What it does

codebase-summary analyzes any codebase and produces structured output: a Mermaid architecture diagram, tech stack table, module map, and full API inventory.

npx skills add https://github.com/rta-lab/codebase-summary-skill \
  --skill codebase-summary

We built it because our VAPT platform needs agents to understand a codebase before they can assess it for vulnerabilities. A codebase summary is Phase 0 of any security assessment.

How it works

Three-phase parallel agent pipeline:

Phase 1 — Parallel research. Multiple agents launch concurrently, each mapping a different aspect: directory structure, tech stack, module dependencies. They run independently and return structured findings.

Phase 2 — Synthesis. A separate agent integrates all Phase 1 outputs into the final deliverables. It doesn’t read the codebase — it works only from verified findings.

Phase 3 — Validation. Does the Mermaid diagram parse? Do the file paths exist? Are the API endpoints real? Verification, not creation.

The agents that discover facts are never the agents that synthesize or validate them. Each phase has a different failure mode, and separating them means each can be caught independently.

Why the pattern matters

This isn’t specific to codebase analysis. Parallel discovery → synthesis → adversarial validation is a general pattern for any agent task that needs breadth, integration, and correctness. Cloudflare’s security-audit-skill uses the same decomposition. We use it again in the security assessment pipeline we’re building now.

The insight: decompose by cognitive mode (discover, synthesize, validate), not by data partition. Let discovery agents overlap. Keep synthesis strictly downstream. Make validation adversarial.

What’s next

The security assessment skill — a six-phase pipeline for automated vulnerability discovery — is in active development. Both skills are open source on Skills.sh and GitHub.

Links: Skills.sh · GitHub · Rta Labs