A2a Code Audit
v1.0.1
Audit Python and JavaScript code for security vulnerabilities, style issues, and bugs using static analysis tools and provide a detailed structured report.
MIT-0
Security Scan
OpenClaw
Benign (high confidence)
Purpose & Capability
Name and description match the declared behavior: static analysis of Python and JS/TS using pattern matching and heuristics. No unrelated environment variables, binaries, or installs are requested.
Instruction Scope
SKILL.md stays within scope (identifies patterns like eval, hardcoded keys, SQL injection, etc.). It does reference using the 'platform exec tool' but does not explicitly limit which files or system paths to read; confirm the agent will only analyze code you provide and will not be instructed to read arbitrary filesystem paths or environment variables.
Install Mechanism
Instruction-only skill with no install spec and no code files — nothing is written to disk by an installer. This is the lowest-risk install profile.
Credentials
No environment variables, credentials, or config paths are requested. The checks listed (hardcoded creds, keys) are consistent with the stated auditing purpose.
Persistence & Privilege
The 'always' flag is false and the skill is user-invocable, with normal autonomous invocation allowed. It requests no permanent system presence and does not modify other skills' configs.
Assessment
This skill appears coherent for lightweight, pattern-based code review. Before installing or running it: provide only the exact code you want analyzed (do not hand it whole repositories or files containing secrets); confirm how the platform 'exec' tool is sandboxed and which commands it may run; review the generated report manually, since regex-style scans produce both false positives and false negatives; and for high-risk or sensitive projects run a dedicated offline static analyzer (for example Bandit for Python or ESLint with security rules for JavaScript) rather than relying on this skill alone.
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
SKILL.md
Code Audit & Security Scan
Static code analysis for security vulnerabilities, style violations, and bugs.
When to Use
Trigger on: "audit code", "scan for bugs", "security check", "code review", "find vulnerabilities"
What This Does
- Analyzes code for common security issues
- Checks for style violations
- Identifies potential bugs
- Returns structured report with severity levels
Supported Languages
- Python
- JavaScript/TypeScript
Workflow
Step 1: Receive Code
Get code to analyze + language.
Step 2: Static Analysis
Analyze using pattern matching and heuristics:
Python checks:
- Use of eval(), exec(), __import__()
- Hardcoded credentials
- SQL injection risks
- Path traversal
- Insecure random
JS/TS checks:
- eval() usage
- innerHTML without sanitization
- Hardcoded API keys
- console.log in production code
Step 3: Scoring
Score = 100 - (sum of severity_weight over all issues found), floored at 0
Verdict: PASS (>80), WARN (50-80), FAIL (<50)
Step 4: Present Results
## Code Audit: [language]
### Summary
| Metric | Value |
|--------|-------|
| Score | [X]/100 |
| Verdict | [PASS/WARN/FAIL] |
| Issues | [N] |
### Issues
1. [SEVERITY] [issue description] (line [N])
2. ...
### Recommendations
- [fix suggestions]
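The four workflow steps above, as a runnable reference implementation added for this page (it is not the skill's own code, which is instruction-only): regex rules for the listed Python and JS/TS checks, a line-by-line scan that skips comment lines, the scoring formula, and the report template. The page does not fix the severity weights, so the values 15/10/5 used here are an assumption, chosen so that one HIGH, one MEDIUM and one LOW finding costs 30 points and reproduces the 70/100 of the page's sample report. The two sample inputs are constructed for the example.

```python
import re
from dataclasses import dataclass

# Assumed severity weights: the page leaves them unspecified. These values
# make HIGH + MEDIUM + LOW cost 30 points, matching the page's 70/100 sample.
WEIGHTS = {"HIGH": 15, "MEDIUM": 10, "LOW": 5}


@dataclass
class Finding:
    severity: str
    message: str
    fix: str
    line: int


# Per-language rules: (severity, description, recommended fix, regex). These are
# line-level heuristics, not a parser: a hit inside a string literal or docstring
# is still reported, and a call split across several lines is missed.
RULES = {
    "python": [
        ("HIGH", "eval()/exec() on dynamic input", "Replace eval()/exec() with ast.literal_eval() or explicit dispatch",
         re.compile(r"\b(eval|exec)\s*\(")),
        ("HIGH", "dynamic import via __import__()", "Use importlib with an allow-list of module names",
         re.compile(r"\b__import__\s*\(")),
        ("HIGH", "SQL built with string formatting", "Pass values as query parameters, never via %, + or .format()",
         re.compile(r"""\.execute\s*\(\s*(f["']|.*["']\s*[%+]|.*\.format\s*\()""")),
        ("MEDIUM", "hardcoded credential", "Load secrets from the environment or a secret store",
         re.compile(r"""(?i)\b(password|passwd|secret|api_key|token)\s*=\s*["'][^"']+["']""")),
        ("MEDIUM", "open() on request/argv input (possible path traversal)", "Resolve the path and verify it stays under the base directory",
         re.compile(r"\bopen\s*\(\s*[^)]*(request\.|input\(|argv)")),
        ("MEDIUM", "random module used where unpredictability matters", "Use the secrets module for tokens, keys and passwords",
         re.compile(r"\brandom\.(random|randint|choice|randrange)\s*\(")),
    ],
    "javascript": [
        ("HIGH", "eval() usage", "Remove eval(); use JSON.parse() or a real parser for input",
         re.compile(r"\beval\s*\(")),
        ("HIGH", "innerHTML assignment (XSS if the value is not sanitized)", "Use textContent, or sanitize with a vetted library first",
         re.compile(r"\.innerHTML\s*=")),
        ("MEDIUM", "hardcoded API key", "Move the key to server-side configuration",
         re.compile(r"""(?i)\b(api[_-]?key|secret|token)\s*[:=]\s*["'][^"']+["']""")),
        ("LOW", "console.log left in code", "Remove console.log or route output through a logger",
         re.compile(r"\bconsole\.log\s*\(")),
    ],
}
RULES["typescript"] = RULES["javascript"]  # same rule set for TS


def scan(code: str, language: str) -> list[Finding]:
    """Step 2: run every rule for the language against each line of the code."""
    lang = language.lower()
    comment = "#" if lang == "python" else "//"
    findings = []
    for lineno, line in enumerate(code.splitlines(), start=1):
        if line.lstrip().startswith(comment):
            continue  # commented-out code is noise, not a live finding
        for severity, message, fix, pattern in RULES[lang]:
            if pattern.search(line):
                findings.append(Finding(severity, message, fix, lineno))
    return findings


def score(findings: list[Finding]) -> int:
    """Step 3: 100 minus the summed weights, floored at 0 so it cannot go negative."""
    return max(0, 100 - sum(WEIGHTS[f.severity] for f in findings))


def verdict(total: int) -> str:
    return "PASS" if total > 80 else "WARN" if total >= 50 else "FAIL"


def report(code: str, language: str) -> str:
    """Step 4: render the page's report template as markdown, worst findings first."""
    findings = sorted(scan(code, language), key=lambda f: (-WEIGHTS[f.severity], f.line))
    total = score(findings)
    out = [f"## Code Audit: {language}", "### Summary", "| Metric | Value |",
           "|--------|-------|", f"| Score | {total}/100 |",
           f"| Verdict | {verdict(total)} |", f"| Issues | {len(findings)} |", "### Issues"]
    out += [f"{i}. {f.severity}: {f.message} (line {f.line})" for i, f in enumerate(findings, start=1)]
    out.append("### Recommendations")
    out += [f"- {fix}" for fix in dict.fromkeys(f.fix for f in findings)]  # deduplicated, in order
    out.append("Limitations: line-level pattern matching; expect false positives and negatives.")
    return "\n".join(out)


# Constructed sample inputs for this example.
SAMPLE_PY = """import os
result = eval(user_expr)
import random
token = random.randint(0, 10**9)
password = "hunter2"
cur.execute("SELECT * FROM users WHERE name = '%s'" % name)
"""
SAMPLE_JS = """const apiKey = "sk-live-0000";
el.innerHTML = userInput;
console.log("debug");
"""

if __name__ == "__main__":
    print(report(SAMPLE_PY, "python"))
    print(report(SAMPLE_JS, "javascript"))
```

On the constructed Python sample this yields two HIGH and two MEDIUM findings (score 50, WARN, right on the boundary); the JavaScript sample yields one HIGH, one MEDIUM and one LOW (score 70, WARN). The floor in score() matters in practice: seven HIGH findings would otherwise produce a negative score. For Python, an ast-based walk that looks for Call nodes named eval/exec/__import__ avoids the string-literal and docstring false positives that these regexes cannot.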
No External Tools Required
This skill uses only:
- Platform exec tool
- Pattern matching
- No external binaries needed
Example
## Code Audit: Python
### Summary
| Metric | Value |
|--------|-------|
| Score | 70/100 |
| Verdict | WARN |
| Issues | 3 |
### Issues
1. HIGH: eval() usage (line 2)
2. MEDIUM: hardcoded 'password' (line 5)
3. LOW: unused import 'os' (line 1)
### Recommendations
- Replace eval() with safer alternatives
- Use environment variables for secrets
- Remove unused imports
Notes
- Works with platform tools only
- No install steps required
- Pattern-based analysis (not full compiler)
- Always note limitations in report
Files
3 total
