kyzooghost/audit-code-health
skills/audit-code-health/SKILL.md
Scans codebases for security vulnerabilities, bugs, and code health issues. Creates structured work items for remediation. Triggers on "audit", "code review", "security scan", "find bugs", "tech debt", or "assess code quality".
development
Updated Apr 16, 2026
$ install --global
skillsauthnpx skillsauth add kyzooghost/audit-code-health-skill audit-code-healthInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 16, 2026, 6:23 AM6.4s9 files scanned
SKILL.md
- name:
- audit-code-health
- description:
- Scans codebases for security vulnerabilities, bugs, and code health issues. Creates structured work items for remediation. Triggers on "audit", "code review", "security scan", "find bugs", "tech debt", or "assess code quality".
- license:
- MIT
- author:
- vercel
- version:
- 1.1.0
Code Health Auditor
Systematic audit process that scans directories to identify security issues, bugs, and code health problems. Findings are tracked as work items for remediation.
Quick Start
Example: For @native-yield-operations/automation-service/ do /audit-code-health
- Scan the target directory for issues
- Document findings in a table (Security → Bugs → Code Health)
- File work items or create a findings summary
For deeper audits, follow the Workflow below.
When to Apply
Use this skill when:
- Auditing a codebase for security vulnerabilities
- Identifying bugs and edge cases
- Assessing technical debt and code health
- Creating structured work items for remediation
- Running systematic code reviews
When NOT to Apply
Do not use this skill when:
- Developing a new feature
- Writing a new test
Core Principles
- Audit only, no fixes: Discover and document—never modify code
- Track everything: All findings become work items
- Scoped analysis: Stay within the target directory unless context requires external references
- Prioritize by impact: Security → Bugs → Code Health
Audit Categories by Priority
| Priority | Category | Severity | Reference | | -------- | ----------- | -------- | -------------------------------------------------- | | 1 | Security | CRITICAL | security-issues.md | | 2 | Bugs | HIGH | bugs-checklist.md | | 3 | Code Health | MEDIUM | code-health.md |
Quick Reference
Security Issues (CRITICAL)
- Auth/authz errors
- Injection risks (SQL, command, XSS)
- SSRF, path traversal
- Secrets or insecure defaults
- Broken crypto usage
- Missing input validation
- Dependency vulnerabilities
Bugs (HIGH)
- Edge cases and boundary conditions
- Concurrency / race conditions
- Error handling gaps
- Resource leaks
- Numeric overflow/underflow
- Retry / timeout bugs
Code Health (MEDIUM)
- Oversized or high-complexity modules
- Low test coverage near critical logic
- Duplicated abstractions
- Dead code or unused exports
- Poor documentation
- Misleading names
Related Skills
- Smart Contracts: If you detect
*.solfiles, use thedeveloping-smart-contractsskill for Solidity-specific security patterns - Unit Testing: Use the
unit-testing-guidelinesskill to assess test quality and coverage gaps
Workflow Overview
Audits run in cycles. Choose depth based on scope:
| Scope | Cycles | When to Use | | -------------- | ------ | -------------------------------------- | | Quick scan | 1-2 | Small PRs, single files, targeted review | | Standard audit | 3-5 | Feature modules, API surfaces | | Deep audit | 6-10 | Full codebase, security-critical systems |
Each cycle follows: SCAN → FINDINGS → VERIFY → FILE → TRIAGE
Cycle Process
For each cycle, execute these steps:
Cycle Progress:
- [ ] Step 1: SCAN - Inspect target directory
- [ ] Step 2: FINDINGS - Document issues by category
- [ ] Step 3: VERIFY - Validate findings before filing
- [ ] Step 4: FILE - Create work items
- [ ] Step 5: TRIAGE - Assign priorities
Step 1: SCAN
Analyze the target directory:
- Review code for security issues, bugs, and health problems
- Run read-only tooling: build, tests, lint, typecheck
- Use
code-simplifieron hotspots (if available)
Step 2: FINDINGS
Produce a findings table grouped by Security, Bugs, Code Health:
| Severity | Type | File(s) | Description | Confidence |
| -------- | -------- | ------------- | ------------------ | ---------- |
| P0 | Security | auth/jwt.ts | Token not verified | High |
Step 3: VERIFY
Before filing, validate each finding:
- [ ] Confirmed the issue exists (not a false positive)
- [ ] Identified the correct file and line number
- [ ] Assessed severity accurately
- [ ] Checked if issue is already tracked
Step 4: FILE
Create work items for verified findings.
If using Beads (bd):
- See beads-format.md for epic/issue structure
- Use
bdcommands to create and link items
If bd is not available:
- Use Markdown task lists for tracking findings
- Format:
- [ ] [P0/Security] auth/jwt.ts: Token not verified
Step 5: TRIAGE
- Assign P0/P1/P2 priorities
- Identify quick wins vs deep refactors
- Group related issues under epics (if using bd)
Output Format
Each cycle produces:
## Cycle N Summary
### Findings Table
| Severity | Type | File(s) | Description | Confidence | Status |
### Work Items Created
- [P0] ...
- [P1] ...
### Triage Notes
...
### Backlog Overview
Open items grouped by priority
Constraints
- DO NOT implement code changes
- STAY WITHIN target directory unless minimal external context needed
- PREFER many small issues over large vague ones
- VERIFY findings before filing to avoid false positives
Reference Files
- Security Issues Checklist
- Bugs Checklist
- Code Health Checklist
- Beads Format Guide
- Audit Examples
Related Skills
kyzooghost/sync-skill
development
VerifiedTrustedCommunity
Sync a skill from this repo into the local machine's skill directories. Use when the user asks to make a repo skill available locally, sync a local skill for Claude, Agents, or Codex, update local skill symlinks, or follow the .claude/skills source link pattern with .agents/skills and .codex/skills symlinks.
SKILL.mdUpdated Jun 3, 2026
kyzooghost/sync-command
development
VerifiedTrustedCommunity
Sync a command from this repo into local agent surfaces. Use when the user asks to make a repo command available locally, sync a local command for Claude, Agents, or Codex, update command symlinks, or expose a command to Codex as a skill.
SKILL.mdUpdated Jun 3, 2026
kyzooghost/grill-plan
testing
VerifiedTrustedCommunity
Use when the user asks to grill, interrogate, pressure-test, or relentlessly interview them about a plan until requirements, tradeoffs, dependencies, and implementation decisions are clear.
SKILL.mdUpdated Jun 3, 2026
kyzooghost/create-pr
tools
VerifiedTrustedCommunity
Use when the user asks to create, update, draft, or generate a GitHub pull request, including /create-pr behavior or equivalent workflow.
SKILL.mdUpdated Jun 3, 2026