{"id":"154e7c23-346c-46a0-a5b7-7e0df685f42b","shortId":"ZdpQPc","kind":"skill","title":"wtf","tagline":"Pre-launch and pre-commit audit for vibe coding projects. Use when asked to check whether a project is ready to ship, deploy, merge, or commit, especially for common AI-built app mistakes: broken project structure, committed secrets or cache files, environment variable hygiene, d","description":"# WTF\n\nUse this skill as a hard-nosed pre-launch or pre-commit audit for fast-moving \"vibe coded\" projects. The goal is to find concrete blockers before code is shipped, not to produce a generic best-practices essay.\n\n## Operating Mode\n\n- Inspect the actual repository before judging it. Start with `git status --short`, project docs, file tree, package manifests, framework config, CI config, and deployment config.\n- Keep the audit scoped to the user's target: current branch, staged changes, a PR diff, or the whole project. If unclear, default to the current worktree plus files likely to affect deploy/runtime.\n- Prefer evidence over guesses. Tie every finding to a file, command output, or missing expected artifact.\n- Do not print secret values. If a secret is committed or exposed, name the file and variable/key shape, but redact the value.\n- If the user asks to fix issues, implement the fixes after the audit and verify them. Otherwise, remain in review/audit mode.\n\n## Audit Workflow\n\n1. **Map the project**\n   - Identify app type, framework, package manager, runtime, deployment target, database, ORM, auth provider, and build/test commands.\n   - Check whether the root is clean or dirty. Preserve unrelated user changes.\n   - Find likely entrypoints: app routes, API routes, workers, server actions, CLI commands, cron jobs, migrations, schemas, and config files.\n\n2. 
**Check repository hygiene**\n   - Look for committed `.env*` files other than safe examples, local database files, logs, cache directories, build outputs, generated artifacts, coverage, temporary uploads, screenshots, and tool caches.\n   - Verify `.gitignore` covers framework/runtime artifacts such as `.next`, `dist`, `build`, `.turbo`, `.vercel`, `.wrangler`, `.parcel-cache`, `coverage`, `node_modules`, local SQLite files, logs, and upload/cache folders.\n   - Use `git ls-files` to distinguish ignored local junk from files already tracked by Git.\n\n3. **Check secrets and environment variables**\n   - Search for tokens, private keys, API keys, JWT secrets, database URLs, webhook secrets, cloud credentials, and hardcoded production URLs.\n   - Verify required env vars are documented in `.env.example`, deployment docs, or typed config. Flag required envs that are used in code but undocumented.\n   - Check for accidental logging of secrets, auth headers, cookies, session payloads, or provider responses.\n\n4. **Check database readiness**\n   - Identify whether the app uses Prisma, Drizzle, TypeORM, Sequelize, Rails migrations, Django migrations, Alembic, Knex, raw SQL, or another migration system.\n   - Confirm schema changes have matching migrations and that migrations are committed.\n   - Flag schema drift, missing deploy migration commands, destructive migrations without a backfill/rollback plan, seed data required in production, and raw SQL that is not parameterized.\n   - If a database-backed app has no ORM or migration tool, call that out as a launch risk unless the repository has a clear alternative migration process.\n\n5. 
**Check app correctness and security basics**\n   - Run or inspect available `lint`, `typecheck`, `test`, and `build` scripts when practical.\n   - Review auth boundaries, protected routes, admin-only actions, server/client separation, CORS, CSRF where relevant, rate limits, file upload validation, SSRF surfaces, open redirects, and unsafe eval/shell execution.\n   - Check error handling and observability: production errors should not leak stack traces, secrets, or internal IDs unnecessarily.\n\n6. **Check dead and legacy code**\n   - Search for unused routes, duplicate pages/components, abandoned API handlers, old feature flags, large commented blocks, stale TODO/FIXME/HACK notes, generated placeholders, console debugging, unused dependencies, and test/demo data paths.\n   - Prefer repository-aware tools when available: TypeScript compiler, ESLint, depcheck, framework route manifests, import graph tools, or existing CI checks.\n   - Treat dead code as lower severity unless it affects security, deploy size, routing, migrations, or user-visible behavior.\n\n7. 
