gqllint

GraphQL anti-pattern & security analyzer -- detects query depth/complexity issues, resolver N+1 problems, over/under fetching, rate limiting & auth gaps, sch...

copies: implexa run clawhub/gqllint

view source

installs

stars

karma

SkillRank score ↗

7.7/ 10

evaluated by implexa, claude-haiku-4-5 · 2026-05-26

gqllint detects graphql anti-patterns across 6 categories via regex matching, supporting 30-90 patterns depending on tier. covers query depth, resolver n+1, over/under fetching, auth gaps, schema design, and client safety with local scanning and markdown/json/html reporting.

structure

9.0

trigger phrases

9.0

procedure

8.0

edge cases

6.0

documentation

8.0

view original SKILL.md from clawhubclick to expand

---
name: GQLLint
version: 1.0.0
description: "GraphQL anti-pattern & security analyzer -- detects query depth/complexity issues, resolver N+1 problems, over/under fetching, rate limiting & auth gaps, schema design issues, and client query safety problems in GraphQL codebases"
homepage: https://gqllint.pages.dev
metadata:
  {
    "openclaw": {
      "emoji": "\ud83d\udd78\ufe0f",
      "primaryEnv": "GQLLINT_LICENSE_KEY",
      "requires": {
        "bins": ["git", "bash", "python3", "jq"]
      },
      "configPaths": ["~/.openclaw/openclaw.json"],
      "install": [
        {
          "id": "lefthook",
          "kind": "brew",
          "formula": "lefthook",
          "bins": ["lefthook"],
          "label": "Install lefthook (git hooks manager)"
        }
      ],
      "os": ["darwin", "linux", "win32"]
    }
  }
user-invocable: true
disable-model-invocation: false
---

# GQLLint -- GraphQL Anti-Pattern & Security Analyzer

GQLLint scans codebases for GraphQL anti-patterns: query depth/complexity issues, resolver N+1 problems, over/under fetching, rate limiting & auth gaps, schema design issues, and client query safety problems. It uses regex-based pattern matching against 90 GraphQL-specific patterns across 6 categories, lefthook for git hook integration, and produces markdown reports with actionable remediation guidance. 100% local. Zero telemetry.

**Note:** GQLLint focuses on GraphQL-specific patterns (schema definitions, resolvers, client queries, server configuration). It does NOT analyze general JavaScript/TypeScript quality or REST API patterns.

## Commands

### Free Tier (No license required)

#### `gqllint scan [file|directory]`
One-shot GraphQL quality scan of files or directories.

**How to execute:**
```bash
bash "<SKILL_DIR>/scripts/dispatcher.sh" --path [target]
```

**What it does:**
1. Accepts a file path or directory (defaults to current directory)
2. Discovers all source files (skips .git, node_modules, binaries, images, .min.js)
3. Runs 30 GraphQL patterns against each file (free tier limit)
4. Calculates a GraphQL quality score (0-100) per file and overall
5. Grades: A (90-100), B (80-89), C (70-79), D (60-69), F (<60)
6. Outputs findings with: file, line number, check ID, severity, description, recommendation
7. Exit code 0 if score >= 70, exit code 1 if GraphQL quality is poor
8. Free tier limited to first 30 patterns (QD + RN categories)

**Example usage scenarios:**
- "Scan my code for GraphQL issues" -> runs `gqllint scan .`
- "Check this file for N+1 resolver problems" -> runs `gqllint scan src/resolvers/`
- "Find query depth vulnerabilities" -> runs `gqllint scan src/`
- "Audit my GraphQL schema" -> runs `gqllint scan .`
- "Check for introspection leaks" -> runs `gqllint scan .`

### Pro Tier ($19/user/month -- requires GQLLINT_LICENSE_KEY)

#### `gqllint scan --tier pro [file|directory]`
Extended scan with 60 patterns covering depth, N+1, fetching, and auth issues.

