tobihagemann/audit
claude/skills/audit/SKILL.md
Project-wide health audit pipeline that fans out to all analysis skills in parallel, evaluates findings, and produces a unified report at .turbo/audit.md. Use when the user asks to "audit the project", "run a full audit", "project health check", "audit my code", "codebase audit", or "comprehensive review".
$ install --global
skillsauthnpx skillsauth add tobihagemann/turbo auditInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 9, 2026, 4:47 AM128.4s1 file scanned
SKILL.md
- name:
- audit
- description:
- Project-wide health audit pipeline that fans out to all analysis skills in parallel, evaluates findings, and produces a unified report at .turbo/audit.md. Use when the user asks to \"audit the project\", \"run a full audit\", \"project health check\", \"audit my code\", \"codebase audit\", or \"comprehensive review\".
Audit
Project-wide health audit. Fans out to all analysis skills, evaluates findings, and writes .turbo/audit.md and .turbo/audit.html. Analysis-only — does not apply fixes.
Task Tracking
At the start, use TaskCreate to create a task for each phase:
- Scope and partition
- Threat model
- Run analysis skills
- Run
/evaluate-findingsskill - Generate markdown report
- Generate HTML report
Step 1: Scope and Partition
If $ARGUMENTS specifies paths, use those directly (skip the question).
Otherwise, use AskUserQuestion to confirm scope:
- All source files — audit everything
- Specific paths — user provides directories or file patterns
- Critical paths — heuristically identify high-risk areas (entry points, auth, data handling, payment processing)
Once scope is determined:
- Glob for source files in the selected scope. Exclude generated and vendored directories (
node_modules/,dist/,build/,vendor/,__pycache__/,.build/,DerivedData/,target/,.tox/, and others appropriate to the project). - Partition files by top-level source directory. Cap at 10 partitions. If more than 10 top-level directories exist, group related directories or use
AskUserQuestionto narrow scope. If a single directory contains 50+ files, sub-partition it by its immediate subdirectories.
Step 2: Threat Model
Check if .turbo/threat-model.md exists. If it does, continue to Step 3.
If missing, use AskUserQuestion to ask whether to create one before proceeding. The security review benefits from threat model context, but creating one adds time.
- Yes — launch an Agent tool call (
model: "opus", do not setrun_in_background) whose prompt instructs it to invoke the/create-threat-modelskill via the Skill tool. Wait for completion before continuing. - No — continue without a threat model.
Step 3: Launch All Analysis Agents
Use the Agent tool to launch all analysis agents below in a single assistant message so they run concurrently. Each Agent call uses model: "opus" and does not set run_in_background. Each Agent's prompt instructs the subagent to invoke its assigned skill via the Skill tool, with the partition's file list passed in for partitioned skills.
Expect (6 partitioned rows × number of partitions, plus 5 project-wide rows) Agent tool calls total. State the count explicitly when emitting the calls.
Partitioned Skills
For each skill below, launch one Agent per partition with the partition's file list in the prompt. Pass (skip peer review) annotations through to /review-code as an opt-out so it runs internal reviews only — /peer-review is scheduled as its own row to avoid duplicate peer-review runs.
| Skill | Scope |
|---|---|
| /review-code with correctness (skip peer review) | File list |
| /review-code with security (skip peer review) | File list |
| /review-code with api-usage (skip peer review) | File list |
| /review-code with consistency (skip peer review) | File list |
| /review-code with simplicity (skip peer review) | File list |
| /peer-review | File list |
Project-Wide Skills
| Skill | Notes |
|---|---|
| /review-code with coverage (skip peer review) | Project-wide |
| /review-dependencies | Project-wide |
| /review-tooling | Project-wide |
| /review-agentic-setup | Project-wide |
| /find-dead-code | Has its own partitioning |
Step 4: Run /evaluate-findings Skill
Aggregate all findings from all agents. Run the /evaluate-findings skill once on the combined set.
Step 5: Generate Markdown Report
Write .turbo/audit.md using the template below. Populate the dashboard by counting findings per category and applying health thresholds. Output the dashboard as text before writing the file.
