playbooks

home / skills / laurigates / claude-plugins / code-antipatterns-analysis

code-antipatterns-analysis skill

/code-quality-plugin/skills/code-antipatterns-analysis

This skill analyzes codebases for anti-patterns and quality issues across JavaScript, TypeScript, Python, Vue, and React using parallel agents.

npx playbooks add skill laurigates/claude-plugins --skill code-antipatterns-analysis

Review the files below or copy the command above to add this skill to your agents.

Files (2)
SKILL.md
10.3 KB
---
model: opus
created: 2025-12-16
modified: 2025-12-16
reviewed: 2025-12-16
name: code-antipatterns-analysis
description: Analyze codebases for anti-patterns, code smells, and quality issues using ast-grep structural pattern matching. Use when reviewing code quality, identifying technical debt, or performing comprehensive code analysis across JavaScript, TypeScript, Python, Vue, React, or other supported languages.
allowed-tools: Bash(sg *), Bash(rg *), Read, Grep, Glob, TodoWrite, Task
---

# Code Anti-patterns Analysis

Expert knowledge for systematic detection and analysis of anti-patterns, code smells, and quality issues across codebases using ast-grep and parallel agent delegation.

## Analysis Philosophy

This skill emphasizes **parallel delegation** for comprehensive analysis. Rather than sequentially scanning for issues, launch multiple specialized agents to examine different categories simultaneously, then consolidate findings.

## Analysis Categories

### 1. JavaScript/TypeScript Anti-patterns

**Callback Hell & Async Issues**
```bash
# Nested callbacks (3+ levels)
ast-grep -p '$FUNC($$$, function($$$) { $FUNC2($$$, function($$$) { $$$ }) })' --lang js

# Missing error handling in async
ast-grep -p 'async function $NAME($$$) { $$$ }' --lang js
# Then check if try-catch is present

# Unhandled promise rejection
ast-grep -p '$PROMISE.then($$$)' --lang js
# Without .catch() - use composite rule
```

**Magic Values**
```bash
# Magic numbers in comparisons
ast-grep -p 'if ($VAR > 100)' --lang js
ast-grep -p 'if ($VAR < 50)' --lang js
ast-grep -p 'if ($VAR === 42)' --lang js

# Magic strings
ast-grep -p "if ($VAR === 'admin')" --lang js
```

**Empty Catch Blocks**
```bash
ast-grep -p 'try { $$$ } catch ($E) { }' --lang js
```

**Console Statements (Debug Leftovers)**
```bash
ast-grep -p 'console.log($$$)' --lang js
ast-grep -p 'console.debug($$$)' --lang js
ast-grep -p 'console.warn($$$)' --lang js
```

**Use let/const for Variable Declarations**
```bash
ast-grep -p 'var $VAR = $$$' --lang js
```

### 2. Vue 3 Anti-patterns

**Props Mutation**
```yaml
# YAML rule for props mutation detection
id: vue-props-mutation
language: JavaScript
message: Use computed properties or emit events to update props
rule:
  pattern: props.$PROP = $VALUE
```

```bash
# Direct prop assignment
ast-grep -p 'props.$PROP = $VALUE' --lang js
```

**Missing Keys in v-for**
```bash
# Search in Vue templates
ast-grep -p 'v-for="$ITEM in $LIST"' --lang html
# Check if :key is present nearby
```

**Options API in Composition API Codebase**
```bash
# Find Options API usage
ast-grep -p 'export default { data() { $$$ } }' --lang js
ast-grep -p 'export default { methods: { $$$ } }' --lang js
ast-grep -p 'export default { computed: { $$$ } }' --lang js

# vs Composition API
ast-grep -p 'defineComponent({ setup($$$) { $$$ } })' --lang js
```

**Reactive State Issues**
```bash
# Destructuring reactive state (loses reactivity)
ast-grep -p 'const { $$$PROPS } = $REACTIVE' --lang js

# Should use toRefs
ast-grep -p 'const { $$$PROPS } = toRefs($REACTIVE)' --lang js
```

### 3. TypeScript Quality Issues

**Excessive `any` Usage**
```bash
ast-grep -p ': any' --lang ts
ast-grep -p 'as any' --lang ts
ast-grep -p '<any>' --lang ts
```

**Non-null Assertions**
```bash
ast-grep -p '$VAR!' --lang ts
ast-grep -p '$VAR!.$PROP' --lang ts
```

**Type Assertions Instead of Guards**
```bash
ast-grep -p '$VAR as $TYPE' --lang ts
```

**Missing Return Types**
```bash
# Functions without return type annotations
ast-grep -p 'function $NAME($$$) { $$$ }' --lang ts
# Check if return type is present
```

### 4. Async/Promise Patterns

**Unhandled Promises**
```bash
# Promise without await or .then/.catch
ast-grep -p '$ASYNC_FUNC($$$)' --lang js
# Context: check if result is used

# Floating promises (no await)
ast-grep -p '$PROMISE_RETURNING()' --lang ts
```