**How to execute:**
```bash
bash "<SKILL_DIR>/scripts/dispatcher.sh" --path [target] --tier pro
```

**What it does:**
1. Validates Pro+ license
2. Runs 60 GraphQL patterns (QD, RN, OF, RL categories)
3. Detects over/under fetching and missing pagination
4. Identifies auth gaps, rate limiting issues, and open playgrounds
5. Full category breakdown reporting

#### `gqllint scan --format json [directory]`
Generate JSON output for CI/CD integration.

```bash
bash "<SKILL_DIR>/scripts/dispatcher.sh" --path [directory] --format json
```

#### `gqllint scan --format html [directory]`
Generate HTML report for browser viewing.

```bash
bash "<SKILL_DIR>/scripts/dispatcher.sh" --path [directory] --format html
```

#### `gqllint scan --category RN [directory]`
Filter scan to a specific check category (QD, RN, OF, RL, SD, CQ).

```bash
bash "<SKILL_DIR>/scripts/dispatcher.sh" --path [directory] --category RN
```

### Team Tier ($39/user/month -- requires GQLLINT_LICENSE_KEY with team tier)

#### `gqllint scan --tier team [directory]`
Full scan with all 90 patterns across all 6 categories including schema design and client safety.

**How to execute:**
```bash
bash "<SKILL_DIR>/scripts/dispatcher.sh" --path [directory] --tier team
```

**What it does:**
1. Validates Team+ license
2. Runs all 90 patterns across 6 categories
3. Includes schema design checks (input types, naming, JSON scalars, deprecation)
4. Includes client query safety (injection, error handling, caching, codegen)
5. Full category breakdown with per-file results

#### `gqllint scan --verbose [directory]`
Verbose output showing every matched line and pattern details.

```bash
bash "<SKILL_DIR>/scripts/dispatcher.sh" --path [directory] --verbose
```

#### `gqllint status`
Show license and configuration information.

```bash
bash "<SKILL_DIR>/scripts/dispatcher.sh" status
```

#### `gqllint patterns`
List all available detection patterns with IDs, severities, and descriptions.

```bash
bash "<SKILL_DIR>/scripts/dispatcher.sh" patterns
```

## Check Categories

GQLLint detects 90 GraphQL anti-patterns across 6 categories:

| Category | Code | Patterns | Description | Severity Range |
|----------|------|----------|-------------|----------------|
| **Query Depth & Complexity** | QD | 15 | Unbounded depth, no complexity limit, introspection leak, recursive fragments | low -- critical |
| **Resolver N+1** | RN | 15 | Database calls in loops, no DataLoader, sequential awaits, missing batching | low -- critical |
| **Over/Under Fetching** | OF | 15 | SELECT *, no pagination, eager loading, missing projections, full object returns | low -- critical |
| **Rate Limiting & Auth** | RL | 15 | No auth on mutations, open playground, missing rate limit, no CORS, no persisted queries | low -- critical |
| **Schema Design** | SD | 15 | Raw scalars in mutations, no input types, JSON scalar, naming issues, no deprecation | low -- high |
| **Client Query Safety** | CQ | 15 | String concatenation, template injection, no error handling, missing variables, no codegen | low -- critical |

## Tier-Based Pattern Access

| Tier | Patterns | Categories |
|------|----------|------------|
| **Free** | 30 | QD, RN |
| **Pro** | 60 | QD, RN, OF, RL |
| **Team** | 90 | QD, RN, OF, RL, SD, CQ |
| **Enterprise** | 90 | QD, RN, OF, RL, SD, CQ + priority support |

## Scoring

GQLLint uses a deductive scoring system starting at 100 (perfect):

| Severity | Point Deduction | Description |
|----------|-----------------|-------------|
| **Critical** | -25 per finding | Severe risk (query injection, N+1 loops, introspection leak, unauth mutations) |
| **High** | -15 per finding | Significant problem (no depth limit, no pagination, open playground, resolver waterfalls) |
| **Medium** | -8 per finding | Moderate concern (schema design gaps, missing rate limits, over-fetching) |
| **Low** | -3 per finding | Informational / best practice suggestion |

