Codemend
v1.1.0Monitor, report, and get AI-generated fixes for JavaScript and TypeScript production errors with automated analysis and pull request integration.
⭐ 0· 20·0 current·0 all-time
MIT-0
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
The SKILL.md describes Codemend (codemend.ai) and requires CODEMEND_API_KEY; README and SKILL.md instruct adding codemend.ai scripts and API calls. However the shipped helper script (scripts/check-errors.sh) calls https://autohealai.com and requires AUTOHEAL_API_KEY, and README suggests keys prefixed ah_—all inconsistent with the stated Codemend purpose. This mismatch indicates copy-paste or packaging errors and raises the possibility the included script would send data/keys to an unrelated service.
Instruction Scope
The SKILL.md's runtime instructions are scoped to Codemend API endpoints (codemend.ai) and ask for a CODEMEND_API_KEY; they do not reference the packaged check-errors.sh. The packaged script, though documented in README, performs network calls to autohealai.com and insists on an undeclared env var (AUTOHEAL_API_KEY). The presence of an outside-networking script that is not aligned with the documented service is scope creep and a red flag.
Install Mechanism
No installation spec (instruction-only) — low-risk from installer perspective. The instructions do reference downloading a client script from codemend.ai and an npm package 'codemend', which is expected for an error-monitoring integration. The main risk is the included helper script making outbound requests to a different domain; there is no automated install that writes files on its own.
Credentials
Declared runtime in SKILL.md requires CODEMEND_API_KEY, but the bundled script requires AUTOHEAL_API_KEY (undeclared) and README suggests an 'ah_' key format. The mismatch means a user might provide credentials intended for one service while a bundled script would accept or require different credentials and send them to a different domain — disproportionate and potentially dangerous.
Persistence & Privilege
The skill does not request elevated platform privileges (always:false). It suggests adding a monitoring script to your app or npm package, which is normal for this category and does not itself grant the skill system-level persistence. Still, adding third-party monitoring code to production apps is an action with runtime impact — verify source before embedding.
Scan Findings in Context
[undeclared_env_AUTOHEAL_API_KEY] unexpected: scripts/check-errors.sh requires AUTOHEAL_API_KEY but SKILL.md declares (and the skill should require) CODEMEND_API_KEY for codemend.ai. An undeclared credential for a different service is unexpected.
[mismatched_domain_autoheal_vs_codemend] unexpected: SKILL.md/README use codemend.ai endpoints; the included script calls https://autohealai.com. Sending error payloads to a different domain than documented is inconsistent and suspicious.
[readme_key_prefix_ah] unexpected: README indicates API keys prefixed 'ah_' (suggesting AutoHeal). That prefix conflicts with the CODEMEND_API_KEY name used in SKILL.md.
What to consider before installing
Do not install or provide API keys until the maintainers clarify the inconsistency. Specific steps:
- Ask the publisher which service is authoritative (codemend.ai or autohealai.com) and request corrected SKILL.md/README and scripts.
- Do not provide your CODEMEND_API_KEY (or any secret) to this skill until the domain and env var names are reconciled.
- Inspect any remote script (https://codemend.ai/s.js) and the npm package 'codemend' on the public registry before embedding in production.
- If you already supplied keys or used the helper script, rotate those keys and audit outbound requests to confirm where data was sent.
- Prefer installing in a sandboxed environment first and run network monitoring (or code review) to confirm traffic goes to the expected codemend.ai domain.
The inconsistency is likely accidental but could lead to credentials or error data being sent to an unrelated service; treat it as suspicious until resolved.Like a lobster shell, security has layers — review code before you run it.
latest
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
SKILL.md
Codemend AI Skill
Codemend captures production JavaScript/TypeScript errors, analyzes them with AI, and generates fixes — either as GitHub PRs or paste-back prompts for AI coding tools like Lovable, Replit, and Cursor.
Tools
report_error
Report a production error to Codemend. The error will be analyzed by AI within seconds.
curl -X POST "https://codemend.ai/api/errors/ingest" \
-H "Content-Type: application/json" \
-d '{
"key": "'$CODEMEND_API_KEY'",
"message": "TypeError: Cannot read properties of undefined (reading '\''map'\'')",
"stack": "TypeError: Cannot read properties of undefined\n at renderList (src/components/List.tsx:15:23)",
"source_url": "https://myapp.com/dashboard",
"source_type": "openclaw"
}'
Response:
{ "status": "queued", "error_id": "uuid-here" }
get_fix
Get the AI-generated fix for a reported error. Includes explanation, root cause, confidence score, and a fix prompt you can paste into your AI coding tool.
curl -s "https://codemend.ai/api/errors/{ERROR_ID}/fix" \
-H "x-api-key: $CODEMEND_API_KEY"
Response:
{
"error": {
"id": "uuid",
"status": "analyzed",
"message": "TypeError: Cannot read properties of undefined",
"stack_trace": "...",
"source_url": "https://myapp.com/dashboard"
},
"fix": {
"id": "uuid",
"explanation": "The map() call fails because data is undefined on first render",
"root_cause": "Missing null check before array operation",
"confidence": 0.92,
"fix_prompt": "In src/components/List.tsx, add an early return if data is undefined...",
"pr_url": "https://github.com/user/repo/pull/42"
},
"dashboard_url": "https://codemend.ai/errors/uuid"
}
If the error is still being analyzed, the fix field will be null. Poll with check_status first.
check_status
Check if an error has been analyzed yet.
curl -s "https://codemend.ai/api/errors/{ERROR_ID}/status" \
-H "x-api-key: $CODEMEND_API_KEY"
Response:
{
"status": "analyzed",
"message": "TypeError: Cannot read properties of undefined",
"has_fix": true,
"fix_id": "uuid-here",
"dashboard_url": "https://codemend.ai/dashboard/errors/uuid"
}
Statuses: new → analyzing → analyzed / fix_applied / ignored
list_errors
List recent errors for this project.
curl -s "https://codemend.ai/api/errors?limit=10&status=analyzed" \
-H "x-api-key: $CODEMEND_API_KEY"
Response:
{
"errors": [
{
"id": "uuid",
"status": "analyzed",
"message": "TypeError: Cannot read properties of undefined",
"source_type": "openclaw",
"has_fix": true,
"fix_id": "uuid",
"created_at": "2026-03-11T12:00:00Z"
}
],
"total": 42
}
Setup in a Project
Browser (React, Next.js, Vue, etc.)
Add to your HTML <head>:
<script src="https://codemend.ai/s.js" data-key="YOUR_API_KEY"></script>
Or if using an AI coding tool (Lovable, Replit, Bolt, etc.), paste this prompt:
Add this error monitoring script to my app. Put it in the
<head>section of index.html:<script src="https://codemend.ai/s.js" data-key="YOUR_API_KEY"></script>
Node.js / Backend
npm install codemend
const codemend = require('codemend');
codemend.init({ apiKey: process.env.CODEMEND_API_KEY });
codemend.setupProcessHandlers();
Express
const codemend = require('codemend');
codemend.init({ apiKey: process.env.CODEMEND_API_KEY });
app.use(codemend.expressErrorHandler());
React Native
import codemend from 'codemend/react-native';
codemend.init({ apiKey: 'YOUR_API_KEY' });
codemend.setupErrorHandler();
Typical Workflow
- Set up error monitoring in your project (above)
- Errors are automatically captured and sent to Codemend
- Use
list_errorsto see recent errors - Use
get_fixto get the AI-generated fix - Apply the fix: paste the
fix_promptinto your AI tool, or review the PR on GitHub
Files
3 totalSelect a file
Select a file to preview.
Comments
Loading comments…