ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Production Code Audit

v1.1.0

Deep-scan a codebase, understand its architecture and patterns, then produce a comprehensive audit report with prioritized fixes. Optionally apply changes on...

0· 134·1 current·1 all-time
bySolomon Neas@solomonneas

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for solomonneas/production-code-audit.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Production Code Audit" (solomonneas/production-code-audit) from ClawHub.
Skill page: https://clawhub.ai/solomonneas/production-code-audit
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install production-code-audit

ClawHub CLI

Package manager switcher

npx clawhub@latest install production-code-audit
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name and description align with the instructions: the skill is an instruction-only audit that reads a repo, reports issues, and — if explicitly requested — creates a branch and applies fixes. No unrelated binaries, environment variables, or installs are requested.
!
Instruction Scope
Most runtime steps stay within auditing/fixing a codebase (reading source files, running tests, creating a fix branch). However the SKILL.md contains a direct contradiction: under 'Secrets handling' it says 'Do NOT remove or commit secrets' but the Fixes example shows removing a hardcoded DB password and committing a change. The doc is also vague about the exact mechanisms for creating/opening PRs (does it use git push, GitHub API, or ask for tokens?), and about what local operations will be executed without explicit, contextual user consent (tests, CI runs, network access). These ambiguities could lead to unexpected modifications or credential usage.
Install Mechanism
Instruction-only skill with no install spec and no code files; nothing is written to disk by the skill itself. Low install risk.
!
Credentials
The skill declares no required environment variables or credentials, but its 'fix' mode assumes the agent can create branches, push, and open PRs — operations that require git credentials or API tokens. The SKILL.md does not describe the credential scope required (e.g., repo write vs. repo creation vs. org-level), so users may inadvertently grant overly broad access if they provide tokens. Also running tests or CI may require access to databases or third-party services; the doc instructs asking the user, but concrete safeguards are not specified.
Persistence & Privilege
always: false (good). Autonomous invocation is allowed by default — normal for skills — but because the skill can modify a repository when asked, you should ensure the agent only acts when the user explicitly requests 'fix mode'. There is no instruction that the skill will persist beyond its own actions or modify other skills or system-wide settings.
What to consider before installing
This skill generally does what it says (read a repo, report issues, optionally make fixes), but there are important ambiguities you should resolve before installing or granting access: 1) Clarify secret handling — the doc both forbids committing secrets and shows an example that removes a secret and commits the change. Decide whether you want automated secret-removal and what review/approval is required. 2) Confirm how PRs/branch pushes will be performed and what credentials are required; only grant a token with the minimum scope (e.g., repo:public_repo or repo-specific write) and avoid org-wide admin tokens. 3) Require an explicit, interactive confirmation step before any 'fix mode' actions (create branch, modify files, run tests, push). 4) Prefer that test execution happen in a CI sandbox you control rather than on a developer workstation. 5) Always review the diff/PR before merging and consider running the first audit in read-only mode to see the scope of changes the skill proposes. If you cannot verify those behaviors with the skill owner, treat the 'fix' capability as high-risk and use the skill for read-only audits only.

Like a lobster shell, security has layers — review code before you run it.

latestvk9701c2js4d4ha5cvstfyftgtx83b9et
134downloads
0stars
2versions
Updated 1mo ago
v1.1.0
MIT-0
Solomon Neas@solomonneas
latest
Download

Production Code Audit

Overview

Analyze a codebase to understand its architecture, patterns, and purpose, then produce a detailed audit report with prioritized findings. Optionally apply fixes on a dedicated branch for review via pull request. This skill scans for issues across security, performance, architecture, and quality.

Safety & Workflow

Important: This skill operates in two modes:

  1. Audit mode (default): Read-only scan that produces a report. No files are modified.
  2. Fix mode: When the user explicitly requests fixes, create a new branch (e.g., audit/production-hardening), apply changes there, and open a draft PR for review. Never push directly to main.

