dev-team-audit
Full codebase audit combining security, quality, and tooling assessments. Use to run a comprehensive scan with Szabo (security), Knuth (quality), and Deming (tooling) in parallel. Can be scoped to specific directories or file patterns.
Install
mkdir -p .claude/skills/dev-team-audit && curl -L -o skill.zip "https://agentskills.codes/api/skills/download/17205" && unzip -o skill.zip -d .claude/skills/dev-team-audit && rm skill.zipInstalls to .claude/skills/dev-team-audit
Activation
This is the description your AI agent reads to decide when to run this skill — the better it matches your request, the more reliably it fires.
Full codebase audit combining security, quality, and tooling assessments. Use to run a comprehensive scan with Szabo (security), Knuth (quality), and Deming (tooling) in parallel. Can be scoped to specific directories or file patterns.About this skill
Run a comprehensive audit of: $ARGUMENTS
Setup
-
Determine the audit scope:
- If a directory or file pattern is given, scope the audit to those paths
- If no argument, audit the entire codebase
- Respect
.gitignore— skipnode_modules/,dist/, build artifacts
-
The audit always spawns three specialist agents:
- @dev-team-szabo — Security audit
- @dev-team-knuth — Quality and correctness audit
- @dev-team-deming — Tooling and automation audit
Security preamble
Before starting the audit, check for open security alerts using the project's security monitoring process (e.g., a /security-status skill or CLAUDE.md guidance). If no such process, skill, or guidance is available, explicitly note this in your report and proceed by reviewing recent security-related issues and scanning for common vulnerabilities manually. Include any findings in the audit scope.
Execution
-
Spawn all three agents as parallel background subagents using the Agent tool with
subagent_type: "general-purpose". Use the agent teammate naming convention:szabo-audit,knuth-audit,deming-audit. Timeout: If an audit agent has not reported progress (status file or message) within 2 minutes, send a status ping. If no response within 1 additional minute, terminate the agent and proceed with findings from the other agents. -
Each agent's prompt must include:
- The agent's full definition (read from
.claude/agents/<agent>.agent.md) - The scope (directory/pattern or "full codebase")
- Instruction to produce classified findings:
[DEFECT],[RISK],[QUESTION],[SUGGESTION] - Instruction to read the actual code and tests for full context
- The agent's full definition (read from
-
Agent-specific instructions:
Szabo (Security):
- Map all trust boundaries and entry points
- Check for OWASP Top 10 vulnerabilities
- Audit auth/authz flows end-to-end
- Review secret management and dependency vulnerabilities
Knuth (Quality):
- Identify untested code paths and coverage gaps
- Find boundary conditions without tests
- Check assertion quality in existing tests
- Map test-to-requirement traceability
Deming (Tooling):
- Inventory current tooling (linters, formatters, SAST, CI)
- Identify missing automation opportunities
- Check for stale dependencies and known vulnerabilities
- Evaluate CI pipeline efficiency
-
Wait for all agents to complete.
Report
Produce a consolidated audit report:
Executive summary
One paragraph summarizing the overall health of the codebase across all three domains.
Security findings (@dev-team-szabo)
List all findings, grouped by classification:
[DEFECT]— must fix[RISK]— should address[QUESTION]/[SUGGESTION]— consider
Quality findings (@dev-team-knuth)
Same grouping. Include specific files and line references.
Tooling findings (@dev-team-deming)
Same grouping. Include actionable recommendations.
Priority matrix
| Priority | Finding | Agent | Action |
|---|---|---|---|
| P0 (fix now) | [DEFECT] items | ... | ... |
| P1 (fix soon) | [RISK] items | ... | ... |
| P2 (improve) | [SUGGESTION] items | ... | ... |
Recommended next steps
Numbered list of concrete actions, ordered by priority. Each action should reference the specific finding it addresses.
Platform detection
Before issuing any gh issue, gh pr, or other platform-specific CLI commands, check .dev-team/config.json for the platform and issueTracker fields. If the project specifies a non-GitHub platform (e.g., "gitlab", "bitbucket", "other"), adapt issue tracker and PR commands accordingly — use glab for GitLab, the Bitbucket API, or the appropriate CLI for the configured platform. If platform is absent from config.json, default to "github". The steps in this skill assume GitHub by default.
Completion
After the audit report is delivered:
- Format the finding outcome log with every finding's classification, source agent, and outcome. Then call
dev-team-extractwith the formatted log. - If
dev-team-extractwas not called, the audit is INCOMPLETE. dev-team-extracthandles Borges spawning, metrics verification, and memory formation gates. Do not report the audit as complete untildev-team-extractreports success.- Include Borges's recommendations in the final report.