stevefeldman/performance-audit
skills/performance-audit/SKILL.md
Analyze codebase for performance bottlenecks across code, database, frontend, network, and async operations
$ install --global
skillsauthnpx skillsauth add stevefeldman/agents-skills performance-auditInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 28, 2026, 8:14 AM182.8s1 file scanned
SKILL.md
- name:
- performance-audit
- description:
- Analyze codebase for performance bottlenecks across code, database, frontend, network, and async operations
Performance Audit
Analyze the codebase for performance bottlenecks and optimization opportunities.
Instructions
Conduct a comprehensive performance audit following these steps:
-
Technology Stack Analysis
- Identify the primary language, framework, and runtime
- Review build tools and optimization configurations
- Check for existing performance monitoring (APM, profilers, dashboards)
-
Code Performance Analysis
- Identify inefficient algorithms and data structures (especially O(n^2) or worse)
- Look for unnecessary computations, redundant operations, and hot loops
- Review memory allocation patterns and potential leaks
- Run stack-specific profiling:
- Node.js:
node --prof app.jsthennode --prof-process - Python:
python -m cProfile -o output.prof script.py - Go:
go tool pprof http://localhost:6060/debug/pprof/profile - Rust:
cargo flamegraph - Java:
jcmd <pid> JFR.start duration=60s filename=profile.jfr
- Node.js:
-
Database Performance
- Analyze queries for efficiency. Run
EXPLAIN ANALYZEon slow or suspicious queries - Check for missing indexes: look at
WHERE,JOIN, andORDER BYcolumns - Identify N+1 query problems and excessive round-trips
- Review connection pooling settings and pool utilization
- Check for table locks, deadlocks, and long-running transactions
- Analyze queries for efficiency. Run
-
Frontend Performance (if applicable)
- Run
npx lighthouse --output=json --output-path=./report.json <url>to audit Core Web Vitals - Analyze bundle size:
npx webpack-bundle-analyzer stats.jsonornpx vite-bundle-visualizer - Check for unused code and heavy dependencies (
npx depcheck) - Review render performance: unnecessary re-renders, missing memoization, layout thrashing
- Check image optimization and lazy loading
- Run
-
Network Performance
- Review API call patterns and identify redundant or waterfall requests
- Check caching strategy: HTTP cache headers, CDN configuration, application-level caching
- Analyze payload sizes and verify compression (gzip/brotli) is enabled
- Look for missing pagination on large data sets
-
Asynchronous Operations
- Review async/await usage for accidental serialization of independent operations
- Check for blocking operations on the main thread or event loop
- Identify opportunities for parallel execution (
Promise.all, goroutine fan-out, etc.) - Analyze task queue and background job performance
-
Memory Usage
- Check for memory leaks: growing heap over time, unclosed resources, listener accumulation
- Review garbage collection pressure and large object allocation
- Identify excessive data retention (caches without TTL, unbounded buffers)
- Profile with:
node --inspect(Chrome DevTools),valgrind,go tool pprof /heap
-
Build and Deployment Performance
- Measure build times and identify slow steps
- Check tree shaking, code splitting, and dead code elimination
- Verify dev vs. production optimization flags
- Review Docker image sizes and layer caching
-
Performance Monitoring
- Check existing metrics and alerting coverage
- Identify key KPIs: p50/p95/p99 latency, throughput, error rate, saturation
- Suggest missing instrumentation points
-
Benchmarking and Profiling
- Create benchmarks for critical code paths
- Measure before and after for any proposed optimization
- Document performance baselines for future comparison
-
Optimization Recommendations
- Prioritize by impact and effort using the severity format below
- Provide specific code changes, not just descriptions
- Suggest architectural improvements for long-term scalability
Output Format
Rate each finding by severity:
### [CRITICAL] N+1 query in OrderService.getAll()
**File:** `src/services/order-service.ts:45`
**Impact:** ~200ms added per request; 2000 extra DB queries under load
**Fix:** Eager-load line items with a JOIN or `include` clause
**Effort:** Low (1-2 hours)
### [HIGH] Uncompressed API responses
**File:** `src/server.ts` (missing middleware)
**Impact:** 3x larger payloads, ~150ms extra on mobile
**Fix:** Add `compression()` middleware
**Effort:** Low (15 minutes)
### [MEDIUM] Synchronous file reads at startup
**File:** `src/config/loader.ts:12`
**Impact:** Adds 400ms to cold start
**Fix:** Switch to async reads or cache after first load
**Effort:** Low (30 minutes)
Severity levels:
- CRITICAL - Causes outages, timeouts, or order-of-magnitude slowdowns under real load
- HIGH - Noticeable user-facing latency or significant resource waste
- MEDIUM - Measurable but tolerable; worth fixing in normal development
- LOW - Minor inefficiency; fix opportunistically
Follow-Up
For load testing and validating fixes under realistic traffic, use the /k6 skill to generate and run load test scripts.
Related Skills
stevefeldman/dependency-security-audit
development
VerifiedTrustedCommunity
Use when reviewing Dependabot alerts, npm audit findings, govulncheck output, or CVE reports on a JavaScript/Node.js or Go project — especially when triaging multiple alerts across direct and transitive dependencies to assess real-world risk and produce a remediation plan.
3SKILL.mdUpdated May 28, 2026
stevefeldman/pr-evidence
development
VerifiedTrustedCommunity
Use when a code review finding needs proof — write a focused test in JavaScript or Go that either confirms the issue is real or exposes it as over-engineering hyperbole. Trigger after code-review or code-review-skill findings are presented and evidence is requested.
3SKILL.mdUpdated May 22, 2026
stevefeldman/software-estimation
development
VerifiedTrustedCommunity
Produce data-driven software delivery estimates by analyzing historical JIRA tickets, git activity, and engineer track records, then matching the new work against the most similar past tickets. Use this skill whenever the user asks "how long will this take", wants to estimate a piece of work, scope an epic, plan a sprint, or estimate delivery for JIRA stories or a Figma design. Also use whenever the user wants developer-to-work assignment recommendations based on history, wants to optimize an estimate by adding or reallocating engineers, or asks "what's the fastest way to ship this" or "who should work on this". Especially trigger when the user provides JIRA ticket IDs, JIRA story links, or Figma designs together with any indication of a team that will execute the work.
3SKILL.mdUpdated May 16, 2026
stevefeldman/automation-rubric
tools
VerifiedTrustedCommunity
Use when auditing an existing test suite for quality and coverage gaps, evaluating Playwright migration readiness, scoring automation against a world-class e-commerce standard, or guiding the creation of new tests. Applicable to Selenium, WebdriverIO, and Playwright suites.
3SKILL.mdUpdated May 12, 2026