eventlint

v1.0.1

Event & message queue anti-pattern analyzer -- detects producer/consumer issues, schema problems, dead letter queue gaps, ordering failures, and observabilit...

⭐ 0· 79·0 current·0 all-time

by@suhteevah

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for suhteevah/eventlint.

Previewing Install & Setup.

Prompt PreviewInstall & Setup

Install the skill "eventlint" (suhteevah/eventlint) from ClawHub.
Skill page: https://clawhub.ai/suhteevah/eventlint
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required binaries: git, bash, python3, jq
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install eventlint

ClawHub CLI

Package manager switcher

npx clawhub@latest install eventlint

Security Scan

Capability signals

Requires sensitive credentials

These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.

VirusTotal

Suspicious

View report →

OpenClaw

Benign

high confidence

✓

Purpose & Capability

The skill name/description (event architecture linting) aligns with required binaries (git, bash, python3, jq), the license key, lefthook install, and the provided pattern-based scanning scripts. Required items (lefthook for git hooks, python3/jq for JSON parsing) are proportionate to the declared features.

ℹ

Instruction Scope

Runtime instructions and scripts operate locally: file discovery, grep-based regex matching, scoring, and report generation. They do read a local config (~/.openclaw/openclaw.json) to find a license key if env var is not set, and the optional 'hooks install' flow modifies the repository's lefthook.yml and runs lefthook install (which changes repo config). This behavior is expected but worth noting before installing hooks.

✓

Install Mechanism

Install spec only requests installing the well-known 'lefthook' brew formula. No downloads from arbitrary URLs or archive extraction are present. The skill's code is delivered as shell scripts (no remote installers) so installation risk is low.

✓

Credentials

The single primary credential EVENTLINT_LICENSE_KEY is justified by tiered license checks. The license module also looks in ~/.openclaw/openclaw.json (declared in SKILL.md) as a fallback and optionally uses CLAWHUB_JWT_SECRET for signature verification — the latter is optional and not required for normal use. No unrelated secrets or broad cloud credentials are requested.

✓

Persistence & Privilege

The skill is not always-enabled and does not request elevated persistent privileges. The only persistent side-effect is optional modification of a project's lefthook.yml when the user runs the hooks installation command, which is consistent with the stated git-hook integration.

Assessment

This skill appears to do what it says: local regex-based scanning for event-driven anti-patterns and optional integration with git hooks. Before installing or enabling hooks: (1) review the lefthook.yml it will add or append to your repo (hooks install modifies repository files), (2) only provide EVENTLINT_LICENSE_KEY if you trust the publisher (the key is used locally or read from ~/.openclaw/openclaw.json), and (3) confirm you want lefthook installed via brew. If you only want one-off scans, run the dispatcher.sh/scan.sh commands directly without installing hooks. Also be aware regex-based linters can produce false positives; review pattern definitions in scripts/patterns.sh if concerned about noisy results.

scripts/patterns.sh:114

File read combined with network send (possible exfiltration).

About static analysis

These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

📨 Clawdis

OSmacOS · Linux · Windows

Binsgit, bash, python3, jq

Primary envEVENTLINT_LICENSE_KEY

Install

Install lefthook (git hooks manager)

Bins: lefthook

brew install lefthook

latestvk970q33221gmnzjyd14vr5f03h84t4yq

79downloads

0stars

2versions

Updated 1w ago

v1.0.1

MIT-0

macOS, Linux, Windows

EventLint -- Event & Message Queue Anti-Pattern Analyzer

EventLint scans codebases for event-driven architecture anti-patterns, producer/consumer issues, schema validation gaps, dead letter queue misconfigurations, ordering and delivery failures, and observability gaps across Kafka, RabbitMQ, SQS, NATS, and Redis Pub/Sub. It uses regex-based pattern matching against 90 event-specific patterns across 6 categories, lefthook for git hook integration, and produces markdown reports with actionable remediation guidance. 100% local. Zero telemetry.

Commands

Free Tier (No license required)

`eventlint scan [file|directory]`

One-shot event architecture quality scan of files or directories.

How to execute:

bash "<SKILL_DIR>/scripts/dispatcher.sh" --path [target]

What it does:

Accepts a file path or directory (defaults to current directory)
Discovers all source files (skips .git, node_modules, binaries, images, .min.js)
Runs 30 event architecture patterns against each file (free tier limit)
Calculates an event architecture quality score (0-100) per file and overall
Grades: A (90-100), B (80-89), C (70-79), D (60-69), F (<60)
Outputs findings with: file, line number, check ID, severity, description, recommendation
Exit code 0 if score >= 70, exit code 1 if event quality is poor
Free tier limited to first 30 patterns (PP + CP categories)

Example usage scenarios:

"Scan my code for event issues" -> runs eventlint scan .
"Check this file for consumer anti-patterns" -> runs eventlint scan src/consumer.ts
"Find missing dead letter queues" -> runs eventlint scan src/
"Audit my Kafka configuration" -> runs eventlint scan .
"Check for message ordering problems" -> runs eventlint scan .

Pro Tier ($19/user/month -- requires EVENTLINT_LICENSE_KEY)

`eventlint scan --tier pro [file|directory]`

Extended scan with 60 patterns covering producer, consumer, schema, and dead letter patterns.

