nicknisi/codebase-sweep
plugins/essentials/skills/codebase-sweep/SKILL.md
Comprehensive, codebase-wide quality sweep that dispatches parallel subagents to find and fix structural issues. Covers deduplication, type consolidation, dead code removal, circular dependencies, weak types, defensive try/catch, deprecated paths, and AI slop. Primary support for JS/TS projects (knip, madge, TypeScript types); other languages get grep-based analysis. Use when the user asks to "deep clean the whole repo", "run a full codebase audit", "nuclear cleanup", "deslop everything", or "sweep the entire codebase for quality issues". Do NOT use for single-file fixes, branch-scoped diffs (use de-slopify instead), or targeted refactors.
$ install --global
skillsauthnpx skillsauth add nicknisi/claude-plugins codebase-sweepInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 24, 2026, 5:48 AM37.2s1 file scanned
SKILL.md
- name:
- codebase-sweep
- description:
- >-
- disable-model-invocation:
- true
Codebase Sweep
Dispatch up to 8 subagents to audit and clean the codebase. Each subagent must: (1) research its domain, (2) write a critical assessment with findings, (3) implement all high-confidence fixes.
Pre-flight
- Detect project language(s) from config files (package.json, tsconfig.json, Cargo.toml, pyproject.toml, go.mod, etc.).
- Based on detected languages, determine which subagents apply (see language applicability below).
- Identify the test runner and verify tests pass before starting. Abort if tests are already broken.
- Create a working branch:
cleanup/<YYYY-MM-DD>. - Exclude generated files,
node_modules,dist,vendor, lock files, and any paths listed in.gitignore.
Subagents
Each subagent is spawned using the Agent tool with mode: "auto". Give each subagent a clear prompt including: the task description below, the project root path, detected language(s), and a reminder to commit its own changes with the prefix cleanup(<task>):.
| # | Subagent | Applies to | Description |
|---|----------|-----------|-------------|
| 1 | Deduplication | All languages | Find duplicated logic across the codebase. Apply DRY only where it reduces complexity; do not abstract three similar lines into a helper. |
| 2 | Type consolidation | JS/TS, Java, C#, Go (typed languages) | Find all type/interface definitions. Merge duplicates into shared locations. Update imports. |
| 3 | Dead code removal | All languages | JS/TS: use knip to find unused exports, files, and dependencies. Other languages: use grep-based analysis to find unreferenced exports and files. Verify each removal with grep across the full repo before deleting. |
| 4 | Circular dependency resolution | All languages | JS/TS: use madge --circular to identify cycles. Other languages: trace import graphs with grep/find. Refactor to break cycles; do not paper over with lazy imports. |
| 5 | Weak type elimination | JS/TS (primary), Python (type hints) | Replace any, unknown (TS) or missing type annotations (Python) with concrete types. Research correct types from call sites and upstream packages. No casts to suppress errors. |
| 6 | Defensive code pruning | All languages | Remove try/catch blocks that hide errors or return silent fallbacks. Keep only those guarding genuinely untrusted input (user input, external APIs, filesystem boundaries). |
| 7 | Deprecated/legacy removal | All languages | Find code marked deprecated, behind always-on feature flags, or labeled legacy. Remove the dead path; keep one canonical implementation. |
| 8 | AI slop removal | All languages | Strip stubs, placeholder code, in-motion-work comments ("now replacing X with Y"), and over-commenting. Replace only where a new contributor genuinely needs the context. |
Skip subagents that don't apply to the detected language. For a Python-only project, skip subagent 4 (madge) unless circular imports are suspected, and scope subagent 2 to dataclass/TypedDict consolidation.
Execution order
Run in two phases because dead-code removal and circular-dep work produce better results after dedup and type consolidation have landed.
Phase 1 (parallel): 1, 2, 5, 6, 7, 8 Phase 2 (parallel, after Phase 1 commits): 3, 4
Constraints
- Each subagent commits independently with a descriptive message (
cleanup(<task>): <summary>). - Run the test suite after each subagent commits. If tests fail, revert that subagent's commit and include the failure in the final report — do not auto-fix.
- Subagents that touch the same file must serialize: later subagents rebase on earlier commits.
- No subagent may skip hooks (
--no-verify) or force-push. - For repositories over ~200 files, consider scoping to the most active packages/directories rather than sweeping everything. Use
git log --format='%H' --since='3 months ago' -- <path>to prioritize high-churn areas.
Reporting
After all subagents complete, produce a single summary with:
- Per-subagent: files changed, lines added/removed, key findings.
- Subagents skipped (with reason — language not applicable).
- Any subagents that failed or were reverted, with the failing test output.
- Remaining issues flagged but not auto-fixed (low confidence) — list for human review.
Related Skills
nicknisi/get-goal-prompt
tools
VerifiedTrustedCommunity
Generate a /goal command to execute an ideation project's specs autonomously. Reads the contract, builds a goal prompt with phase ordering and spec paths, copies it to clipboard, and prints it. The user pastes the /goal command to start autonomous execution. Use when the user says 'goal', 'run as goal', 'get goal prompt', 'goal prompt', or wants to execute specs via /goal instead of /ideation:autopilot.
89SKILL.mdUpdated May 24, 2026
nicknisi/zoom-out
development
VerifiedTrustedCommunity
Go up a layer of abstraction and map the surrounding architecture. Use when the user is unfamiliar with an area of code, asks "how does this fit in", "what calls this", "give me the big picture", "where am I", "map this out", "I'm lost", "explain this area", or needs to understand how a file, module, or function connects to the rest of the system. Also use when the user says /zoom-out or "zoom out" mid-conversation — even without a specific file reference, orient them based on whatever code is currently in context.
89SKILL.mdUpdated May 24, 2026
nicknisi/prototype
development
VerifiedTrustedCommunity
Build a throwaway prototype to answer a design question before committing to real implementation. Generates either a runnable terminal app (for state machines, data models, business logic) or several radically different UI variations on one route (for visual/layout decisions). Use when the user wants to prototype, spike, POC, sanity-check a data model, mock up a UI, explore design options, or says "prototype this", "spike this out", "let me play with it", "try a few designs", "sketch this in code", "I want to try something before building it for real", "quick and dirty version", or "validate this approach" — even if they don't use the word "prototype."
89SKILL.mdUpdated May 24, 2026
nicknisi/codebase-rehab
development
VerifiedTrustedCommunity
Phased maintainability migration that transforms messy, overgrown, or slop-prone repos into product-shaped codebases while preserving behavior. Covers file splitting, typed boundaries, test hardening, feature folders, API consolidation, and a final migration audit microsite. Use when the user asks to "rehab this codebase", "run a maintainability migration", "modernize structure", "clean up this messy repo and make it maintainable", or "productionize this prototype". Unlike codebase-sweep (parallel quick audit), this is a deep, staged refactor with migration planning and checkpoint commits. Do not use for security audits, observability, compliance, or SRE work.
89SKILL.mdUpdated May 24, 2026