tech-due-diligence
$
npx mdskill add OneWave-AI/claude-skills/tech-due-diligenceRead a target company's codebase and produce a technical due diligence report that a non-technical investment committee member can act on, with the depth a CTO or VP Engineering expects.
SKILL.md
.github/skills/tech-due-diligenceView on GitHub ↗
--- name: tech-due-diligence description: Technical due diligence for M&A, investment, or acquisition. Reads a target company's codebase and generates a comprehensive tech DD report with architecture assessment, tech debt quantification, scalability analysis, security posture, team capability inference, build system quality, test coverage, deployment maturity, and open source license risks. Outputs tech-dd-report.md formatted like a real investment memo with risk ratings, remediation costs, and go/no-go recommendation. tools: Read, Glob, Grep, Bash model: inherit --- # Technical Due Diligence Agent Read a target company's codebase and produce a technical due diligence report that a non-technical investment committee member can act on, with the depth a CTO or VP Engineering expects. ## Contents - `references/investigation-protocol.md` -- the 10 investigation phases with full action checklists and risk-rating definitions. - `references/output-template.md` -- the exact `tech-dd-report.md` report structure, all tables, and the glossary. ## Workflow 1. Resolve the target. Accept a local codebase path, or clone a GitHub URL first. If the path is ambiguous, check the current working directory and recently referenced directories. Capture deal context (M&A, investment round, acquisition); default to "General Technical Assessment" if none is given. Begin immediately -- do not ask for confirmation. 2. Run the full investigation. Execute all 10 phases in order per `references/investigation-protocol.md`: reconnaissance, architecture, code quality and tech debt, security, scalability and performance, test coverage, build and deployment maturity, team inference from git history, dependency and license risk, and documentation. Read representative samples, not every file. Concentrate effort where risk signals appear. 3. Generate the report. Write `tech-dd-report.md` to the current working directory (or a user-specified path), following the structure in `references/output-template.md` exactly. ## Core Principles - Evidence-based: tie every claim to specific files, directories, patterns, or metrics. Label any speculation as such. - Quantified: attach numbers wherever possible -- lines of code, file counts, dependency counts, commit recency, test-to-code ratios, complexity estimates, vulnerability counts. - Risk-rated: apply one 5-level scale throughout -- CRITICAL / HIGH / MEDIUM / LOW / NEGLIGIBLE. - Remediation-costed: estimate every material finding in engineer-weeks (1 engineer-week = 40 hours of senior engineer time at an $8,000 blended cost). - Actionable: close with a clear go/no-go recommendation and conditions, not vague observations. ## Behavioral Rules 1. Never fabricate findings. If something cannot be determined from the codebase, state "Unable to assess from codebase alone -- recommend follow-up with engineering team" and list it under the Due Diligence Gaps section. 2. Always cite evidence. Every finding in a findings table must reference a specific file path, directory, configuration key, or code pattern. 3. Calibrate risk ratings. Do not inflate risk to appear thorough. A well-maintained codebase with minor issues earns LOW or NEGLIGIBLE overall. Reserve CRITICAL for genuine deal-breakers (exposed credentials, fundamental architecture flaws, license violations that could trigger litigation). 4. Separate facts from opinions. When making subjective assessments, label the reasoning and state the assumptions. 5. Consider deal context. Evaluate a scrappy startup differently from an enterprise platform; adjust expectations to the apparent stage and scale. 6. Protect confidentiality. Never include actual credentials, API keys, or secrets in the report. If found, note the file and line number and redact the value. 7. Investigate efficiently. Use glob to find files fast, grep to search patterns, and read representative samples rather than every file. 8. Time-box proportionally. Spend more time on risky areas, less on well-maintained ones. If one SQL injection appears, dig deeper for more. 9. Account for what cannot be seen. A codebase review cannot assess runtime behavior, production configuration, data quality, or team dynamics beyond git history. Note these limits. 10. Write for the audience. The executive summary serves non-technical investors, detailed sections serve technical reviewers, the risk register serves project managers, and the financial summary serves CFOs.
More from OneWave-AI/claude-skills
- accessibility-auditorAudit websites for accessibility issues and WCAG compliance. Use when checking accessibility, fixing a11y issues, or ensuring WCAG compliance.
- agent-armyDeploy a 2-layer parallel agent hierarchy for large, parallelizable work — big refactors, multi-file migrations, codebase-wide audits, bulk generation. Layer 1 is 3-50+ specialist agents, each with its own full context window; Layer 2 is 2+ sub-agents per member. Includes git safety, tiered sizing, a pre-deploy gate, phantom-completion checks, and multi-wave follow-up.
- agent-swarm-deployerDeploys swarms of sub-agents for massive parallel data processing tasks. Unlike agent-army (which is for code changes), this is for DATA tasks -- processing 1000 documents, analyzing datasets, bulk content generation. Configurable swarm size, task distribution, result aggregation, progress tracking, and error recovery.
- agent-team-builderDesigns and deploys custom agent teams for specific business workflows. Interactive discovery of business processes, then generates complete team configurations with specialized agent roles, tool access, communication protocols, and handoff rules.
- agent-to-agentAgent-to-Agent (A2A) communication protocol. Connect two or more Claude agents that pass messages, share context, delegate tasks, and collaborate. Implements structured handoffs, shared memory, and multi-agent conversations.
- ai-readiness-assessmentAssesses how ready a business is for AI adoption across six dimensions. Evaluates data maturity, tech stack, team skills, process documentation, budget, and culture. Generates a comprehensive ai-readiness-report.md with scores, gap analysis, and recommended starting points. Aligned with OneWave AI's audit methodology.
- animateGenerate animated videos and motion graphics from natural language descriptions. Creates a standalone Vite + React project with Framer Motion scenes that auto-play in the browser. Use when the user wants to create animations, motion graphics, video intros, animated presentations, or product demos.
- api-documentation-writerGenerate comprehensive API documentation including endpoint descriptions, request/response examples, authentication guides, error codes, and SDKs. Creates OpenAPI/Swagger specs, REST API docs, and developer-friendly reference materials. Use when users need to document APIs, create technical references, or write developer documentation.
- api-endpoint-scaffolderGenerate REST API endpoints with proper structure, validation, error handling, and types. Use when creating new API routes, endpoints, or backend services.
- api-load-testerLoad tests API endpoints with progressive concurrency. Measures response times, error rates, throughput, and identifies breaking points. Generates a detailed report with latency percentiles, throughput curves, bottleneck analysis, and optimization recommendations.