← 返回 Skills 市场
suhteevah

deadcode

作者 suhteevah · GitHub ↗ · v1.0.1 · MIT-0
darwinlinuxwin32 ⚠ suspicious
78
总下载
0
收藏
0
当前安装
2
版本数
在 OpenClaw 中安装
/install deadcode
功能描述
Dead code and unused export detector — scans JavaScript/TypeScript, Python, Go, Java, and CSS for dead code, orphan files, unused exports, and code cruft
使用说明 (SKILL.md)

\r \r

DeadCode -- Dead Code & Unused Export Detector\r

\r DeadCode scans source files for dead code, unused exports, orphan files, unreachable code paths, and code cruft across JavaScript/TypeScript, Python, Go, and CSS/SCSS. It uses regex-based pattern matching against 60+ dead code patterns, lefthook for git hook integration, and produces markdown reports with actionable cleanup recommendations.\r \r

Commands\r

\r

Free Tier (No license required)\r

\r

deadcode scan [file|directory]\r

One-shot dead code scan of files or directories.\r \r How to execute:\r

bash "\x3CSKILL_DIR>/scripts/deadcode.sh" scan [target]\r
```\r
\r
**What it does:**\r
1. Accepts a file path or directory (defaults to current directory)\r
2. Auto-detects language types (JavaScript/TypeScript, Python, Go, CSS/SCSS)\r
3. Finds all source files matching known patterns\r
4. Runs 60+ dead code patterns against each file\r
5. Runs file-level checks for orphan detection and structural issues\r
6. Calculates a dead code score (0-100) per file and overall\r
7. Outputs findings with: file, line number, check ID, severity, description, recommendation\r
8. Exit code 0 if score >= 70, exit code 1 if too much dead code found\r
9. Free tier limited to 5 source files per scan\r
\r
**Example usage scenarios:**\r
- "Scan my code for dead code" -> runs `deadcode scan .`\r
- "Check this file for unused exports" -> runs `deadcode scan src/utils.ts`\r
- "Find dead code in my Python project" -> runs `deadcode scan src/`\r
- "Are there orphan files in my repo?" -> runs `deadcode orphans .`\r
\r
### Pro Tier ($19/user/month -- requires DEADCODE_LICENSE_KEY)\r
\r
#### `deadcode hooks install`\r
Install git pre-commit hooks that scan staged source files before every commit.\r
\r
**How to execute:**\r
```bash\r
bash "\x3CSKILL_DIR>/scripts/deadcode.sh" hooks install\r
```\r
\r
**What it does:**\r
1. Validates Pro+ license\r
2. Copies lefthook config to project root\r
3. Installs lefthook pre-commit hook\r
4. On every commit: scans all staged source files for dead code, blocks commit if critical/high findings, shows cleanup advice\r
\r
#### `deadcode hooks uninstall`\r
Remove DeadCode git hooks.\r
\r
```bash\r
bash "\x3CSKILL_DIR>/scripts/deadcode.sh" hooks uninstall\r
```\r
\r
#### `deadcode report [directory]`\r
Generate a markdown dead code report with findings, severity breakdown, and cleanup steps.\r
\r
```bash\r
bash "\x3CSKILL_DIR>/scripts/deadcode.sh" report [directory]\r
```\r
\r
**What it does:**\r
1. Validates Pro+ license\r
2. Runs full scan of the directory\r
3. Generates a formatted markdown report from template\r
4. Includes per-file breakdowns, dead code scores, cleanup priority\r
5. Output suitable for code reviews and tech debt tracking\r
\r
#### `deadcode orphans [directory]`\r
Find orphan files that are never imported or referenced by any other file.\r
\r
```bash\r
bash "\x3CSKILL_DIR>/scripts/deadcode.sh" orphans [directory]\r
```\r
\r
**What it does:**\r
1. Validates Pro+ license\r
2. Builds an import/reference graph across all source files\r
3. Identifies files that are never imported/required/referenced\r
4. Excludes entry points (index files, main files, test files, config files)\r
5. Reports orphan files with confidence levels\r
\r
### Team Tier ($39/user/month -- requires DEADCODE_LICENSE_KEY with team tier)\r
\r
#### `deadcode ignore [pattern]`\r
Manage ignore rules for dead code detection.\r
\r
```bash\r
bash "\x3CSKILL_DIR>/scripts/deadcode.sh" ignore [pattern]\r
```\r
\r
**What it does:**\r
1. Validates Team+ license\r
2. Adds/removes patterns to the ignore list in ~/.openclaw/openclaw.json\r
3. Patterns can be file globs or check IDs\r
4. Supports per-project and global ignore rules\r
\r
#### `deadcode sarif [directory]`\r
Generate SARIF output for CI/CD integration.\r
\r
```bash\r
bash "\x3CSKILL_DIR>/scripts/deadcode.sh" sarif [directory]\r
```\r
\r
**What it does:**\r
1. Validates Team+ license\r
