{"id":"bdcb093d-8308-4aa8-a802-536925c2dd5a","shortId":"uTX9Sr","kind":"skill","title":"codebase-audit-pre-push","tagline":"Deep audit before GitHub push: removes junk files, dead code, security holes, and optimization issues. Checks every file line-by-line for production readiness.","description":"# Pre-Push Codebase Audit\n\nAs a senior engineer, you're doing the final review before pushing this code to GitHub. Check everything carefully and fix problems as you find them.  \n\n## When to Use This Skill  \n\n- User requests \"audit the codebase\" or \"review before push\"  \n- Before making the first push to GitHub  \n- Before making a repository public  \n- Pre-production deployment review  \n- User asks to \"clean up the code\" or \"optimize everything\"  \n\n## Your Job  \n\nReview the entire codebase file by file. Read the code carefully. Fix issues right away. Don't just note problems—make the necessary changes.  \n\n## Audit Process  \n\n### 1. Clean Up Junk Files  \n\nStart by looking for files that shouldn't be on GitHub:  \n\n**Delete these immediately:**  \n- OS files: `.DS_Store`, `Thumbs.db`, `desktop.ini`  \n- Logs: `*.log`, `npm-debug.log*`, `yarn-error.log*`  \n- Temp files: `*.tmp`, `*.temp`, `*.cache`, `*.swp`  \n- Build output: `dist/`, `build/`, `.next/`, `out/`, `.cache/`  \n- Dependencies: `node_modules/`, `vendor/`, `__pycache__/`, `*.pyc`  \n- IDE files: `.idea/`, `.vscode/` (ask user first), `*.iml`, `.project`  \n- Backup files: `*.bak`, `*_old.*`, `*_backup.*`, `*_copy.*`  \n- Test artifacts: `coverage/`, `.nyc_output/`, `test-results/`  \n- Personal junk: `TODO.txt`, `NOTES.txt`, `scratch.*`, `test123.*`  \n\n**Critical - Check for secrets:**  \n- `.env` files (should never be committed)  \n- Files containing: `password`, `api_key`, `token`, `secret`, `private_key`  \n- `*.pem`, `*.key`, `*.cert`, `credentials.json`, `serviceAccountKey.json`  \n\nIf you find secrets in the code, mark it as a CRITICAL BLOCKER.  \n\n### 2. 
Fix .gitignore  \n\nCheck if the `.gitignore` file exists and is thorough. If it’s missing or not complete, update it to include all junk file patterns above. Ensure that `.env.example` exists with keys but no values.  \n\n### 3. Audit Every Source File  \n\nLook through each code file and check:  \n\n**Dead Code (remove immediately):**  \n- Commented-out code blocks  \n- Unused imports/requires  \n- Unused variables (declared but never used)  \n- Unused functions (defined but never called)  \n- Unreachable code (after `return`, inside `if (false)`)  \n- Duplicate logic (same code in multiple places—combine)  \n\n**Code Quality (fix issues as you go):**  \n- Vague names: `data`, `info`, `temp`, `thing` → rename to be descriptive  \n- Magic numbers: `if (status === 3)` → extract to named constant  \n- Debug statements: remove `console.log`, `print()`, `debugger`  \n- TODO/FIXME comments: either resolve them or delete them  \n- TypeScript `any`: add proper types or explain why `any` is used  \n- Use `===` instead of `==` in JavaScript  \n- Functions longer than 50 lines: consider splitting  \n- Nested code greater than 3 levels: refactor with early returns  \n\n**Logic Issues (critical):**  \n- Missing null/undefined checks  \n- Array operations on potentially empty arrays  \n- Async functions that are not awaited  \n- Promises without `.catch()` or try/catch  \n- Possibilities for infinite loops  \n- Missing `default` in switch statements  \n\n### 4. Security Check (Zero Tolerance)  \n\n**Secrets:** Search for hardcoded passwords, API keys, and tokens. They must be in environment variables.  
