← Back to Skills Marketplace
hanwenyolo-dot

Code Audit

by hanwenyolo-dot · GitHub ↗ · v1.2.0 · MIT-0
cross-platform ✓ Security Clean
438
Downloads
1
Stars
3
Active Installs
2
Versions
Install in OpenClaw
/install code-audit-claw
Description
Three-mode code auditor for OpenClaw workspaces. (1) Security audit — finds hardcoded secrets, dangerous shell commands, SQL injection, unsafe deserializatio...
README (SKILL.md)

Code Audit Skill

🚨 铁律(ABSOLUTE RULES)

  1. 本 Skill 文件(SKILL.md、references/.md、scripts/.py)严禁自行修改 — 发现问题或改进建议,必须先向用户汇报,等待明确确认后才能执行修改
  2. 审计报告只读:输出报告,不自动修复任何被审计的文件
  3. 修复建议 ≠ 执行:给出修复方案后,等用户确认再动手

扫描脚本

scripts/audit_scanner.py — 核心扫描工具,支持三种模式。

# 全量审计(默认)
python3 scripts/audit_scanner.py \x3C目标路径> --mode all

# 仅安全审计
python3 scripts/audit_scanner.py \x3C目标路径> --mode security

# 仅质量审计
python3 scripts/audit_scanner.py \x3C目标路径> --mode quality

# 仅灵魂文件审计
python3 scripts/audit_scanner.py \x3C目标路径> --mode soul

脚本自动区分"灵魂文件"(SOUL.MD / MEMORY.MD / AGENTS.MD / HEARTBEAT.MD / USER.MD / SKILL.MD)和普通代码文件,分别应用不同规则集。

SOP

  1. 确认目标:让用户指定要审计的文件路径或目录
  2. 推断模式
    • 目标含 SOUL/MEMORY/AGENTS → soul 模式
    • 目标是代码文件 → securityquality
    • 未指定 → all
  3. 运行扫描:执行 audit_scanner.py
  4. 输出报告:分 🔴 Critical / 🟡 Warning / 🟢 Info 三级
  5. 给出建议:针对每个 Critical/Warning 问题,提供修复建议

审计规则参考

  • 安全规则:references/security-rules.md
  • 质量规则:references/quality-rules.md
  • 灵魂文件规则:references/soul-rules.md(含 SOUL.md 铁律完整性检查清单)

常用审计场景

场景 命令
审计整个 workspace --mode all ~/.openclaw/workspace
只看灵魂文件 --mode soul ~/.openclaw/workspace
审计某个脚本 --mode security scripts/analyzer.py
审计所有 Skills --mode soul ~/.openclaw/workspace/skills
系统安全检查 --mode system ~/.openclaw/workspace
Usage Guidance
This skill appears coherent and implements a local audit tool. Before running it: (1) review scripts/audit_scanner.py yourself to confirm you’re comfortable with the checks it performs (it will read any files/directories you point it at, so don’t scan data you don’t want inspected); (2) if you run the 'system' mode, understand it inspects system startup items and runs utilities like codesign/crontab checks (macOS-focused); (3) the skill claims it will not modify files — still exercise caution if you later grant it permission to apply fixes; (4) if you enable automated cron runs, schedule them deliberately and ensure reports are stored where you expect. No credentials or external network actions are required by the manifest.
Capability Analysis
Type: OpenClaw Skill Name: code-audit-claw Version: 1.2.0 The bundle is a comprehensive security and quality auditing tool designed for the OpenClaw environment. The core script, scripts/audit_scanner.py, implements extensive diagnostic checks for hardcoded secrets, dangerous shell commands, and system-level anomalies such as unsigned binaries (via codesign), unauthorized network listeners (via lsof), and suspicious SUID files. The SKILL.md file includes robust safety instructions that explicitly prohibit the AI agent from making unauthorized file modifications or auto-fixing issues. No evidence of data exfiltration, malicious persistence, or harmful prompt injection was found; the tool's behavior is entirely consistent with its stated purpose.
Capability Assessment
Purpose & Capability
Name/description match the provided files: SKILL.md, README, rules references and a scanner script that implements security/quality/soul/system checks. The skill does not ask for unrelated credentials or external access.
Instruction Scope
Runtime instructions tell the agent to run the bundled scanner against a user-supplied path and produce read-only HTML reports. The scanner inspects workspace files and (optionally) system items when run in 'system' mode; this behavior is consistent with the documented purpose. The SKILL.md explicitly forbids automatic modification of skill files and states reports are read-only.
Install Mechanism
No install spec or remote downloads are present; the skill is instruction + a local Python script. Nothing in the manifest requires pulling code from external URLs.
Credentials
The skill requests no environment variables, credentials, or config paths. The scanner may read arbitrary files you point it at (including secrets if present), which is expected for a code-auditor.
Persistence & Privilege
always is false and the skill does not request forced inclusion or system-level configuration changes. The SKILL.md mentions that weekly cron-based audits are supported, but no automatic scheduling code is included in the manifest — scheduling would be a user action and is documented as optional.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install code-audit-claw
  3. After installation, invoke the skill by name or use /code-audit-claw
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.2.0
Initial release of code-audit-claw. - Added LICENSE and README.md files. - Introduced base documentation and usage examples for the code auditing skill. - Defined three scanning modes: security audit, quality audit, and soul audit. - Outlined command-line interface and typical usage scenarios. - Documented audit rules, operating procedures, and strict modification policies.
v1.0.0
Initial release: security audit, quality audit, and OpenClaw-exclusive soul audit for SOUL.md/MEMORY.md/AGENTS.md. HTML report output + AI analysis mode + weekly cron support.
Metadata
Slug code-audit-claw
Version 1.2.0
License MIT-0
All-time Installs 3
Active Installs 3
Total Versions 2
Frequently Asked Questions

What is Code Audit?

Three-mode code auditor for OpenClaw workspaces. (1) Security audit — finds hardcoded secrets, dangerous shell commands, SQL injection, unsafe deserializatio... It is an AI Agent Skill for Claude Code / OpenClaw, with 438 downloads so far.

How do I install Code Audit?

Run "/install code-audit-claw" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Code Audit free?

Yes, Code Audit is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Code Audit support?

Code Audit is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Code Audit?

It is built and maintained by hanwenyolo-dot (@hanwenyolo-dot); the current version is v1.2.0.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments