
Code Auditor

by unixlamadev-spec · GitHub · v1.1.0 · MIT-0
cross-platform ⚠ suspicious
409 downloads · 0 stars · 4 active installs · 3 versions
Install in OpenClaw
/install code-auditor
Description
Audit any GitHub repo or raw code for security, quality, or gas optimization. Returns score, findings, severity counts, and summary.
README (SKILL.md)

Code Auditor

Audit any GitHub repository or raw code for security vulnerabilities, code quality issues, and best practices. Supports targeted audits by focus area. Returns a score, severity-scored findings, and actionable summary.

When to Use

  • Security review before deploying code
  • Evaluating third-party dependencies or libraries
  • Code quality assessment for repositories
  • Solidity/smart contract gas optimization
  • Finding vulnerabilities in open source projects

Usage Flow

  1. Provide a GitHub repo URL or paste raw code directly
  2. Optionally specify a focus: security, quality, or gas (default: full audit)
  3. AIProx routes to the code-auditor agent
  4. Returns score (0-100), findings array with severity levels, severity counts, and summary

Security Manifest

Permission   Scope                 Reason
Network      aiprox.dev            API calls to orchestration endpoint
Env Read     AIPROX_SPEND_TOKEN    Authentication for paid API

Make Request

curl -X POST https://aiprox.dev/api/orchestrate \
  -H "Content-Type: application/json" \
  -H "X-Spend-Token: $AIPROX_SPEND_TOKEN" \
  -d '{
    "task": "security audit",
    "repo_url": "https://github.com/user/repo",
    "focus": "security"
  }'

Response

{
  "score": 72,
  "findings": [
    {"severity": "critical", "file": "config.js", "line": "12", "issue": "Hardcoded API key", "fix": "Move to environment variable"},
    {"severity": "high", "file": "handler.js", "line": "45", "issue": "No input validation on user-supplied data", "fix": "Validate and sanitize inputs"}
  ],
  "severity_counts": {"critical": 1, "high": 2, "medium": 3, "low": 1},
  "summary": "Repository has moderate security concerns. Critical: 1 hardcoded secret. High: missing input validation. Recommend immediate remediation."
}
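The JSON above is the only contract the skill publishes for its output, so anything that feeds it into a deployment decision should validate the shape and cross-check severity_counts against the findings array before trusting either field. The Python below is an added example written for this page, not code from the skill or from aiprox.dev. It embeds the sample response shown above as its offline input, accepts `line` as the string the sample uses, and applies a hypothetical gate policy (block on any critical or high finding, or on a score below 80) that the skill itself does not define.

```python
"""Parse and gate a Code Auditor response. Added example for this page, not the
skill's own code: validates the documented shape, reconciles severity_counts
against the findings array, and applies an assumed deployment-gate policy."""
import json

SEVERITIES = ("critical", "high", "medium", "low")

# The sample response from SKILL.md above, used here as offline input.
SAMPLE_RESPONSE = '''{
  "score": 72,
  "findings": [
    {"severity": "critical", "file": "config.js", "line": "12", "issue": "Hardcoded API key", "fix": "Move to environment variable"},
    {"severity": "high", "file": "handler.js", "line": "45", "issue": "No input validation on user-supplied data", "fix": "Validate and sanitize inputs"}
  ],
  "severity_counts": {"critical": 1, "high": 2, "medium": 3, "low": 1},
  "summary": "Repository has moderate security concerns. Critical: 1 hardcoded secret. High: missing input validation. Recommend immediate remediation."
}'''


def parse_audit(text):
    """Decode the response and reject anything outside the documented shape."""
    data = json.loads(text)
    score = data.get("score")
    if not isinstance(score, int) or not 0 <= score <= 100:
        raise ValueError(f"score out of range: {score!r}")
    findings = data.get("findings")
    if not isinstance(findings, list):
        raise ValueError("findings must be a list")
    for f in findings:
        if f.get("severity") not in SEVERITIES:
            raise ValueError(f"unknown severity: {f.get('severity')!r}")
        # The sample carries line numbers as strings; normalise to int when possible.
        try:
            f["line"] = int(f["line"])
        except (KeyError, TypeError, ValueError):
            f["line"] = None
    counts = data.get("severity_counts", {})
    data["severity_counts"] = {s: int(counts.get(s, 0)) for s in SEVERITIES}
    return data


def count_findings(findings):
    """Tally the findings array by severity."""
    counts = {s: 0 for s in SEVERITIES}
    for f in findings:
        counts[f["severity"]] += 1
    return counts


def reconcile_counts(audit):
    """Return {severity: (reported, listed)} for every severity where the
    service's severity_counts disagree with what the findings array contains."""
    listed = count_findings(audit["findings"])
    reported = audit["severity_counts"]
    return {s: (reported[s], listed[s]) for s in SEVERITIES if reported[s] != listed[s]}


def gate(audit, min_score=80, block_on=("critical", "high")):
    """Assumed policy: fail on a low score or on any reported finding at a
    blocking severity. Returns (passed, reasons)."""
    reasons = []
    if audit["score"] < min_score:
        reasons.append(f"score {audit['score']} < {min_score}")
    for s in block_on:
        n = audit["severity_counts"][s]
        if n:
            reasons.append(f"{n} {s} finding(s)")
    return (not reasons, reasons)


if __name__ == "__main__":
    audit = parse_audit(SAMPLE_RESPONSE)
    ok, reasons = gate(audit)
    print("PASS" if ok else "FAIL: " + "; ".join(reasons))
    for s, (rep, lst) in reconcile_counts(audit).items():
        print(f"warning: severity_counts.{s}={rep} but findings lists {lst}")
```

Run against the sample above, the gate fails on both the score and the critical finding, and the reconciliation reports that severity_counts claims 2 high, 3 medium and 1 low while the findings array lists one high and nothing else. Whether the array was truncated or the counts are wrong, that gap should be surfaced to whoever reads the report rather than silently accepted.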

Trust Statement

Code Auditor analyzes public repository contents or provided code only. No code is executed. Analysis is performed by Claude via LightningProx. Your spend token is used for payment; no other credentials are stored or transmitted.

Usage Guidance
This skill will send any code or public repo URL you provide to a third-party endpoint (aiprox.dev) and uses AIPROX_SPEND_TOKEN for payment/auth. Before installing:

  1. Confirm you are comfortable uploading code (do not send private repo contents or secrets).
  2. Verify the aiprox.dev service and its privacy/security policy and who operates it (homepage is given but source is unknown).
  3. Understand that private GitHub repos likely require separate credentials; the skill does not request a GitHub token, so clarify how private repos are supported.
  4. Test on non-sensitive public code first and avoid sending secrets or private keys.

If you need audits to stay local, use a local/offline auditing tool instead.
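The guidance above reduces to two checks that can be automated before anything reaches aiprox.dev: accept only a public github.com owner/repo URL, and scan pasted code for secret material. The Python below is an added example for this page, not part of the skill. It builds the same JSON body as the curl request above; the `code` field name for raw snippets is an assumption, since SKILL.md only shows the `repo_url` form, the secret patterns are a heuristic starting set rather than a complete scanner, and the sample snippet is constructed.

```python
"""Pre-flight guard for the Code Auditor request. Added example for this page,
not part of the skill: it refuses inputs the Usage Guidance says should never be
uploaded, then builds the same JSON body the curl example sends."""
import json
import re
from urllib.parse import urlparse

# Heuristic patterns for material that must not leave the machine (not exhaustive).
SECRET_PATTERNS = {
    "private key block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "AWS access key id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "GitHub token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "assigned secret literal": re.compile(
        r"(?i)\b(api[_-]?key|secret|password|token)\b\s*[:=]\s*['\"][^'\"]{8,}['\"]"),
}

# Constructed sample snippet: one leaked key literal among otherwise harmless lines.
SAMPLE_CODE = '''const fetch = require("node-fetch");
const API_KEY = "sk_live_0123456789abcdef";
module.exports = { fetch };
'''


def find_secrets(code):
    """Return (label, line_no) for every pattern hit so the caller can refuse the upload."""
    hits = []
    for no, line in enumerate(code.splitlines(), 1):
        for label, pat in SECRET_PATTERNS.items():
            if pat.search(line):
                hits.append((label, no))
    return hits


def is_public_github_repo(url):
    """Accept only https://github.com/<owner>/<repo>. SSH remotes, other hosts,
    credentials embedded in the URL and deep links (tree/blob paths) are rejected."""
    p = urlparse(url)
    if p.scheme != "https" or p.netloc != "github.com" or p.username or p.password:
        return False
    parts = [s for s in p.path.split("/") if s]
    return len(parts) == 2 and all(re.fullmatch(r"[A-Za-z0-9_.-]+", s) for s in parts)


def build_request(repo_url=None, code=None, task="security audit", focus="security"):
    """Build the request body for POST https://aiprox.dev/api/orchestrate.
    Exactly one of repo_url / code is required; unsafe inputs raise ValueError."""
    if (repo_url is None) == (code is None):
        raise ValueError("give exactly one of repo_url or code")
    if focus not in ("security", "quality", "gas"):
        raise ValueError(f"unknown focus {focus!r}")
    body = {"task": task, "focus": focus}
    if repo_url is not None:
        if not is_public_github_repo(repo_url):
            raise ValueError(f"refusing non-public or malformed repo URL: {repo_url}")
        body["repo_url"] = repo_url
    else:
        hits = find_secrets(code)
        if hits:
            where = ", ".join(f"{label} (line {no})" for label, no in hits)
            raise ValueError(f"refusing to upload code containing secrets: {where}")
        body["code"] = code  # field name assumed; SKILL.md only documents repo_url
    return json.dumps(body)


if __name__ == "__main__":
    print(build_request(repo_url="https://github.com/user/repo"))
    for bad in ("git@github.com:user/repo.git", "https://github.com/user/repo/tree/main"):
        print(bad, "->", is_public_github_repo(bad))
    try:
        build_request(code=SAMPLE_CODE)
    except ValueError as e:
        print(e)
```

The URL check deliberately rejects `git@github.com:` remotes and URLs carrying a username, because either form tends to mean a private clone path, which the skill has no declared way to access anyway. The secret scan runs before the body is built, so a hit means nothing is serialised, let alone sent.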
Capability Analysis
Type: OpenClaw Skill
Name: code-auditor
Version: 1.1.0

The code-auditor skill is a legitimate utility designed to perform security and quality audits on source code via an external API (aiprox.dev). It transparently declares its need for network access and the AIPROX_SPEND_TOKEN environment variable for authentication, and its instructions in SKILL.md align strictly with its stated purpose without any evidence of malicious intent or prompt injection.
Capability Assessment
Purpose & Capability
The declared purpose (auditing code/repos) matches the instructions to POST code or a repo URL to aiprox.dev and use AIPROX_SPEND_TOKEN for payment. However, the SKILL.md claims it can audit "any GitHub repo" but does not request a GitHub token or explain how it will access private repositories. That discrepancy (public vs. private repo access) is unclear and should be clarified.
Instruction Scope
Runtime instructions explicitly direct the agent to upload repository contents or raw code to https://aiprox.dev/api/orchestrate with the X-Spend-Token header. Sending code to a third-party service is consistent with an auditor but is a sensitive operation: private code, secrets, or proprietary IP could be transmitted. The SKILL.md asserts "No code is executed," but the agent cannot verify that on its own — the only observable behavior is network transmission of the code to a remote service.
Install Mechanism
Instruction-only skill with no install spec and no code files; nothing is written to disk or installed by the skill itself. This minimizes local-install risk.
Credentials
The skill requests a single environment variable (AIPROX_SPEND_TOKEN) which is proportional for a paid, networked auditor. Still, the token is sensitive (used for payment/auth) and grants the service the ability to be invoked; there is no clear, declared support for providing GitHub credentials for private repos, which is a functional gap rather than excessive permissioning.
Persistence & Privilege
The skill is not forced-always enabled (always: false) and does not request persistent or elevated agent privileges. Autonomous invocation is allowed (the platform default) but not combined with other high-risk indicators here.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install code-auditor
  3. After installation, invoke the skill by name or use /code-auditor
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.1.0
Now supports model selection — specify any of 19 models across 5 providers per request (e.g. gemini-2.5-flash, mistral-large-latest, claude-opus-4-5-20251101)
v1.0.1
  - Added support for auditing both GitHub repositories and raw code snippets.
  - Introduced targeted audit focus areas: security, quality, and gas optimization.
  - Audit findings now include severity levels, per-severity counts, and suggested fixes.
  - Usage and API examples updated to reflect enhanced features and options.
v1.0.0
  - Initial release of Code Auditor skill.
  - Audit any GitHub repository for security vulnerabilities and code quality issues.
  - Provides an overall score, detailed findings, and actionable summary.
  - Supports optional audit focus (e.g., security, performance).
  - Requires AIPROX_SPEND_TOKEN for authentication.
Metadata
Slug: code-auditor
Version: 1.1.0
License: MIT-0
All-time Installs: 4
Active Installs: 4
Total Versions: 3
Frequently Asked Questions

What is Code Auditor?

Audit any GitHub repo or raw code for security, quality, or gas optimization. Returns score, findings, severity counts, and summary. It is an AI Agent Skill for Claude Code / OpenClaw, with 409 downloads so far.

How do I install Code Auditor?

Run "/install code-auditor" in the OpenClaw or Claude Code chat to install it in one step. The skill has no local install spec, but it will not work until the AIPROX_SPEND_TOKEN environment variable declared in its Security Manifest is set, since every audit is a paid call to aiprox.dev.

Is Code Auditor free?

The skill itself is free and licensed under MIT-0, so you can download, install and modify it at no cost. The audits are not free: each request is sent to the paid aiprox.dev API and authenticated with your AIPROX_SPEND_TOKEN, which the Trust Statement says is used for payment.

Which platforms does Code Auditor support?

Code Auditor is cross-platform: it is an instruction-only skill with no native code, so it runs anywhere OpenClaw / Claude Code is available.

Who created Code Auditor?

It is built and maintained by unixlamadev-spec (@unixlamadev-spec); the current version is v1.1.0.