### Grading Scale

| Grade | Score Range | Meaning |
|-------|-------------|---------|
| **A** | 90-100 | Excellent GraphQL quality |
| **B** | 80-89 | Good GraphQL with minor issues |
| **C** | 70-79 | Acceptable but needs improvement |
| **D** | 60-69 | Poor GraphQL quality |
| **F** | Below 60 | Critical GraphQL problems |

- **Pass threshold:** 70 (Grade C or better)
- Exit code 0 = pass (score >= 70)
- Exit code 1 = fail (score < 70)

## Configuration

Users can configure GQLLint in `~/.openclaw/openclaw.json`:

```json
{
  "skills": {
    "entries": {
      "gqllint": {
        "enabled": true,
        "apiKey": "YOUR_LICENSE_KEY_HERE",
        "config": {
          "severityThreshold": "medium",
          "ignorePatterns": ["**/test/**", "**/fixtures/**", "**/*.test.*"],
          "ignoreChecks": [],
          "reportFormat": "text"
        }
      }
    }
  }
}
```

## Important Notes

- **Free tier** works immediately with no configuration
- **All scanning happens locally** -- no code is sent to external servers
- **License validation is offline** -- no phone-home or network calls
- Pattern matching only -- no AST parsing, no external dependencies beyond bash
- Supports scanning all file types in a single pass
- Git hooks use **lefthook** which must be installed (see install metadata above)
- Exit codes: 0 = pass (score >= 70), 1 = fail (for CI/CD integration)
- Output formats: text (default), json, html

## Error Handling

- If lefthook is not installed and user tries hooks, prompt to install it
- If license key is invalid or expired, show clear message with link to https://gqllint.pages.dev/renew
- If a file is binary, skip it automatically with no warning
- If no scannable files found in target, report clean scan with info message
- If an invalid category is specified with --category, show available categories

## When to Use GQLLint

The user might say things like:
- "Scan my code for GraphQL issues"
- "Check my resolvers for N+1 problems"
- "Find query depth vulnerabilities"
- "Detect over-fetching in my GraphQL API"
- "Are there any auth gaps in my GraphQL schema?"
- "Check if introspection is enabled in production"
- "Audit my GraphQL schema design"
- "Find security issues in my GraphQL setup"
- "Check for query injection vulnerabilities"
- "Scan for missing pagination on list fields"
- "Run a GraphQL quality audit"
- "Generate a GraphQL health report"
- "Check if my resolvers use DataLoader"
- "Find N+1 database query patterns"
- "Check my client code for unsafe GraphQL patterns"

don't have the plugin yet? install it then click "run inline in claude" again.

restructured original into 6 required implexa components, explicitly documented license validation logic and tier access control as decision points, added edge cases (binary files, expired licenses, missing binaries, regex errors, empty result sets), clarified all external connections and env vars, detailed json/html/text output formats with exact keys and structure, mapped exit codes to outcomes throughout.

GQLLint -- GraphQL Anti-Pattern & Security Analyzer

Item: gqllint
Rating: 7.7
Author: Implexa

intent

gqllint scans GraphQL codebases for 90 anti-patterns across 6 categories: query depth/complexity issues, resolver N+1 problems, over/under fetching, rate limiting and auth gaps, schema design flaws, and client query safety problems. use it when auditing a GraphQL codebase for quality, security, and performance issues. produces a markdown/json/html report with severity-graded findings and a 0-100 quality score. all scanning runs locally with zero telemetry.

inputs

required binaries:

git
bash
python3
jq

required installations:

lefthook (brew formula, manages git hooks). install with: brew install lefthook

environment variables:

GQLLINT_LICENSE_KEY: optional. enables pro (60 patterns) or team (90 patterns) tier. not required for free tier (30 patterns).

configuration file (optional):

~/.openclaw/openclaw.json: user config with severity threshold, ignore patterns, ignored checks, and report format preference.

external connection:

gqllint.pages.dev (https): only used for license renewal links (no telemetry, no code upload). license validation is offline.

scanning target:

file path or directory. gqllint discovers source files and skips .git, node_modules, binaries, images, .min.js files automatically.

