Audit Code
Pass
Audited by ClawScan on May 10, 2026.
Overview
Audit Code appears to be a local, user-invoked code scanner that reads project files for security issues, including possible secrets, without artifact-backed evidence of hidden exfiltration, persistence, or destructive behavior.
This skill looks appropriate for local code-security auditing. Before installing, be aware it will recursively read the target repository and may surface real secrets in its output; run it only on intended projects and avoid sharing raw reports publicly. The static eval/exec alerts appear to refer to detection-pattern text, not actual dynamic execution by the skill.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent can run the bundled scanner over the selected path; an overly broad or unintended path could cause more local files to be read than the user expected.
The skill grants Bash and tells the agent to run a local Python auditor. This shell use is fixed and central to the stated code-review purpose, but it is still a tool-execution capability users should notice.
allowed-tools: Read, Glob, Grep, Bash ... python3 "$SKILL_DIR/scripts/audit_code.py" "$ARGUMENTS"
Invoke it only for repositories you want audited, and provide an explicit target path if you do not want the whole project scanned.
Secrets or sensitive file paths from the repository could appear in the audit output or conversation if the results are shared.
The scanner intentionally reads .env files and scans their contents for secrets. That is purpose-aligned for a security audit, but it means credential-like material may be processed and surfaced in local findings.
content = env_file.read_text(encoding="utf-8", errors="replace"); findings.extend(Scan_Content(content, Secrets_Patterns, str(env_file)))
Run it in a trusted workspace, treat raw reports as sensitive, and rotate any real secrets found in committed files.