2. Runs full scan of the directory\r
3. Outputs findings in SARIF v2.1.0 format\r
4. Compatible with GitHub Code Scanning, Azure DevOps, and other CI systems\r
5. Includes rule definitions, locations, and severity mappings\r
\r
#### `deadcode status`\r
Show license and configuration information.\r
\r
```bash\r
bash "\x3CSKILL_DIR>/scripts/deadcode.sh" status\r
```\r
\r
## Detected Dead Code Patterns\r
\r
DeadCode detects 60+ dead code patterns across 5 language categories:\r
\r
| Category | Examples | Severity |\r
|----------|----------|----------|\r
| **JavaScript/TypeScript** | Unused exports, console.log left in code, commented-out blocks, unreachable code after return/throw, empty function bodies, unused variables, dead switch cases, deprecated markers, empty catch blocks | Critical/High |\r
| **Python** | Functions defined but never called, unused imports, pass-only bodies, commented-out code, dead code after return/raise, __all__ mismatches, empty except blocks | Critical/High |\r
| **Go** | Unused imports, unexported dead functions, dead code after return/panic, empty function bodies, commented-out code, empty init() functions | High/Medium |\r
| **CSS/SCSS** | Unused CSS classes/IDs, empty rule blocks, duplicate selectors, commented-out styles, !important overuse, unused CSS variables, empty media queries, vendor prefixes | Medium/Low |\r
| **General** | Orphan files, large comment blocks, TODO/FIXME density, debug/test code in production, placeholder text, feature flag remnants | High/Medium |\r
\r
## Configuration\r
\r
Users can configure DeadCode in `~/.openclaw/openclaw.json`:\r
\r
```json\r
{\r
  "skills": {\r
    "entries": {\r
      "deadcode": {\r
        "enabled": true,\r
        "apiKey": "YOUR_LICENSE_KEY_HERE",\r
        "config": {\r
          "severityThreshold": "high",\r
          "ignorePatterns": ["**/test/**", "**/fixtures/**", "**/*.spec.*"],\r
          "ignoreChecks": [],\r
          "reportFormat": "markdown"\r
        }\r
      }\r
    }\r
  }\r
}\r
```\r
\r
## Important Notes\r
\r
- **Free tier** works immediately with no configuration\r
- **All scanning happens locally** -- no code is sent to external servers\r
- **License validation is offline** -- no phone-home or network calls\r
- Pattern matching only -- no AST parsing, no external dependencies\r
- Supports scanning multiple language types in a single pass\r
- Git hooks use **lefthook** which must be installed (see install metadata above)\r
- Exit codes: 0 = clean (score >= 70), 1 = too much dead code (for CI/CD integration)\r
\r
## Error Handling\r
\r
- If lefthook is not installed and user tries `hooks install`, prompt to install it\r
- If license key is invalid or expired, show clear message with link to https://deadcode.pages.dev/renew\r
- If a file is binary, skip it automatically with no warning\r
- If no source files found in target, report clean scan with info message\r
- If language type cannot be determined, skip the file gracefully\r
\r
## When to Use DeadCode\r
\r
The user might say things like:\r
- "Scan my code for dead code"\r
- "Find unused exports in my project"\r
- "Are there orphan files in my repo?"\r
- "Check for unreachable code"\r
- "Find commented-out code blocks"\r
- "Detect unused imports in my Python code"\r
- "Generate a dead code report"\r
- "Set up pre-commit hooks for dead code detection"\r
- "Check for console.log statements left in production"\r
- "Find empty function bodies"\r
- "Are there any unused CSS classes?"\r
- "Scan for TODO/FIXME comments"\r
- "Find placeholder code"\r
- "Check for debug code left in production"\r
- "Generate SARIF output for my CI pipeline"\r
安全使用建议
This skill is internally consistent with a local dead-code scanner. Before installing: (1) review the included scripts (scripts/*.sh) yourself — pre-commit hooks will source these files on every commit and can run arbitrary shell commands; (2) be aware that installing hooks will add/modify lefthook.yml in your repo and call `lefthook install`; (3) Pro/Team features require a JWT-style license key (DEADCODE_LICENSE_KEY) which the skill stores and reads from ~/.openclaw/openclaw.json or the environment; if you set CLAWHUB_JWT_SECRET you enable local signature verification; (4) Homebrew will be used to install lefthook. If you trust the skill source and inspect the hook content, it's reasonable to proceed. If you do not trust the source, do not install the hooks and inspect the scripts before running scans.