Secrets handling: If hardcoded secrets are discovered, flag them in the report with file and line number. Do NOT remove or commit secrets. Advise the user to rotate the credential and use environment variables. Never log or exfiltrate secret values.

Test execution: Only run tests in a sandboxed or CI environment. Ask the user before executing tests locally if the project has external dependencies (databases, APIs, etc.).

When to Use This Skill

  • Use when user says "audit my codebase" or "make this production-ready"
  • Use when preparing for production deployment
  • Use when code needs to meet corporate/enterprise standards

How It Works

Step 1: Codebase Discovery

Scan and understand the codebase:

  1. Read source files - Scan project files (respect .gitignore, skip node_modules/vendor/dist)
  2. Identify tech stack - Detect languages, frameworks, databases, tools
  3. Understand architecture - Map out structure, patterns, dependencies
  4. Identify purpose - Understand what the application does
  5. Find entry points - Locate main files, routes, controllers
  6. Map data flow - Understand how data moves through the system

Step 2: Comprehensive Issue Detection

Scan line-by-line for all issues:

Architecture Issues:

  • Circular dependencies
  • Tight coupling
  • God classes (>500 lines or >20 methods)
  • Missing separation of concerns
  • Poor module boundaries
  • Violation of design patterns

Security Vulnerabilities:

  • SQL injection (string concatenation in queries)
  • XSS vulnerabilities (unescaped output)
  • Hardcoded secrets (API keys, passwords in code)
  • Missing authentication/authorization
  • Weak password hashing (MD5, SHA1)
  • Missing input validation
  • CSRF vulnerabilities
  • Insecure dependencies

Performance Problems:

  • N+1 query problems
  • Missing database indexes
  • Synchronous operations that should be async
  • Missing caching
  • Inefficient algorithms (O(n²) or worse)
  • Large bundle sizes
  • Unoptimized images
  • Memory leaks

Code Quality Issues:

  • High cyclomatic complexity (>10)
  • Code duplication
  • Magic numbers
  • Poor naming conventions
  • Missing error handling
  • Inconsistent formatting
  • Dead code
  • TODO/FIXME comments

Testing Gaps:

  • Missing tests for critical paths
  • Low test coverage (<80%)
  • No edge case testing
  • Flaky tests
  • Missing integration tests

Production Readiness:

  • Missing environment variables
  • No logging/monitoring
  • No error tracking
  • Missing health checks
  • Incomplete documentation
  • No CI/CD pipeline

Step 3: Fixes and Optimizations (Fix Mode Only)

When the user explicitly requests fixes, apply them on a new branch:

git checkout -b audit/production-hardening
  1. Refactor architecture - Break up god classes, fix circular dependencies
  2. Fix security issues - Use parameterized queries, flag secrets for rotation, add validation
  3. Optimize performance - Fix N+1 queries, add caching, optimize algorithms
  4. Improve code quality - Reduce complexity, remove duplication, fix naming
  5. Add missing tests - Write tests for untested critical paths
  6. Add production infrastructure - Logging, monitoring, health checks
  7. Optimize everything - Bundle size, images, database queries
  8. Add documentation - README, API docs, architecture docs

Step 4: Verify and Report

After making all changes:

  1. Run all tests to ensure nothing broke
  2. Verify all security issues are fixed
  3. Measure performance improvements
  4. Generate comprehensive report
  5. Provide before/after metrics

Examples

Example 1: Autonomous Codebase Transformation

User: @production-code-audit make this production-ready

AI: I'll scan your entire codebase and transform it to production-grade quality.

