AgentSkillsCN

audit

对应用的各项功能逐一打分,并根据分析结果自动生成故事记录。

SKILL.md
--- frontmatter
name: audit
description: Rate each aspect of app, auto-create stories from findings
allowed-tools: Bash, Read, Grep, Glob, Task, TaskCreate, TaskUpdate, TaskList, Write, Edit
model: opus
user-invocable: true

Audit

Philosophy: Rate each aspect of the app (or specific feature), then auto-create stories from findings.

Swarm Architecture

code
User says "audit"
    │
    ├─► Agent 1: Security Audit (Haiku) - secrets, XSS, CORS, injection
    ├─► Agent 2: Performance Audit (Haiku) - memo, effects, re-renders
    ├─► Agent 3: Accessibility Audit (Haiku) - WCAG, keyboard, contrast
    ├─► Agent 4: Type Safety Audit (Haiku) - any, ts-ignore, conflicts
    ├─► Agent 5: UX/UI Audit (Haiku) - states, tokens, feedback
    └─► Agent 6: Test Coverage Audit (Haiku) - critical paths, gaps

    [All run in parallel via Task tool with run_in_background: true]

    ▼
Wait for completion → Aggregate Results → Present Report

Execution

Launch all 6 agents in a single message:

typescript
Task({ subagent_type: "Explore", model: "haiku", run_in_background: true,
  prompt: "Security audit for [PROJECT_PATH]. Scan: exposed secrets, dangerouslySetInnerHTML, eval(), missing Zod validation, SQL injection, XSS vectors, CORS config. Report: Severity, File:line, Issue, Fix." })

Task({ subagent_type: "Explore", model: "haiku", run_in_background: true,
  prompt: "Performance audit for [PROJECT_PATH]. Scan: missing React.memo on list items, useEffect without cleanup, inline objects in JSX, missing lazy loading, N+1 queries. Report: Severity, File:line, Issue, Fix." })

Task({ subagent_type: "Explore", model: "haiku", run_in_background: true,
  prompt: "Accessibility audit for [PROJECT_PATH]. Scan: images without alt, missing aria-labels, onClick without onKeyDown, missing form labels, hardcoded colors, undersized touch targets. Report: Severity, File:line, Issue, Fix." })

Task({ subagent_type: "Explore", model: "haiku", run_in_background: true,
  prompt: "Type safety audit for [PROJECT_PATH]. Scan: 'any' usage (skip test files), @ts-ignore, type assertions without guards, conflicting type definitions, untyped API responses. Report: Severity, File:line, Issue, Fix." })

Task({ subagent_type: "Explore", model: "haiku", run_in_background: true,
  prompt: "UX/UI audit for [PROJECT_PATH]. Scan: missing loading states, missing empty states, missing error states, hardcoded colors instead of tokens, missing toast feedback. Report: Severity, File:line, Issue, Fix." })

Task({ subagent_type: "Explore", model: "haiku", run_in_background: true,
  prompt: "Test coverage audit for [PROJECT_PATH]. Scan: auth flows without tests, data mutations without tests, hooks without test files, utilities without tests. List critical gaps. Report: Severity, What needs testing, Priority." })

Output Format

markdown
## Audit Report

**Scan Time:** ~3 min | **Agents:** 6 parallel | **Files Scanned:** ~250

### Summary

| Category | Critical | High | Medium | Low | Total |
|----------|----------|------|--------|-----|-------|
| Security | X | X | X | X | XX |
| Performance | X | X | X | X | XX |
| Accessibility | X | X | X | X | XX |
| Type Safety | X | X | X | X | XX |
| UX/UI | X | X | X | X | XX |
| Test Coverage | X | X | X | X | XX |
| **TOTAL** | **X** | **X** | **X** | **X** | **XX** |

### Critical Issues (Fix Immediately)

| # | Category | File:Line | Issue | Fix |
|---|----------|-----------|-------|-----|
| 1 | Security | src/api/auth.ts:45 | Exposed API key | Move to env var |
| 2 | A11y | src/components/Button.tsx:12 | No keyboard handler | Add onKeyDown |

### High Priority (Top 10)

1. [Category] File:line - Issue
2. ...

### Ratings

| Category | Score | Notes |
|----------|-------|-------|
| Security | 5/10 | 2 critical vulnerabilities |
| Performance | 7/10 | Missing memoization |
| Accessibility | 6/10 | Keyboard nav gaps |
| Type Safety | 7/10 | 12 'any' types |
| UX/UI | 6/10 | Missing loading states |
| Test Coverage | 2/10 | 95% hooks untested |
| **Overall** | **5.5/10** | |

Severity Definitions

SeverityDefinitionExample
CriticalSecurity vulnerability or app-breakingXSS, auth bypass, crash
HighSignificant UX degradation or major debt5s load, no error handling
MediumNoticeable but not blockingMissing loading state
LowNice to have, polishconsole.log left in

Auto-Create Stories

After rating, automatically create stories for Critical + High issues:

typescript
// Auto-create for critical issues
TaskCreate({
  subject: "Fix XSS vulnerability in user input",
  description: "src/api/auth.ts:45 - dangerouslySetInnerHTML with user data",
  metadata: { type: "security", priority: 0, category: "security" }
})

// Create for high-priority issues
TaskCreate({
  subject: "Add keyboard handler to Button",
  description: "src/components/Button.tsx:12 - onClick without onKeyDown",
  metadata: { type: "fix", priority: 1, category: "a11y" }
})

Then report:

code
Created [X] stories from audit findings.
- [N] Critical (priority 0)
- [N] High (priority 1)

Medium/Low issues logged but not queued.
Say "auto" to start fixing, or "audit [feature]" to audit specific area.

Focused Audit

User can audit specific features:

  • audit auth → Only scan auth-related files
  • audit dashboard → Only scan dashboard components
  • audit latest → Audit files changed in last 3 commits

Token Cost

  • 6 agents × ~15K tokens each = ~90K tokens total
  • Time: 2-4 minutes (parallel execution)
  • Context efficient: agents run in background, results aggregated

Real Results (From Production Test)

Last audit of Data Globe (247 files):

CategoryCriticalHighTotal
Security2514
Performance048
Accessibility257
Type Safety128
UX/UI3410
Test Coverage231538
Overall Score5.5/10-85 issues

Key findings:

  • Test coverage is the biggest gap (95% hooks untested)
  • 68 components use hardcoded colors
  • Edge Functions lack input validation
  • 530 console statements in production