Report Template
# Audit Report
**Date:** <date>
**Scope:** <what was audited>
## Dashboard
| Category | Health | Findings | Critical |
|---|---|---|---|
| Correctness | <Pass/Warn/Fail> | <N> | <N> |
| Security | <Pass/Warn/Fail> | <N> | <N> |
| API Usage | <Pass/Warn/Fail> | <N> | <N> |
| Consistency | <Pass/Warn/Fail> | <N> | <N> |
| Simplicity | <Pass/Warn/Fail> | <N> | <N> |
| Test Coverage | <Pass/Warn/Fail> | <N> | <N> |
| Dependencies | <Pass/Warn/Fail> | <N> | <N> |
| Tooling | <Pass/Warn/Fail> | <N> | <N> |
| Dead Code | <Pass/Warn/Fail> | <N> | <N> |
| Agentic Setup | <Pass/Warn/Fail> | <N> | <N> |
| Threat Model | <Present/Missing> | — | — |
### Health Thresholds
- **Pass** — zero P0/P1 findings in this category
- **Warn** — P1 findings present but no P0
- **Fail** — P0 findings present
## Detailed Findings
### Correctness
<findings from /review-code correctness>
### Security
<findings from /review-code security>
### API Usage
<findings from /review-code api-usage>
### Consistency
<findings from /review-code consistency>
### Simplicity
<findings from /review-code simplicity>
### Test Coverage
<findings from /review-code coverage>
### Dependencies
<findings from /review-dependencies>
### Tooling
<findings from /review-tooling>
### Dead Code
<findings from /find-dead-code>
### Agentic Setup
<findings from /review-agentic-setup>
### Threat Model
<status and summary>
Step 6: Generate HTML Report
Convert the markdown report into a styled, interactive HTML page.
- Run the
/frontend-designskill to load design principles. - Read
.turbo/audit.mdfor the full report content. - Write a self-contained
.turbo/audit.html(single file, no external dependencies beyond Google Fonts) that presents all findings from the markdown report with:- Dashboard health grid with severity color-coding (red=Fail, amber=Warn, green=Pass)
- Severity summary bar (P0/P1/P2/P3 counts)
- Sticky navigation between report sections
- Collapsible category sections
- Finding tables with file, line, and description columns
- Severity badges and color-coded group labels
- Entrance animations and hover states
- Print-friendly styles via
@media print - Responsive layout for mobile
Rules
- If any skill is unavailable or fails, proceed with findings from the remaining skills and note the failure in the report.
/peer-reviewcovers all concerns (correctness, security, api-usage, consistency, simplicity, coverage). Distribute its findings into their matching category sections. Deduplicate findings that overlap with the specialized reviewers.- Does not modify source code, stage files, or commit.
Related Skills
tobihagemann/understand-change
tools
VerifiedTrustedCommunity
Teach the user to deeply understand a change through interactive tutoring: restating understanding, drilling into why/what/how, and quizzing until mastery. The active counterpart to a one-shot explanation. Use when the user asks to "understand this change", "teach me this change", "help me understand what changed", "walk me through this change", "make sure I understand this", "quiz me on this", or "teach me what we did".
319SKILL.mdUpdated Jun 4, 2026
tobihagemann/understand-change
tools
VerifiedTrustedCommunity
Teach the user to deeply understand a change through interactive tutoring: restating understanding, drilling into why/what/how, and quizzing until mastery. The active counterpart to a one-shot explanation. Use when the user asks to "understand this change", "teach me this change", "help me understand what changed", "walk me through this change", "make sure I understand this", "quiz me on this", or "teach me what we did".
319SKILL.mdUpdated Jun 4, 2026
tobihagemann/update-pr
tools
VerifiedTrustedCommunity
Update an existing GitHub pull request's title and description to reflect the current state of the branch. Use when the user asks to "update the PR", "update PR description", "update PR title", "refresh PR description", or "sync PR with changes".
319SKILL.mdUpdated May 9, 2026
tobihagemann/split-and-ship
tools
VerifiedTrustedCommunity
Execute an approved split plan by creating separate branches, commits, and PRs for each change group. Use when the user asks to "split and ship", "ship the split plan", "create separate PRs", or "split changes into branches".
319SKILL.mdUpdated May 9, 2026