# ConcurrencyGuard -- Race Condition & Concurrency Safety Analyzer

ConcurrencyGuard scans codebases for concurrency hazards: unprotected shared state, missing mutex/locks, TOCTOU vulnerabilities, async/await pitfalls, thread-unsafe singletons, missing transaction isolation, data races in goroutines, unguarded lazy initialization, non-atomic read-modify-write, and deadlock-prone lock ordering -- across JS/TS, Python, Java, Go, Rust, and C#. It uses regex-based pattern matching against 90+ concurrency safety patterns, lefthook for git hook integration, and produces markdown reports with actionable remediation recommendations. 100% local. Zero telemetry.

## Commands

### Free Tier (No license required)

#### `concurrencyguard scan [file|directory]`
One-shot concurrency safety scan of files or directories.

**How to execute:**
```bash
bash "<SKILL_DIR>/scripts/concurrencyguard.sh" scan [target]
```

**What it does:**
1. Accepts a file path or directory (defaults to current directory)
2. Discovers all source files (skips .git, node_modules, binaries, images, .min.js)
3. Runs 90+ concurrency safety patterns against each file
4. Respects .gitignore and allowlist files
5. Calculates a concurrency safety score (0-100) per file and overall
6. Grades: A (90-100), B (80-89), C (70-79), D (60-69), F (<60)
7. Outputs findings with: file, line number, check ID, severity, description, recommendation
8. Exit code 0 if score >= 70, exit code 1 if too many issues found
9. Free tier limited to 5 files per scan

**Example usage scenarios:**
- "Scan my code for race conditions" -> runs `concurrencyguard scan .`
- "Check this file for concurrency issues" -> runs `concurrencyguard scan src/server.go`
- "Find thread safety problems in my project" -> runs `concurrencyguard scan src/`
- "Are there any deadlock risks in my code?" -> runs `concurrencyguard scan .`
- "Check for missing locks" -> runs `concurrencyguard scan .`
- "Find TOCTOU vulnerabilities" -> runs `concurrencyguard scan .`

#### `concurrencyguard hook install`
Install git pre-commit hooks that scan staged files for concurrency issues before every commit.

**How to execute:**
```bash
bash "<SKILL_DIR>/scripts/concurrencyguard.sh" hook install
```

**What it does:**
1. Copies lefthook config to project root
2. Installs lefthook pre-commit hook
3. On every commit: scans all staged files for concurrency hazards, blocks commit if critical/high findings, shows remediation advice

#### `concurrencyguard hook uninstall`
Remove ConcurrencyGuard git hooks.

```bash
bash "<SKILL_DIR>/scripts/concurrencyguard.sh" hook uninstall
```

#### `concurrencyguard report [directory]`
Generate a markdown concurrency safety report with findings, severity breakdown, and remediation steps.

```bash
bash "<SKILL_DIR>/scripts/concurrencyguard.sh" report [directory]
```

**What it does:**
1. Runs full scan of the directory
2. Generates a formatted markdown report from template
3. Includes per-file breakdowns, concurrency safety scores, remediation priority
4. Output suitable for code reviews and architecture audits

### Pro Tier ($19/user/month -- requires CONCURRENCYGUARD_LICENSE_KEY)

#### `concurrencyguard watch [directory]`
Continuous file-watching mode that re-scans on every file change.

```bash
bash "<SKILL_DIR>/scripts/concurrencyguard.sh" watch [directory]
```

**What it does:**
1. Validates Pro+ license
2. Watches directory for file changes using filesystem events
3. Re-scans changed files automatically
4. Reports new concurrency issues in real time
5. Ideal for active development sessions

#### `concurrencyguard ci [directory]`
CI/CD integration mode with strict exit codes and machine-readable output.

```bash
bash "<SKILL_DIR>/scripts/concurrencyguard.sh" ci [directory]
```

**What it does:**
1. Validates Pro+ license
2. Runs full scan of the directory
3. Outputs machine-readable results with exit codes for CI systems
4. Exit 0 = clean, exit 1 = critical/high issues, exit 2 = medium issues
5. Compatible with GitHub Actions, GitLab CI, Jenkins, CircleCI

### Team Tier ($39/user/month -- requires CONCURRENCYGUARD_LICENSE_KEY with team tier)

#### `concurrencyguard team-report [directory]`
Generate an aggregate team-level concurrency safety report with trend data.

```bash
bash "<SKILL_DIR>/scripts/concurrencyguard.sh" team-report [directory]
```

**What it does:**
1. Validates Team+ license
2. Runs full scan with aggregation by module/package
3. Generates team-level metrics (hotspot files, worst categories, trend indicators)
4. Includes per-developer breakdown when git blame data is available
5. Suitable for sprint retrospectives and architecture reviews

#### `concurrencyguard baseline [directory]`
Establish a baseline of known concurrency issues for allowlisting.

```bash
bash "<SKILL_DIR>/scripts/concurrencyguard.sh" baseline [directory]
```

**What it does:**
1. Validates Team+ license
2. Scans directory and records all current findings as baseline
3. Saves baseline to .concurrencyguard-baseline.json
4. Future scans only report NEW issues not in the baseline
5. Useful for legacy codebases with known accepted concurrency patterns

#### `concurrencyguard status`
Show license and configuration information.

```bash
bash "<SKILL_DIR>/scripts/concurrencyguard.sh" status
```

## Detected Concurrency Patterns

ConcurrencyGuard detects 90+ concurrency safety patterns across 6 categories:

| Category | Examples | Severity |
|----------|----------|----------|
| **Shared State (SS)** | Global mutable variables, unprotected static fields, module-level mutable state, shared variables without volatile/atomic, global object mutation in worker threads | Critical/High |
| **Locking & Mutex (LK)** | Missing synchronized in Java, missing lock in C#, missing mutex.Lock() in Go, Lock without Unlock, nested locks (deadlock risk), missing RWMutex, spin locks in user code | Critical/High |
| **TOCTOU & Atomicity (TC)** | Check-then-act without synchronization, file exists then open, read-modify-write without CAS, double-checked locking without volatile, non-atomic counters | Critical/High |
| **Async/Await Pitfalls (AW)** | Await in loop (sequential not parallel), missing await, async void, fire-and-forget promises, race conditions after await, missing Promise.all | High/Medium |
| **Thread Safety (TS)** | Thread-unsafe singleton, HashMap without sync, non-thread-safe datetime, mutable defaults shared across threads, lazy init without double-check | High/Medium |
| **Deadlock & Starvation (DL)** | Inconsistent lock ordering, holding lock across external call, channel without timeout, unbuffered channel in goroutine, missing select/default, lock held across await | Critical/High |
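
The "file exists then open" case from the TOCTOU row, as an added Python example (not ConcurrencyGuard's own code or test data): `claim_racy` is the check-then-act shape and `claim_atomic` is the hardened form. The function names, the lock-file path and the `between` hook are assumptions of this sketch; the hook stands in for a second worker that gets scheduled inside the race window.

```python
import os
import tempfile

def claim_racy(path, owner, between=None):
    """Check-then-act: exists() and open() are two separate steps."""
    if os.path.exists(path):
        return False
    if between:                      # hypothetical hook: another worker runs in the window
        between()
    with open(path, "w") as fh:      # "w" silently truncates the rival's file
        fh.write(owner)
    return True

def claim_atomic(path, owner, between=None):
    """O_CREAT|O_EXCL makes the kernel check and create in one step."""
    if between:
        between()
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except FileExistsError:
        return False                 # someone else holds the claim
    with os.fdopen(fd, "w") as fh:
        fh.write(owner)
    return True

def demo():
    """Run both variants against the same constructed interleaving."""
    results = {}
    for name, claim in (("racy", claim_racy), ("atomic", claim_atomic)):
        with tempfile.TemporaryDirectory() as tmp:
            path = os.path.join(tmp, "job.lock")   # constructed sample path

            def rival():
                with open(path, "w") as fh:
                    fh.write("worker-B")

            won = claim(path, "worker-A", between=rival)
            with open(path) as fh:
                results[name] = (won, fh.read())
    return results

if __name__ == "__main__":
    for name, (won, holder) in demo().items():
        print(f"{name}: worker-A won={won}, file says {holder}")
```

In the racy variant both workers believe they hold the claim and worker-B's file is overwritten; in the atomic variant worker-A is refused and worker-B's file is intact.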

## Configuration

Users can configure ConcurrencyGuard in `~/.openclaw/openclaw.json`:

```json
{
  "skills": {
    "entries": {
      "concurrencyguard": {
        "enabled": true,
        "apiKey": "YOUR_LICENSE_KEY_HERE",
        "config": {
          "severityThreshold": "high",
          "ignorePatterns": ["**/test/**", "**/fixtures/**", "**/*.test.*"],
          "ignoreChecks": [],
          "allowlistFile": ".concurrencyguard-allowlist",
          "reportFormat": "markdown"
        }
      }
    }
  }
}
```

## Important Notes

- **Free tier** works immediately with no configuration
- **All scanning happens locally** -- no code is sent to external servers
- **License validation is offline** -- no phone-home or network calls
- Pattern matching only -- no AST parsing, no external dependencies beyond bash
- Supports scanning JS/TS, Python, Java, Go, Rust, and C# in a single pass
- Git hooks use **lefthook** which must be installed (see install metadata above)
- Exit codes: 0 = clean (score >= 70), 1 = issues detected (for CI/CD integration)
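
What "pattern matching only, no AST parsing" means for results, as an added Python sketch (not ConcurrencyGuard's patterns or code): one line-window regex check run over a constructed sample. The check ID `TC-EXAMPLE`, both regexes and the window size are assumptions; the check flags the real check-then-act on line 5, misses the aliased one on line 10, and flags the commented-out code on line 14.

```python
import re

CHECK = re.compile(r"os\.path\.(exists|isfile)\(")   # the "check" half
ACT = re.compile(r"\bopen\(")                        # the "act" half
WINDOW = 3                                           # lines inspected, starting at the check

# Constructed sample input, not taken from any real project.
SAMPLE = '''\
import os
from os.path import exists as there

def save(p, data):
    if not os.path.exists(p):
        with open(p, "w") as f:
            f.write(data)

def save_aliased(p, data):
    if not there(p):
        with open(p, "w") as f:
            f.write(data)

# if not os.path.exists(p): open(p, "w")
'''

def scan(text, filename="sample.py"):
    """Line-oriented regex check; returns findings shaped like the scan output fields."""
    lines = text.splitlines()
    findings = []
    for i, line in enumerate(lines):
        if CHECK.search(line) and any(ACT.search(l) for l in lines[i:i + WINDOW]):
            findings.append({
                "file": filename,
                "line": i + 1,
                "check": "TC-EXAMPLE",          # hypothetical ID, not a real check
                "severity": "high",
                "description": "exists() check followed by open()",
                "recommendation": "create with O_CREAT|O_EXCL or hold a lock",
            })
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f'{f["file"]}:{f["line"]} [{f["check"]}] {f["severity"]}: {f["description"]}')
```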

## Error Handling

- If lefthook is not installed and user tries `hook install`, prompt to install it
- If license key is invalid or expired, show clear message with link to https://concurrencyguard.pages.dev/renew
- If a file is binary, skip it automatically with no warning
- If no scannable files found in target, report clean scan with info message
- If .concurrencyguard-allowlist is missing, skip allowlist filtering gracefully

## When to Use ConcurrencyGuard

The user might say things like:
- "Scan my code for race conditions"
- "Find concurrency bugs in my project"
- "Check for thread safety issues"
- "Are there any deadlock risks in my code?"
- "Scan for missing locks or mutexes"
- "Find TOCTOU vulnerabilities"
- "Check my async/await code for pitfalls"
- "Find unprotected shared state"
- "Detect data races in my Go code"
- "Check for thread-unsafe singletons"
- "Scan for concurrency issues before I push"
- "Set up pre-commit hooks for concurrency checking"
- "Generate a concurrency safety report"
- "Find missing synchronization in my Java code"
- "Check for non-atomic operations"
- "Detect deadlock-prone lock ordering"

- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: `/install concurrencyguard`
- After installation, invoke the skill by name or use `/concurrencyguard`
- Provide required inputs per the skill's parameter spec and get structured output
What is concurrencyguard?
Race condition & concurrency safety analyzer -- detects unprotected shared state, missing locks, TOCTOU vulnerabilities, async/await pitfalls, thread-unsafe... It is an AI Agent Skill for Claude Code / OpenClaw, with 86 downloads so far.
How do I install concurrencyguard?
Run "/install concurrencyguard" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is concurrencyguard free?
Yes, concurrencyguard is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does concurrencyguard support?
concurrencyguard is cross-platform and runs anywhere OpenClaw / Claude Code is available (darwin, linux, win32).
Who created concurrencyguard?
It is built and maintained by suhteevah (@suhteevah); the current version is v1.0.1.