxies. Only SDK supporting image generation (ai.createImageModel + generateImage). Text models via ai.createModel with groups cloudbase, hunyuan-exp, or custom-*. Model IDs (deepseek-v4-flash, deepseek-v3.2, hunyuan-2.0-instruct-20251111, glm-5, kimi-k2.6) go in the model field of generateText/streamText. MUST run two-step preflight before code — see body. Keywords: backend, 云函数, 云托管, serverless, LLM proxy, agent orchestration, generateText, streamText, generateImage, createModel, hunyuan-image, Token Credits, TokenHub, Hunyuan, DeepSeek, GLM, Kimi, MiniMax. NOT for browser/Web (use ai-model-web) or Mini Program (use ai-model-wechat).

2026-05-281.0k

Source

TencentCloudBase

TencentCloudBase/CloudBase-MCP

View GitHub Repository View Creator Repositories

Install command

Download

Run Skill in Manus

Useful forSOC

Software DevelopersComputer and Mathematical Occupations15-1252L4

name	codebase-audit
description	Perform a full codebase review, categorize findings by severity, file GitHub issues, then fix each issue in an isolated git worktree and submit PRs. Use this skill when the user asks to audit the codebase, do a comprehensive code review, find and fix security/quality/reliability issues, or run a proactive health check across the entire repository.
alwaysApply	false

Codebase Audit → Issue → Worktree Fix → PR

End-to-end workflow: systematically review the entire codebase, report findings as GitHub issues, fix each issue in an isolated git worktree, and submit PRs — all in one session.

When to use this skill

Use this skill when you need to:

Perform a full code review / audit of the codebase
Proactively find security vulnerabilities, logic bugs, or code quality problems
Turn code review findings into tracked GitHub issues
Fix each issue in isolation (worktree per issue) and submit PRs
Run a periodic codebase health check with automated follow-through
Audit and fix dependency security vulnerabilities (Dependabot alerts / npm audit)

Do NOT use for:

Reviewing or fixing a single known bug (use systematic-debugging or direct fix)
Triaging existing open PRs (use pr-review-fix)
Processing attribution issues (use mcp-attribution-worktree)
Feature development or refactoring unrelated to audit findings

Workflow

Phase 1 — Review

Read references/review-strategy.md for the review scope and checklist.
Use the code-explorer subagent to read ALL source files in the target directory (default: mcp/src/).
For each file, systematically check against the review checklist:
- Security: path traversal, injection, unvalidated input, hardcoded secrets, improper error exposure
- Error handling: missing try-catch, swallowed errors, error messages leaking internals
- Type safety: as any, unsafe casts, missing null checks
- Logic bugs: race conditions, incorrect conditionals, unreachable code
- Code quality: dead code, duplication, overly complex functions
- Resource leaks: unclosed connections, missing cleanup
- API design: inconsistent validation, missing required field checks
Record every finding with: file path, line number(s), category, severity (Critical/High/Medium/Low), description, and suggested fix.
Dependency scan: Read references/dependency-audit.md and run the Dependabot alert fetch + npm audit to discover vulnerable dependencies. Record each finding using the dependency-audit format.

Phase 2 — Analyze & Classify

Read references/classification.md for severity definitions and grouping rules.
Deduplicate findings — merge instances of the same pattern across files.
Group findings into fix batches — related issues that should be fixed together in one PR.
Assign severity and priority:
- P0 (Critical): Security vulnerabilities, data loss risks
- P1 (High): Logic bugs, error handling gaps that cause runtime failures
- P2 (Medium): Type safety, code quality issues affecting maintainability
- P3 (Low): Style, naming, minor cleanup
Present a structured audit report to the user and wait for confirmation before proceeding.

Phase 3 — Create GitHub Issues

Read references/issue-workflow.md for issue creation guidelines.

For each fix batch (or individual Critical finding), create a GitHub issue:

gh issue create --title "<type>(<scope>): <summary>" --body "<structured body>" --label "<severity>,<category>"

Issue body must include: affected files, line numbers, problem description, expected behavior, and suggested fix approach.
Link related issues when findings are connected.
Present the created issues to the user.

Phase 4 — Worktree Fix

Read references/worktree-fix.md for the isolation and fix procedure.

For each issue (in priority order): a. Create an isolated worktree and branch:

git worktree add ../<repo>-audit-fix-<issue-number> -b fix/<slug>-<issue-number> origin/main

git commit -m 'fix(<scope>): 🔒 <english description>

Closes #<issue-number>'

f. Push and create PR:

git push github fix/<slug>-<issue-number>
gh pr create --title "fix(<scope>): 🔒 <summary>" --body "Closes #<issue-number>\n\n<description>" --base main

g. Remove the worktree after PR is created:

cd <original-dir>
git worktree remove ../<repo>-audit-fix-<issue-number>

One worktree per issue. Never mix fixes across worktrees.
Dependency fixes: For dependency vulnerability batches, follow references/dependency-audit.md Step 4. These can be grouped into a single PR since they modify package.json / package-lock.json.

Phase 5 — Verify & Report

Read references/verification.md for the verification checklist.
Check CI status for each PR:
```
gh pr checks <number>
```
If CI fails, re-enter the worktree, fix, and push again.
Generate a final audit report summarizing:
- Total findings by category and severity
- Issues created (with links)
- PRs submitted (with links)
- Remaining items that need human decision

Routing

Task	Read
What to review and how to check each category	`references/review-strategy.md`
Security severity classification (TSRC-style)	`references/security-severity-checklist.md`
How to classify, deduplicate, and batch findings	`references/classification.md`
How to create well-structured GitHub issues	`references/issue-workflow.md`
How to create worktrees and fix issues in isolation	`references/worktree-fix.md`
How to verify fixes and generate the final report	`references/verification.md`
How to audit and fix dependency vulnerabilities	`references/dependency-audit.md`

Git safety rules

Never force-push unless explicitly asked.
Never amend commits that are already pushed.
Always work inside the worktree, not the main checkout.
Always verify build + test locally before pushing.
One worktree per issue — never mix fixes.
Clean up worktrees after PR creation.

Commit conventions

Follow the project's conventional-changelog format:

fix(<scope>): 🔒 <english description>

Closes #<issue-number>

Scope examples: security, deps, error-handling, type-safety, code-quality, cloudrun, database, functions

Minimum self-check

Did I review ALL source files in the target scope, not just a sample?
Did I categorize each finding with file, line, severity, and description?
Did I present the audit report and get user confirmation before creating issues?
Did I create a separate GitHub issue for each fix batch?
Did I use an isolated worktree for each fix, not the main checkout?
Did I verify build + test pass before pushing each fix?
Did I clean up worktrees after creating PRs?
Did I generate a final report with links to all issues and PRs?
Did I check Dependabot alerts and npm audit for dependency vulnerabilities?
Did I apply the correct fix strategy (upgrade / override / replace / dismiss) for each vulnerable dependency?