**Phase 1: Discovering Codebase** (analyzing 247 files)
- Detected: Node.js + Express + PostgreSQL + React
- Architecture: MVC pattern with REST API
- Purpose: E-commerce platform
- Entry points: server.js, src/index.tsx

**Phase 2: Scanning for Issues** (line-by-line analysis)

Found 127 issues:
- 🔴 CRITICAL: 8 issues
- 🟠 HIGH: 23 issues  
- 🟡 MEDIUM: 41 issues
- 🔵 LOW: 55 issues

**Phase 3: Fixing Issues Automatically**

🔴 CRITICAL FIXES (8/8 completed):

1. ✅ Fixed SQL injection in UserRepository.findByEmail()
   - Before: String concatenation in query
   - After: Parameterized query with $1 placeholder

2. ✅ Removed hardcoded database password from config/database.ts
   - Before: password: 'SuperSecret123!'
   - After: password: process.env.DB_PASSWORD

3. ✅ Added authentication to admin routes
   - Before: No auth middleware
   - After: authenticateToken + requireRole('admin')

4. ✅ Fixed weak password hashing (MD5 → bcrypt)
   - Before: crypto.createHash('md5')
   - After: bcrypt.hash(password, 12)

5. ✅ Fixed circular dependency: OrderService ↔ PaymentService
   - Before: Direct imports causing cycle
   - After: Event-based decoupling with EventBus

6. ✅ Added input validation to all API endpoints
   - Before: No validation
   - After: Zod schemas validating all inputs

7. ✅ Fixed authentication bypass in auth middleware
   - Before: next() called on missing token
   - After: Returns 401 error

8. ✅ Fixed mass assignment vulnerability in UserController
   - Before: Accepts all fields from req.body
   - After: Whitelist of allowed fields only

🟠 HIGH PRIORITY FIXES (23/23 completed):

9. ✅ Fixed N+1 query in OrderService.getOrdersWithItems()
   - Before: Loop with individual queries (2.8s)
   - After: Single query with joins (45ms)
   - Performance: 98% improvement

10. ✅ Refactored UserService god class (850 lines → 4 focused services)
    - UserAuthenticationService (login, logout, password)
    - UserProfileService (CRUD operations)
    - UserNotificationService (email, SMS)
    - UserPermissionService (roles, permissions)

11. ✅ Added Redis caching for product queries
    - Before: Database query every request
    - After: Cache with 1-hour TTL
    - Performance: 95% faster

12. ✅ Optimized bundle size
    - Before: 850KB (gzipped: 280KB)
    - After: 380KB (gzipped: 120KB)
    - Improvement: 55% reduction

13. ✅ Added database indexes
    - orders(user_id, status, created_at)
    - products(category, price)
    - Query performance: 98% improvement

[... 11 more high-priority fixes ...]

🟡 MEDIUM PRIORITY FIXES (41/41 completed):
[... all medium fixes ...]

🔵 LOW PRIORITY IMPROVEMENTS (55/55 completed):
[... all low improvements ...]

**Phase 4: Adding Production Infrastructure**

✅ Added structured logging (Winston)
✅ Added error tracking (Sentry)
✅ Added health check endpoints (/health, /ready)
✅ Added monitoring (Prometheus metrics)
✅ Added rate limiting (Redis-based)
✅ Added API documentation (Swagger/OpenAPI)
✅ Added comprehensive README
✅ Added deployment guide
✅ Added CI/CD pipeline (.github/workflows)

**Phase 5: Verification**

✅ All tests passing (1,247 tests)
✅ Test coverage: 42% → 87%
✅ Security scan: 0 vulnerabilities
✅ Performance: API response time 3.2s → 180ms
✅ Bundle size: 850KB → 380KB
✅ Lighthouse score: 62 → 94

**TRANSFORMATION COMPLETE**

Your codebase is now production-ready with enterprise-grade quality:

📊 Metrics:
- Issues fixed: 127/127 (100%)
- Test coverage: 87% (target: 80%+)
- API performance: 94% improvement
- Security: OWASP Top 10 compliant
- Code quality: Grade A-

📁 Files changed: 89 files
📝 Lines changed: +3,247 / -1,892

🚀 Ready for production deployment!

