tobihagemann/audit
codex/skills/audit/SKILL.md
Project-wide health audit pipeline that fans out to all analysis skills in parallel, evaluates findings, and produces a unified report at .turbo/audit.md. Use when the user asks to "audit the project", "run a full audit", "project health check", "audit my code", "codebase audit", or "comprehensive review".
$ install --global
skillsauthnpx skillsauth add tobihagemann/turbo auditInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 9, 2026, 4:51 AM191.3s1 file scanned
SKILL.md
- name:
- audit
- description:
- Project-wide health audit pipeline that fans out to all analysis skills in parallel, evaluates findings, and produces a unified report at .turbo/audit.md. Use when the user asks to \"audit the project\", \"run a full audit\", \"project health check\", \"audit my code\", \"codebase audit\", or \"comprehensive review\".
Audit
Project-wide health audit. Fans out to all analysis skills, evaluates findings, and writes .turbo/audit.md and .turbo/audit.html. Analysis-only — does not apply fixes.
Task Tracking
At the start, use update_plan to track each phase:
- Scope and partition
- Threat model
- Run analysis skills
- Run
$evaluate-findingsskill - Generate markdown report
- Generate HTML report
Step 1: Scope and Partition
If $ARGUMENTS specifies paths, use those directly (skip the question).
Otherwise, use request_user_input to confirm scope:
- All source files — audit everything
- Specific paths — user provides directories or file patterns
- Critical paths — heuristically identify high-risk areas (entry points, auth, data handling, payment processing)
Once scope is determined:
- Glob for source files in the selected scope. Exclude generated and vendored directories (
node_modules/,dist/,build/,vendor/,__pycache__/,.build/,DerivedData/,target/,.tox/, and others appropriate to the project). - Partition files by top-level source directory. Cap at 10 partitions. If more than 10 top-level directories exist, group related directories or use
request_user_inputto narrow scope. If a single directory contains 50+ files, sub-partition it by its immediate subdirectories.
Step 2: Threat Model
Check if .turbo/threat-model.md exists. If it does, continue to Step 3.
If missing, use request_user_input to ask whether to create one before proceeding. The security review benefits from threat model context, but creating one adds time.
- Yes — launch a Codex sub-agent call (inherited model defaults) whose prompt instructs it to invoke the
$create-threat-modelskill by reading and following the installed skill instructions. Wait for completion before continuing. - No — continue without a threat model.
Step 3: Launch All Analysis Agents
Launch the analysis agents below in parallel. Each sub-agent's prompt instructs it to invoke its assigned skill by reading and following the installed skill instructions, with the partition's file list passed in for partitioned skills.
Expect (6 partitioned rows × number of partitions, plus 5 project-wide rows) Codex sub-agent calls total. State the count explicitly before emitting the batch.
Partitioned Skills
For each skill below, launch one sub-agent per partition with the partition's file list in the prompt. Pass (skip peer review) annotations through to $review-code as an opt-out so it runs internal reviews only — $peer-review is scheduled as its own row to avoid duplicate peer-review runs.
| Skill | Scope |
|---|---|
| $review-code with correctness (skip peer review) | File list |
| $review-code with security (skip peer review) | File list |
| $review-code with api-usage (skip peer review) | File list |
| $review-code with consistency (skip peer review) | File list |
| $review-code with simplicity (skip peer review) | File list |
| $peer-review | File list |
Project-Wide Skills
| Skill | Notes |
|---|---|
| $review-code with coverage (skip peer review) | Project-wide |
| $review-dependencies | Project-wide |
| $review-tooling | Project-wide |
| $review-agentic-setup | Project-wide |
| $find-dead-code | Has its own partitioning |
Step 4: Run $evaluate-findings Skill
Aggregate all findings from all agents. Run the $evaluate-findings skill once on the combined set.
Step 5: Generate Markdown Report
Write .turbo/audit.md using the template below. Populate the dashboard by counting findings per category and applying health thresholds. Output the dashboard as text before writing the file.
