laurigates/code-antipatterns
code-quality-plugin/skills/code-antipatterns/SKILL.md
Analyze a codebase for anti-patterns using ast-grep. Use when finding magic numbers, console.logs, var usage, excessive any, eval/innerHTML security issues, or deep nesting.
$ install --global
skillsauthnpx skillsauth add laurigates/claude-plugins code-antipatternsInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 30, 2026, 7:45 AM26.0s2 files scanned
SKILL.md
- created:
- 2025-12-16
- modified:
- 2026-05-23
- reviewed:
- 2026-04-25
- description:
- Analyze a codebase for anti-patterns using ast-grep. Use when finding magic numbers, console.logs, var usage, excessive any, eval/innerHTML security issues, or deep nesting.
- allowed-tools:
- Read, Bash(sg *), Bash(rg *), Glob, Grep, TodoWrite, Task, SlashCommand
- args:
- [PATH] [--focus <category>] [--severity <level>]
- argument-hint:
- [PATH] [--focus <category>] [--severity <level>]
- name:
- code-antipatterns
When to Use This Skill
| Use this skill when... | Use something else instead when... |
|------------------------|------------------------------------|
| Running a parallel anti-pattern scan and producing a report | Looking up the full YAML rule catalog → see REFERENCE.md |
| Specifically targeting empty catches, floating promises, or \|\| true | Use the dedicated scanner → code-hidden-failures --track errors |
| Finding success-on-empty / silent degradation patterns | Use the dedicated scanner → code-hidden-failures --track degradation |
| Broad code-quality review across security, perf, and architecture | Run the full review delegate → code-review |
Context
- Analysis path:
$1(defaults to current directory if not specified) - JS/TS files: !
find . -type f \( -name "*.js" -o -name "*.ts" -o -name "*.jsx" -o -name "*.tsx" \) - Vue files: !
find . -name "*.vue" - Python files: !
find . -name "*.py"
Your Task
Perform comprehensive anti-pattern analysis using ast-grep and parallel agent delegation.
Analysis Categories
Based on the detected languages, analyze for these categories:
-
JavaScript/TypeScript Anti-patterns
- Callbacks, magic values, console.logs
- var usage, deprecated patterns
- Error swallowing (empty catch, floating promises) → delegate to
/code:hidden-failures --track errors
-
Async/Promise Patterns
- Nested callbacks, Promise constructor anti-pattern
- Error-handling coverage (unhandled/floating promises) → delegate to
/code:hidden-failures --track errors
-
Framework-Specific (if detected)
- Vue 3: Props mutation, reactivity issues, Options vs Composition API mixing
- React: Missing deps in hooks, inline functions, prop drilling
-
TypeScript Quality (if .ts files present)
- Excessive
anytypes, non-null assertions, type safety issues
- Excessive
-
Code Complexity
- Long functions (>50 lines), deep nesting (>4 levels), large parameter lists
-
Security Concerns
- eval usage, innerHTML XSS, hardcoded secrets, injection risks
-
Memory & Performance
- Event listeners without cleanup, setInterval leaks, inefficient patterns
-
Python Anti-patterns (if detected)
- Mutable default arguments, global variables
- Bare except and suppression patterns → delegate to
/code:hidden-failures --track errors
Delegated Category: Error Swallowing
Do NOT re-implement empty-catch / bare-except / floating-promise detection
here. Invoke /code:hidden-failures --track errors via the SlashCommand tool with the
same PATH and severity filter, then fold its findings into the
consolidated report under a dedicated Error Swallowing section.
Rationale: a single source of truth prevents drift between severity
models, app-context surfacing recommendations, and privacy redaction
policies. See code-quality-plugin/skills/code-hidden-failures/SKILL.md.
Execution Strategy
CRITICAL: Use parallel agent delegation for efficiency.
