robbyt/codebase-analysis
plugins/codex/skills/codebase-analysis/SKILL.md
Codebase analysis via the Codex MCP server with a read-only sandbox. Trigger when user needs architecture overview ("analyze this codebase with Codex", "have Codex map dependencies"), onboarding to unfamiliar code, understanding legacy systems, or identifying technical debt.
$ install --global
skillsauthnpx skillsauth add robbyt/claude-skills codebase-analysisInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 5, 2026, 6:24 AM128.7s1 file scanned
SKILL.md
- name:
- codebase-analysis
- description:
- Codebase analysis via the Codex MCP server with a read-only sandbox. Trigger when user needs architecture overview ("analyze this codebase with Codex", "have Codex map dependencies"), onboarding to unfamiliar code, understanding legacy systems, or identifying technical debt.
Codebase Analysis via Codex
Use Codex to get a second-opinion architectural read of the current project, with the sandbox locked to read-only. Codex consults; Claude writes.
Transport
Always use the MCP tool. The plugin runs codex mcp-server on stdio via .mcp.json. Tool name: mcp__plugin_codex_cli__codex. If the example below errors with an unknown-tool error, run /mcp and substitute the actual prefix (e.g., mcp__codex_cli__codex). Shell fallback is a last resort (see ../references/commands.md).
Model
Omit the model parameter by default — codex picks gpt-5.5, the current flagship. Don't switch to gpt-5.4-mini here; codebase analysis benefits from the flagship's reasoning across many files. Only set model if the user names one explicitly. See ../references/patterns.md for the full table.
Basic call
mcp__plugin_codex_cli__codex({
"prompt": "Analyze this project's architecture: entry points, major modules, component relationships, and notable dependencies.",
"sandbox": "read-only"
})
The response includes a threadId. Use mcp__plugin_codex_cli__codex-reply with that id to drill in without re-establishing context.
When to Use
- Onboarding to an unfamiliar codebase
- Understanding legacy systems
- Mapping component relationships
- Finding hidden dependencies
- Architecture documentation
- Technical debt assessment
Examples
Full project analysis:
mcp__plugin_codex_cli__codex({
"prompt": "Analyze this project. Report on:\n- Overall architecture\n- Key dependencies\n- Component relationships\n- Potential issues",
"sandbox": "read-only"
})
Flow mapping:
mcp__plugin_codex_cli__codex({
"prompt": "Map the authentication flow. Identify every component involved from request to session creation.",
"sandbox": "read-only"
})
Dependency analysis:
mcp__plugin_codex_cli__codex({
"prompt": "Analyze dependencies: direct vs transitive, outdated packages, circular dependencies, bundle-size impact.",
"sandbox": "read-only"
})
Iterative workflow (prefer codex-reply)
When you're still working on the same area of the codebase, continue the existing thread rather than starting a new codex call. Codex retains context between rounds; fresh calls force it to re-read files and drift from its prior reasoning.
Typical loop:
- Initial consult → save the
threadIdfrom the response. - Claude reads related files / runs a query / makes a change.
codex-replywith new findings or a follow-up question.- Repeat — but cap at 3–4 rounds total. If the thread isn't converging, stop and bring the current state back to the user.
threadId is an MCP argument — pass it as the threadId field of codex-reply, not in the prompt text. See ../references/mcp-schema.md for wrong-vs-right examples.
Example — three rounds on the same architecture thread:
# Round 1 — initial map
mcp__plugin_codex_cli__codex({
"prompt": "Map the auth flow end-to-end.",
"sandbox": "read-only"
})
# → threadId: "019da14b-..." / flags: uncertainty about session rotation
# Round 2 — Claude reads src/session/ and reports back
mcp__plugin_codex_cli__codex-reply({
"threadId": "019da14b-...",
"prompt": "src/session/rotate.ts shows a 15m rotation window, not the 1h you assumed. Does that change anything in your flow map?"
})
# Round 3 — drill into a specific layer
mcp__plugin_codex_cli__codex-reply({
"threadId": "019da14b-...",
"prompt": "Focus on the data layer. What invariants does this flow depend on and where are they enforced?"
})
Start a fresh thread when: the user switches topic, the threadId is no longer in context, or Claude has made substantial code changes that would be cleaner to re-prime than to patch incrementally. See ../references/patterns.md.
Performance
- Simple analysis: ~5–30 s
- Multi-directory traversal: ~1–2 min
- Large legacy codebases: up to ~10 min
Safety
- Always
sandbox: "read-only". Codex must not modify files. - Never use
workspace-writeordanger-full-access. - Never use
--dangerously-bypass-approvals-and-sandbox.
Fallback (rare)
If the MCP server is unavailable (plugin disabled, server crashed), see ../references/commands.md for the Bash equivalent. Requires dangerouslyDisableSandbox: true because Codex writes its own session state.
Related Skills
robbyt/web-search
tools
VerifiedTrustedCommunity
Real-time web research using Google Search via Google's Antigravity (`agy`) CLI — the replacement for the deprecated `gemini-cli`. Trigger when user needs current information ("search with agy", "search with Google Antigravity", "find current info about X with agy", "what's the latest on Y"), library/API research, security vulnerability lookups, or comparisons requiring recent data.
41SKILL.mdUpdated May 21, 2026
robbyt/plan-review
tools
VerifiedTrustedCommunity
Get Google Antigravity's (`agy`) review of Claude's implementation plans. Trigger when user wants a second opinion on a plan ("have agy review this plan", "get a second opinion from Google Antigravity", "critique this plan with agy"), or after Claude creates a plan file that needs validation before implementation. Replaces the deprecated gemini-cli plan-review workflow.
41SKILL.mdUpdated May 21, 2026
robbyt/diff-review
tools
VerifiedTrustedCommunity
Get Google Antigravity's (`agy`) code review of git changes after Claude makes edits. Trigger when user wants a second opinion on code changes ("have agy review my changes", "get code review from Google Antigravity", "review this diff with agy"), or as a final check before committing. Replaces the deprecated gemini-cli diff-review workflow.
41SKILL.mdUpdated May 21, 2026
robbyt/codebase-analysis
tools
VerifiedTrustedCommunity
Deep architectural analysis of the current workspace using Google Antigravity (`agy`). Trigger when the user needs an architecture overview ("analyze this codebase with agy", "map dependencies with Google Antigravity"), is onboarding to unfamiliar code, exploring legacy systems, or hunting technical debt. Replaces the deprecated gemini-cli `codebase_investigator` workflow.
41SKILL.mdUpdated May 21, 2026