app-audit
Full application quality audit. Chains impeccable-audit + security-scanner + performance-profiler + accessibility + web-vitals + owasp. Produces a single prioritized report with severity scores, WCAG citations, and fix commands for each issue.
Best use case
app-audit is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Teams using app-audit should expect more consistent output, faster repeated execution, and less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in .claude/skills/app-audit/SKILL.md inside your project
- Restart your AI agent — it will auto-discover the skill
How app-audit Compares
| Feature / Agent | app-audit | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Full application quality audit. Chains impeccable-audit + security-scanner + performance-profiler + accessibility + web-vitals + owasp. Produces a single prioritized report with severity scores, WCAG citations, and fix commands for each issue.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# App Audit

## Purpose

App Audit is the full-stack quality orchestrator. One command runs UI/UX, security, performance, accessibility, and code quality checks in sequence — then consolidates every finding into a single prioritized report. It does not fix issues; it surfaces them with enough context to fix them fast.

## Workflow

### Phase 0 — Scope

Parse `$ARGUMENTS` for:

- `target` — URL, file path, or "whole project"
- `focus` — "security" / "performance" / "a11y" / "ui" / "all" (default: all)
- `wcagLevel` — "AA" (default) or "AAA"

Confirm scope with user if target is ambiguous.

### Phase 1 — UI/UX Audit

1. **Invoke `impeccable-audit`** — Run the full impeccable audit workflow on the target. Collect all UI findings (anti-patterns, visual hierarchy, typography, color tokens, interactive states, responsiveness) as a findings list with severity levels.

### Phase 2 — Security Scan

2. **Invoke `security-scanner`** — Scan for OWASP Top 10 vulnerabilities: broken access control, injection, cryptographic failures, insecure design, security misconfiguration, vulnerable components, auth failures, integrity failures, logging failures, SSRF.
3. **Invoke `owasp`** — Cross-reference findings against the OWASP standard. Assign OWASP category label (A01–A10) to each security issue.

Additional manual checks during this phase:

- `.env` files in git history
- API keys exposed via `NEXT_PUBLIC_*`
- Missing CSP headers
- Missing rate limiting on auth endpoints

### Phase 3 — Performance Analysis

4. **Invoke `performance-profiler`** — Profile bundle size, N+1 queries, missing indexes, memoization gaps, and render performance.
5. **Invoke `web-vitals`** — Measure Core Web Vitals against targets (LCP < 2.5s, INP < 100ms, CLS < 0.1, TTFB < 800ms). Flag anything in "Needs Work" or "Poor" range.

### Phase 4 — Accessibility

6. **Invoke `accessibility`** — Run WCAG 2.1 AA (or AAA if specified) checks: color contrast, missing alt text, form labels, button names, heading hierarchy, focus indicators, keyboard navigation, ARIA usage, landmark regions, skip nav, aria-live regions.

### Phase 5 — Code Quality

Run static analysis directly:

```bash
# TypeScript errors
npx tsc --noEmit 2>&1 | grep "error TS"

# Dead code
npx knip

# Dependency vulnerabilities
npm audit --audit-level=moderate

# Outdated dependencies
npm outdated
```

Collect all findings from this phase.

---

## Consolidated Report

After all phases complete, produce a single report:

```markdown
# App Audit Report — [Target] — [Date]

## Executive Summary
- Critical: N issues (fix before deploy)
- High: N issues (fix this sprint)
- Medium: N issues (fix next sprint)
- Low: N issues (backlog)
- Overall score: X/100

## Critical Issues

### [Issue Title]
- Category: Security / Performance / A11y / UI
- Location: file:line or URL + selector
- Impact: [what breaks or who is harmed]
- Standard: WCAG 1.4.3 / OWASP A03 / etc.
- Fix: [specific code change or command]

## [Continue for High / Medium / Low...]

## Fix Priority Queue
1. [Critical #1] — [1-line fix description]
2. [Critical #2] — ...
```

---

## Usage

```
/app-audit http://localhost:3000
/app-audit src/ focus:security
/app-audit . focus:performance,a11y wcag:AAA
```
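Two of the Phase 2 manual checks listed in the SKILL.md above (`.env` files in git history and credentials behind `NEXT_PUBLIC_*`), written as shell functions. This is an added example, not part of app-audit or its SKILL.md; the function names and the list of secret-looking name fragments are assumptions.

```shell
#!/usr/bin/env bash
# Added example: two Phase 2 manual checks as shell functions.
# Function names and the secret-name fragments are assumptions, not app-audit's own.

# Read paths on stdin; keep real dotenv files (.env, .env.local,
# api/.env.production) and drop committed templates such as .env.example.
filter_env_paths() {
  grep -E '(^|/)\.env(\.[A-Za-z0-9_-]+)*$' \
    | grep -Ev '\.(example|sample|template|dist)$' \
    | LC_ALL=C sort -u
}

# Check 1: dotenv files ever added on any ref, even if deleted later.
# A hit means the values are still recoverable from history and need rotating.
env_files_in_history() {
  git -C "${1:-.}" log --all --diff-filter=A --name-only --pretty=format: \
    | filter_env_paths
}

# Check 2: NEXT_PUBLIC_* variables whose names suggest a credential.
# Next.js inlines NEXT_PUBLIC_* values into the browser bundle, so such
# names should not exist. Prints file:line:NAME and never the value.
public_secret_names() {
  grep -EHns '^[[:space:]]*(export[[:space:]]+)?NEXT_PUBLIC_[A-Z0-9_]*(SECRET|TOKEN|PASSWORD|PRIVATE|API_KEY)[A-Z0-9_]*=' "$@" \
    | sed -E 's/^([^:]+:[0-9]+):[[:space:]]*(export[[:space:]]+)?([A-Z0-9_]+)=.*/\1:\3/'
}

# Run both checks against a project directory passed as the first argument.
if [ "$#" -gt 0 ]; then
  echo "dotenv files in git history:"
  env_files_in_history "$1"
  echo "credential-like NEXT_PUBLIC_ names:"
  public_secret_names "$1"/.env*
fi
```

Each reported line maps onto the report template's `Location: file:line` field; the value itself is deliberately left out of the output so the report does not become a second copy of the secret.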
Related Skills
seo-audit
Audit affiliate blog posts and landing pages for SEO issues. Triggers on: "audit my blog post for SEO", "check my SEO", "SEO review", "improve my rankings", "SEO checklist", "on-page SEO audit", "keyword optimization check", "why isn't my page ranking", "SEO score", "content quality audit", "check my meta tags", "internal linking audit", "quick SEO wins".
audit
Full codebase audit orchestrator covering security, code quality, performance, and accessibility analysis with prioritized findings.
ultrathink
UltraThink Workflow OS — 4-layer skill mesh with persistent memory and privacy hooks for complex engineering tasks. Routes prompts through intent detection to activate the right domain skills automatically.
ultrathink_review
Multi-pass code review powered by UltraThink's quality gate — checks correctness, security (OWASP), performance, readability, and project conventions in a single structured pass.
ultrathink_memory
Persistent memory system for UltraThink — search, save, and recall project context, decisions, and patterns across sessions using Postgres-backed fuzzy search with synonym expansion.
ui-design
Comprehensive UI design system: 230+ font pairings, 48 themes, 65 design systems, 23 design languages, 30 UX laws, 14 color systems, Swiss grid, Gestalt principles, Pencil.dev workflow. Inherits ui-ux-pro-max (99 UX rules) + impeccable-frontend-design (anti-AI-slop). Triggers on any design, UI, layout, typography, color, theme, or styling task.
Zod
> TypeScript-first schema validation with static type inference.
webinar-registration-page
Build a webinar or live event registration page as a self-contained HTML file with countdown timer, speaker bio, agenda, and registration form. Triggers on: "build a webinar registration page", "create a webinar sign-up page", "event registration landing page", "live training registration page", "workshop sign-up page", "create a webinar page", "build an event page", "free webinar landing page", "live demo registration page", "online event page", "create a registration page for my webinar", "build a training event page".
webhooks
Webhook design patterns — delivery, retry with exponential backoff, HMAC signature verification, payload validation, idempotency keys
web-workers
Offload heavy computation from the main thread using Web Workers, SharedWorkers, and Comlink — structured messaging, transferable objects, and off-main-thread architecture patterns
web-vitals
Core Web Vitals monitoring (LCP, FID, CLS, INP, TTFB), measurement with web-vitals library, reporting to analytics, and optimization strategies for Next.js
web-components
Native Web Components, custom elements API, Shadow DOM, HTML templates, slots, lifecycle callbacks, and framework-agnostic design patterns