sd0xdev/project-audit
skills/project-audit/SKILL.md
Project health audit with deterministic scoring. Use when: evaluating project quality, onboarding to new codebase, periodic health checks. Not for: runtime performance analysis, security-specific audits (use /codex-security). Output: 5-dimension score + actionable findings.
$ install --global
skillsauthnpx skillsauth add sd0xdev/sd0x-dev-flow project-auditInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 18, 2026, 4:13 AM41.7s4 files scanned
SKILL.md
- name:
- project-audit
- description:
- Project health audit with deterministic scoring. Use when: evaluating project quality, onboarding to new codebase, periodic health checks. Not for: runtime performance analysis, security-specific audits (use /codex-security). Output: 5-dimension score + actionable findings.
Project Audit
When NOT to Use
- Security-specific review (use
/codex-security) - Runtime performance profiling
- Mid-development review (use
/codex-review-fast)
Procedure
- Run
bash scripts/run-skill.sh project-audit audit.js --jsonto collect deterministic scores - Parse the JSON output — overall_score, status, dimensions, checks, findings, next_actions
- If status = Blocked (P0 findings) — highlight critical gaps, suggest immediate fixes
- If status = Needs Work (P1 findings) — format improvement roadmap by dimension
- If status = Healthy — summarize strengths, note any P2 improvements
- Add qualitative interpretation beyond the scores (e.g., "test ratio is good but concentrated in unit tests")
Script Integration
The audit script runs 12 deterministic checks across 5 dimensions:
| Dimension | Checks | What It Measures | |-----------|--------|-----------------| | oss | 2 | LICENSE, README quality | | robustness | 3 | CI config, lint/typecheck, test ratio | | scope | 2 | Declared features vs implementation, AC completion | | runnability | 3 | Package manifest, scripts, env/Docker setup | | stability | 2 | Lock file + audit, type configuration |
Scoring Model
- Each check:
1(pass) /0.5(partial) /0(fail) /N/A(skipped) - Dimension score:
applicable_sum / applicable_count * 100 - Overall score: average of dimension scores
- Confidence:
applicable_checks / total_checksper dimension
Status Determination
| Status | Condition | Exit Code | |--------|-----------|-----------| | Blocked | Any P0 finding | 2 | | Needs Work | No P0, has P1 | 1 | | Healthy | No P0/P1 | 0 |
Script Failure Fallback
If the script fails, report the error and suggest running manually:
bash scripts/run-skill.sh project-audit audit.js --json
Output Format
## Project Audit Report
| Field | Value |
|-------|-------|
| Repo | [name] |
| Score | **[N]/100** |
| Status | [icon] [status] |
### Dimensions
[table of dimension scores]
### Checks
[list of check results with suggestions]
### Next Actions
[prioritized action items]
## Gate: ✅/⛔
References
references/check-catalog.md— Check definitions, scoring criteria, ecosystem detection (read when investigating a specific check result)references/output-template.md— Report format examples and JSON schema (read when customizing output)
Verification
- [ ] Script ran successfully
- [ ] All 12 checks executed (or marked N/A with reason)
- [ ] Qualitative interpretation added beyond raw scores
- [ ] Next actions are actionable (include commands where applicable)
Related Skills
sd0xdev/zh-tw
documentation
VerifiedTrustedCommunity
Rewrite the previous reply in Traditional Chinese
147SKILL.mdUpdated Apr 28, 2026
sd0xdev/watch-ci
development
VerifiedTrustedCommunity
Monitor GitHub Actions CI runs until completion. Use when: watching CI after push, checking build status, monitoring PR checks, waiting for CI completion, user says 'watch CI', 'check CI', 'CI status', 'monitor build', or /watch-ci. Not for: pushing code (use push-ci), creating PRs (use create-pr). Output: per-run verdict (pass/fail/timeout).
147SKILL.mdUpdated Apr 28, 2026
sd0xdev/verify
development
VerifiedTrustedCommunity
Verification loop — lint -> typecheck -> unit -> integration -> e2e
147SKILL.mdUpdated Apr 28, 2026
sd0xdev/update-docs
development
VerifiedTrustedCommunity
Research current code state then update corresponding docs, ensuring docs stay in sync with code.
147SKILL.mdUpdated Apr 28, 2026