Example 2: Automatic Security Hardening

User: @production-code-audit secure this codebase

AI: Scanning for security vulnerabilities...

**Security Scan Complete**

Found 15 security issues:
- 🔴 CRITICAL: 5
- 🟠 HIGH: 7
- 🟡 MEDIUM: 3

**Fixing all security issues automatically...**

🔴 CRITICAL (5/5 fixed):

1. ✅ SQL Injection in UserRepository
\`\`\`typescript
// Before (VULNERABLE)
const query = \`SELECT * FROM users WHERE email = '\${email}'\`;

// After (SECURE)
const query = 'SELECT * FROM users WHERE email = $1';
await db.query(query, [email]);
\`\`\`

2. ✅ Hardcoded Secrets Removed
\`\`\`typescript
// Before (INSECURE)
const JWT_SECRET = 'my-secret-key-123';

// After (SECURE)
const JWT_SECRET = process.env.JWT_SECRET;
if (!JWT_SECRET) throw new Error('JWT_SECRET required');
\`\`\`

3. ✅ Authentication Added to Admin Routes
\`\`\`typescript
// Before (VULNERABLE)
router.delete('/api/admin/users/:id', deleteUser);

// After (SECURE)
router.delete('/api/admin/users/:id',
  authenticateToken,
  requireRole('admin'),
  deleteUser
);
\`\`\`

4. ✅ Password Hashing Upgraded
\`\`\`typescript
// Before (WEAK)
const hash = crypto.createHash('md5').update(password).digest('hex');

// After (STRONG)
const hash = await bcrypt.hash(password, 12);
\`\`\`

5. ✅ Input Validation Added
\`\`\`typescript
// Before (VULNERABLE)
const user = await db.user.create({ data: req.body });

// After (SECURE)
const schema = z.object({
  email: z.string().email(),
  password: z.string().min(12),
  name: z.string().min(2).max(100)
});
const validated = schema.parse(req.body);
const user = await db.user.create({ data: validated });
\`\`\`

**Security Status:**
- ✅ OWASP Top 10: Compliant
- ✅ SQL Injection: Protected
- ✅ XSS: Protected
- ✅ CSRF: Protected
- ✅ Authentication: Secure
- ✅ Secrets: Environment variables
- ✅ Dependencies: No vulnerabilities

🔒 Codebase is now secure and production-ready!

Example 3: Performance Optimization

User: @production-code-audit optimize performance

AI: Analyzing performance bottlenecks...

**Performance Analysis Complete**

Current metrics:
- API response time: 3.2s (target: <200ms)
- Page load time: 8.5s (target: <2s)
- Bundle size: 850KB (target: <200KB)

**Optimizing automatically...**

✅ Fixed N+1 queries (3.2s → 180ms - 94% faster)
✅ Added Redis caching (95% cache hit rate)
✅ Optimized database indexes (98% faster queries)
✅ Reduced bundle size (850KB → 380KB - 55% smaller)
✅ Optimized images (28MB → 3.2MB - 89% smaller)
✅ Implemented code splitting
✅ Added lazy loading
✅ Parallelized async operations

**Performance Results:**

| Metric | Before | After | Improvement |
|--------|--------|-------|-------------|
| API Response | 3.2s | 180ms | 94% |
| Page Load | 8.5s | 1.8s | 79% |
| Bundle Size | 850KB | 380KB | 55% |
| Image Size | 28MB | 3.2MB | 89% |
| Lighthouse | 42 | 94 | +52 points |

🚀 Performance optimized to production standards!