\n\n**Injection vulnerabilities:**  \n- SQL: No string concatenation in queries—use parameterized queries only  \n- Command injection: No `exec()` with user-provided input  \n- Path traversal: No file paths from user input without validation  \n- XSS: No `innerHTML` or `dangerouslySetInnerHTML` with user data  \n\n**Auth/Authorization:**  \n- Passwords hashed with bcrypt/argon2 (never MD5 or plain text)  \n- Protected routes check for authentication  \n- Authorization checks on the server side, not just in the UI  \n- No IDOR: verify users own the resources they are accessing  \n\n**Data exposure:**  \n- API responses do not leak unnecessary information  \n- Error messages do not expose stack traces or database details  \n- Pagination is present on list endpoints  \n\n**Dependencies:**  \n- Run `npm audit` or an equivalent tool  \n- Flag critically outdated or vulnerable packages  \n\n### 5. Scalability Check  \n\n**Database:**  \n- N+1 queries: loops with database calls inside → use JOINs or batch queries  \n- Missing indexes on WHERE/ORDER BY columns  \n- Unbounded queries: add LIMIT or pagination  \n- Avoid `SELECT *`: specify columns  \n\n**API Design:**  \n- Heavy operations (like email, reports, file processing) → move to a background queue  \n- Rate limiting on public endpoints  \n- Caching for data that is read frequently  \n- Timeouts on external calls  \n\n**Code:**  \n- No global mutable state  \n- Clean up event listeners (to avoid memory leaks)  \n- Stream large files instead of loading them into memory  \n\n### 6. 
Architecture Check  \n\n**Organization:**  \n- Clear folder structure  \n- Files are in logical locations  \n- No \"misc\" or \"stuff\" folders  \n\n**Separation of concerns:**  \n- UI layer: only responsible for rendering  \n- Business logic: pure functions  \n- Data layer: isolated database queries  \n- No 500+ line \"god files\"  \n\n**Reusability:**  \n- Duplicate code → extract to shared utilities  \n- Constants defined once and imported  \n- Types/interfaces reused, not redefined  \n\n### 7. Performance  \n\n**Backend:**  \n- Expensive operations do not block requests  \n- Batch database calls when possible  \n- Set cache headers correctly  \n\n**Frontend (if applicable):**  \n- Implement code splitting  \n- Optimize images  \n- Avoid massive dependencies for small utilities  \n- Use lazy loading for heavy components  \n\n### 8. Documentation  \n\n**README.md must include:**  \n- Description of what the project does  \n- Instructions for installation and execution  \n- Required environment variables  \n- Guidance on running tests  \n\n**Code comments:**  \n- Explain WHY, not WHAT  \n- Provide explanations for complex logic  \n- Avoid comments that merely repeat the code  \n\n### 9. Testing  \n\n- Critical paths should have tests (auth, payments, core features)  \n- No `test.only` or `fdescribe` should remain in the code  \n- Avoid `test.skip` without an explanation  \n- Tests should verify behavior, not implementation details  \n\n### 10. Final Verification  \n\nAfter making all changes, run the app. Ensure nothing is broken. 
Check that:  \n- The app starts without errors  \n- Main features work  \n- Tests pass (if they exist)  \n- No regressions have been introduced  \n\n## Output Format  \n\nAfter auditing, provide a report:  \n\n```\nCODEBASE AUDIT COMPLETE  \n\nFILES REMOVED:  \n- node_modules/ (build artifact)  \n- .env (contained secrets)  \n- old_backup.js (unused duplicate)  \n\nCODE CHANGES:  \n[src/api/users.js]  \n  ✂ Removed unused import: lodash  \n  ✂ Removed dead function: formatOldWay()  \n  🔧 Renamed 'data' → 'userData' for clarity  \n  🛡 Added try/catch around API call (line 47)  \n\n[src/db/queries.js]  \n  ⚡ Fixed N+1 query: now uses JOIN instead of loop  \n\nSECURITY ISSUES:  \n🚨 CRITICAL: Hardcoded API key in config.js (line 12) → moved to .env  \n⚠️ HIGH: SQL injection risk in search.js (line 34) → fixed with parameterized query  \n\nSCALABILITY:  \n⚡ Added pagination to /api/users endpoint  \n⚡ Added index on users.email column  \n\nFINAL STATUS:  \n✅ CLEAN - Ready to push to GitHub  \n\nScores:  \nSecurity: 9/10 (one minor header missing)  \nCode Quality: 10/10  \nScalability: 9/10  \nOverall: 9/10  \n```  \n\n## Key Principles  \n\n- Read the code thoroughly, don't skim  \n- Fix issues immediately, don’t just document them  \n- If uncertain about removing something, ask the user  \n- Test after making changes  \n- Be thorough but practical—focus on real problems  \n- Security issues are blockers—nothing should ship with critical vulnerabilities  \n\n## Related Skills  \n\n- `@security-auditor` - Deeper security review  \n- `@systematic-debugging` - Investigate specific issues  \n- `@git-pushing` - Push code after audit\n\n## Limitations\n- Use this skill only when the task clearly matches the scope described above.\n- Do not treat the output as a substitute for environment-specific validation, testing, or expert review.\n- Stop and ask for clarification if required inputs, permissions, safety boundaries, or success criteria are 
