Production Code Audit
by Solomon Neas (GitHub) · v1.1.0 · MIT-0
142 Downloads · 0 Stars · 1 Active Installs · 2 Versions
Install in OpenClaw: /install production-code-audit
Description
Deep-scan a codebase, understand its architecture and patterns, then produce a comprehensive audit report with prioritized fixes. Optionally apply changes on...
Usage Guidance
This skill generally does what it says (read a repo, report issues, optionally make fixes), but there are important ambiguities you should resolve before installing or granting access:
1) Clarify secret handling: the doc both forbids committing secrets and shows an example that removes a secret and commits the change. Decide whether you want automated secret removal and what review/approval is required.
2) Confirm how PRs and branch pushes will be performed and what credentials are required; grant only a token with the minimum scope (e.g., the `public_repo` scope or a repository-scoped write token) and avoid org-wide admin tokens.
3) Require an explicit, interactive confirmation step before any 'fix mode' action (create branch, modify files, run tests, push).
4) Prefer that test execution happen in a CI sandbox you control rather than on a developer workstation.
5) Always review the diff/PR before merging, and consider running the first audit in read-only mode to see the scope of changes the skill proposes.
If you cannot verify these behaviors with the skill owner, treat the 'fix' capability as high-risk and use the skill for read-only audits only.
Capability Analysis
Type: OpenClaw Skill
Name: production-code-audit
Version: 1.1.0
The skill bundle contains conflicting instructions in SKILL.md that encourage extreme AI autonomy, explicitly telling the agent to "not ask questions," "not wait for instructions," and "fix everything automatically" without user input. While the stated purpose is a code audit and hardening tool, these instructions override the earlier safety guidelines regarding user confirmation for test execution and file modification. This creates a high risk of unintended code execution or destructive modifications if the agent processes a codebase without human oversight.
Capability Assessment
Purpose & Capability
Name and description align with the instructions: the skill is an instruction-only audit that reads a repo, reports issues, and — if explicitly requested — creates a branch and applies fixes. No unrelated binaries, environment variables, or installs are requested.
Instruction Scope
Most runtime steps stay within auditing/fixing a codebase (reading source files, running tests, creating a fix branch). However, the SKILL.md contains a direct contradiction: under 'Secrets handling' it says 'Do NOT remove or commit secrets', but the Fixes example shows removing a hardcoded DB password and committing the change. The doc is also vague about the exact mechanism for creating/opening PRs (does it use git push, the GitHub API, or ask for tokens?) and about which local operations will be executed without explicit, contextual user consent (tests, CI runs, network access). These ambiguities could lead to unexpected modifications or credential usage.
Install Mechanism
Instruction-only skill with no install spec and no code files; nothing is written to disk by the skill itself. Low install risk.
Credentials
The skill declares no required environment variables or credentials, but its 'fix' mode assumes the agent can create branches, push, and open PRs — operations that require git credentials or API tokens. The SKILL.md does not describe the credential scope required (e.g., repo write vs. repo creation vs. org-level), so users may inadvertently grant overly broad access if they provide tokens. Also running tests or CI may require access to databases or third-party services; the doc instructs asking the user, but concrete safeguards are not specified.
Persistence & Privilege
always: false (good). Autonomous invocation is allowed by default — normal for skills — but because the skill can modify a repository when asked, you should ensure the agent only acts when the user explicitly requests 'fix mode'. There is no instruction that the skill will persist beyond its own actions or modify other skills or system-wide settings.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install production-code-audit
- After installation, invoke the skill by name or use /production-code-audit
- Provide the required inputs per the skill's parameter spec and get structured output
Version History
v1.1.0
Added audit-only default mode, branch/PR workflow, secrets handling guidance, test execution safeguards
v1.0.0
Initial release – autonomously audits and transforms entire codebases to production-grade quality.
- Deep-scans all project files to understand architecture, tech stack, and data flow.
- Detects issues across security, performance, code quality, architecture, testing, and production readiness.
- Automatically fixes vulnerabilities, optimizes performance, refactors code, and adds missing infrastructure.
- Provides comprehensive before/after reporting, including metrics and verification of all changes.
- Ideal for users needing production-ready, corporate-level code and compliance with enterprise standards.
Frequently Asked Questions
What is Production Code Audit?
Deep-scan a codebase, understand its architecture and patterns, then produce a comprehensive audit report with prioritized fixes. Optionally apply changes on... It is an AI Agent Skill for Claude Code / OpenClaw, with 142 downloads so far.
How do I install Production Code Audit?
Run "/install production-code-audit" in the OpenClaw or Claude Code chat to install it in one step; no extra setup is required.
Is Production Code Audit free?
Yes, Production Code Audit is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Production Code Audit support?
Production Code Audit is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created Production Code Audit?
It is built and maintained by Solomon Neas (@solomonneas); the current version is v1.1.0.