**Check deployment shape**\n   - Inspect Dockerfiles, wrangler/vercel/netlify/cloudflare config, GitHub Actions, release scripts, cron configuration, and required runtime versions.\n   - Flag missing production build commands, wrong package manager commands, missing migration steps, secrets expected at build time vs runtime, cache directories mounted incorrectly, and local-only assumptions.\n\n## Useful Commands\n\nAdapt commands to the repository; do not run broad destructive commands.\n\n```bash\ngit status --short\ngit ls-files\nrg -n --hidden --glob '!node_modules' --glob '!.git' 'AKIA|BEGIN (RSA |OPENSSH |EC )?PRIVATE KEY|DATABASE_URL|JWT_SECRET|SECRET_KEY|API_KEY|ACCESS_TOKEN|REFRESH_TOKEN|WEBHOOK_SECRET|STRIPE_SECRET|OPENAI_API_KEY|ANTHROPIC_API_KEY|PASSWORD=' .\nrg -n --hidden --glob '!node_modules' --glob '!.git' 'TODO|FIXME|HACK|console\\.log|debugger|ts-ignore|eslint-disable' .\n```\n\nFor JavaScript/TypeScript projects, inspect `package.json` scripts first, then run only relevant existing scripts such as `npm run lint`, `npm run typecheck`, `npm test`, or `npm run build`.\n\n## Severity\n\n- **P0 Blocker**: likely secret exposure, data loss, auth bypass, production deploy failure, broken migration, or user-data corruption.\n- **P1 High**: strong launch risk such as missing env documentation, unsafe database access, unprotected sensitive route, failing build/test, or tracked cache/build artifacts.\n- **P2 Medium**: maintainability or reliability issue likely to slow future work, such as stale duplicate code, missing focused tests, weak error handling, or unused dependencies.\n- **P3 Low**: cleanup or polish that is useful but not launch-blocking.\n\n## Host-Specific Review Output\n\nDetect host-specific review capabilities from active system/developer/app instructions, available tools, or local agent docs. 
Do not infer support from the model name alone, and do not invent pseudo-directives for a host.\n\n- **Codex App**: for findings tied to a specific file and line, emit one inline review comment directive per issue:\n\n  ```text\n  ::code-comment{title=\"[P1] Short issue title\" body=\"Explain the concrete risk and the smallest practical fix. Redact any secret value.\" file=\"/absolute/path/to/file.ts\" start=42 end=42 priority=1}\n  ```\n\n  Use absolute file paths, tight line ranges, and `priority` matching severity (`P0`/`P1` = `1`, `P2` = `2`, `P3` = `3`). Keep repo-level findings, missing-file findings, command failures, and residual risks in the normal findings list.\n\n- **Claude Code**: do not assume an inline review comment output directive. Use normal review findings with `file:line` references unless the current Claude Code environment explicitly provides a comment protocol or tool.\n- **Antigravity**: do not assume a portable text directive for artifact or inline comments. If the active environment exposes a native artifact/comment tool, use that tool; otherwise use normal review findings with `file:line` references.\n- **Zed**: do not assume a response-level inline comment directive. Zed may show agent edit review UI, but audit findings should stay in normal review format unless the active Zed environment explicitly provides a comment protocol or tool.\n\n## Output Format\n\nLead with findings, ordered by severity. 
