Bug Audit
v1.1.0Comprehensive bug audit for Node.js web projects. Activate when user asks to audit, review, check bugs, find vulnerabilities, or do security/quality review o...
⭐ 0· 507·1 current·1 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name/description (Node.js bug audit) match the SKILL.md: it explicitly instructs reading code, building per-project tables, and running logic/flow checks. No unrelated binaries, env vars, or installs are requested — capabilities requested are proportionate to an audit tool.
Instruction Scope
The SKILL.md tells the agent to "Read all project files" and to exhaustively extract endpoints, state, timers, flows, and secrets — appropriate for an audit — but it does not explicitly constrain the file scope to a safe project root or forbid reading system/user files. The pre-scan found a prompt-injection pattern (see scan findings) inside SKILL.md which suggests the skill content itself attempts to influence agent instruction handling; together this raises risk that an agent could be directed to read or exfiltrate sensitive files outside the intended project.
Install Mechanism
Instruction-only skill with no install spec and no code executed by the platform. This minimizes supply-chain risk; README notes an optional git clone for manual install, which is user-driven and not executed automatically.
Credentials
The skill declares no required environment variables, no credentials, and no config paths. The audit content recommends searching source for secrets (expected for audits) but does not itself request external secrets or unrelated credentials.
Persistence & Privilege
Flags are default (always:false). The skill does not request permanent presence or system-wide config changes. No indication it will modify other skills or system settings.
Scan Findings in Context
[prompt-injection:ignore-previous-instructions] unexpected: The string pattern 'ignore-previous-instructions' was detected in SKILL.md. An auditing methodology should not need to instruct evaluators/agents to ignore host-level or platform safety instructions; this pattern is a prompt-injection signal and is not expected for a benign audit guide. It could be a benign authoring artifact, but it increases risk and should be investigated.
What to consider before installing
This skill appears coherent for its stated purpose (Node.js project audits) and has low operational footprint (no installs, no credentials). However: 1) Review the SKILL.md yourself before enabling — it contains a prompt-injection pattern; don't allow it to override platform safety policies. 2) Limit the agent's file access to the project root (do not grant access to your home directory, /etc, cloud credential files, or other projects). 3) Treat any reported secrets or credentials as sensitive — do not paste them into external tools or chat without redaction. 4) If you install the optional git clone from the README, inspect that repository before running. 5) Prefer running audits in an isolated environment (container or VM) if the agent will execute any commands or if the project may contain unknown scripts. If you need higher assurance, ask the skill author for explicit scoping language (e.g., "only read files under the current project directory") and removal of any instruction that attempts to override host/platform instructions.Like a lobster shell, security has layers — review code before you run it.
ai-agentvk971qywsjht4kv5x2jvmq6kfyn82c6vzautomationvk971qywsjht4kv5x2jvmq6kfyn82c6vzbug-detectionvk971qywsjht4kv5x2jvmq6kfyn82c6vzcode-reviewvk971qywsjht4kv5x2jvmq6kfyn82c6vzlatestvk971qywsjht4kv5x2jvmq6kfyn82c6vznodejsvk971qywsjht4kv5x2jvmq6kfyn82c6vzopenclawvk971qywsjht4kv5x2jvmq6kfyn82c6vzquality-assurancevk971qywsjht4kv5x2jvmq6kfyn82c6vzsecurity-auditvk971qywsjht4kv5x2jvmq6kfyn82c6vz
License
MIT-0
Free to use, modify, and redistribute. No attribution required.