missing.","tags":["codebase","audit","pre","push","antigravity","awesome","skills","sickn33","agent-skills","agentic-skills","ai-agent-skills","ai-agents"],"capabilities":["skill","source-sickn33","skill-codebase-audit-pre-push","topic-agent-skills","topic-agentic-skills","topic-ai-agent-skills","topic-ai-agents","topic-ai-coding","topic-ai-workflows","topic-antigravity","topic-antigravity-skills","topic-claude-code","topic-claude-code-skills","topic-codex-cli","topic-codex-skills"],"categories":["antigravity-awesome-skills"],"synonyms":[],"warnings":[],"endpointUrl":"https://skills.sh/sickn33/antigravity-awesome-skills/codebase-audit-pre-push","protocol":"skill","transport":"skills-sh","auth":{"type":"none","details":{"cli":"npx skills add sickn33/antigravity-awesome-skills","source_repo":"https://github.com/sickn33/antigravity-awesome-skills","install_from":"skills.sh"}},"qualityScore":"0.700","qualityRationale":"deterministic score 0.70 from registry signals: · indexed on github topic:agent-skills · 34882 github stars · SKILL.md body (8,141 chars)","verified":false,"liveness":"unknown","lastLivenessCheck":null,"agentReviews":{"count":0,"score_avg":null,"cost_usd_avg":null,"success_rate":null,"latency_p50_ms":null,"narrative_summary":null,"summary_updated_at":null},"enrichmentModel":"deterministic:skill-github:v1","enrichmentVersion":1,"enrichedAt":"2026-04-24T12:50:48.229Z","embedding":null,"createdAt":"2026-04-18T21:34:42.758Z","updatedAt":"2026-04-24T12:50:48.229Z","lastSeenAt":"2026-04-24T12:50:48.229Z","prices":[{"id":"681a2805-529c-4337-a4e0-11b62820c1cb","listingId":"bdcb093d-8308-4aa8-a802-536925c2dd5a","amountUsd":"0","unit":"free","nativeCurrency":null,"nativeAmount":null,"chain":null,"payTo":null,"paymentMethod":"skill-free","isPrimary":true,"details":{"org":"sickn33","category":"antigravity-awesome-skills","install_from":"skills.sh"},"createdAt":"2026-04-18T21:34:42.758Z"}],"sources":[{"listingId":"bdcb093d-8308-4aa8-a802-536925c2dd5a","source":"github","sourceId":"sickn33/antigravity-awesome-skills/codebase-audit-pre-push","sourceUrl":"https://github.com/sickn33/antigravity-awesome-skills/tree/main/skills/codebase-audit-pre-push","isPrimary":false,"firstSeenAt":"2026-04-18T21:34:42.758Z","lastSeenAt":"2026-04-24T12:50:48.229Z"}],"details":{"listingId":"bdcb093d-8308-4aa8-a802-536925c2dd5a","quickStartSnippet":null,"exampleRequest":null,"exampleResponse":null,"schema":null,"openapiUrl":null,"agentsTxtUrl":null,"citations":[],"useCases":[],"bestFor":[],"notFor":[],"kindDetails":{"org":"sickn33","slug":"codebase-audit-pre-push","github":{"repo":"sickn33/antigravity-awesome-skills","stars":34882,"topics":["agent-skills","agentic-skills","ai-agent-skills","ai-agents","ai-coding","ai-workflows","antigravity","antigravity-skills","claude-code","claude-code-skills","codex-cli","codex-skills","cursor","cursor-skills","developer-tools","gemini-cli","gemini-skills","kiro","mcp","skill-library"],"license":"mit","html_url":"https://github.com/sickn33/antigravity-awesome-skills","pushed_at":"2026-04-24T06:41:17Z","description":"Installable GitHub library of 1,400+ agentic skills for Claude Code, Cursor, Codex CLI, Gemini CLI, Antigravity, and more. 
Includes installer CLI, bundles, workflows, and official/community skill collections.","skill_md_sha":"9061c22f5e5da6cf9b53a63e2ddec4c79a1d2982","skill_md_path":"skills/codebase-audit-pre-push/SKILL.md","default_branch":"main","skill_tree_url":"https://github.com/sickn33/antigravity-awesome-skills/tree/main/skills/codebase-audit-pre-push"},"layout":"multi","source":"github","category":"antigravity-awesome-skills","frontmatter":{"name":"codebase-audit-pre-push","description":"Deep audit before GitHub push: removes junk files, dead code, security holes, and optimization issues. Checks every file line-by-line for production readiness."},"skills_sh_url":"https://skills.sh/sickn33/antigravity-awesome-skills/codebase-audit-pre-push"},"updatedAt":"2026-04-24T12:50:48.229Z"}}