
audit · listed

Use when the user wants a security + performance audit of the Pinta Chrome extension. Walks the manifest, content scripts, service worker, message passing, WebSocket / HTTP layer, IndexedDB store, composite + screenshot pipeline, and Svelte 5 runes usage; produces a prioritized findings list with file:line refs and concrete fixes.
kevzlou7979/pinta · ★ 2 · AI & Automation · score 68
Install: claude install-skill kevzlou7979/pinta
# /audit

Audit the Pinta Chrome extension (`extension/`) for security and performance regressions. Output a tight findings report — severity, what, where (file:line), why it matters, and the concrete fix. Skip nitpicks that don't change behavior or cost.

## 0. Sanity check

You're auditing **Pinta's Chrome extension**, not the companion or the landing page. The relevant tree is `extension/src/`:

```
background/   service-worker.ts, screenshot.ts
content/      overlay.ts (entry), Overlay.svelte, selector.ts, capture.ts, Canvas.svelte, ElementEditor.svelte, CommentInput.svelte, tools/draw.ts, state.svelte.ts
lib/          state.svelte.ts, ws-client.ts, companions.ts, composite.ts, local-store.ts, url-patterns.ts, theme.svelte.ts, format-clipboard.ts
popup/        Popup.svelte + index.html
sidepanel/    App.svelte, AnnotationCard.svelte, SessionHistory.svelte, StatusPill.svelte, index.html
styles/       app.css
manifest.config.ts
tailwind.config.js
vite.config.ts
```

If a finding doesn't apply to the extension, drop it.

## 1. Auto-load Svelte 5 conventions

Before reviewing reactivity / runes / `$effect` usage, fetch Svelte's official AI guidance so your review aligns with current Svelte 5 idiom:

```
WebFetch https://svelte.dev/docs/ai/overview
WebFetch https://svelte.dev/llms-medium.txt (optional, large)
```

Pay attention to:

- `$state`, `$derived`, `$effect`, `$props`, `$bindable` semant