procedure

base scan (free tier, all users)

accept input: receive file path or directory argument. default to current directory if none provided.
validate binaries: check that git, bash, python3, jq are available in PATH. fail with clear message if any missing.
discover files: recursively find all source files in target directory. skip .git/, node_modules/, binary files, image files, .min.js files. output file count to stderr.
read config: load ~/.openclaw/openclaw.json if present. extract severityThreshold (default: low), ignorePatterns, ignoreChecks, reportFormat (default: text).
apply ignores: filter discovered files against ignorePatterns and ignoreChecks from config.
run pattern matching: execute regex-based pattern matching against first 30 patterns (free tier limit) in QD and RN categories. for each file, iterate line by line. match each pattern. record: file path, line number, pattern ID, severity, description, recommendation.
calculate score: start with 100. for each finding, deduct: critical (-25), high (-15), medium (-8), low (-3). clamp to 0 minimum. final score = max(0, 100 - total_deductions).
assign grade: map score to grade: A (90-100), B (80-89), C (70-79), D (60-69), F (<60).
output report: generate report in chosen format (text/json/html). include: per-file results with line numbers and findings, overall score, overall grade, category breakdown (patterns matched per category), pass/fail status.
exit: return exit code 0 if score >= 70 (pass), exit code 1 if score < 70 (fail). output to stdout (or file if html).

pro tier scan (with valid GQLLINT_LICENSE_KEY)

validate license: read GQLLINT_LICENSE_KEY env var. verify it matches pro or team tier signature (offline validation only, no network call). if invalid or expired, output clear message with link to https://gqllint.pages.dev/renew and exit code 1.
discover files: (same as step 3 above)
read config: (same as step 4 above)
apply ignores: (same as step 5 above)
run pattern matching: execute regex-based pattern matching against first 60 patterns (pro tier limit) across QD, RN, OF, RL categories. include checks for over/under fetching, missing pagination, auth gaps, rate limiting issues, open playgrounds, persisted queries.
calculate score, grade, output: (same as steps 7-10 above, but with 60 patterns)

team tier scan (with valid GQLLINT_LICENSE_KEY at team level)

validate license: read GQLLINT_LICENSE_KEY env var. verify it matches team tier signature (offline validation only). if invalid or expired, output clear error and exit code 1.
discover files: (same as step 3 above)
read config: (same as step 4 above)
apply ignores: (same as step 5 above)
run pattern matching: execute all 90 patterns across all 6 categories: QD, RN, OF, RL, SD, CQ. include schema design checks (input types, naming, json scalars, deprecation) and client query safety checks (string concatenation, template injection, error handling, variables, codegen).
calculate score, grade, output: (same as steps 7-10 above, but with 90 patterns)

category filter scan

accept category: receive --category flag with value from {QD, RN, OF, RL, SD, CQ}.
validate category: if category not recognized, output available categories and exit code 1.
(rest of procedure): run scan as above but match only patterns in specified category. adjust tier access (e.g., free tier cannot access OF, RL, SD, CQ patterns).

json output

(run scan as above)
format json: convert findings to JSON array. each finding: {file, line, patternId, severity, description, recommendation}. include metadata: {overall_score, grade, category_breakdown, tier, timestamp}.
output to stdout or file: write json to stdout (or file if --output specified). exit code 0 if score >= 70, else 1.

html output

(run scan as above)
format html: generate standalone html report with embedded css. include: header with overall score/grade, findings table (file, line, pattern id, severity, description), per-file breakdown chart, category breakdown chart.
output to file: write html to file (default: gqllint-report.html in current directory, or --output path). exit code 0 if score >= 70, else 1.

verbose mode

(run scan as above)
verbose output: for each matched pattern, output: matched line text, full pattern regex, pattern id, severity, category, description, recommendation. increase verbosity in text format.
output report: generate text report with verbose details. exit code 0 if score >= 70, else 1.

status check

read license key: check GQLLINT_LICENSE_KEY env var.
validate license: offline check. if present, determine tier (pro or team) and expiration date (if any).
read config: load ~/.openclaw/openclaw.json if present.
output status: display: license key (masked), tier, expiration (if applicable), current config (severity threshold, ignore patterns count, ignore checks count, report format).
exit: return exit code 0.

