From claude-mods
Detects technical debt using parallel subagents: duplicated code, dead imports, security issues, and complexity hotspots. Run at session end or before commits/merges.
npx claudepluginhub 0xdarkmatter/claude-mods --plugin claude-mods
How this skill is triggered — by the user, by Claude, or both
Slash command
/claude-mods:techdebt
When to use
Use at session wrap-up or before a commit/merge — e.g. 'find tech debt', 'scan for issues before I commit', 'check code quality', 'anything to clean up before merge?'.
Automated technical debt detection using parallel subagents. Designed to run at session end to catch issues while context is fresh.
# Session end - scan changes since last commit (default)
/techdebt
# Deep scan - analyze entire codebase
/techdebt --deep
# Specific categories
/techdebt --duplicates # Only duplication
/techdebt --security # Only security issues
/techdebt --complexity # Only complexity hotspots
/techdebt --deadcode # Only dead code
# Auto-fix mode (interactive)
/techdebt --fix
Always uses parallel subagents for fast analysis:
Main Agent (orchestrator)
│
├─> Subagent 1: Duplication Scanner
├─> Subagent 2: Security Scanner
├─> Subagent 3: Complexity Scanner
└─> Subagent 4: Dead Code Scanner
↓ All run in parallel (2-15s depending on scope)
Main Agent: Consolidate findings → Rank by severity → Generate report
Benefits:
Default (no flags):
git diff --name-only HEAD
Deep scan (--deep flag):
Specific category (e.g., --duplicates):
Launch 4 subagents simultaneously (or subset if category specified):
Subagent 1: Duplication Scanner
ast-grep, structural search, token analysis
Subagent 2: Security Scanner
Subagent 3: Complexity Scanner
Subagent 4: Dead Code Scanner
Subagent instructions template:
Scan {scope} for {category} issues.
## Domain Knowledge
Before scanning, read the relevant skill for deeper patterns:
- Security scanner: Read skills/security-ops/references/owasp-detailed.md
- Complexity scanner: Read skills/refactor-ops/SKILL.md
Scope: {file_list or "entire codebase"}
Language: {detected from file extensions}
Focus: {category-specific patterns}
Output format:
- File path + line number
- Issue description
- Severity (P0-P3)
- Suggested fix (if available)
Use appropriate tools:
- Duplication: ast-grep for structural similarity
- Security: pattern matching + known vulnerability patterns
- Complexity: cyclomatic complexity calculation
- Dead Code: static analysis for unused symbols
Main agent collects results from all subagents and:
Create actionable report with:
# Tech Debt Report
**Scope:** {X files changed | Entire codebase}
**Scan Time:** {duration}
**Debt Score:** {0-100, lower is better}
## Summary
| Category | Findings | P0 | P1 | P2 | P3 |
|----------|----------|----|----|----|----|
| Duplication | X | - | X | X | - |
| Security | X | X | - | - | - |
| Complexity | X | - | X | X | - |
| Dead Code | X | - | - | X | X |
## Critical Issues (P0)
### {file_path}:{line}
**Category:** {Security}
**Issue:** Hardcoded API key detected
**Impact:** Credential exposure risk
**Fix:** Move to environment variable
## High Priority (P1)
### {file_path}:{line}
**Category:** {Duplication}
**Issue:** 45-line block duplicated across 3 files
**Impact:** Maintenance burden, inconsistency risk
**Fix:** Extract to shared utility function
[... continue for all findings ...]
## Recommendations
1. Address all P0 issues before merge
2. Consider refactoring high-complexity functions
3. Remove dead code to reduce maintenance burden
## Auto-Fix Available
Run `/techdebt --fix` to interactively apply safe automated fixes.
If --fix flag provided:
Identify safe fixes:
Interactive prompts:
Fix: Remove unused import 'requests' from utils.py:5
[Y]es / [N]o / [A]ll / [Q]uit
Apply changes:
Safety rules:
AST Similarity Detection:
ast-grep for structural pattern matching
Token-based Analysis:
Thresholds:
Pattern Detection:
| Pattern | Severity | Example |
|---|---|---|
| Hardcoded secrets | P0 | API_KEY = "sk-..." |
| SQL injection risk | P0 | f"SELECT * FROM users WHERE id={user_id}" |
| Insecure crypto | P0 | hashlib.md5(), random.random() for tokens |
| Path traversal | P0 | open(user_input) without validation |
| XSS vulnerability | P0 | Unescaped user input in HTML |
| Eval/exec usage | P1 | eval(user_input) |
| Weak passwords | P2 | Hardcoded default passwords |
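The following is an added example, not the plugin's own scanner code: a minimal AST-based detector for four rows of the table above (hardcoded secrets, f-string SQL, `hashlib.md5()`, `eval`/`exec`), run over a constructed sample. The name heuristics in `SECRET_NAMES` and `SQL_VERBS` are assumptions chosen for illustration.

```python
import ast

# Constructed sample input: each flagged line mirrors a row of the pattern table.
SAMPLE = '''
import hashlib
API_KEY = "sk-constructed-example-value"
def lookup(cur, user_id, user_input):
    cur.execute(f"SELECT * FROM users WHERE id={user_id}")
    digest = hashlib.md5(user_input.encode()).hexdigest()
    safe = cur.execute("SELECT * FROM users WHERE id=?", (user_id,))
    return eval(user_input), digest, safe
'''

SECRET_NAMES = ("key", "secret", "token", "password")   # assumed name heuristic
SQL_VERBS = ("select ", "insert ", "update ", "delete ")

def scan(source, path="<sample>"):
    """Return sorted (path, line, severity, issue) tuples for a Python source string."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Assign) and isinstance(node.value, ast.Constant) \
                and isinstance(node.value.value, str) and node.value.value:
            for target in node.targets:
                if isinstance(target, ast.Name) and any(s in target.id.lower() for s in SECRET_NAMES):
                    findings.append((path, node.lineno, "P0", "Hardcoded secret"))
        elif isinstance(node, ast.JoinedStr):
            # An f-string with interpolated values whose literal part starts like SQL.
            literal = "".join(p.value for p in node.values
                              if isinstance(p, ast.Constant) and isinstance(p.value, str)).lower()
            has_expr = any(isinstance(p, ast.FormattedValue) for p in node.values)
            if has_expr and literal.lstrip().startswith(SQL_VERBS):
                findings.append((path, node.lineno, "P0", "SQL injection risk"))
        elif isinstance(node, ast.Call):
            func = node.func
            if isinstance(func, ast.Attribute) and func.attr == "md5":
                findings.append((path, node.lineno, "P0", "Insecure crypto"))
            elif isinstance(func, ast.Name) and func.id in ("eval", "exec"):
                findings.append((path, node.lineno, "P1", "Eval/exec usage"))
    return sorted(findings)

if __name__ == "__main__":
    for path, line, severity, issue in scan(SAMPLE):
        print(f"{path}:{line} [{severity}] {issue}")
```

The parameterized query on line 7 of the sample is not reported, because its SQL text contains no interpolated expression.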
Language-specific checks:
pickle usage, yaml.load() without SafeLoader
eval(), innerHTML with user data
Metrics:
| Metric | P1 Threshold | P2 Threshold |
|---|---|---|
| Cyclomatic Complexity | >15 | >10 |
| Function Length | >100 lines | >50 lines |
| Nested Depth | >5 levels | >4 levels |
| Number of Parameters | >7 | >5 |
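As an added illustration (not the plugin's implementation), the sketch below computes the four metrics in the table for Python functions with the standard `ast` module and grades them against the P1/P2 thresholds. Cyclomatic complexity is approximated as one plus the number of decision points, and the function names are assumptions.

```python
import ast

# Thresholds copied from the metrics table: metric -> (P1 limit, P2 limit).
THRESHOLDS = {"cyclomatic": (15, 10), "length": (100, 50), "depth": (5, 4), "params": (7, 5)}
BRANCHES = (ast.If, ast.For, ast.While, ast.ExceptHandler, ast.IfExp, ast.comprehension)
NESTERS = (ast.If, ast.For, ast.While, ast.With, ast.Try)

def _depth(node, current=0):
    """Deepest nesting of block statements below node; an elif does not add a level."""
    deepest = current
    for child in ast.iter_child_nodes(node):
        is_elif = isinstance(node, ast.If) and isinstance(child, ast.If) and node.orelse == [child]
        step = 1 if isinstance(child, NESTERS) and not is_elif else 0
        deepest = max(deepest, _depth(child, current + step))
    return deepest

def measure(func):
    """Compute the four table metrics for one function definition node."""
    cyclomatic = 1
    for node in ast.walk(func):
        if isinstance(node, BRANCHES):
            cyclomatic += 1
        elif isinstance(node, ast.BoolOp):      # each extra and/or operand adds a path
            cyclomatic += len(node.values) - 1
    params = len(func.args.posonlyargs) + len(func.args.args) + len(func.args.kwonlyargs)
    return {"cyclomatic": cyclomatic, "length": func.end_lineno - func.lineno + 1,
            "depth": _depth(func), "params": params}

def grade(source):
    """Return (function, line, metric, value, severity) for every threshold exceeded."""
    findings = []
    funcs = [n for n in ast.walk(ast.parse(source)) if isinstance(n, (ast.FunctionDef, ast.AsyncFunctionDef))]
    for func in funcs:
        for metric, value in measure(func).items():
            p1, p2 = THRESHOLDS[metric]
            if value > p2:
                findings.append((func.name, func.lineno, metric, value, "P1" if value > p1 else "P2"))
    return findings

# Constructed sample: six parameters and five nested block levels.
SAMPLE = '''
def route(a, b, c, d, e, f):
    for x in a:
        if x and b:
            while c:
                with d:
                    if e or f:
                        return x
'''
```

Calling `grade(SAMPLE)` reports `route` at P2 for both nesting depth and parameter count, while its cyclomatic complexity and length stay under the thresholds.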
Refactoring suggestions:
Detection methods:
Safe removal criteria:
Tier 1 (Full support):
ast-grep, radon, pylint
ast-grep, eslint, jscpd
gocyclo, golangci-lint
clippy, cargo-audit
Tier 2 (Basic support):
Language detection:
Add to your workflow:
## Session Wrap-Up Checklist
- [ ] Run `/techdebt` to scan changes
- [ ] Address any P0 issues found
- [ ] Create tasks for P1/P2 items
- [ ] Commit clean code
Create .claude/hooks/pre-commit.sh:
#!/bin/bash
# Auto-run tech debt scan before commits
echo "🔍 Scanning for tech debt..."
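claude skill techdebt --quiet
status=$?
if [ "$status" -eq 1 ]; then
  echo "❌ P0 issues detected. Fix before committing."
  exit 1
elif [ "$status" -ne 0 ]; then
  # Any other non-zero status means the scan itself failed; do not report a clean result
  echo "❌ Tech debt scan did not complete (exit $status)."
  exit "$status"
fi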
echo "✅ No critical issues found"
Run deep scan on pull requests:
# .github/workflows/techdebt.yml
name: Tech Debt Check
on: [pull_request]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Run tech debt scan
        run: claude skill techdebt --deep --ci
Track debt over time:
# Initial baseline
/techdebt --deep --save-baseline
# Compare against baseline
/techdebt --compare-baseline
# Output: "Debt increased by 15% since baseline"
Baseline stored in .claude/techdebt-baseline.json:
{
  "timestamp": "2026-02-03T10:00:00Z",
  "commit": "a28f0fb",
  "score": 42,
  "findings": {
    "duplication": 8,
    "security": 0,
    "complexity": 12,
    "deadcode": 5
  }
}
Add project-specific patterns in .claude/techdebt-rules.json:
{
  "security": [
    {
      "pattern": "TODO.*security",
      "severity": "P0",
      "message": "Security TODO must be resolved"
    }
  ],
  "complexity": {
    "cyclomatic_threshold": 12,
    "function_length_threshold": 80
  }
}
/techdebt --format=json # JSON output for tooling
/techdebt --format=markdown # Markdown report (default)
/techdebt --format=sarif # SARIF for IDE integration
Issue: Scan times out
--deep only on smaller modules, or increase timeout
Issue: Too many false positives
.claude/techdebt-rules.json
--ignore-patterns flag to exclude test files
Issue: Missing dependencies (ast-grep, etc.)
npm install -g @ast-grep/cli or skip category
See also: