{"manifest":{"name":"Code Health Auditor","version":"1.0.0","description":"Run a full codebase health check in one command: dependency CVEs, security scan, complexity hotspots, and test coverage gaps. Produces a graded health report with prioritized fixes.","tags":["code-quality","audit","security","testing","devops","workflow"],"standard":"agentskills.io","standard_version":"1.0","content_checksum":"955043194f4d102a0c4310195f3a2217ab3cd5d65dd233721393e08e26c33f10","bundle_checksum":null,"metadata":{},"files":[]},"files":{"SKILL.md":"# Code Health Auditor\n\n> **Purpose:** Run a comprehensive codebase health check in one command. Orchestrates four analysis passes — dependency audit, security scan, complexity analysis, and test coverage — and produces a unified, graded health report with prioritized action items. The \"annual physical\" for your codebase.\n\n---\n\n## Invocation\n\n```\n/health [path]\n```\n\n**Examples:**\n- `/health` — audit the entire current directory\n- `/health src/` — audit a specific subdirectory\n- `/health --quick` — skip complexity analysis, just deps + security\n\n---\n\n## Analysis Passes\n\n### Pass 1: Dependency Audit\n\nRun the ecosystem's audit tool, chosen by lockfile. Every tool below exits non-zero when it finds vulnerabilities, so never chain them with `||` (the fallback would run exactly when the first tool found something), and keep stderr so a missing tool is reported rather than hidden:\n\n```bash\n# Node.js: pick by lockfile; `npm audit` exits 1 on findings, so `|| yarn audit` would run on every real hit\n[ -f package-lock.json ] && npm audit --json\n[ -f yarn.lock ] && yarn audit --json\n\n# Python: pip-audit, or safety if that is what the project uses (both exit non-zero on findings)\npip-audit --format json\n# safety check --json\n\n# Go\ngovulncheck ./...\n\n# Ruby\nbundle audit\n```\n\nCheck for:\n- CVEs with CVSS score ≥ 7.0 (High/Critical) → **CRITICAL**\n- CVEs with CVSS score 4.0–6.9 (Medium) → **HIGH**\n- Packages more than 2 major versions behind → **MEDIUM**\n- Packages more than 1 minor version behind → **LOW**\n- Packages with 0 downloads in 6 months (zombie deps) → **LOW**\n- License violations (GPL in commercial project, etc.) → **HIGH**\n\n---\n\n### Pass 2: Security Scan\n\nPattern-based scan across all source files:\n\n**Hardcoded secrets:**\n```\npatterns: /(?:api_key|secret|password|token|auth)\\s*=\\s*['\"][^'\"]{8,}['\"]/i\n```\n\n**SQL injection:**\n```\npatterns: string interpolation inside SQL strings, format strings with user input\n```\n\n**Command injection:**\n```\npatterns: os.system/exec.Command/shell=True with non-constant arguments\n```\n\n**OWASP Top 10 patterns:**\n- A01 Broken Access Control — missing auth checks on routes\n- A02 Cryptographic Failures — MD5/SHA1 for password hashing\n- A03 Injection — SQL, command, LDAP, XPath\n- A05 Security Misconfiguration — debug mode on, verbose errors in prod\n- A07 Identification and Authentication Failures — hardcoded credentials, weak token generation\n\n---\n\n### Pass 3: Complexity Hotspots\n\nScan source files for complexity indicators:\n\n| Metric | Warning Threshold | Critical Threshold |\n|--------|------------------|--------------------|\n| Function length | > 50 lines | > 100 lines |\n| File length | > 300 lines | > 500 lines |\n| Nesting depth | > 3 levels | > 5 levels |\n| Function arguments | > 5 params | > 8 params |\n| Duplicate blocks | > 10 lines identical | > 20 lines identical |\n\nReport top 10 most complex files ranked by violation count.\n\n---\n\n### Pass 4: Test Coverage Assessment\n\nIdentify coverage gaps without running the full suite:\n\n```bash\n# Check for test files\nfind . -name \"*.test.*\" -o -name \"*.spec.*\" -o -name \"*_test.*\" | head -50\n```\n\nCross-reference against source files to find:\n- Source files with **no corresponding test file** → flagged\n- Recently modified files with no recent test changes → flagged\n- Critical paths with no tests: auth, payments, data mutations → **HIGH**\n\n---\n\n## Output Format\n\n````markdown\n# Code Health Report — [date]\n**Path:** [audited path]\n**Languages:** [detected]\n\n---\n\n## Overall Grade: [A / B / C / D / F]\n\n| Category | Score | Issues |\n|----------|-------|--------|\n| Dependencies | 90/100 | 1 outdated |\n| Security | 75/100 | 1 HIGH, 2 MEDIUM |\n| Complexity | 85/100 | 3 complex files |\n| Test Coverage | 60/100 | 8 untested modules |\n| **Overall** | **77/100** | **C** |\n\n---\n\n## 🔴 Critical — Fix Immediately\n\n[List of CRITICAL findings with file:line and fix command]\n\n---\n\n## 🟡 High — Fix This Sprint\n\n[List of HIGH findings]\n\n---\n\n## 🔵 Medium — Track in Backlog\n\n[List of MEDIUM findings]\n\n---\n\n## 💚 Low — Nice to Have\n\n[List of LOW findings]\n\n---\n\n## Quick Wins\n\nCommands you can run right now to fix the easiest issues:\n\n```bash\nnpm audit fix          # Auto-fix compatible CVEs\nnpm update --save      # Update to latest compatible versions\n```\n\n---\n\n## Trend\n\n[If run previously: show improvement/regression since last run]\n````\n\n---\n\n## Grading Scale\n\n| Score | Grade | Meaning |\n|-------|-------|---------|\n| 90-100 | A | Excellent — production-ready |\n| 80-89 | B | Good — minor improvements needed |\n| 70-79 | C | Fair — some attention required |\n| 60-69 | D | Poor — significant issues |\n| < 60 | F | Critical — immediate action needed |\n\n---\n\n## Rules\n\n- Run all passes even if one fails — partial results are better than no results\n- Critical/High findings always surfaced first regardless of category\n- Quick Wins section must include actual runnable commands, not vague suggestions\n- If no test files found at all: automatically rate Test Coverage as 0/100 (F)\n- Never fail silently — if a tool is missing, note it and skip that check with a warning\n- Security findings always overrule the grade — one CRITICAL finding caps at D\n\n## Playground\n\n<!DOCTYPE html><html><head><meta charset='utf-8'><style>*{box-sizing:border-box;margin:0;padding:0}body{background:#0d1117;color:#e6edf3;font-family:monospace;font-size:12px;height:100vh;display:flex;flex-direction:column;overflow:hidden}.header{background:#161b22;border-bottom:1px solid #30363d;padding:8px 14px;font-size:11px;color:#8b949e;display:flex;justify-content:space-between;align-items:center;flex-shrink:0}.title{color:#58a6ff;font-weight:bold;font-size:13px}.panels{display:flex;flex:1;overflow:hidden}.panel{flex:1;overflow:auto;padding:12px;border-right:1px solid #30363d}.panel:last-child{border-right:none}.label{font-size:10px;color:#8b949e;text-transform:uppercase;letter-spacing:.08em;margin-bottom:6px}pre{white-space:pre-wrap;word-break:break-word;line-height:1.5}</style></head><body><div class='header'><span class='title'>Code Health Auditor</span><span>Example · SkillSlap</span></div><div class='panels'><div class='panel'><div class='label'>Input: File stats</div><pre><span style='color:#8b949e'>File: src/lib/orders.ts</span>\n<span style='color:#8b949e'>Lines: 847</span>\n<span style='color:#8b949e'>Functions: 34</span>\n<span style='color:#8b949e'>Longest fn: processAllOrders (312 ln)</span>\n<span style='color:#8b949e'>Test coverage: 41%</span>\n<span style='color:#8b949e'>Last modified: 6 months ago</span>\n<span style='color:#8b949e'>Dependencies: 11 imports</span></pre></div><div class='panel'><div class='label'>Output: Health report</div><pre><span style='color:#f85149'>🔴 Complexity — 847 lines in one file</span>\n<span style='color:#f85149'>   God file smell. Split by concern:</span>\n<span style='color:#f85149'>   query / submit / process</span>\n\n<span style='color:#f85149'>🔴 Function length — processAllOrders</span>\n<span style='color:#f85149'>   312 lines. Critical threshold: 100.</span>\n<span style='color:#f85149'>   Extract into pipeline steps.</span>\n\n<span style='color:#e3b341'>🟡 Coverage — 41% (target &gt;80%)</span>\n<span style='color:#e3b341'>   Focus: processAllOrders has 0%.</span>\n<span style='color:#e3b341'>   Add table-driven tests first.</span>\n\n<span style='color:#3fb950'>✅ Stable — no churn in 6 months.</span>\n<span style='color:#3fb950'>   Good time to safely refactor.</span>\n\n<span style='color:#8b949e'>Priority: split file → test → refactor</span></pre></div></div></body></html>"}}
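Worked example for Pass 1 (Dependency Audit) together with the Grading Scale and Rules of the SKILL.md above. It is added here and is not part of the skill: it parses a document in the shape of `npm audit --json` output (npm 7+, `auditReportVersion` 2; the sample below is constructed, not real tool output, and the format itself is an assumption), maps CVSS scores to the skill's severity tiers, sorts Critical/High first, and applies the rule that one CRITICAL finding caps the overall grade at D. Three details the page leaves open are filled in as labelled assumptions: CVSS below 4.0 is filed as LOW, the overall score is the truncated mean of the four category scores, and the D cap is implemented as a ceiling of 69.

```python
"""Pass 1 classification plus grading, as an added example (not the skill's code).
SAMPLE_NPM_AUDIT is constructed in the shape of `npm audit --json` output
(npm 7+, auditReportVersion 2); that format is an assumption of this example."""
import json

SAMPLE_NPM_AUDIT = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        "lodash": {
            "name": "lodash", "severity": "high", "isDirect": True,
            "via": [{"title": "Prototype Pollution", "cvss": {"score": 7.4}}],
            "fixAvailable": True,
        },
        "minimist": {
            "name": "minimist", "severity": "moderate", "isDirect": False,
            "via": [{"title": "Prototype Pollution", "cvss": {"score": 5.6}}],
            "fixAvailable": True,
        },
        "ws": {
            "name": "ws", "severity": "low", "isDirect": True,
            # npm lists a transitive cause as a bare package name; it is counted under that package
            "via": [{"title": "ReDoS", "cvss": {"score": 3.7}}, "minimist"],
            "fixAvailable": False,
        },
    },
})

GRADE_SCALE = ((90, "A"), (80, "B"), (70, "C"), (60, "D"))  # Grading Scale table; below 60 is F
RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}


def severity_from_cvss(score):
    """Pass 1 thresholds: >= 7.0 CRITICAL, 4.0-6.9 HIGH.
    The skill does not tier CVSS < 4.0; this example files it as LOW (assumption)."""
    if score >= 7.0:
        return "CRITICAL"
    if score >= 4.0:
        return "HIGH"
    return "LOW"


def classify_npm_audit(report_json):
    """Return (severity, package, cvss, title, fix_available) per advisory,
    Critical/High first as the Rules section requires."""
    findings = []
    for pkg in json.loads(report_json).get("vulnerabilities", {}).values():
        for via in pkg.get("via", []):
            if not isinstance(via, dict):      # bare string: transitive cause, already counted elsewhere
                continue
            score = float((via.get("cvss") or {}).get("score") or 0.0)
            findings.append((severity_from_cvss(score), pkg["name"], score,
                             via.get("title", ""), bool(pkg.get("fixAvailable"))))
    return sorted(findings, key=lambda f: (RANK[f[0]], -f[2], f[1]))


def letter_grade(score):
    for floor, letter in GRADE_SCALE:
        if score >= floor:
            return letter
    return "F"


def overall_grade(category_scores, findings):
    """Truncated mean of the category scores (reproduces the 77/100 of the Output
    Format example); any CRITICAL finding caps the result at 69, i.e. grade D."""
    score = int(sum(category_scores.values()) / len(category_scores))
    if any(f[0] == "CRITICAL" for f in findings):
        score = min(score, 69)
    return score, letter_grade(score)


def quick_wins(findings):
    """Runnable command for the Quick Wins section when npm reports a fix."""
    return ["npm audit fix"] if any(f[4] for f in findings) else []


if __name__ == "__main__":
    hits = classify_npm_audit(SAMPLE_NPM_AUDIT)
    for sev, name, cvss, title, _ in hits:
        print(f"{sev:<8} {name:<10} CVSS {cvss:<4} {title}")
    print(overall_grade({"Dependencies": 90, "Security": 75, "Complexity": 85, "Test Coverage": 60}, hits))
```

Feed it the captured `audit.json` instead of the sample and the same table comes out of a real run; the category scores themselves still come from the other passes, this block only combines them.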
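Worked example for Pass 2 (Security Scan) of the SKILL.md above, restricted to Python source. It is added illustration, not the skill's own scanner: the hardcoded-secret check runs the page's regex verbatim line by line, while the two injection rules ("non-constant arguments" to a shell sink, "string interpolation inside SQL strings") are decided on the AST so that a parameterised query or a list-form `subprocess.run` is not flagged. The sink list, the `scan_source` name and `SAMPLE_SOURCE` are this example's own constructions.

```python
"""Pass 2 checks for Python files, as an added example (not the skill's code).
Secrets: the skill's regex, line by line. Injection: decided on the AST."""
import ast
import re

# The secrets pattern from Pass 2, verbatim.
SECRET_RE = re.compile(r"""(?:api_key|secret|password|token|auth)\s*=\s*['"][^'"]{8,}['"]""", re.I)
SQL_VERB_RE = re.compile(r"^\s*(?:select|insert|update|delete)\b", re.I)
SHELL_SINKS = {"os.system", "os.popen"}   # always go through a shell (assumed sink list)
SUBPROCESS_PREFIX = "subprocess."         # only a shell sink with shell=True

# Constructed sample; line numbers are referenced by the checks below.
SAMPLE_SOURCE = '''import os, subprocess
API_TOKEN = "sk_live_0123456789abcdef"
password = "hunter2"
def run(user_cmd):
    os.system("ls -l")
    os.system("ls " + user_cmd)
    subprocess.run(["ls", user_cmd])
    subprocess.run(f"ls {user_cmd}", shell=True)
def lookup(conn, name):
    conn.execute("SELECT * FROM users WHERE name = ?", (name,))
    conn.execute(f"SELECT * FROM users WHERE name = '{name}'")
    conn.execute("DELETE FROM users WHERE id = %s" % name)
'''


def _callee(func):
    """'os.system' for os.system(...), 'conn.execute' for conn.execute(...), else ''."""
    if isinstance(func, ast.Attribute):
        base = func.value.id if isinstance(func.value, ast.Name) else "<expr>"
        return f"{base}.{func.attr}"
    return func.id if isinstance(func, ast.Name) else ""


def _static_prefix(node):
    """Leading literal text of a string built at runtime (f-string, %, +, .format),
    or None when the argument is not interpolated at all."""
    if isinstance(node, ast.JoinedStr):
        if not any(isinstance(v, ast.FormattedValue) for v in node.values):
            return None                                  # f"literal" with no placeholders
        first = node.values[0]
        return str(first.value) if isinstance(first, ast.Constant) else ""
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Mod, ast.Add)):
        return str(node.left.value) if isinstance(node.left, ast.Constant) else ""
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute) and node.func.attr == "format":
        return str(node.func.value.value) if isinstance(node.func.value, ast.Constant) else ""
    return None


def _shell_true(call):
    return any(kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True
               for kw in call.keywords)


def scan_source(path, source):
    """Return (path, line, category) findings for one file, ordered by line."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        if SECRET_RE.search(line):
            findings.append((path, lineno, "hardcoded-secret"))
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or not node.args:
            continue
        callee, arg0 = _callee(node.func), node.args[0]
        if callee in SHELL_SINKS or (callee.startswith(SUBPROCESS_PREFIX) and _shell_true(node)):
            if not isinstance(arg0, ast.Constant):       # "non-constant arguments"
                findings.append((path, node.lineno, "command-injection"))
        elif callee.endswith(".execute"):
            prefix = _static_prefix(arg0)                # "string interpolation inside SQL strings"
            if prefix is not None and SQL_VERB_RE.match(prefix):
                findings.append((path, node.lineno, "sql-injection"))
    return sorted(findings, key=lambda f: f[1])


if __name__ == "__main__":
    for path, line, category in scan_source("app.py", SAMPLE_SOURCE):
        print(f"{path}:{line}: {category}")
```

Two caveats the sample makes visible: `password = "hunter2"` on line 3 is missed because the page's regex demands at least eight characters, and the same regex only matches `=` assignments, so a `token: "..."` in YAML or JSON config is not caught either; tighten the pattern or add a second one before relying on it.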
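Worked example for Pass 4 (Test Coverage Assessment) and the "no test files at all: 0/100" rule of the SKILL.md above. It is added here and is not the skill's code: it takes a file listing with ages in days (constructed below, standing in for `find` output plus mtimes), recognises tests by the same `.test.*` / `.spec.*` / `*_test.*` names as the page's `find` command plus pytest's `test_` prefix, pairs each source file with its test by stem, and flags the three cases the page lists. Severities not given on the page are assumptions: MEDIUM for a plain missing test, LOW for stale tests, and the coverage score is the percentage of source files that have a test.

```python
"""Pass 4 cross-reference, as an added example (not the skill's code).
SAMPLE_TREE is a constructed listing: path -> days since last modification."""
import re
from pathlib import PurePosixPath

SAMPLE_TREE = {
    "src/auth/login.py": 2,
    "src/orders.py": 1,
    "tests/test_orders.py": 45,
    "src/utils/format.ts": 90,
    "src/utils/format.spec.ts": 90,
    "src/payments/charge.ts": 10,
    "src/payments/charge.test.ts": 9,
    "src/report.go": 5,
    "lib/helpers.go": 3,
    "lib/helpers_test.go": 3,
    "README.md": 200,
}

SOURCE_SUFFIXES = {".py", ".ts", ".js", ".go", ".rb"}
CRITICAL_SEGMENTS = {"auth", "payments"}   # named by the skill; "data mutations" needs call data, out of scope here
# Same conventions as the skill's `find -name` patterns, plus pytest's test_<name> prefix.
TEST_NAME_RE = re.compile(r"^(?:test_(?P<pre>.+)|(?P<post>.+?)(?:\.test|\.spec|_test))\.[A-Za-z0-9]+$")


def test_stem(filename):
    """'charge.test.ts' -> 'charge', 'test_orders.py' -> 'orders', non-test -> None."""
    m = TEST_NAME_RE.match(filename)
    return (m.group("pre") or m.group("post")) if m else None


def find_untested(tree, recent_days=30):
    """Return (findings, score): findings are (severity, path, reason) with the
    highest severity first; score is the percent of source files with a matching
    test (assumed scoring), forced to 0 when the tree has no test files (skill rule)."""
    tests = {}
    for path, age in tree.items():
        stem = test_stem(PurePosixPath(path).name)
        if stem is not None:
            tests[stem] = (path, age)
    sources = [p for p in tree
               if PurePosixPath(p).suffix in SOURCE_SUFFIXES and test_stem(PurePosixPath(p).name) is None]
    findings, covered = [], 0
    for path in sources:
        hit = tests.get(PurePosixPath(path).stem)
        if hit is None:
            if set(PurePosixPath(path).parts) & CRITICAL_SEGMENTS:
                findings.append(("HIGH", path, "no test file (critical path)"))
            else:
                findings.append(("MEDIUM", path, "no test file"))      # severity assumed; page says "flagged"
            continue
        covered += 1
        test_path, test_age = hit
        if tree[path] <= recent_days < test_age:                        # source moved, its tests did not
            findings.append(("LOW", path, f"modified {tree[path]}d ago, {test_path} last touched {test_age}d ago"))
    rank = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}
    findings.sort(key=lambda f: (rank[f[0]], f[1]))
    if not tests:
        score = 0
    elif not sources:
        score = 100
    else:
        score = round(100 * covered / len(sources))
    return findings, score


if __name__ == "__main__":
    found, score = find_untested(SAMPLE_TREE)
    for severity, path, reason in found:
        print(f"{severity:<7} {path}: {reason}")
    print(f"Test Coverage: {score}/100")
```

Matching by stem alone, like the page's `find`, is deliberately cheap; it also means two sources named `utils.py` in different packages share one test entry, so on a large tree compare directory-relative paths or read the test's imports before trusting a "covered" result.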