Report Template
# Audit Report
**Date:** <date>
**Scope:** <what was audited>
## Dashboard
| Category | Health | Findings | Critical |
|---|---|---|---|
| Correctness | <Pass/Warn/Fail> | <N> | <N> |
| Security | <Pass/Warn/Fail> | <N> | <N> |
| API Usage | <Pass/Warn/Fail> | <N> | <N> |
| Consistency | <Pass/Warn/Fail> | <N> | <N> |
| Simplicity | <Pass/Warn/Fail> | <N> | <N> |
| Test Coverage | <Pass/Warn/Fail> | <N> | <N> |
| Dependencies | <Pass/Warn/Fail> | <N> | <N> |
| Tooling | <Pass/Warn/Fail> | <N> | <N> |
| Dead Code | <Pass/Warn/Fail> | <N> | <N> |
| Agentic Setup | <Pass/Warn/Fail> | <N> | <N> |
| Threat Model | <Present/Missing> | — | — |
### Health Thresholds
- **Pass** — zero P0/P1 findings in this category
- **Warn** — P1 findings present but no P0
- **Fail** — P0 findings present
## Detailed Findings
### Correctness
<findings from $review-code correctness>
### Security
<findings from $review-code security>
### API Usage
<findings from $review-code api-usage>
### Consistency
<findings from $review-code consistency>
### Simplicity
<findings from $review-code simplicity>
### Test Coverage
<findings from $review-code coverage>
### Dependencies
<findings from $review-dependencies>
### Tooling
<findings from $review-tooling>
### Dead Code
<findings from $find-dead-code>
### Agentic Setup
<findings from $review-agentic-setup>
### Threat Model
<status and summary>
Step 6: Generate HTML Report
Convert the markdown report into a styled, interactive HTML page.
- Run the
$frontend-designskill to load design principles. - Read
.turbo/audit.mdfor the full report content. - Write a self-contained
.turbo/audit.html(single file, no external dependencies beyond Google Fonts) that presents all findings from the markdown report with:- Dashboard health grid with severity color-coding (red=Fail, amber=Warn, green=Pass)
- Severity summary bar (P0/P1/P2/P3 counts)
- Sticky navigation between report sections
- Collapsible category sections
- Finding tables with file, line, and description columns
- Severity badges and color-coded group labels
- Entrance animations and hover states
- Print-friendly styles via
@media print - Responsive layout for mobile
Rules
- If any skill is unavailable or fails, proceed with findings from the remaining skills and note the failure in the report.
$peer-reviewcovers all concerns (correctness, security, api-usage, consistency, simplicity, coverage). Distribute its findings into their matching category sections. Deduplicate findings that overlap with the specialized reviewers.- Does not modify source code, stage files, or commit.
Related Skills
tobihagemann/codex-exec
tools
VerifiedTrustedCommunity
Run autonomous task execution using the codex CLI. Use when the user asks to "codex exec", "run codex exec", "execute a task with codex", or "delegate to codex".
334SKILL.mdUpdated May 9, 2026
tobihagemann/finalize
development
VerifiedTrustedCommunity
Run the post-implementation quality assurance workflow including tests, code polishing, review, and commit. Use when the user asks to "finalize implementation", "finalize changes", "wrap up implementation", "finish up", "ready to commit", or "run QA workflow".
331SKILL.mdUpdated May 9, 2026
tobihagemann/finalize
development
VerifiedTrustedCommunity
Run the post-implementation quality assurance workflow including tests, code polishing, review, and commit. Use when the user asks to "finalize implementation", "finalize changes", "wrap up implementation", "finish up", "ready to commit", or "run QA workflow".
331SKILL.mdUpdated May 9, 2026
tobihagemann/understand-change
tools
VerifiedTrustedCommunity
Teach the user to deeply understand a change through interactive tutoring: restating understanding, drilling into why/what/how, and quizzing until mastery. The active counterpart to a one-shot explanation. Use when the user asks to "understand this change", "teach me this change", "help me understand what changed", "walk me through this change", "make sure I understand this", "quiz me on this", or "teach me what we did".
319SKILL.mdUpdated Jun 4, 2026