For each finding include:\n\n- Severity and short title.\n- Evidence: file path, line, command, or missing expected file.\n- Impact: what can break or leak.\n- Fix: the smallest practical next step.\n\nThen add:\n\n- **Verified**: commands actually run and their result.\n- **Not verified**: checks skipped and why.\n- **Residual risk**: anything the repository shape prevented you from proving.","tags":["wtf","noobnooc","agent-skills","profile","profile-readme"],"capabilities":["skill","source-noobnooc","skill-wtf","topic-agent-skills","topic-profile","topic-profile-readme"],"categories":["noobnooc"],"synonyms":[],"warnings":[],"endpointUrl":"https://skills.sh/noobnooc/noobnooc/wtf","protocol":"skill","transport":"skills-sh","auth":{"type":"none","details":{"cli":"npx skills add noobnooc/noobnooc","source_repo":"https://github.com/noobnooc/noobnooc","install_from":"skills.sh"}},"qualityScore":"0.700","qualityRationale":"deterministic score 0.70 from registry signals: · indexed on github topic:agent-skills · 1369 github stars · SKILL.md body (7,727 chars)","verified":false,"liveness":"unknown","lastLivenessCheck":null,"agentReviews":{"count":0,"score_avg":null,"cost_usd_avg":null,"success_rate":null,"latency_p50_ms":null,"narrative_summary":null,"summary_updated_at":null},"enrichmentModel":"deterministic:skill-github:v1","enrichmentVersion":1,"enrichedAt":"2026-05-18T18:53:07.189Z","embedding":null,"createdAt":"2026-05-09T06:53:15.589Z","updatedAt":"2026-05-18T18:53:07.189Z","lastSeenAt":"2026-05-18T18:53:07.189Z","tsv":"","prices":[{"id":"87e9cbbb-793e-42a2-8ce3-898696891896","listingId":"154e7c23-346c-46a0-a5b7-7e0df685f42b","amountUsd":"0","unit":"free","nativeCurrency":null,"nativeAmount":null,"chain":null,"payTo":null,"paymentMethod":"skill-free","isPrimary":true,"details":{"org":"noobnooc","category":"noobnooc","install_from":"skills.sh"},"createdAt":"2026-05-09T06:53:15.589Z"}],"sources":[{"listingId":"154e7c23-346c-46a0-a5b7-7e0df685f42b","source":"github","sourceId":"noobnooc/noobnooc/wtf","sourceUrl":"https://github.com/noobnooc/noobnooc/tree/main/skills/wtf","isPrimary":false,"firstSeenAt":"2026-05-09T06:53:15.589Z","lastSeenAt":"2026-05-18T18:53:07.189Z"}],"details":{"listingId":"154e7c23-346c-46a0-a5b7-7e0df685f42b","quickStartSnippet":null,"exampleRequest":null,"exampleResponse":null,"schema":null,"openapiUrl":null,"agentsTxtUrl":null,"citations":[],"useCases":[],"bestFor":[],"notFor":[],"kindDetails":{"org":"noobnooc","slug":"wtf","github":{"repo":"noobnooc/noobnooc","stars":1369,"topics":["agent-skills","profile","profile-readme"],"license":null,"html_url":"https://github.com/noobnooc/noobnooc","pushed_at":"2026-05-13T03:04:28Z","description":"My profile & the agent skills I created","skill_md_sha":"45d6cb4b60dee6f5d483c4a6cdc362af2e9abe53","skill_md_path":"skills/wtf/SKILL.md","default_branch":"main","skill_tree_url":"https://github.com/noobnooc/noobnooc/tree/main/skills/wtf"},"layout":"multi","source":"github","category":"noobnooc","frontmatter":{"name":"wtf","description":"Pre-launch and pre-commit audit for vibe coding projects. 
Use when asked to check whether a project is ready to ship, deploy, merge, or commit, especially for common AI-built app mistakes: broken project structure, committed secrets or cache files, environment variable hygiene, database migrations, ORM/schema drift, unsafe raw SQL, unused legacy code, dead routes/components, weak auth, missing tests, build failures, and deployment footguns."},"skills_sh_url":"https://skills.sh/noobnooc/noobnooc/wtf"},"updatedAt":"2026-05-18T18:53:07.189Z"}}