一键导入
audit
Full codebase audit orchestrator covering security, code quality, performance, and accessibility analysis with prioritized findings.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
菜单
Full codebase audit orchestrator covering security, code quality, performance, and accessibility analysis with prioritized findings.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
基于 SOC 职业分类
Unified design foundations — design system architecture, tokens, component specs, visual principles, creative vision, figma integration, plus brand design system loader (66 real brands via DESIGN.md). Absorbs design, design-system, design-systems, design-principles, design-router, creative-vision, figma, design-md.
Render, summarize, and present markdown documents and structured content in multiple output modes
Ultra UI skill - combines Google's DESIGN.md spec (machine-readable design tokens) with the ui-ux-pro-max knowledge base (91 styles, 161 palettes, 73 font pairings, 161 products, 104 UX guidelines, 25 chart types). Generates lint-clean DESIGN.md files, validates token references and WCAG contrast, exports Tailwind/DTCG tokens, and diffs design systems version-over-version.
Initialize UltraThink capabilities in the current project directory
Org-Bench Google-bipartite winning mechanism — the 4-section design-doc gate that every non-trivial change passes through. Use when the Director defines new work, when an Integrator reviews a lane (code/quality/devops), when the Director approves, or when a Worker is about to start coding and needs the spec. Tools live in the `design-doc` MCP server. Triggers on phrases like "design doc", "design review", "approve revision", "lane verdict", "what does this issue require", "is this approved yet".
Web scraping with anti-bot bypass (Cloudflare Turnstile etc.), stealth headless browsing, adaptive selectors, and concurrent crawls. Use when the user asks to scrape, crawl, or extract data from websites; the built-in WebFetch fails; the target has anti-bot protections; or the work needs JavaScript rendering. Prefers the registered MCP tools (mcp__scrapling__*) over raw Python so token cost stays low.
| name | audit |
| description | Full codebase audit orchestrator covering security, code quality, performance, and accessibility analysis with prioritized findings. |
| layer | orchestrator |
| category | orchestration |
| triggers | ["/audit","audit this codebase","full code audit","security audit","quality audit","review the whole project"] |
| inputs | ["Codebase path or repository","Optional audit scope (security, quality, performance, accessibility, or all)","Optional focus areas or concerns","Optional severity threshold for reporting"] |
| outputs | ["Categorized findings (security, quality, performance, accessibility)","Severity-ranked issue list (critical, high, medium, low, info)","Remediation recommendations per finding","Executive summary with overall health score","Actionable fix list ordered by priority"] |
| linksTo | ["scout","code-review","test","optimize","research","debug","fix","refactor","sequential-thinking","mermaid","docs-writer","plan"] |
| linkedFrom | ["team","ship"] |
| preferredNextSkills | ["fix","refactor","cook","ship"] |
| fallbackSkills | ["code-review","scout"] |
| riskLevel | low |
| memoryReadPolicy | full |
| memoryWritePolicy | always |
| sideEffects | ["Reads all source files (read-only analysis phase)","May run test suite to assess coverage","May run linting tools","Produces audit report artifacts","Does NOT modify code unless explicitly asked to fix findings"] |
Audit is the comprehensive codebase analysis orchestrator. It systematically examines a codebase across four dimensions -- security, code quality, performance, and accessibility -- and produces a prioritized report of findings with remediation recommendations. Think of it as a thorough health checkup for your code.
Audit is read-only by default. It analyzes and reports but does not change code unless the user explicitly asks it to fix findings. This makes it safe to run at any time without risk of unintended changes.
scout -- Build a comprehensive inventory of the codebase:
mermaid dependency graph)docs-writer -- Format the audit report.plan to create a fix plan if the user wants to address findings.| Dimension | Critical | High | Medium | Low |
|---|---|---|---|---|
| Security | Data breach risk, auth bypass | Injection vectors, weak crypto | Missing headers, verbose errors | Outdated non-vulnerable deps |
| Quality | Circular deps, no tests | God objects, no error handling | DRY violations, magic numbers | Naming inconsistencies |
| Performance | Memory leaks, N+1 in loops | Missing indexes, huge bundles | Missing memoization | Minor optimization opportunities |
| Accessibility | No keyboard access, missing alt | No focus management, low contrast | Missing ARIA labels | Suboptimal heading order |
Use Audit when you want a comprehensive understanding of a codebase's health. It's especially valuable before major releases, after inheriting a codebase, or on a regular cadence (monthly/quarterly).
Best for:
Not ideal for:
cook)debug + fix)code-review)User: /audit Run a full audit on this codebase
Audit workflow:
1. scout -> Inventory: 342 files, 18 deps, 67% test coverage
2. Security -> 2 critical (exposed API key in config, SQL injection in search),
4 medium (missing rate limiting, verbose error messages)
3. Quality -> 1 high (circular dependency in models/), 8 medium (DRY violations),
12 low (naming inconsistencies)
4. Performance -> 1 high (N+1 in user list endpoint), 3 medium (no code splitting)
5. Accessibility -> 2 high (no keyboard nav on modal, missing form labels),
5 medium (low contrast on secondary text)
Report: Overall score C+, 2 critical security fixes needed immediately
User: /audit Security audit only, we're preparing for SOC 2
Audit workflow:
1. scout -> Full codebase inventory
2. Security deep dive -> All 5 security sub-phases with extra scrutiny
3. Report -> Security-specific findings with compliance mapping
4. Suggest -> Plan for remediating all findings before SOC 2 audit
User: /audit Our app is slow, audit the performance
Audit workflow:
1. scout -> Inventory with focus on bundle size, API routes, DB queries
2. Performance deep dive -> Bundle analysis, runtime patterns, API review
3. Report -> Ranked performance findings with estimated impact
4. Suggest -> Top 5 optimizations with expected improvement