claude-audit
v1.0.0
Full project audit — launches 5 parallel AI agents (security, bugs, dead code, architecture, performance) to scan your codebase read-only, then compiles a un...
⭐ 1 · 55 · 0 current · 0 all-time
by Atoullo Sohibzoda (@atobones)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Verdict: Benign (high confidence)
Purpose & Capability
Name/description (claude-audit / full project audit) align with the instructions and files. The skill only requires reading the codebase, detecting languages, running git diff for --changed, and launching sub-agents to analyze files — all coherent with an auditing tool. No unrelated environment variables, binaries, or config paths are requested.
Instruction Scope
The runtime instructions direct the orchestrator to scan the entire repo (respecting exclusions), run git diff HEAD~1 in --changed mode, read .auditignore, and inject the discovery context into the sub-agent prompts. Scanning is explicitly read-only, but the project also documents an interactive auto-fix flow that modifies files after explicit user approval (--fix). Important privacy note: to analyze a file, the agents must send its contents to the model provider, so any secret committed to the repo (config files, .env files, keys) is transmitted to the remote LLM service along with everything else unless it is excluded.
Install Mechanism
There is no complex install spec embedded in the skill. The repo includes an install.sh that downloads a single audit.md file from raw.githubusercontent.com and writes it into ~/.claude/commands or ./.claude/commands. raw.githubusercontent.com is a known release host. The README suggests the common 'curl | bash' one-liner. The installer itself is simple (creates the directory, downloads the file), and reviewing the included install.sh shows no hazardous behavior beyond the download and write; still, piping a remote script straight into bash executes whatever the host serves at fetch time, with no integrity check, so the safer habit is to download the script, read it, and only then run it.
Credentials
The skill requests no environment variables or credentials and does not depend on external services, which is proportionate to its purpose. However, because it reads the repository (including config files), it can reach any secret stored in the repo, and that secret becomes part of what is sent to the model during analysis unless you exclude it (for example via .auditignore) or remove it from the checkout first.
Persistence & Privilege
The skill is not always-enabled and is user-invocable. The installer writes a command file into the user's ~/.claude/commands or project ./.claude/commands directory, which is expected. It does not request system-wide changes beyond that and does not modify other skills or system config.
Assessment
This skill is internally consistent for a repo auditing tool: it only needs to read your files and run git when asked. Before installing or running it, consider:
1) Sensitive data exposure. The agents analyze file contents by sending them to the LLM provider. Remove or exclude secrets (use .auditignore or delete sensitive files from the working copy) if you do not want them transmitted.
2) Installer caution. The README recommends piping the included install.sh from GitHub to bash. The script is simple (it downloads audit.md), but avoid running arbitrary curl|bash commands from untrusted sources. Prefer the project-level install (./.claude/commands) if you want to limit the command's scope to one repository.
3) Auto-fix mode. Only use --fix or approve fixes after reviewing the proposed changes; run automated modifications on a clean branch so every edit shows up in a diff and can be reverted through version control.
If you want additional assurance, inspect audit.md locally before installing, or run the skill against a sandboxed copy of the repository.
Like a lobster shell, security has layers — review code before you run it.
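The privacy points in Instruction Scope, Credentials and item 1 above come down to one question: which files would the audit ship to the model, and do any of them look like they hold secrets? The following pre-flight check is an added example written for this page; it is not part of claude-audit and does not call it. It assumes .auditignore uses gitignore-style glob patterns (one per line, '#' comments, a trailing '/' meaning a directory), which is an assumption about a format the listing does not specify, and it layers a few always-exclude defaults and high-confidence secret patterns on top. The sample repository and .auditignore it runs on are constructed inline.

```python
"""Pre-audit exposure check (added example, not claude-audit's own code).

Lists which files a read-only audit would send to the model after applying
.auditignore, and flags sent files that look like they contain secrets.
Assumption: .auditignore is gitignore-style globs; the real tool may differ.
"""
import fnmatch
import re
from pathlib import Path

# High-confidence secret shapes. Constructed for this example; extend as needed.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "generic_assignment": re.compile(
        r"(?i)(?:api[_-]?key|secret|passw(?:or)?d|token)\s*[:=]\s*['\"][^'\"]{12,}['\"]"),
}

# Never-send defaults, applied even when .auditignore is empty (assumed policy).
DEFAULT_EXCLUDES = [".git/*", ".env", "*.pem", "*.key", "node_modules/*"]


def parse_auditignore(text):
    """Return the non-empty, non-comment patterns from .auditignore text."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.strip().startswith("#")]


def is_excluded(rel_path, patterns):
    """True if the posix-style relative path matches any pattern.

    A pattern ending in '/' excludes that directory wherever it appears in
    the path; other patterns are matched against the full path and basename.
    """
    name = rel_path.rsplit("/", 1)[-1]
    for pat in patterns:
        if pat.endswith("/"):
            if "/" + pat in "/" + rel_path:
                return True
        elif fnmatch.fnmatch(rel_path, pat) or fnmatch.fnmatch(name, pat):
            return True
    return False


def find_secrets(content):
    """Return (line_number, pattern_name) hits for one file's text."""
    hits = []
    for lineno, line in enumerate(content.splitlines(), 1):
        for pname, rx in SECRET_PATTERNS.items():
            if rx.search(line):
                hits.append((lineno, pname))
    return hits


def preflight(files, auditignore_text=""):
    """files: mapping of posix relative path -> text content.

    Returns (sent, skipped, flagged): the sorted paths that would be sent,
    the paths excluded, and {path: hits} for sent files that look secret-bearing.
    """
    patterns = DEFAULT_EXCLUDES + parse_auditignore(auditignore_text)
    sent, skipped, flagged = [], [], {}
    for rel, content in sorted(files.items()):
        if is_excluded(rel, patterns):
            skipped.append(rel)
            continue
        sent.append(rel)
        hits = find_secrets(content)
        if hits:
            flagged[rel] = hits
    return sent, skipped, flagged


def load_tree(root):
    """Read a real checkout into the mapping preflight() expects (text files only)."""
    root = Path(root)
    files = {}
    for p in root.rglob("*"):
        if p.is_file():
            try:
                files[p.relative_to(root).as_posix()] = p.read_text(encoding="utf-8")
            except UnicodeDecodeError:
                continue  # binary file; not inspected by this example
    return files


# Constructed sample repository: one env-var read (fine), one hard-coded
# password (flagged), and several files that the exclusions keep out.
SAMPLE_FILES = {
    "src/app.py": "import os\nKEY = os.environ['API_KEY']\n",
    "config/settings.py": "DB_PASSWORD = 'hunter2hunter2hunter2'\n",
    "deploy/creds.txt": "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n",
    "certs/server.pem": "-----BEGIN PRIVATE KEY-----\nMIIB...\n",
    ".env": "GITHUB_TOKEN=ghp_" + "a" * 36 + "\n",
    ".git/config": "[core]\n",
}
SAMPLE_AUDITIGNORE = "# local exclusions\ndeploy/\n"

if __name__ == "__main__":
    sent, skipped, flagged = preflight(SAMPLE_FILES, SAMPLE_AUDITIGNORE)
    print("would be sent:", sent)
    print("excluded:", skipped)
    for path, hits in flagged.items():
        print(f"REVIEW before auditing {path}: {hits}")
```

Run it as-is to see the constructed sample, or replace SAMPLE_FILES with load_tree(".") and SAMPLE_AUDITIGNORE with the contents of your own .auditignore to see exactly which paths an audit would transmit. A flagged file is a prompt to either add an exclusion or move the secret out of the repo, not proof of a leak; the env-var read in src/app.py is deliberately left unflagged because reading a variable by name sends no secret value.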
latest: vk97cx8h27a35qp4tnf0ar77rxs83qaza
Runtime requirements
🔍 Clawdis
OS: macOS · Linux · Windows
