MageSmith

Magento 2 Code Audit

LLM-powered audits that surface real issues in your Magento module in minutes.

Magento 2 Code Audit screenshot

What Magento 2 Code Audit does

  • Paste a class, upload a ZIP/tar.gz, or submit a module folder — we extract .php, .phtml, and key etc/*.xml files automatically
  • Severity-ranked findings — critical, error, warning, info — each with file:line pointer and recommended fix
  • Marketplace readiness score (0-100) computed from EQP-category findings — flags Mage:: usage, deprecated install scripts, raw shell exec, eval/base64 patterns, and other automatic-rejection triggers before you submit
  • Magento anti-pattern detection: direct ObjectManager usage, deprecated API calls, missing DI, layout XML referencing non-existent blocks
  • Security checks: CSRF-skip annotations, raw SQL with user input, session fixation risks, missing ACL on admin routes
  • Performance checks: N+1 collection loads, unbatched INSERTs, missing indexes on common WHERE columns, eager loads that should be lazy
  • Bring your own Anthropic API key — your audits, your bill, your data retention preferences

How it works

1. Drop your module

Paste a class directly, upload a ZIP/tar.gz of the module, or link a folder path. Max 10 MB compressed, 2 MB per file, 500 files.

2. Audit

Runs Claude against your code with a Magento-tuned system prompt. Takes 30–90 seconds for a small module.

3. Review findings

Sorted by severity. Each finding shows the file and line, the issue in plain English, and a suggested fix you can apply.

Frequently asked about Magento 2 Code Audit

How is my code handled?

It's sent to Anthropic only when you explicitly click Audit. The code isn't persisted server-side beyond the request — only a summary of findings is saved to your history.

Can I use my own Anthropic API key?

Yes. Set it in Settings → Anthropic Key. If you haven't set one, the audit falls back to the server key for light free-tier use.

What file types are scanned?

PHP (.php), PHTML templates (.phtml), and key Magento config XMLs (di.xml, events.xml, module.xml, acl.xml, webapi.xml, crontab.xml). JavaScript and CSS are intentionally excluded for now.

How long does it take?

30–90 seconds for a small module (under 50 files). Larger modules are chunked and aggregated — expect a minute or two.

Does this catch Magento Marketplace EQP issues?

Yes — the audit ships with a dedicated EQP rule pack (Mage:: usage, deprecated InstallSchema/UpgradeData scripts, raw shell exec, eval/base64 obfuscation, direct $_SESSION access, etc.) tagged Category=eqp. The summary shows a 0-100 Marketplace readiness score so you can see at a glance whether a submission would clear Adobe's static gate. Final EQP review is still done by Adobe; this surfaces the static-rule blockers up front.
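To make the rule pack, the severity-ranked file:line findings and the EQP-only readiness score from the feature list and this answer concrete, here is an added illustration that is not MageSmith's own code: a handful of line-level regex rules tagged with severity and category, run over a constructed two-file module. The regexes, the category names and the score weights are assumptions, not the hosted tool's rules.

```python
import re
from dataclasses import dataclass

SEVERITY_RANK = {"critical": 0, "error": 1, "warning": 2, "info": 3}
EQP_PENALTY = {"critical": 25, "error": 10, "warning": 5, "info": 0}  # assumed weights

# Illustrative rule pack (severity, category, line regex, message with fix); not the tool's own rules.
RULES = [
    ("critical", "eqp", r"\beval\s*\(", "eval() call: remove dynamic code execution"),
    ("critical", "eqp", r"\b(shell_exec|exec|system|passthru)\s*\(", "raw shell exec: use framework APIs"),
    ("critical", "eqp", r"\bbase64_decode\s*\(", "base64 decode: obfuscated payloads are rejected"),
    ("error", "eqp", r"\bMage::", "Magento 1 Mage:: call: inject Magento 2 services instead"),
    ("error", "eqp", r"\bclass\s+(InstallSchema|UpgradeSchema|InstallData|UpgradeData)\b",
     "deprecated setup script: migrate to db_schema.xml or a data patch"),
    ("warning", "antipattern", r"ObjectManager::getInstance\s*\(", "direct ObjectManager: inject via constructor"),
]

@dataclass
class Finding:
    severity: str
    category: str
    file: str
    line: int
    message: str
    def location(self) -> str:
        return f"{self.file}:{self.line}"

def scan(files: dict) -> list:
    """Match every rule against every line of every file; sort by severity, then file, then line."""
    findings = []
    for path, src in files.items():
        for n, text in enumerate(src.splitlines(), 1):
            findings += [Finding(s, c, path, n, m) for s, c, p, m in RULES if re.search(p, text)]
    findings.sort(key=lambda f: (SEVERITY_RANK[f.severity], f.file, f.line))
    return findings

def readiness_score(findings: list) -> int:
    """0-100 Marketplace readiness: only Category=eqp findings reduce it (assumed weights)."""
    return max(0, 100 - sum(EQP_PENALTY[f.severity] for f in findings if f.category == "eqp"))

# Constructed sample module with deliberate blockers (not real vendor code).
SAMPLE_MODULE = {
    "Setup/InstallSchema.php": "<?php\nclass InstallSchema implements InstallSchemaInterface\n{\n"
        "    public function install($setup, $context)\n    {\n"
        "        $p = Mage::getModel('catalog/product');\n    }\n}\n",
    "Controller/Index/Run.php": "<?php\n$om = \\Magento\\Framework\\App\\ObjectManager::getInstance();\n"
        "$out = shell_exec($cmd);\neval(base64_decode($payload));\n",
}
```

Running `scan(SAMPLE_MODULE)` yields three critical, two error and one warning finding, and `readiness_score` drops to 5 because only the five eqp-tagged findings count.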

What's the upload limit?

10 MB compressed, 2 MB per file, 500 files max. Most real-world modules fit easily.

Related tools

Every Magento dev tool, in one hosted workspace.

Free to sign up. Nothing to install. Drafts, audits, and projects saved across every tool.