playbooks

home / skills / falkicon / mechanic / s-audit

s-audit skill

/.agent/skills/s-audit

This skill performs a comprehensive WoW addon audit, combining security, complexity, deprecation, and dead code analysis for quality.

npx playbooks add skill falkicon/mechanic --skill s-audit

Review the files below or copy the command above to add this skill to your agents.

Files (1)
SKILL.md
4.1 KB
---
name: s-audit
description: >
  Comprehensive quality analysis for WoW addons. Combines security, complexity,
  deprecation, and dead code analysis into a single audit workflow.
  Triggers: audit, quality, analysis, review, check, scan.
---

# Auditing WoW Addons

Expert guidance for comprehensive addon quality analysis.

## Related Commands

- [c-audit](../../commands/c-audit.md) - Full audit workflow
- [c-clean](../../commands/c-clean.md) - Dead code cleanup
- [c-lint](../../commands/c-lint.md) - Syntax and style
- [c-review](../../commands/c-review.md) - Full review (includes audit)

## MCP Tools

| Task | MCP Tool |
|------|----------|
| Security Analysis | `addon.security(addon="MyAddon")` |
| Complexity Analysis | `addon.complexity(addon="MyAddon")` |
| Deprecation Scan | `addon.deprecations(addon="MyAddon")` |
| Dead Code Detection | `addon.deadcode(addon="MyAddon")` |

## Capabilities

1. **Security Analysis** — Combat lockdown, secret values, taint, unsafe eval
2. **Complexity Analysis** — Deep nesting, long functions, magic numbers, duplicates
3. **Deprecation Scanning** — 100+ deprecated APIs with migration paths
4. **Dead Code Detection** — Unused functions, orphaned files, dead exports

## Analysis Categories

### Security (`addon.security`)

| Category | Description | Severity |
|----------|-------------|----------|
| `combat_violation` | Protected API without InCombatLockdown() guard | Error |
| `secret_leak` | Logging/storing secret values (12.0+) | Error |
| `taint_risk` | Unsafe global modifications | Warning |
| `unsafe_eval` | loadstring/RunScript with variable input | Warning |
| `addon_comm` | Unvalidated message parsing | Info |

### Complexity (`addon.complexity`)

| Category | Threshold | Description |
|----------|-----------|-------------|
| `deep_nesting` | > 5 levels | Excessive if/for/while nesting |
| `long_function` | > 100 lines | Functions too long to understand |
| `long_file` | > 500 lines | Files that should be split |
| `magic_number` | pattern-based | Unexplained numeric literals |
| `duplicate_code` | > 10 lines | Near-identical code blocks |

### Deprecations (`addon.deprecations`)

| Category | Example APIs | Since |
|----------|--------------|-------|
| `addons` | GetAddOnInfo → C_AddOns.GetAddOnInfo | 11.0 |
| `spells` | GetSpellInfo → C_Spell.GetSpellInfo | 11.0 |
| `items` | GetItemInfo → C_Item.GetItemInfo | 11.0 |
| `containers` | GetContainerItemInfo → C_Container | 10.0 |
| `unit` | UnitHealth (returns secret for enemies) | 12.0 |

### Dead Code (`addon.deadcode`)

| Category | Description |
|----------|-------------|
| `unused_function` | Functions defined but never called |
| `orphaned_file` | Lua files not in TOC |
| `dead_export` | Exported values never used |
| `unused_library` | Libraries in Libs/ never used |

## Workflow

### Quick Audit

```
1. addon.security   → Critical issues (combat, secrets)
2. addon.deprecations (min_severity=error) → Breaking changes
3. Report critical findings
```

### Full Audit

```
1. addon.security   → All security issues
2. addon.complexity → All maintainability issues
3. addon.deprecations → All deprecated APIs
4. addon.deadcode   → All dead code
5. Comprehensive report with priority order
```

## Interpreting Results

### Priority Order

1. **Critical** (Fix immediately):
   - Combat lockdown violations (will cause bugs)
   - Secret value leaks (12.0+ breaking)
   - Deprecated APIs with `severity: error`

2. **High** (Fix before release):
   - Taint risks
   - Deprecated APIs with `severity: warning`
   - Orphaned files

3. **Medium** (Fix when convenient):
   - Deep nesting (maintainability)
   - Long functions
   - Magic numbers

4. **Low** (Consider fixing):
   - Code duplicates
   - Suspicious dead code

## Best Practices

1. **Run before release** — Catch breaking changes early
2. **Start with critical** — Security and deprecations first
3. **Filter by severity** — Use `include_suspicious=false` for focused results
4. **Check 12.0 readiness** — Secret value APIs are breaking changes
5. **Review complexity** — High complexity = high bug risk

Overview

This skill performs comprehensive quality analysis for World of Warcraft addons. It combines security checks, complexity metrics, deprecation scanning, and dead-code detection into a single audit workflow. The goal is to surface critical bugs, breaking API usage, and maintainability risks before release.

How this skill works

The skill runs modular checks: security rules detect combat lockdown, secret leaks, taint, and unsafe evals; complexity analysis measures nesting, function/file length, magic numbers, and code duplication; a deprecation scanner maps 100+ deprecated APIs to modern replacements; dead-code detection finds unused functions, orphaned files, and unused libraries. Results are prioritized (Critical → High → Medium → Low) and returned as a consolidated report with actionable items and suggested fixes.

When to use it

  • Before publishing an addon release
  • After upgrading to a new WoW client (major version)
  • When CI indicates regressions or new warnings
  • During pull requests for large refactors
  • Before a public beta or stress test

Best practices

  • Run a quick audit first to catch security and breaking deprecations
  • Follow the priority order: fix Critical issues immediately
  • Filter results by severity to focus the team (include_suspicious=false)
  • Re-run audits after code removals to detect orphaned files
  • Track complexity hotspots and split long files/functions proactively

Example use cases

  • Pre-release check to eliminate combat lockdown and secret leaks
  • Automated CI step that fails on Critical deprecations or security errors
  • Code cleanup sprint guided by dead-code and duplicate detections
  • Refactor validation to ensure no deprecated APIs remain after migration
  • Maintainability review highlighting long functions and deep nesting hotspots

FAQ

What constitutes a Critical finding?

Critical findings include combat lockdown violations, secret value leaks introduced by newer APIs, and deprecated APIs flagged as errors. These should be fixed immediately.

Can I run only specific checks?

Yes. The workflow supports targeted runs (security, complexity, deprecations, deadcode) so you can focus on one area or run the full audit.