Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Code Auditor

Audit any GitHub repo or raw code for security, quality, or gas optimization. Returns score, findings, severity counts, and summary.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 195 · 4 current installs · 4 all-time installs
Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The declared purpose (auditing code/repos) matches the instructions to POST code or a repo URL to aiprox.dev and use AIPROX_SPEND_TOKEN for payment. However, the SKILL.md claims it can audit "any GitHub repo" but does not request a GitHub token or explain how it will access private repositories. That discrepancy (public vs. private repo access) is unclear and should be clarified.
Instruction Scope
Runtime instructions explicitly direct the agent to upload repository contents or raw code to https://aiprox.dev/api/orchestrate with the X-Spend-Token header. Sending code to a third-party service is consistent with an auditor but is a sensitive operation: private code, secrets, or proprietary IP could be transmitted. The SKILL.md asserts "No code is executed," but the agent cannot verify that on its own — the only observable behavior is network transmission of the code to a remote service.
Install Mechanism
Instruction-only skill with no install spec and no code files; nothing is written to disk or installed by the skill itself. This minimizes local-install risk.
Credentials
The skill requests a single environment variable (AIPROX_SPEND_TOKEN), which is proportionate for a paid, networked auditor. Still, the token is sensitive: it is used for payment and authentication, so whoever holds it can invoke the service on your account. There is no declared support for providing GitHub credentials for private repos, which is a functional gap rather than excessive permissioning.
Persistence & Privilege
The skill is not forced-always enabled (always: false) and does not request persistent or elevated agent privileges. Autonomous invocation is allowed (the platform default) but not combined with other high-risk indicators here.
What to consider before installing
This skill will send any code or public repo URL you provide to a third-party endpoint (aiprox.dev) and uses AIPROX_SPEND_TOKEN for payment/auth. Before installing:

  1. Confirm you are comfortable uploading code (do not send private repo contents or secrets).
  2. Verify the aiprox.dev service, its privacy/security policy, and who operates it (a homepage is given but the source is unknown).
  3. Understand that private GitHub repos likely require separate credentials — the skill does not request a GitHub token, so clarify how private repos are supported.
  4. Test on non-sensitive public code first and avoid sending secrets or private keys.

If you need audits to stay local, use a local/offline auditing tool instead.

Like a lobster shell, security has layers — review code before you run it.

Current version: v1.1.0
latest: vk971bw1j819h3kb17hvnq70p2982wg8k


Runtime requirements

Clawdis
Env: AIPROX_SPEND_TOKEN

SKILL.md

Code Auditor

Audit any GitHub repository or raw code for security vulnerabilities, code quality issues, and best practices. Supports targeted audits by focus area. Returns a score, severity-scored findings, and actionable summary.

When to Use

  • Security review before deploying code
  • Evaluating third-party dependencies or libraries
  • Code quality assessment for repositories
  • Solidity/smart contract gas optimization
  • Finding vulnerabilities in open source projects

Usage Flow

  1. Provide a GitHub repo URL or paste raw code directly
  2. Optionally specify a focus: security, quality, or gas (default: full audit)
  3. AIProx routes to the code-auditor agent
  4. Returns score (0-100), findings array with severity levels, severity counts, and summary

Security Manifest

| Permission | Scope | Reason |
|---|---|---|
| Network | aiprox.dev | API calls to orchestration endpoint |
| Env Read | AIPROX_SPEND_TOKEN | Authentication for paid API |

Make Request

curl -X POST https://aiprox.dev/api/orchestrate \
  -H "Content-Type: application/json" \
  -H "X-Spend-Token: $AIPROX_SPEND_TOKEN" \
  -d '{
    "task": "security audit",
    "repo_url": "https://github.com/user/repo",
    "focus": "security"
  }'

Response

{
  "score": 72,
  "findings": [
    {"severity": "critical", "file": "config.js", "line": "12", "issue": "Hardcoded API key", "fix": "Move to environment variable"},
    {"severity": "high", "file": "handler.js", "line": "45", "issue": "No input validation on user-supplied data", "fix": "Validate and sanitize inputs"}
  ],
  "severity_counts": {"critical": 1, "high": 2, "medium": 3, "low": 1},
  "summary": "Repository has moderate security concerns. Critical: 1 hardcoded secret. High: missing input validation. Recommend immediate remediation."
}
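The usage flow, request and response above can be wrapped in a small client that applies the precautions the scan report recommends before anything leaves the machine. The following is an added example, not the skill's or AIProx's own code: it builds the JSON body from the curl example, only accepts public `https://github.com/<owner>/<repo>` URLs, refuses to upload raw code that contains obvious credential material, and triages a response by recounting severities from the `findings` array and flagging when they differ from `severity_counts` (as they do in the sample response above, whose findings list shows fewer high findings than its counts). The `code` field name for raw input, the secret patterns and the pass/fail policy are assumptions of this example; the page documents only `task`, `repo_url` and `focus`.

```python
"""Added example client for the Code Auditor request/response shape.

Assumptions (not stated on the page): the endpoint accepts a "code" field
for raw source, and findings use the severities critical/high/medium/low.
The secret patterns below are a constructed, minimal pre-upload check.
"""
import json
import os
import re
import urllib.request
from typing import Dict, List, Optional

ENDPOINT = "https://aiprox.dev/api/orchestrate"
FOCUS_VALUES = {"security", "quality", "gas"}          # from the skill's usage flow
SEVERITY_ORDER = ["critical", "high", "medium", "low"]

# No GitHub token is requested, so only public repos can be audited: accept
# nothing but https://github.com/<owner>/<repo>.
_PUBLIC_GITHUB = re.compile(r"^https://github\.com/[\w.-]+/[\w.-]+/?$")

# Constructed patterns for obvious credential material; extend for your code base.
_SECRET_PATTERNS = [
    re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    re.compile(r"(?i)\b(api[_-]?key|secret|password|token)\b\s*[:=]\s*['\"][^'\"]{8,}['\"]"),
]


def find_secret_lines(code: str) -> List[int]:
    """Return 1-based line numbers that look like they carry a secret."""
    return [n for n, line in enumerate(code.splitlines(), start=1)
            if any(p.search(line) for p in _SECRET_PATTERNS)]


def build_payload(repo_url: Optional[str] = None, code: Optional[str] = None,
                  focus: Optional[str] = None) -> Dict:
    """Build the JSON body for POST /api/orchestrate, refusing unsafe input."""
    if (repo_url is None) == (code is None):
        raise ValueError("provide exactly one of repo_url or code")
    if focus is not None and focus not in FOCUS_VALUES:
        raise ValueError("focus must be one of %s" % sorted(FOCUS_VALUES))
    payload = {"task": "security audit"}             # task string from the page's curl example
    if repo_url is not None:
        if not _PUBLIC_GITHUB.match(repo_url):
            raise ValueError("only public https://github.com/<owner>/<repo> URLs are sent")
        payload["repo_url"] = repo_url
    else:
        leaks = find_secret_lines(code)
        if leaks:
            raise ValueError("refusing to upload code: possible secrets on lines %s" % leaks)
        payload["code"] = code                       # ASSUMED field name for raw code
    if focus is not None:
        payload["focus"] = focus
    return payload


def triage(response: Dict) -> Dict:
    """Summarise an audit response and decide whether it blocks a deploy.

    Severities are recounted from the findings array rather than trusted
    from severity_counts, so a truncated or inconsistent response is visible.
    The gate policy (block on critical/high) is this example's, not the service's.
    """
    counted = {s: 0 for s in SEVERITY_ORDER}
    for finding in response.get("findings", []):
        sev = str(finding.get("severity", "")).lower()
        if sev in counted:
            counted[sev] += 1
    reported = response.get("severity_counts", {})
    match = all(reported.get(s, 0) == counted[s] for s in SEVERITY_ORDER)
    worst = next((s for s in SEVERITY_ORDER if counted[s]), None)
    return {
        "score": response.get("score"),
        "worst": worst,
        "counted": counted,
        "counts_match_reported": match,
        "blocked": worst in ("critical", "high"),
    }


def send_audit(payload: Dict, token: Optional[str] = None, timeout: int = 60) -> Dict:
    """POST the payload with the X-Spend-Token header (network call; not exercised offline)."""
    token = token or os.environ.get("AIPROX_SPEND_TOKEN")
    if not token:
        raise RuntimeError("AIPROX_SPEND_TOKEN is not set")
    req = urllib.request.Request(
        ENDPOINT, data=json.dumps(payload).encode(), method="POST",
        headers={"Content-Type": "application/json", "X-Spend-Token": token},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed response shaped like the page's sample; no network traffic.
    sample = {
        "score": 72,
        "findings": [
            {"severity": "critical", "file": "config.js", "line": "12", "issue": "Hardcoded API key"},
            {"severity": "high", "file": "handler.js", "line": "45", "issue": "No input validation"},
        ],
        "severity_counts": {"critical": 1, "high": 2, "medium": 3, "low": 1},
    }
    print(build_payload(repo_url="https://github.com/user/repo", focus="security"))
    print(triage(sample))
```

The pre-upload check is deliberately conservative: a false positive costs one manual review, whereas a private key sent to a third-party endpoint cannot be recalled. Recounting severities also gives you a stable signal for CI gating that does not depend on how the service fills in `severity_counts`.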

Trust Statement

Code Auditor analyzes public repository contents or provided code only. No code is executed. Analysis is performed by Claude via LightningProx. Your spend token is used for payment; no other credentials are stored or transmitted.

Files

1 total