Best Practices

✅ Do This

  • Scan Everything - Read all files, understand entire codebase
  • Fix Automatically - Don't just report, actually fix issues
  • Prioritize Critical - Security and data loss issues first
  • Measure Impact - Show before/after metrics
  • Verify Changes - Run tests after making changes
  • Be Comprehensive - Cover architecture, security, performance, testing
  • Optimize Everything - Bundle size, queries, algorithms, images
  • Add Infrastructure - Logging, monitoring, error tracking
  • Document Changes - Explain what was fixed and why

❌ Don't Do This

  • Don't Ask Questions - Understand the codebase autonomously
  • Don't Wait for Instructions - Scan and fix automatically
  • Don't Report Only - Actually make the fixes
  • Don't Skip Files - Scan every file in the project
  • Don't Ignore Context - Understand what the code does
  • Don't Break Things - Verify tests pass after changes
  • Don't Be Partial - Fix all issues, not just some

Autonomous Scanning Instructions

When this skill is invoked, automatically:

  1. Discover the codebase:

    • Use listDirectory to find all files recursively
    • Use readFile to read every source file
    • Identify tech stack from package.json, requirements.txt, etc.
    • Map out architecture and structure

  2. Scan line-by-line for issues:

    • Check every line for security vulnerabilities
    • Identify performance bottlenecks
    • Find code quality issues
    • Detect architectural problems
    • Find missing tests

  3. Fix everything automatically:

    • Use strReplace to fix issues in files
    • Add missing files (tests, configs, docs)
    • Refactor problematic code
    • Add production infrastructure
    • Optimize performance

  4. Verify and report:

    • Run tests to ensure nothing broke
    • Measure improvements
    • Generate comprehensive report
    • Show before/after metrics

Do all of this without asking the user for input.

Common Pitfalls

Problem: Too Many Issues

Symptoms: Team paralyzed by 200+ issues Solution: Focus on critical/high priority only, create sprints

Problem: False Positives

Symptoms: Flagging non-issues Solution: Understand context, verify manually, ask developers

Problem: No Follow-Up

Symptoms: Audit report ignored Solution: Create GitHub issues, assign owners, track in standups

Production Audit Checklist

Security

  • No SQL injection vulnerabilities
  • No hardcoded secrets
  • Authentication on protected routes
  • Authorization checks implemented
  • Input validation on all endpoints
  • Password hashing with bcrypt (10+ rounds)
  • HTTPS enforced
  • Dependencies have no vulnerabilities

Performance

  • No N+1 query problems
  • Database indexes on foreign keys
  • Caching implemented
  • API response time < 200ms
  • Bundle size < 200KB (gzipped)

Testing

  • Test coverage > 80%
  • Critical paths tested
  • Edge cases covered
  • No flaky tests
  • Tests run in CI/CD

Production Readiness

  • Environment variables configured
  • Error tracking setup (Sentry)
  • Structured logging implemented
  • Health check endpoints
  • Monitoring and alerting
  • Documentation complete

Audit Report Template

# Production Audit Report

**Project:** [Name]
**Date:** [Date]
**Overall Grade:** [A-F]

## Executive Summary
[2-3 sentences on overall status]

**Critical Issues:** [count]
**High Priority:** [count]
**Recommendation:** [Fix timeline]

## Findings by Category

### Architecture (Grade: [A-F])
- Issue 1: [Description]
- Issue 2: [Description]

### Security (Grade: [A-F])
- Issue 1: [Description + Fix]
- Issue 2: [Description + Fix]

### Performance (Grade: [A-F])
- Issue 1: [Description + Fix]

### Testing (Grade: [A-F])
- Coverage: [%]
- Issues: [List]

## Priority Actions
1. [Critical issue] - [Timeline]
2. [High priority] - [Timeline]
3. [High priority] - [Timeline]

## Timeline
- Critical fixes: [X weeks]
- High priority: [X weeks]
- Production ready: [X weeks]

Related Skills

  • @code-review-checklist - Code review guidelines
  • @api-security-best-practices - API security patterns
  • @web-performance-optimization - Performance optimization
  • @systematic-debugging - Debug production issues
  • @senior-architect - Architecture patterns

Additional Resources

Pro Tip: Schedule regular audits (quarterly) to maintain code quality. Prevention is cheaper than fixing production bugs!

Comments

Loading comments...