The free /roast skill
Audit your repo in 60 seconds without leaving Claude Code. Add --url for axe-core, Lighthouse + screenshots. Same methodology as the $19 audit. Open source.
git clone --depth 1 https://github.com/janderswag/roast-skill ~/.claude/skills/roast
Then in any repo, in Claude Code: /roast
What you get
6 modules. Real findings. Cited evidence.
The Roast
The Technical Simon Cowell paragraph that put R&R on the map — applied to your README, marketing copy in components, and code intent. Built for the Twitter screenshot.
Security + exposed-key scan
Three deterministic verifiers feed this module — semgrep (OWASP / framework AST patterns), gitleaks (secrets in git history), and dep-audit (lockfile CVEs + misplaced build tools). Plus LLM analysis for issues no verifier can model. Every finding cites file:line and rule ID.
Architecture + scale-ceiling review
Reads your actual code paths, identifies bottlenecks, flags the moment your platform breaks at higher load.
Customer flow from source
Traces signup, checkout, and onboarding paths through your routes and components. Surfaces friction the LLM can see in the code.
Growth readiness (code-derived)
Sitemap, structured data, analytics wiring, share metadata, SEO surface. What your repo says about your acquisition surface.
Founder briefing (top-3 priorities)
Synthesizes the other 5 modules into the 3 things to fix this week, in the same voice as the paid audit.
Add --url for the live audit
Pass a live URL and the skill loads it in headless Chromium, runs real verifiers against the rendered page, and captures screenshots. The flag IS the explicit opt-in to outbound network — default /roast stays local-only.
/roast --url https://your-deploy.com
Real axe-core a11y findings
axe.min.js is bundled and injected into the rendered page. Real WCAG violations against your actual DOM — not source-code guesses.
Lighthouse Core Web Vitals via PSI
LCP, CLS, TBT, FCP + Performance/Accessibility/Best-Practices/SEO scores. Set ROAST_PSI_API_KEY for higher quota.
Live browser audit
Console errors, uncaught exceptions, failed network requests, missing security headers (CSP, HSTS, X-Frame, etc.) on your main document.
Viewport + full-page screenshots
Saved to /tmp/roast-<timestamp>/. Claude reads them with vision so you get narration on what your live site actually looks like.
First --url run lazy-installs playwright-chromium (~200MB) to ~/.claude/skills/roast/runner/.live-cache/ — one-time, ~30s. Subsequent runs are fast.
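The header checks the live-browser module runs on the main document, written out as an added example. This is not the skill's own verifier: the rule ids follow the page's "security-header/missing/<name>" shape, but the weak-value rules (CSP with 'unsafe-inline' and no nonce, HSTS max-age under 180 days), the severities, the nosniff check and the optional CORS probe (pass the Origin you sent, so an echoed origin with credentials can be spotted) are assumptions of this example. The header sets at the bottom are constructed, not captured from a real site.

```javascript
// Added example, not the skill's live-browser verifier. Input is the header map
// of one response; names are matched case-insensitively.
function cspDirective(csp, name) {
  for (const part of csp.split(";")) {
    const tokens = part.trim().split(/\s+/);
    if (tokens[0] && tokens[0].toLowerCase() === name) return tokens.slice(1).join(" ").toLowerCase();
  }
  return null;
}

function auditHeaders(rawHeaders, { requestOrigin = null } = {}) {
  const h = {};
  for (const [k, v] of Object.entries(rawHeaders)) h[k.toLowerCase()] = String(v);
  const findings = [];
  const add = (severity, rule, detail) => findings.push({ severity, rule, detail });

  const csp = h["content-security-policy"];
  if (!csp) add("MEDIUM", "security-header/missing/content-security-policy", "no CSP on main document");
  else {
    const script = cspDirective(csp, "script-src") ?? cspDirective(csp, "default-src") ?? "";
    // CSP3 browsers ignore 'unsafe-inline' once a nonce or hash is present, so only flag it alone
    if (script.includes("'unsafe-inline'") && !/'(nonce-|sha(256|384|512)-)/.test(script))
      add("MEDIUM", "security-header/weak/csp-unsafe-inline-script", "script-src allows inline scripts");
    if (script.includes("'unsafe-eval'")) add("LOW", "security-header/weak/csp-unsafe-eval", "script-src allows eval()");
    if (/(^|\s)(\*|https?:)(\s|$)/.test(script)) add("MEDIUM", "security-header/weak/csp-wildcard-script", "script-src allows any origin");
  }

  const hsts = h["strict-transport-security"];
  if (!hsts) add("MEDIUM", "security-header/missing/strict-transport-security", "no HSTS");
  else {
    const m = /max-age=(\d+)/i.exec(hsts);
    if (!m || Number(m[1]) < 15552000) add("LOW", "security-header/weak/hsts-max-age", "max-age below 180 days");
  }

  // Either header stops framing; CSP frame-ancestors supersedes X-Frame-Options where both exist
  if (!h["x-frame-options"] && !(csp && cspDirective(csp, "frame-ancestors")))
    add("MEDIUM", "security-header/missing/x-frame-options", "no X-Frame-Options and no CSP frame-ancestors");
  if (!h["referrer-policy"]) add("LOW", "security-header/missing/referrer-policy", "no Referrer-Policy");
  if ((h["x-content-type-options"] || "").toLowerCase() !== "nosniff")
    add("LOW", "security-header/missing/x-content-type-options", "no nosniff");

  const acao = h["access-control-allow-origin"];
  const credentials = (h["access-control-allow-credentials"] || "").toLowerCase() === "true";
  if (acao === "*") add("MEDIUM", "cors/wildcard-origin", "Access-Control-Allow-Origin: * on main document");
  else if (acao && requestOrigin && acao === requestOrigin && credentials)
    add("HIGH", "cors/reflected-origin-with-credentials", `origin ${requestOrigin} echoed with credentials`);
  return findings;
}

function missingHeaderCount(findings) {
  return findings.filter((f) => f.rule.startsWith("security-header/missing/")).length;
}

// Constructed header sets (not captured from a real site).
const BARE_RESPONSE = {
  "Content-Type": "text/html; charset=utf-8",
  "Access-Control-Allow-Origin": "*",
};
const HARDENED_RESPONSE = {
  "Content-Type": "text/html; charset=utf-8",
  "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; frame-ancestors 'none'",
  "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
  "Referrer-Policy": "strict-origin-when-cross-origin",
  "X-Content-Type-Options": "nosniff",
};
```

Run it against the headers of your own main document (curl -sI is enough) and it reports the same five missing headers the sample audit below lists, plus the wildcard CORS. The reflected-origin rule only fires when you tell the function which Origin you sent; a single response cannot prove reflection on its own.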
Run it again. See only what changed.
v0.7 makes /roast re-run aware. Fix something, run it again, and the skill tells you exactly what moved — all from a local .roast/ folder next to .git/. Nothing uploaded.
--delta — see only what changed
Re-run after a fix and the skill diffs against your last run — a one-line summary like "3 new · 12 persisted · 2 regressed · 1 improved · 4 fixed". The baseline lives in a local .roast/ folder; nothing is uploaded.
--triage — silence a finding for good
Disagree with a finding? Run /roast --triage <signature>=wont-fix and it stays quiet on every future run. The status persists in .roast/triage.json — no editing source to mute a check you've already judged.
Stable signatures + trust boundaries
Every finding gets a deterministic 16-char signature (survives reworded messages + severity bumps) and trust-boundary tags — user-input, secrets, auth, network, and 7 more. That's the spine that makes dedup, triage, and delta reliable.
What it doesn't do
Six things the free skill genuinely can't reach without R&R's server-side pipeline. Listed honestly so you know what you're getting before you install.
Competitor teardown
Needs web search + competitor URL fetch + cross-site analysis pipeline.
90-day founder roadmap
Synthesis tier reserved for the $19 audit. Free skill stops at top-3 priorities.
Multi-page crawl with SSRF-hardened fetcher
Free skill audits a single URL. Crawling your site needs the production fetcher, which blocks RFC 1918 ranges and cloud-metadata endpoints such as 169.254.169.254 so that a page on your site can't point the crawler at the pipeline's own network.
Server-side history + regression alerts
v0.7's --delta diffs against your last local run. Cross-run trend history and automated score-regression alerts need the paid audit-history DB + the Co-Pilot tier.
$5 re-audits + share-to-earn referral loop
Re-audit pricing + ?via=<projectId> referral ledger live in the paid pipeline.
Founder Briefing Loom (Founder Briefing tier)
5-8 min async walkthrough from Jake personally. Requires a human; that's the $199 tier.
These ship in the $19 Full Project Audit. See the paid audit →
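What "SSRF-hardened fetcher" has to mean in practice, as an added example that is not the paid pipeline's code: an address gate applied to every resolved address before a socket is opened, and again on every redirect hop, so a crawled page cannot steer the crawler into the host's own network or the cloud metadata service. Which ranges the production fetcher actually blocks is an assumption; this gate refuses RFC 1918, loopback, link-local (169.254.169.254 is the AWS/GCP/Azure metadata address), shared address space, IPv6 ULA and link-local, and IPv4-mapped IPv6 in both spellings. It fails closed, so "2130706433", "0x7f.0.0.1" or "0177.0.0.1" are refused rather than parsed.

```javascript
// Added example, not the roastrebuild.com fetcher.
const BLOCKED_V4 = [
  ["10.0.0.0", 8], ["172.16.0.0", 12], ["192.168.0.0", 16], // RFC 1918
  ["127.0.0.0", 8],    // loopback
  ["169.254.0.0", 16], // link-local, incl. the metadata endpoint
  ["100.64.0.0", 10],  // shared address space; some clouds serve metadata here
  ["0.0.0.0", 8],      // "this" network; 0.0.0.0 reaches localhost on Linux
  ["224.0.0.0", 4], ["240.0.0.0", 4], // multicast, reserved, broadcast
];

// Strict dotted quad only: no octal, hex or shorthand forms.
function ipv4ToInt(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^(0|[1-9]\d{0,2})$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

function inCidr(ipInt, [base, bits]) {
  const mask = (0xffffffff << (32 - bits)) >>> 0;
  return ((ipInt & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
}

// Expand an IPv6 literal to eight numeric hextets, or null if malformed.
function expandV6(a) {
  const halves = a.split("::");
  if (halves.length > 2) return null;
  const head = halves[0] ? halves[0].split(":") : [];
  const tail = halves[1] ? halves[1].split(":") : [];
  if (halves.length === 2 ? head.length + tail.length > 7 : head.length !== 8) return null;
  const hex = [...head, ...Array(8 - head.length - tail.length).fill("0"), ...tail];
  if (!hex.every((x) => /^[0-9a-f]{1,4}$/.test(x))) return null;
  return hex.map((x) => parseInt(x, 16));
}

// true when the address must not be contacted; anything unparseable is blocked.
function isBlockedAddress(addr) {
  const a = String(addr).trim().toLowerCase().replace(/^\[|\]$/g, "");
  if (!a.includes(":")) {
    const n = ipv4ToInt(a);
    return n === null || BLOCKED_V4.some((range) => inCidr(n, range));
  }
  const dottedMapped = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/.exec(a); // ::ffff:127.0.0.1
  if (dottedMapped) return isBlockedAddress(dottedMapped[1]);
  const h = expandV6(a);
  if (!h) return true;
  if (h.slice(0, 5).every((x) => x === 0) && h[5] === 0xffff) { // ::ffff:7f00:1
    return isBlockedAddress(`${h[6] >> 8}.${h[6] & 255}.${h[7] >> 8}.${h[7] & 255}`);
  }
  if (h.slice(0, 7).every((x) => x === 0) && h[7] <= 1) return true; // :: and ::1
  if ((h[0] & 0xffc0) === 0xfe80) return true; // link-local fe80::/10
  if ((h[0] & 0xfe00) === 0xfc00) return true; // unique local fc00::/7
  if ((h[0] & 0xff00) === 0xff00) return true; // multicast ff00::/8
  return false;
}

// Gate one fetch: http(s) only, no loopback hostnames, every resolved address
// must pass. Connect to the address you checked, not to the hostname again,
// or a DNS rebind between check and connect undoes the whole gate.
function assertFetchable(urlString, resolvedAddresses) {
  const url = new URL(urlString);
  if (url.protocol !== "http:" && url.protocol !== "https:") throw new Error(`refused scheme ${url.protocol}`);
  const host = url.hostname.toLowerCase();
  if (host === "localhost" || host.endsWith(".localhost")) throw new Error("refused localhost");
  if (!resolvedAddresses.length) throw new Error(`no addresses for ${host}`);
  for (const addr of resolvedAddresses) {
    if (isBlockedAddress(addr)) throw new Error(`refused ${host} -> ${addr}`);
  }
  return true;
}
```

The resolved addresses are passed in rather than looked up here so the gate can be tested offline; in a real fetcher they come from dns.lookup with { all: true } and the connection is pinned to the address that passed, with redirects re-resolved and re-gated.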
What the output looks like
Real shape, real voice. Not a mockup.
$ claude
> /roast --url https://your-deploy.com --export-json --export-yes
[detecting stack...]
✓ Next.js 14.2.35 + TypeScript + Drizzle ORM + Stripe
✓ 47 source files in scope (excludes node_modules, .next)
✓ Auth: passport-jwt + iron-session
✓ Payments: Stripe Checkout + webhooks
✓ Deploy target: Vercel (next.config.mjs)
✓ Git: ad7c1e2 on main (clean)
[project shape: web-app]
✓ Dispatching: Roast + Security + Architecture + Customer Flow + Growth + Founder Briefing
[verifiers running: semgrep + gitleaks + dep-audit + live-browser + live-lighthouse (live URL: https://your-deploy.com)...]
✓ 18 findings (3 HIGH, 8 MEDIUM, 7 LOW) across 5 verifiers
HIGH semgrep / stripe-webhook-no-signature-verify
app/api/webhooks/stripe/route.ts:24
HIGH gitleaks / aws-access-token
.env.backup:3 (commit fedcba9)
HIGH dep-audit / known-vuln/jsonwebtoken (CVE-2022-23529)
package.json — jsonwebtoken@8.5.1, fixed in 9.0.0
MEDIUM live-lighthouse / largest-contentful-paint
your-deploy.com — 6.4 s (Web Vitals threshold: 2.5 s)
MEDIUM live-browser / axe/color-contrast
your-deploy.com — button.cta-primary (3 occurrences)
MEDIUM live-browser / security-header/missing/content-security-policy
your-deploy.com — no CSP header on main document
+ 12 more
✓ screenshots saved: /tmp/roast-1736294817-https-your-deploy-com/
[6 modules dispatching in parallel...]
✓ Roast done
✓ Security score 6/10
✓ Architecture score 7/10
✓ Customer Flow score 5/10
✓ Growth score 4/10
✓ Founder Briefing done
Total: 78s wall-clock. No extra charge on Claude Pro/Max.
────────────────────────────────────────────────────
THE ROAST
Your README opens with "A modern, scalable platform
for AI-native teams." Modern, scalable, and platform
are the three most forgettable words in tech. Your
H1 in app/page.tsx says "Build faster with AI" —
which is what every other shovel-seller in this gold
rush says. You're not selling AI. You're selling a
webhook router with a chat sidebar. Say that. The
Stripe webhook handler has no signature verification
(app/api/webhooks/stripe:24) and the primary CTA
button on your live homepage fails WCAG contrast at
2.6:1 (live-browser caught it). The product is real;
the storefront and the code-shipped wall keep tripping
each other.
────────────────────────────────────────────────────
SECURITY (6/10)
Three HIGH findings, all verifier-confirmed:
• Stripe webhook accepts any POST body without
signature verification. Anyone who knows your
endpoint URL can submit fake checkout.session
completed events. (semgrep / stripe-webhook-
no-signature-verify, app/api/webhooks/stripe:24)
Fix: stripe.webhooks.constructEvent(rawBody, sig,
secret) before any DB writes.
• AWS access key committed to .env.backup in commit
fedcba9. (gitleaks / aws-access-token)
Fix: rotate the credential immediately; remove from
git history with git-filter-repo or BFG.
• jsonwebtoken@8.5.1 is vulnerable to CVE-2022-23529
(unsafe handling of the secretOrPublicKey argument in
jwt.verify(); the 9.0.0 release also closes the
related algorithm-confusion advisories). (dep-audit /
known-vuln/jsonwebtoken)
Fix: upgrade to >=9.0.0 and pass an explicit
algorithms list at every jwt.verify() call site.
Plus 4 missing security headers on your live document
(CSP, HSTS, X-Frame-Options, Referrer-Policy — all
caught by live-browser) and 1 MEDIUM wildcard CORS
issue.
────────────────────────────────────────────────────
ARCHITECTURE (7/10)
You hit your first wall around 5k concurrent users.
SQLite + Drizzle on a single Vercel function won't
sustain >50 writes/sec. Your audit_log table is the
choke point — every /api/event call writes a row.
Migration path: move to Postgres (Neon or Supabase),
push audit log writes to a queue (Inngest or Upstash
QStash). 2-3 weeks of work; do it before $5k MRR.
Other smells: components/Dashboard.tsx is a
1,407-line monolith. Three /api routes duplicate the
same Stripe price lookup logic — extract to
lib/stripe/prices.ts. lib/db/index.ts opens a fresh
Drizzle connection per request (no pooling).
────────────────────────────────────────────────────
CUSTOMER FLOW (5/10)
Live axe-core findings against the rendered page:
• [axe/color-contrast] button.cta-primary fails WCAG
on your homepage — white-on-orange-500 reads at
2.6:1, needs 4.5:1. Affects every "Sign up" CTA.
Fix: bg-orange-600 is still short (about 3.6:1 on
white with Tailwind's default palette); bg-orange-700
clears 4.5:1.
• [axe/image-alt] 7 <img> tags above the fold are
missing alt text. Screen-reader users hit a blank
wall.
Plus from-source flow review: signup → first value
is 6 clicks. Two of those clicks are the "what's
your role" form with 11 dropdown options where 7
are paraphrases of the same answer ("Founder", "CEO",
"Solo founder", "Indie hacker", "Bootstrapped
founder", "Pre-revenue founder", "YC founder"). Cut
to 3 broad buckets or drop it.
No in-product upgrade prompts. No Free → Pro path
anywhere outside the standalone /pricing page. You
have a leaky bucket on top of a contrast failure.
────────────────────────────────────────────────────
GROWTH (4/10)
Live Lighthouse via PageSpeed Insights:
Performance 42 / 100 (poor)
Accessibility 78 / 100 (low)
Best Practices 92 / 100 ✓
SEO 88 / 100 (low)
LCP 6.4 s (poor — good ≤ 2.5 s)
CLS 0.18 (needs improvement)
TBT 380 ms (needs improvement)
FCP 2.5 s (needs improvement)
The LCP is killing both the user experience and the
SEO surface — Core Web Vitals are a ranking signal
now. Largest culprit: a 2.8 MB uncompressed hero
image. WebP + lazy-load below the fold cuts it to
~3 s with no other work.
No sitemap.xml. Missing JSON-LD on /pricing and
/features. No analytics — not PostHog, not Plausible,
not Google. You can't fix what you can't measure.
────────────────────────────────────────────────────
FOUNDER BRIEFING
You're a 1-2 person team shipping fast on a real
product idea. The work shows it. The storefront
doesn't. Three security HIGHs will get you on a
disclosure list if anyone scrapes for them — the AWS
key is already public, the Stripe webhook is one
curl from free credits, and the JWT upgrade is one
package.json line. A 2.6:1 contrast on your own CTA
is the screenshot that ships you. And the live LCP
is 6.4 s on a homepage selling speed.
Good news: every single finding here is a
one-week-or-less fix. None require rearchitecting.
Order matters more than scope.
────────────────────────────────────────────────────
TOP-3 PRIORITIES (ordered by what costs you most)
1. [CRITICAL] Rotate the leaked AWS key + verify the
Stripe webhook signature.
.env.backup:3 (commit fedcba9) +
app/api/webhooks/stripe/route.ts:24
The AWS key is on the public internet whether
you've noticed or not; the webhook gap lets any IP
provision paid features for free. The key is one
rotation away from contained (then read CloudTrail
for what it was used for); the webhook is one
constructEvent() call away. Both happen tonight.
2. [HIGH] Your $19 CTA button fails the a11y check
your product sells.
button.cta-primary on the live homepage
axe-core flagged 2.6:1 contrast on the white-on-
orange-500 button. The tool that audits for a11y
failing its own a11y check is the screenshot that
runs through your own tool.
Fix: swap to bg-orange-700 (orange-600 stays under
4.5:1 on white).
3. [HIGH] LCP 6.4 s on your live homepage.
live-lighthouse / largest-contentful-paint
PSI Lighthouse: 42 / 100 performance, LCP 6.4 s vs
the 2.5 s "good" threshold. Largest culprit: a 2.8
MB uncompressed hero image.
Fix: WebP it + lazy-load below the fold; you're at
~3 s with no other work.
────────────────────────────────────────────────────
[ready to export roast.json]
────────────────────────────────────────────────────
Ready to export roast.json → ./roast.json
────────────────────────────────────────────────────
What we'd send to roastrebuild.com:
18 findings
7 file paths (basenames + line numbers only)
1 redacted secret evidence snippet
11 code evidence snippets (max 412 chars each)
What we'd NOT send:
✗ no full filesystem paths (only basename of cwd)
✗ no raw source code beyond ≤500-char snippets
✗ no environment variables, secrets, or credentials
✗ no screenshots (kept local in /tmp/, never uploaded)
✗ no authentication, no API keys, no telemetry
Claim code (pre-generated): RST-K7N4P2QH
Audit URL: https://your-deploy.com/
Git: ad7c1e2 on main
→ --export-yes flag passed; skipping interactive confirmation
────────────────────────────────────────────────────
✓ Exported to ./roast.json (3.4 KB)
Your claim code: RST-K7N4P2QH
Expires in 30 days.
────────────────────────────────────────────────────
Pay $19 to unlock the full audit + 90-day roadmap:
── Option 1: curl (instant) ──
curl -X POST https://www.roastrebuild.com/api/audit/from-skill \
-H 'Content-Type: application/json' \
-d @./roast.json
── Option 2: scan QR with your phone ──
[terminal QR code rendered here — scan to open /resume on mobile]
→ https://www.roastrebuild.com/resume?c=RST-K7N4P2QH
── Option 3: visit /resume and paste ──
https://www.roastrebuild.com/resume
Code: RST-K7N4P2QH
How we protect you
Free dev tools have a trust problem. We solved it by not having the failure modes other tools do.
Open source, MIT license
Every line of methodology is in a single SKILL.md you can read before installing. github.com/janderswag/roast-skill — public from day one.
Never sees your API key
Runs inside your existing Claude Code session and uses that auth. The skill never reads, stores, or transmits your Anthropic key.
Zero outbound network calls by default
Without --url, the audit runs entirely on your machine. No POSTs to roastrebuild.com. Passing --url IS the explicit opt-in: the runner then downloads playwright-chromium on first use, loads your URL in headless Chromium, and calls Google PSI. The export to roastrebuild.com only happens when you run the curl or paste the claim code yourself. Nothing else ever calls home.
Findings stay on your disk
Your code, your repo names, your findings — they don't leave your environment. We see nothing.
Want more?
The free skill is the entry. Three upgrade paths when you want depth, recurrence, or me personally.
Ready when you are.
30 seconds to install. 60 seconds to first finding.
git clone --depth 1 https://github.com/janderswag/roast-skill ~/.claude/skills/roast
Then in any repo, in Claude Code: /roast
Read the methodology before you install: github.com/janderswag/roast-skill