**Nested Callbacks (Pyramid of Doom)**
```bash
ast-grep -p '$F1($$$, function($$$) { $F2($$$, function($$$) { $F3($$$, function($$$) { $$$ }) }) })' --lang js
```

**Promise Constructor Anti-pattern**
```bash
# Wrapping already-async code in new Promise
ast-grep -p 'new Promise(($RESOLVE, $REJECT) => { $ASYNC_FUNC($$$).then($$$) })' --lang js
```

### 5. Code Complexity

**Long Functions (Manual Review)**
```bash
# Find function definitions, then count lines
ast-grep -p 'function $NAME($$$) { $$$ }' --lang js --json | jq '.[] | select(.range.end.line - .range.start.line > 50)'
```

**Deep Nesting**
```bash
# Nested if statements (4+ levels)
ast-grep -p 'if ($A) { if ($B) { if ($C) { if ($D) { $$$ } } } }' --lang js
```

**Large Parameter Lists**
```bash
ast-grep -p 'function $NAME($A, $B, $C, $D, $E, $$$)' --lang js
```

**Cyclomatic Complexity Indicators**
```bash
# Multiple conditionals in single function
ast-grep -p 'if ($$$) { $$$ } else if ($$$) { $$$ } else if ($$$) { $$$ }' --lang js
```

### 6. React/Pinia Store Patterns

**Direct State Mutation (Pinia)**
```bash
# Direct store state mutation outside actions
ast-grep -p '$STORE.$STATE = $VALUE' --lang js
```

**Missing Dependencies in useEffect**
```bash
ast-grep -p 'useEffect(() => { $$$ }, [])' --lang jsx
# Check if variables used inside are in dependency array
```

**Inline Functions in JSX**
```bash
ast-grep -p '<$COMPONENT onClick={() => $$$} />' --lang jsx
ast-grep -p '<$COMPONENT onChange={() => $$$} />' --lang jsx
```

### 7. Memory & Performance

**Event Listeners Without Cleanup**
```bash
ast-grep -p 'addEventListener($EVENT, $HANDLER)' --lang js
# Check for corresponding removeEventListener
```

**setInterval Without Cleanup**
```bash
ast-grep -p 'setInterval($$$)' --lang js
# Check for clearInterval
```

**Large Arrays in Computed/Memos**
```bash
ast-grep -p 'computed(() => $ARRAY.filter($$$))' --lang js
ast-grep -p 'useMemo(() => $ARRAY.filter($$$), [$$$])' --lang jsx
```

### 8. Security Concerns

**eval Usage**
```bash
ast-grep -p 'eval($$$)' --lang js
ast-grep -p 'new Function($$$)' --lang js
```

**innerHTML Assignment (XSS Risk)**
```bash
ast-grep -p '$ELEM.innerHTML = $$$' --lang js
ast-grep -p 'dangerouslySetInnerHTML={{ __html: $$$ }}' --lang jsx
```

**Hardcoded Secrets**
```bash
ast-grep -p "apiKey: '$$$'" --lang js
ast-grep -p "password = '$$$'" --lang js
ast-grep -p "secret: '$$$'" --lang js
```

**SQL String Concatenation**
```bash
ast-grep -p '"SELECT * FROM " + $VAR' --lang js
ast-grep -p '`SELECT * FROM ${$VAR}`' --lang js
```

### 9. Python Anti-patterns

**Bare Except**
```bash
ast-grep -p 'except: $$$' --lang py
```

**Mutable Default Arguments**
```bash
ast-grep -p 'def $FUNC($ARG=[])' --lang py
ast-grep -p 'def $FUNC($ARG={})' --lang py
```

**Global Variable Usage**
```bash
ast-grep -p 'global $VAR' --lang py
```

**Type: ignore Without Reason**
```bash
# Search in comments via grep
grep -r "# type: ignore$" --include="*.py"
```

## Parallel Analysis Strategy

When analyzing a codebase, launch multiple agents in parallel to maximize efficiency:

### Agent Delegation Pattern

```markdown
1. **Language Detection Agent** (Explore)
   - Detect project languages and frameworks
   - Identify relevant file patterns

2. **JavaScript/TypeScript Agent** (code-analysis or Explore)
   - JS anti-patterns
   - TypeScript quality issues
   - Async/Promise patterns

3. **Framework-Specific Agent** (code-analysis or Explore)
   - Vue 3 anti-patterns (if Vue detected)
   - React anti-patterns (if React detected)
   - Pinia/Redux patterns (if detected)

4. **Security Agent** (security-audit)
   - Security concerns
   - Hardcoded values
   - Injection risks

5. **Complexity Agent** (code-analysis or Explore)
   - Code complexity metrics
   - Long functions
   - Deep nesting

6. **Python Agent** (if Python detected)
   - Python anti-patterns
   - Type annotation issues
```

