name	code-auditing
description	Provides code auditing methodology, checklists, and best practices. Use when user asks to "audit code", "find technical debt", "security review", "identify dead code", "analyze code quality", or "check best practices".
allowed-tools	Read, Grep, Glob, Bash, TodoWrite

Code Auditing Skill

Comprehensive methodology for systematic code quality audits.

When to Use

Comprehensive code quality audits
Security vulnerability assessments
Technical debt identification
Pre-release code reviews
Best practices verification
Library and dependency audits

Audit Phases

Phase 0: Pre-Analysis Setup

Check for project configuration files (package.json, tsconfig.json, etc.)
Identify tech stack and main libraries
Check for linting/formatting configs
Run existing linting/testing commands as baseline
Load documentation for identified core libraries

Phase 1: Discovery

Find all code files by type
Create tracking list for each file
Group files by module/feature for contextual analysis

Phase 2: File-by-File Analysis

For each file, analyze for:

Dead code (unused functions, variables, imports)
Code smells and anti-patterns
Custom implementations that could use established libraries
Security vulnerabilities
Performance issues
Outdated patterns or deprecated APIs
Missing error handling
Overly complex functions
Duplicate code

Phase 3: Best Practices Verification

For every library and framework:

Retrieve official documentation
Compare implementation against official patterns
Identify deviations from recommendations
Note outdated usage patterns
Flag discouraged anti-patterns

Phase 4: Pattern Detection

Look for recurring issues:

Common anti-patterns across files
Duplicated logic that could be abstracted
Inconsistent coding styles
Missing error handling patterns

Phase 5: Library Recommendations

For custom implementations:

Check if current libraries provide the functionality
Search for mature ecosystem packages
Verify library health (commits, issues, activity)
Check compatibility with project setup

Phase 6: Comprehensive Report

Generate detailed report with:

Executive summary
Critical issues requiring immediate attention
File-by-file findings
Prioritized action plan
Effort estimates
Library recommendations

Issue Priority Levels

Critical - Security vulnerabilities, broken functionality
High Priority - Performance bottlenecks, unmaintainable code
Medium Priority - Code quality, best practices deviations
Low Priority - Style, minor improvements
Quick Wins - Less than 30 minutes to fix

Analysis Categories

Security

Hardcoded secrets
SQL injection risks
XSS vulnerabilities
Missing input validation
Exposed sensitive data

Performance

Inefficient algorithms
Blocking operations
Memory leaks
Missing caching opportunities
N+1 query patterns

TypeScript/Type Safety

Missing type annotations
Use of any type
Custom types duplicating official types
Missing @types packages

Async/Promise Issues

Missing await keywords
Unhandled promise rejections
Callback hell

Dead Code

Unused imports and exports
Unused functions, classes, and methods
Unused variables and types
Unreachable code blocks
Unused files (not imported anywhere)
Unused dependencies

Tools:

JavaScript/TypeScript: npx knip --reporter json
Python: deadcode . --dry

Important: Always verify tool findings before reporting. Check for:

Dynamic imports (import(variable))
Framework patterns (React components, decorators)
Re-exports for public API
Entry points (CLI scripts, serverless handlers)

Resources

See the reference documents for complete methodologies:

references/audit-methodology.md - Full 6-phase audit process with detailed checklists
references/dead-code-methodology.md - Dead code detection tools, verification, and cleanup workflows

Quick Reference

Before Starting

Read project configuration files
Identify tech stack and libraries
Run existing linters as baseline
Create file tracking list

During Audit

Mark files as in-progress
Analyze each category systematically
Note specific line numbers
Document before/after examples
Mark files as completed

After Audit

Categorize all findings by priority
Generate comprehensive report
Save report to project root
Provide brief console summary

code-auditing

Install Skill

SKILL.md