patterns list

load all patterns: retrieve all 90 pattern definitions.
output patterns: list each pattern with: ID, category, severity, description, remediation guidance.
group by category: organize output by QD, RN, OF, RL, SD, CQ.
tier note: indicate which patterns are free/pro/team.
exit: return exit code 0.

decision points

if no target path provided: use current directory (.).

if target is a file: scan only that file.

if target is a directory: recursively discover and scan all files.

if license key is not set: run free tier scan (30 patterns, QD + RN only).

if license key is set but invalid/expired: output error message with renewal link and exit code 1. do not fall back to free tier.

if --tier pro is specified but license is free: output error message stating pro tier requires valid pro license key and exit code 1.

if --tier team is specified but license is pro: output error message stating team tier requires valid team license key and exit code 1.

if --category is specified but requires higher tier than user has: output error message stating category requires higher tier and exit code 1.

if no scannable files are found in target: report clean scan with info message "no graphql files found" and exit code 0.

if a file is binary: skip it silently (no warning).

if lefthook is not installed and user has git hooks configured: prompt to install lefthook with brew install lefthook and exit code 1.

if config file has ignorePatterns that match all discovered files: report clean scan and exit code 0.

if a pattern match fails due to regex error: log error to stderr (do not crash), skip that pattern, continue scanning.

if score calculation results in negative value: clamp to 0.

if no findings are present: assign score 100, grade A, output pass message and exit code 0.

output contract

text format (default):

stdout: human-readable report with header (overall score, grade, pass/fail), per-file findings (file path, line number, pattern id, severity, description, recommendation), category breakdown (count of patterns matched per category), footer (total findings count).
file location: stdout unless --output specified.

json format:

stdout: json object with keys: {overall_score (number), grade (string), pass (boolean), tier (string), timestamp (iso-8601), findings (array of objects), category_breakdown (object)}.
each finding object: {file (string), line (number), patternId (string), severity (string), description (string), recommendation (string)}.
file location: stdout unless --output specified.

html format:

file: gqllint-report.html (or custom path if --output specified).
contents: standalone html with embedded css, header with title/score/grade, findings table (sortable by severity), per-file bar chart, category breakdown pie chart, footer with scan timestamp.

markdown report (optional, legacy):

file location: gqllint-report.md (if --format markdown specified).
contents: markdown formatted findings with sections per category, remediation guidance links.

scoring metadata:

overall_score: 0-100 (integer).
grade: A, B, C, D, or F (string).
pass: true if score >= 70, false otherwise (boolean).
per-file scores: each file receives its own score based on its findings.
category breakdown: count of critical/high/medium/low findings per category.

file discovery log:

stderr: number of files discovered, number of files scanned, number of files skipped (with reason if verbose).

exit code:

0: scan completed successfully, score >= 70 (pass).
1: scan completed with score < 70 (fail), or error occurred (license invalid, binary missing, etc.).

outcome signal

user knows the skill worked if:

scan completes: output appears in terminal (or file if html/json) with no crash.
score is displayed: user sees "overall score: 85/100" or similar at top of report.
grade is clear: user sees "grade: B" or similar.
pass/fail is unambiguous: user sees "pass" (green, exit code 0) or "fail" (red, exit code 1).
findings are actionable: each finding lists line number, pattern id, severity, description, and remediation guidance.
category breakdown is visible: user can see how many issues are in query depth vs resolver n+1 vs over-fetching etc.
no telemetry occurred: user can confirm via firewall logs or network monitor that no code was uploaded anywhere.
exit code matches result: echo $? shows 0 for pass, 1 for fail.
html report is readable: if html output chosen, report opens in browser and is fully styled with interactive elements.
json is valid: if json output chosen, output can be piped to jq without error.

gqllint

related skills

GQLLint -- GraphQL Anti-Pattern & Security Analyzer

intent

inputs

procedure

base scan (free tier, all users)

pro tier scan (with valid GQLLINT_LICENSE_KEY)

team tier scan (with valid GQLLINT_LICENSE_KEY at team level)

category filter scan

json output

html output

verbose mode

status check

patterns list

decision points

output contract

outcome signal