Audit Code
v0.1.0

Run a two-pass, multidisciplinary code audit led by a tie-breaker lead, combining security, performance, UX, DX, and edge-case analysis into one prioritized report with concrete fixes. Use when the user asks to audit code, perform a deep review, stress-test a codebase, or produce a risk-ranked remediation plan across backend, frontend, APIs, infra scripts, and product flows.
by@swader
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence

Purpose & Capability
Name/description (multidisciplinary code audit) match the provided SKILL.md, audit-framework, and README. Included artifacts (audit checklist, finding schema) are appropriate. The sync script and README's intent to copy the skill into agent skill directories is consistent with the stated goal of distributing a canonical SKILL.md to local agents.
Instruction Scope
Runtime instructions focus on reading repository code, product context, and producing findings; they explicitly load the local references/audit-framework.md. The workflow asks agents to analyze code paths, invariants, and produce evidence-based findings. There are no directives to read unrelated system files, export secrets, or contact external endpoints.
Install Mechanism
No remote install or package downloads are declared; this is an instruction-only skill with local reference files. The only executable artifact is a benign local sync script that copies/symlinks the repo into user agent skill directories if run; no network fetches or archive extraction are present.
Credentials
The skill requires no environment variables, credentials, or config-path access. The sync script uses $HOME to determine agent directories (expected for its purpose) but does not request secrets or unrelated service tokens.
Persistence & Privilege
The skill does not set always:true and cannot autonomously persist unless the user runs the included sync script. Running that script will create/copy files into ~/.codex, ~/.claude, or ~/.cursor which grants persistent local presence for the skill — this is explicit user-invoked behavior rather than a hidden privilege.
Assessment
This skill appears coherent and contains only local audit guidance and checklists. Before installing/running anything:

1. Review SKILL.md and references/audit-framework.md to confirm the audit behavior.
2. Inspect scripts/sync-to-agents.sh — it will copy (or symlink) this repo into ~/.codex, ~/.claude, or ~/.cursor when you run it, so only run it if you want the skill added to those agent directories.
3. Don’t run the sync script as root, and verify destination paths are acceptable.
4. Because the skill performs code analysis, avoid pointing it at secret-containing paths unless you intend that.
5. If you plan to let an agent invoke skills autonomously, remember this skill can be invoked by agents, but it requests no credentials and contains no remote exfiltration steps.

Like a lobster shell, security has layers — review code before you run it.

latest · vk974bz68fprpp3nd2e660asj8180tfmx