What is the default scope if none is provided?

If no scope is provided, the skill defaults to files changed since the last commit.

How are findings prioritized and presented?

Findings are grouped by agent perspective, deduplicated across agents, and assigned severity levels (CRITICAL > HIGH > MEDIUM > LOW). Results are presented in a unified Code Audit Report with file:line references.

What happens when scope is 'all'?

Scope 'all' analyzes up to the 50 most important files by recent changes and complexity, running all five agents in parallel to produce a comprehensive report.

code-audit

npx machina-cli add skill speson/not-my-reforge/code-audit --openclaw

Files (1)

SKILL.md

2.4 KB

You have the code-audit skill. When invoked, run a comprehensive multi-perspective code audit.

Usage

/not-my-reforge:code-audit [scope]

Scope can be: a file path, directory, or "all" for full codebase. Default: files changed since last commit.

Audit Strategy

Launch 5 parallel agents using the Task tool (all with run_in_background: true):

1. Security Agent (security-reviewer)

OWASP Top 10 vulnerabilities
Hardcoded secrets/credentials
SQL injection, XSS, command injection
Auth/authz bypass risks
Dependency vulnerabilities (check package.json/Cargo.toml/go.mod)

2. Quality Agent (reviewer)

Code duplication
Dead code / unused exports
Error handling gaps (empty catch blocks, swallowed errors)
Naming consistency
SOLID principle violations

3. Performance Agent (explore)

N+1 query patterns
Unbounded loops / recursion
Large bundle imports
Memory leak risks (event listeners, subscriptions)
Missing pagination / streaming

4. Architecture Agent (oracle-deep)

Circular dependencies
Layer violations (presentation → data, etc.)
Coupling analysis
API design consistency
Breaking change risks

5. Test Coverage Agent (test-engineer)

Untested public functions
Missing edge case tests
Test quality (assertions per test, mocking depth)
Integration test gaps

Output Format

After all agents complete, synthesize into a unified report:

## Code Audit Report

### Critical (must fix)
- [SECURITY] file:line — description
- [BUG] file:line — description

### High (should fix)
- [QUALITY] file:line — description
- [PERFORMANCE] file:line — description

### Medium (consider)
- [ARCHITECTURE] file:line — description

### Low (nice to have)
- [STYLE] file:line — description

### Summary
- Files audited: N
- Issues found: N (critical: N, high: N, medium: N, low: N)
- Top risk areas: ...

Rules

Launch ALL agents in parallel (one message with multiple Task calls)
Each agent should focus ONLY on its perspective
Deduplicate findings across agents
Severity levels: CRITICAL > HIGH > MEDIUM > LOW
Always include file:line references
If scope is "all", limit to 50 most important files (by recent changes, complexity)

Source

git clone https://github.com/speson/not-my-reforge/blob/main/skills/code-audit/SKILL.mdView on GitHub

Overview

code-audit runs five parallel agents to inspect security, quality, performance, architecture, and test coverage across a given scope. It surfaces actionable findings with file:line references, helping teams ship safer, cleaner, and faster code. The results are synthesized into a unified Code Audit Report.

How This Skill Works

Invoke with /not-my-reforge:code-audit [scope]; the tool launches five agents in parallel via the Task tool (run_in_background: true). Each agent reports only its perspective; after completion findings are deduplicated and merged into a unified Markdown Code Audit Report with severity levels and file:line references.

When to Use It

Before a release to catch security, quality, and performance issues
During a large refactor to surface architecture and design problems
When onboarding a new codebase or module to audit baseline health
After dependency updates to check for vulnerabilities and regressions
As part of periodic code health checks for ongoing quality assurance

Quick Start

Step 1: /not-my-reforge:code-audit [scope] (or 'all' for full repo)
Step 2: Wait for the five parallel agents to complete and synthesize the Code Audit Report
Step 3: Open the unified report, fix high- and critical-severity findings, then re-run if needed

Best Practices

Define scope precisely (path, directory, or all); default to files changed since last commit if unspecified
Run all five agents in parallel to maximize coverage and speed
Review deduplicated findings and prioritize by severity (CRITICAL > HIGH > MEDIUM > LOW)
Use the unified Code Audit Report with file:line references to guide fixes
Triage critical issues first and track remediation progress

Example Use Cases

Audit a feature branch to identify security gaps, dead code, and missing tests before merging
Scan the entire repo after dependency bumps to catch new vulnerabilities or API changes
Evaluate the API surface for design consistency and potential breaking changes
Investigate data-access paths to surface N+1 queries and memory risks
After a module split, detect circular dependencies and architectural layer violations

Frequently Asked Questions

Add this skill to your agents