Launch multiple specialized agents simultaneously:
## Agent 1: Language Detection & Setup (Explore - quick)
Detect project stack, identify file patterns, establish analysis scope
## Agent 2: JavaScript/TypeScript Analysis (code-analysis)
- Use ast-grep for structural pattern matching
- Focus on: magic values, var usage, deprecated patterns
- Error swallowing handled separately via `/code:hidden-failures --track errors`
## Agent 3: Async/Promise Analysis (code-analysis)
- Nested callbacks, Promise constructor anti-pattern
- Floating promises / unhandled rejections handled via `/code:hidden-failures --track errors`
## Agent 4: Framework-Specific Analysis (code-analysis)
- Vue: props mutation, reactivity issues
- React: hooks dependencies, inline functions
## Agent 5: Security Analysis (security-audit)
- eval, innerHTML, hardcoded secrets, injection risks
- Use OWASP context
## Agent 6: Complexity Analysis (code-analysis)
- Function length, nesting depth, parameter counts
- Cyclomatic complexity indicators
ast-grep Pattern Examples
For the full YAML rule catalog (with id:, severity:, message:, fix:, and note: fields), see REFERENCE.md.
Use these patterns during analysis:
# Magic numbers
ast-grep -p 'if ($VAR > 100)' --lang js
# Console statements
ast-grep -p 'console.log($$$)' --lang js
# var usage
ast-grep -p 'var $VAR = $$$' --lang js
# TypeScript any
ast-grep -p ': any' --lang ts
ast-grep -p 'as any' --lang ts
# Vue props mutation
ast-grep -p 'props.$PROP = $VALUE' --lang js
# Security: eval
ast-grep -p 'eval($$$)' --lang js
# Security: innerHTML
ast-grep -p '$ELEM.innerHTML = $$$' --lang js
# Python: mutable defaults
ast-grep -p 'def $FUNC($ARG=[])' --lang py
Output Format
Consolidate findings into this structure:
## Anti-pattern Analysis Report
### Summary
- Total issues: X
- Critical: X | High: X | Medium: X | Low: X
- Categories with most issues: [list]
### Critical Issues (Fix Immediately)
| File | Line | Issue | Category |
|------|------|-------|----------|
| ... | ... | ... | ... |
### High Priority Issues
| File | Line | Issue | Category |
|------|------|-------|----------|
| ... | ... | ... | ... |
### Medium Priority Issues
[Similar table]
### Low Priority / Style Issues
[Similar table or summary count]
### Recommendations
1. [Prioritized fix recommendations]
2. [...]
### Category Breakdown
- **Security**: X issues (details)
- **Async/Promises**: X issues (details)
- **Code Complexity**: X issues (details)
- [...]
Optional Flags
--focus <category>: Focus on specific category (security, async, complexity, framework)--severity <level>: Minimum severity to report (critical, high, medium, low)--fix: Attempt automated fixes where safe
Post-Analysis
After consolidating findings:
- Prioritize issues by impact and effort
- Suggest which issues can be auto-fixed with ast-grep
- Identify patterns that indicate systemic problems
- Recommend process improvements (linting rules, pre-commit hooks)
See Also
- Reference: REFERENCE.md - Full YAML rule catalog with ast-grep pattern library
- Skill:
ast-grep-search- ast-grep usage reference - Command:
/code:review- Comprehensive code review - Agent:
security-audit- Deep security analysis - Agent:
code-refactoring- Automated refactoring
Related Configure Skills
- If linting not configured →
/configure:lintingfor automated enforcement - If security scanning not set up →
/configure:securityfor CI integration
Related Skills
laurigates/workflow-verify-before-filing
testing
VerifiedTrustedCommunity
Verify accumulated bug claims at upstream HEAD and dedup against trackers before filing issues. Use when filing upstream reports from backlogs, audit docs, or git-history findings.
38SKILL.mdUpdated Jun 12, 2026
laurigates/cold-read-gate
documentation
VerifiedTrustedCommunity
Gate outward-bound text (upstream issues, docs, PR bodies) through isolated haiku fresh-reader critique before publishing. Use when an artifact must survive a reader with zero project context.
38SKILL.mdUpdated Jun 12, 2026
laurigates/evaluate-improve
tools
VerifiedTrustedCommunity
Suggest improvements to SKILL.md content, descriptions, or tool config from eval results. Use when raising pass rates, fixing triggering, or iterating on a skill after evaluation.
38SKILL.mdUpdated Apr 16, 2026
laurigates/deadbranch
tools
VerifiedTrustedCommunity
deadbranch CLI for stale-branch cleanup — dry-run preview, TUI or non-interactive delete, protects main/develop/WIP. Use when asked to clean up branches, prune branches, or remove stale branches.
37SKILL.mdUpdated Jun 11, 2026