### Consolidation

After parallel analysis completes:
1. Aggregate findings by severity (critical, high, medium, low)
2. Group by category (security, performance, maintainability)
3. Provide actionable remediation suggestions
4. Prioritize fixes based on impact

## YAML Rule Examples

### Complete Anti-pattern Rule

```yaml
id: no-empty-catch
language: JavaScript
severity: warning
message: Empty catch block suppresses errors silently
note: |
  Empty catch blocks hide errors and make debugging difficult.
  Either log the error, handle it specifically, or re-throw.

rule:
  pattern: try { $$$ } catch ($E) { }

fix: |
  try { $$$ } catch ($E) {
    console.error('Error:', $E);
    throw $E;
  }

files:
  - 'src/**/*.js'
  - 'src/**/*.ts'
ignores:
  - '**/*.test.js'
  - '**/node_modules/**'
```

### Vue Props Mutation Rule

```yaml
id: no-props-mutation
language: JavaScript
severity: error
message: Never mutate props directly - use emit or local copy

rule:
  all:
    - pattern: props.$PROP = $VALUE
    - inside:
        kind: function_declaration

note: |
  Props should be treated as immutable. To modify data:
  1. Emit an event to parent: emit('update:propName', newValue)
  2. Create a local ref: const local = ref(props.propName)
```

## Integration with Commands

This skill is designed to work with the `/code:antipatterns` command, which:
1. Detects project language stack
2. Launches parallel specialized agents
3. Consolidates findings into prioritized report
4. Suggests automated fixes where possible

## Best Practices for Analysis

1. **Start with language detection** - Run appropriate patterns for detected languages
2. **Use parallel agents** - Don't sequentially analyze; delegate to specialized agents
3. **Prioritize by severity** - Security issues first, then correctness, then style
4. **Provide fixes** - Don't just identify problems; suggest solutions
5. **Consider context** - Some "anti-patterns" are acceptable in specific contexts
6. **Check test files separately** - Different standards may apply to test code

## Severity Levels

| Severity | Description | Examples |
|----------|-------------|----------|
| **Critical** | Security vulnerabilities, data loss risk | eval(), SQL injection, hardcoded secrets |
| **High** | Bugs, incorrect behavior | Props mutation, unhandled promises, empty catch |
| **Medium** | Maintainability issues | Magic numbers, deep nesting, large functions |
| **Low** | Style/preference | var usage, console.log, inline functions |

## Resources

- **ast-grep Documentation**: https://ast-grep.github.io/
- **ast-grep Playground**: https://ast-grep.github.io/playground.html
- **OWASP Top 10**: https://owasp.org/www-project-top-ten/
- **Clean Code Principles**: https://clean-code-developer.com/

Overview

This skill analyzes codebases for anti-patterns, code smells, and quality issues using ast-grep structural pattern matching and a parallel agent delegation approach. It targets JavaScript, TypeScript, Vue, React, Python and other supported languages to deliver prioritized, actionable findings. Use it to detect technical debt, security risks, and maintainability problems at scale.

How this skill works

The skill first detects project languages and relevant file patterns, then launches specialized agents in parallel (language, framework, security, complexity, etc.) to run targeted ast-grep queries. Agents produce structured findings which are consolidated, grouped by severity and category, and returned with remediation suggestions and optional automated fixes. It can output raw ast-grep matches, YAML rule recommendations, and prioritized reports.

When to use it

  • During code reviews to surface subtle anti-patterns and regressions
  • When performing a security audit to find hardcoded secrets, eval, or XSS risks
  • To measure technical debt across a repository before refactors or upgrades
  • When onboarding to a new codebase to learn common quality issues and hotspots
  • As part of CI to catch regressions in async handling, type usage, or complexity

Best practices

  • Start with language detection to run only relevant pattern sets
  • Run specialized agents in parallel to maximize coverage and speed
  • Prioritize findings by severity: security first, then correctness, then maintainability
  • Provide concrete fixes or code examples alongside each issue
  • Treat test files and generated code with different rules or ignores
  • Contextualize anti-patterns—some flagged patterns may be acceptable in specific scenarios

Example use cases

  • Scan a monorepo to find unhandled promises, magic values, and long functions across packages
  • Audit a Vue 3 codebase to detect props mutation, missing v-for keys, and reactive destructuring issues
  • Detect excessive any usage, non-null assertions, and missing return types in a TypeScript project
  • Identify bare except blocks, mutable default args, and global usage in Python modules
  • Run a security-focused pass to locate eval, innerHTML assignments, SQL string concatenation, and hardcoded secrets

FAQ

Which languages and frameworks are supported?

Primary coverage is JavaScript, TypeScript, Vue, React (JSX/TSX), and Python; ast-grep can extend to other supported languages by adding rules.

How are findings prioritized?

Findings are aggregated and grouped by severity (critical, high, medium, low) and by category (security, performance, maintainability) to guide remediation order.