How to execute:

bash "<SKILL_DIR>/scripts/dispatcher.sh" --path [target] --tier pro

What it does:

Validates Pro+ license
Runs 60 event architecture patterns (PP, CP, MS, ED categories)
Detects schema validation gaps and breaking changes
Identifies dead letter queue misconfigurations
Full category breakdown reporting

`eventlint scan --format json [directory]`

Generate JSON output for CI/CD integration.

bash "<SKILL_DIR>/scripts/dispatcher.sh" --path [directory] --format json

`eventlint scan --format html [directory]`

Generate HTML report for browser viewing.

bash "<SKILL_DIR>/scripts/dispatcher.sh" --path [directory] --format html

`eventlint scan --category ED [directory]`

Filter scan to a specific check category (PP, CP, MS, ED, OD, EO).

bash "<SKILL_DIR>/scripts/dispatcher.sh" --path [directory] --category ED

Team Tier ($39/user/month -- requires EVENTLINT_LICENSE_KEY with team tier)

`eventlint scan --tier team [directory]`

Full scan with all 90 patterns across all 6 categories including ordering/delivery and observability.

How to execute:

bash "<SKILL_DIR>/scripts/dispatcher.sh" --path [directory] --tier team

What it does:

Validates Team+ license
Runs all 90 patterns across 6 categories
Includes ordering & delivery detection (dual-write, missing outbox, race conditions)
Includes event observability checks (no tracing, missing metrics, no audit trail)
Full category breakdown with per-file results

`eventlint scan --verbose [directory]`

Verbose output showing every matched line and pattern details.

bash "<SKILL_DIR>/scripts/dispatcher.sh" --path [directory] --verbose

`eventlint status`

Show license and configuration information.

bash "<SKILL_DIR>/scripts/dispatcher.sh" status

Check Categories

EventLint detects 90 event architecture anti-patterns across 6 categories:

Category	Code	Patterns	Description	Severity Range
Producer Patterns	PP	15	Fire-and-forget publish, missing keys, no schema validation, acks=0	medium -- critical
Consumer Patterns	CP	15	No idempotency, auto-ack, unbounded prefetch, blocking handlers	low -- critical
Message Schema	MS	15	No schema registry, unversioned, breaking changes, loose typing	low -- critical
Error & Dead Letter	ED	15	Missing DLQ, infinite redelivery, swallowed exceptions, no poison handling	low -- critical
Ordering & Delivery	OD	15	Dual-write, no outbox, missing dedup, saga without timeout	low -- critical
Event Observability	EO	15	No tracing, missing metrics, no audit trail, no alerting	low -- medium

Tier-Based Pattern Access

Tier	Patterns	Categories
Free	30	PP, CP
Pro	60	PP, CP, MS, ED
Team	90	PP, CP, MS, ED, OD, EO
Enterprise	90	PP, CP, MS, ED, OD, EO + priority support

Scoring

EventLint uses a deductive scoring system starting at 100 (perfect):

Severity	Point Deduction	Description
Critical	-25 per finding	Severe reliability issue (message loss, infinite redelivery, dual-write)
High	-15 per finding	Significant event problem (missing DLQ, auto-ack, no idempotency)
Medium	-8 per finding	Moderate concern (missing correlation ID, unversioned schema)
Low	-3 per finding	Informational / best practice suggestion

Grading Scale

Grade	Score Range	Meaning
A	90-100	Excellent event architecture quality
B	80-89	Good architecture with minor issues
C	70-79	Acceptable but needs improvement
D	60-69	Poor event architecture quality
F	Below 60	Critical event architecture problems

Pass threshold: 70 (Grade C or better)
Exit code 0 = pass (score >= 70)
Exit code 1 = fail (score < 70)

Configuration

Users can configure EventLint in ~/.openclaw/openclaw.json:

{
  "skills": {
    "entries": {
      "eventlint": {
        "enabled": true,
        "apiKey": "YOUR_LICENSE_KEY_HERE",
        "config": {
          "severityThreshold": "medium",
          "ignorePatterns": ["**/test/**", "**/fixtures/**", "**/*.test.*"],
          "ignoreChecks": [],
          "reportFormat": "text"
        }
      }
    }
  }
}

Important Notes

Free tier works immediately with no configuration
All scanning happens locally -- no code is sent to external servers
License validation is offline -- no phone-home or network calls
Pattern matching only -- no AST parsing, no external dependencies beyond bash
Supports scanning all file types in a single pass
Git hooks use lefthook which must be installed (see install metadata above)
Exit codes: 0 = pass (score >= 70), 1 = fail (for CI/CD integration)
Output formats: text (default), json, html

Error Handling

If lefthook is not installed and user tries hooks, prompt to install it
If license key is invalid or expired, show clear message with link to https://eventlint.pages.dev/renew
If a file is binary, skip it automatically with no warning
If no scannable files found in target, report clean scan with info message
If an invalid category is specified with --category, show available categories

When to Use EventLint

The user might say things like:

"Scan my code for event issues"
"Check my message queue patterns"
"Find missing dead letter queues"
"Detect fire-and-forget publishing"
"Are there any consumer anti-patterns?"
"Check for schema validation gaps"
"Audit my Kafka configuration"
"Find ordering and delivery issues"
"Check for dual-write problems"
"Scan for event observability gaps"
"Run an event architecture audit"
"Generate an event quality report"
"Check if my consumers have idempotency"
"Find missing DLQ configuration"
"Check my code for auto-ack issues"

Comments

Loading comments...