功能分析
Type: OpenClaw Skill Name: deadcode Version: 1.0.1 The skill bundle contains multiple command injection vulnerabilities in 'scripts/deadcode.sh' and 'scripts/license.sh'. Specifically, the 'do_ignore_add' and 'extract_field' functions unsafely interpolate user-provided patterns and decoded JWT payloads into Python and Node.js one-liners, which could allow for arbitrary code execution. While the tool's core functionality (scanning source code for dead patterns and managing git hooks via 'lefthook') is consistent with its stated purpose, the lack of input sanitization in these high-risk operations poses a significant security risk.
能力标签
requires-sensitive-credentials
能力评估
Purpose & Capability
Name/description match the code: bash-based pattern scanner, language detection, report generation, and optional hook integration. Requested binaries (git, bash, python3, jq) and the lefthook brew formula are directly used by the scripts and align with the advertised features.
Instruction Scope
Runtime instructions and scripts operate locally (find/grep/awk/sed) and perform scanning, report generation, and installation/removal of lefthook hooks. They read and write ~/.openclaw/openclaw.json for license/config and will copy lefthook.yml into repo roots and run lefthook install—expected for pre-commit integration but notable because it modifies repo-level files and causes scripts to execute on each commit.
Install Mechanism
Install step is a single Homebrew formula (lefthook). No network downloads from arbitrary URLs or extracted archives are used; scripts are provided in the skill bundle. This is a low-risk install mechanism consistent with the stated purpose.
Credentials
Primary credential DEADCODE_LICENSE_KEY is justified by the Pro/Team features documented; the scripts also read/write ~/.openclaw/openclaw.json to persist keys and ignores (this path is declared in the SKILL metadata). One optional environment variable (CLAWHUB_JWT_SECRET) is referenced in license verification for signature checking but is not required — it only enables stronger local token verification when set.
Persistence & Privilege
always:false and model invocation are normal. The only persistence is writing/reading ~/.openclaw/openclaw.json (to store apiKey/ignore rules) and optionally adding lefthook.yml to repositories — both are appropriate for this skill but do modify user config and project files. Installing hooks will cause the skill's scripts to be sourced during commits.
如何使用
  1. 确保已安装 OpenClaw(本地或 Docker 部署)
  2. 在对话框中输入安装命令:/install deadcode
  3. 安装完成后,直接呼叫该 Skill 的名称或使用 /deadcode 触发
  4. 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.1
Fix: declare all deps, JWT verification, configPaths
v1.0.0
- Initial release of DeadCode, a dead code and unused export detector for JavaScript/TypeScript, Python, Go, Java, and CSS. - Supports free tier features: one-shot scans for dead code, unused exports, orphan files, and code cruft using 60+ pattern checks. - Pro tier adds git pre-commit hooks, detailed markdown reports, and advanced orphan file detection. - Team tier introduces ignore rule management, SARIF output for CI integration, and license/config status commands. - Scans are local-only, require no network calls, and support multiple languages in a single pass. - Integration with lefthook for git hook automation (requires git and bash).
元数据
Slug deadcode
版本 1.0.1
许可证 MIT-0
累计安装 0
当前安装数 0
历史版本数 2
常见问题

deadcode 是什么?

Dead code and unused export detector — scans JavaScript/TypeScript, Python, Go, Java, and CSS for dead code, orphan files, unused exports, and code cruft. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 78 次。

如何安装 deadcode?

在 OpenClaw 或 Claude Code 对话框中运行命令「/install deadcode」即可一键安装,无需额外配置。

deadcode 是免费的吗?

是的,deadcode 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。

deadcode 支持哪些平台?

deadcode 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(darwin, linux, win32)。

谁开发了 deadcode?

由 suhteevah(@suhteevah)开发并维护,当前版本 v1.0.1。

推荐 Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191113 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 留言讨论