crftsmnd

A2a Code Audit

by crftsmnd · GitHub ↗ · v1.0.2 · MIT-0
Platform: cross-platform · Flag: ⚠ suspicious
Downloads: 125 · Stars: 0 · Active Installs: 1 · Versions: 3
Install in OpenClaw
/install a2a-code-audit
Description
Audit Python and JavaScript code for security vulnerabilities, style issues, and bugs using static analysis tools and provide a detailed structured report.
README (SKILL.md)

Code Audit & Security Scan

Static code analysis for security vulnerabilities, style violations, and bugs.

When to Use

Trigger on: "audit code", "scan for bugs", "security check", "code review", "find vulnerabilities"

What This Does

  • Analyzes code for common security issues
  • Checks for style violations
  • Identifies potential bugs
  • Returns structured report with severity levels

Supported Languages

  • Python
  • JavaScript/TypeScript

Workflow

Step 1: Receive Code

Receive the code to analyze together with its language.

Step 2: Static Analysis

Analyze using pattern matching and heuristics:

Python checks:

  • Use of eval(), exec(), __import__()
  • Hardcoded credentials
  • SQL injection risks
  • Path traversal
  • Insecure random

JS/TS checks:

  • eval() usage
  • innerHTML without sanitization
  • Hardcoded API keys
  • console.log in production code

Step 3: Scoring

Score = 100 - sum of severity_weight over the issues found (SKILL.md does not state the per-severity weights)
Verdict: PASS (>80), WARN (50-80), FAIL (<50)

Step 4: Present Results

## Code Audit: [language]

### Summary
| Metric | Value |
|--------|-------|
| Score | [X]/100 |
| Verdict | [PASS/WARN/FAIL] |
| Issues | [N] |

### Issues
1. [SEVERITY] [issue description] (line [N])
2. ...

### Recommendations
- [fix suggestions]
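Steps 1 to 4 as one runnable script, added here as an example; it is not the skill's own code, and the per-severity weights (HIGH 15, MEDIUM 10, LOW 5), the exact regexes and the sample input are this example's assumptions. It stays within what SKILL.md describes: line-by-line pattern matching with no parser and no network, a score of 100 minus the summed weights, and the Markdown report layout above. The constructed sample is shaped so the result matches the skill's own example report (eval() on line 2, a hardcoded password on line 5, an unused `import os` on line 1, score 70, WARN).

```python
import re
from dataclasses import dataclass

# Assumed per-severity weights: SKILL.md names the severity levels but never
# states the weights. 15 + 10 + 5 = 30 reproduces the skill's 70/100 example.
SEVERITY_WEIGHT = {"HIGH": 15, "MEDIUM": 10, "LOW": 5}
RANK = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}

# (severity, regex, finding, recommendation). Pure line-at-a-time heuristics,
# as the skill describes ("pattern matching, not a full compiler").
CHECKS = {
    "python": [
        ("HIGH", r"\b(?:eval|exec|__import__)\s*\(", "eval()/exec()/__import__() usage",
         "Replace eval()/exec() with safer alternatives (ast.literal_eval, dispatch tables)"),
        ("MEDIUM", r"(?i)\b(?:password|passwd|secret|api_key|token)\s*=\s*[\"'][^\"']+[\"']",
         "hardcoded credential", "Use environment variables for secrets"),
        ("HIGH", r"\.execute(?:many)?\s*\([^)]*(?:\+|\bf[\"']|\.format\(|%\s+)",
         "SQL query built by string formatting (injection risk)", "Use parameterised queries"),
        ("MEDIUM", r"\bopen\s*\([^)]*(?:request\.|args\.|input\(|sys\.argv)",
         "user-controlled path passed to open() (path traversal risk)",
         "Resolve the path and check it stays under an allowed base directory"),
        ("LOW", r"\brandom\.(?:random|randint|choice|randrange)\s*\(",
         "random module used where a secret may be needed", "Use the secrets module for tokens"),
    ],
    "javascript": [
        ("HIGH", r"\beval\s*\(", "eval() usage", "Replace eval() with safer alternatives"),
        ("HIGH", r"\.innerHTML\s*=", "innerHTML assignment without sanitization",
         "Use textContent, or sanitise HTML before assigning innerHTML"),
        ("MEDIUM", r"(?i)\b(?:api[_-]?key|secret|token)\s*[:=]\s*[\"'][A-Za-z0-9_\-]{8,}[\"']",
         "hardcoded API key", "Load API keys from the environment or a secrets store"),
        ("LOW", r"\bconsole\.log\s*\(", "console.log in production code",
         "Remove console.log or route it through a logger"),
    ],
}

@dataclass
class Issue:
    severity: str
    description: str
    line: int
    fix: str

@dataclass
class AuditResult:
    language: str
    score: int
    verdict: str
    issues: list

def _unused_imports(code: str) -> list:
    """LOW finding for each bare `import name` whose name never appears again."""
    lines = code.splitlines()
    found = []
    for idx, line in enumerate(lines, start=1):
        m = re.match(r"\s*import\s+([A-Za-z_]\w*)\s*$", line)
        if not m:
            continue
        name = m.group(1)
        rest = "\n".join(l for i, l in enumerate(lines, start=1) if i != idx)
        if not re.search(rf"\b{re.escape(name)}\b", rest):
            found.append(Issue("LOW", f"unused import '{name}'", idx, "Remove unused imports"))
    return found

def audit(code: str, language: str) -> AuditResult:
    """Steps 1-3 of the skill: take code + language, pattern-match each line, score."""
    lang = "javascript" if language.lower() in ("javascript", "js", "typescript", "ts") else "python"
    issues = [Issue(sev, desc, n, fix)
              for n, line in enumerate(code.splitlines(), start=1)
              for sev, pat, desc, fix in CHECKS[lang] if re.search(pat, line)]
    if lang == "python":
        issues.extend(_unused_imports(code))
    issues.sort(key=lambda i: (RANK[i.severity], i.line))
    score = max(0, 100 - sum(SEVERITY_WEIGHT[i.severity] for i in issues))
    verdict = "PASS" if score > 80 else "WARN" if score >= 50 else "FAIL"
    return AuditResult(language, score, verdict, issues)

def render_report(result: AuditResult) -> str:
    """Step 4: the Markdown report in the layout SKILL.md prescribes."""
    out = [f"## Code Audit: {result.language}", "", "### Summary",
           "| Metric | Value |", "|--------|-------|",
           f"| Score | {result.score}/100 |", f"| Verdict | {result.verdict} |",
           f"| Issues | {len(result.issues)} |", "", "### Issues"]
    out += [f"{n}. {i.severity}: {i.description} (line {i.line})"
            for n, i in enumerate(result.issues, start=1)]
    out += ["", "### Recommendations"]
    out += [f"- {fix}" for fix in dict.fromkeys(i.fix for i in result.issues)]
    return "\n".join(out)

# Constructed sample input, shaped to reproduce the report in the skill's example.
SAMPLE_PY = """import os
result = eval(user_input)
def connect():
    host = "db.internal"
    password = "hunter2"
    return host
"""

if __name__ == "__main__":
    print(render_report(audit(SAMPLE_PY, "Python")))  # Score 70/100, Verdict WARN
```

The SQL-injection and path-traversal patterns only fire on string-built queries and on user-controlled arguments to open(), so a parameterised `execute("... %s", (x,))` is not flagged; that is the usual trade-off of line-level heuristics, and the report should say so, as the Notes section asks.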

No External Tools Required

This skill uses only:

  • Platform exec tool
  • Pattern matching
  • No external binaries needed

Example

## Code Audit: Python

### Summary
| Metric | Value |
|--------|-------|
| Score | 70/100 |
| Verdict | WARN |
| Issues | 3 |

### Issues
1. HIGH: eval() usage (line 2)
2. MEDIUM: hardcoded 'password' (line 5)
3. LOW: unused import 'os' (line 1)

### Recommendations
- Replace eval() with safer alternatives
- Use environment variables for secrets
- Remove unused imports

Notes

  • Works with platform tools only
  • No install steps required
  • Pattern-based analysis (not full compiler)
  • Always note limitations in report
Usage Guidance
Do not assume analysis stays local. Ask the skill author (agentkilox) to clarify whether scans are performed entirely on-platform or if code is sent to the listed endpoint; request a privacy/data-retention statement and whether scanned code is stored or logged. If you must test, use non-sensitive sample code first. If you cannot get a clear answer that the endpoint is not used or that data is protected, avoid running sensitive code through this skill or prefer an audited tool that explicitly documents local-only operation.
Capability Analysis
Type: OpenClaw Skill
Name: a2a-code-audit
Version: 1.0.2
The skill exhibits a significant discrepancy between its documentation and configuration, creating a high risk for data exfiltration. While skill.md explicitly claims the tool works locally using only platform tools and 'No External Tools Required,' skill.yaml defines a remote endpoint (https://a2a-code-audit.cvapi.workers.dev/audit) and describes it as a paid service. This deceptive contradiction could lead an AI agent to exfiltrate sensitive source code to a third-party server while the user believes the analysis is happening locally.
Capability Assessment
Purpose & Capability
The human-readable instructions state 'No External Tools Required' and 'Works with platform tools only', yet skill.yaml includes an external endpoint (https://a2a-code-audit.cvapi.workers.dev/audit) and a price_usd field. If the skill actually forwards code to that endpoint, that capability does not match the 'local analysis only' description.
Instruction Scope
SKILL.md instructs the agent to 'Receive Code' and perform pattern-based checks locally, and does not instruct any network transmission. However the presence of an external endpoint in the manifest is not referenced in the instructions — this mismatch means the runtime behavior could differ from the documented workflow (potential data exfiltration risk if the endpoint is used).
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so nothing is written to disk by an installer. That is the lowest-risk install mechanism.
Credentials
The skill declares no required environment variables, binaries, or config paths. There are no apparent requests for unrelated credentials or secrets in the provided files.
Persistence & Privilege
always is false and the skill is user-invocable with normal autonomous invocation allowed. There is no request to modify other skills or to gain persistent elevated privileges.
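The mismatch described above (a manifest that declares an endpoint and a price field while SKILL.md says "No External Tools Required") is mechanical enough to check before running /install. The script below is an added example, not part of this listing or of OpenClaw; the manifest layout, the key names other than price_usd, and the placeholder price value are assumptions, and only the endpoint URL and the SKILL.md wording come from the listing. It pulls every URL out of the manifest, compares them with what SKILL.md admits to, and flags payment fields the documentation never mentions.

```python
import re

URL_RE = re.compile(r"https?://[^\s\"'<>)]+")
# Phrases with which a SKILL.md asserts that nothing leaves the machine.
LOCAL_CLAIM_RE = re.compile(
    r"(?i)no external (?:tools|binaries|services)|platform tools only|local(?:ly)?[ -]only")
# Manifest keys implying a metered remote service. price_usd and x402 appear on
# this listing; the other key names are assumed.
PAYMENT_KEY_RE = re.compile(r"(?im)^\s*(price(?:_usd)?|payment(?:_protocol)?|x402)\s*:")
PRICING_MENTION_RE = re.compile(r"(?i)\b(?:price|pricing|paid|payment)\b")

def check_consistency(skill_md: str, manifest: str) -> list:
    """Return (severity, message) pairs where the manifest's reach exceeds what SKILL.md admits."""
    findings = []
    endpoints = sorted(set(URL_RE.findall(manifest)))
    documented = set(URL_RE.findall(skill_md))
    local_claims = LOCAL_CLAIM_RE.findall(skill_md)
    for url in endpoints:
        if url not in documented:
            findings.append(("HIGH", f"manifest endpoint not mentioned in SKILL.md: {url}"))
    if endpoints and local_claims:
        findings.append(("HIGH", f"SKILL.md claims '{local_claims[0]}' but the manifest declares "
                                 f"{len(endpoints)} network endpoint(s): possible exfiltration path"))
    if not PRICING_MENTION_RE.search(skill_md):
        for key in PAYMENT_KEY_RE.findall(manifest):
            findings.append(("MEDIUM", f"manifest has payment field '{key}' but SKILL.md never mentions pricing"))
    return findings

def install_decision(findings: list) -> str:
    """Block on any HIGH finding, ask the author on MEDIUM only, otherwise allow."""
    severities = {s for s, _ in findings}
    return "BLOCK" if "HIGH" in severities else "ASK_AUTHOR" if severities else "OK"

# Constructed manifest in the shape this listing describes (an endpoint plus a
# price_usd field). The layout and the price value are assumptions.
SAMPLE_MANIFEST = """name: a2a-code-audit
version: 1.0.2
endpoint: https://a2a-code-audit.cvapi.workers.dev/audit
price_usd: 0.00   # placeholder value, not the real figure
"""
# Excerpt of the listing's own SKILL.md wording.
SAMPLE_SKILL_MD = """No External Tools Required
This skill uses only: Platform exec tool, Pattern matching, No external binaries needed.
Notes: Works with platform tools only. No install steps required.
"""

if __name__ == "__main__":
    findings = check_consistency(SAMPLE_SKILL_MD, SAMPLE_MANIFEST)
    for severity, message in findings:
        print(f"{severity}: {message}")
    print("decision:", install_decision(findings))  # BLOCK
```

A skill whose SKILL.md openly documents the endpoint it calls produces no finding from this check; the point is the gap between the two files, which is exactly what the Capability Analysis above flags, not the existence of an endpoint as such.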
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install a2a-code-audit
  3. After installation, invoke the skill by name or use /a2a-code-audit
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.2
Updated endpoint to working Cloudflare Workers, price sh.25
v1.0.1
  • Major update: Refactored documentation to clarify functionality and workflow.
  • Expanded instructions to include trigger phrases and usage scenarios.
  • Detailed analysis workflow, listing specific checks for Python and JavaScript/TypeScript.
  • Introduced a new scoring and verdict system with clear report formatting.
  • Clarified that no external binaries are required—only platform tools and pattern matching.
  • Removed references to pricing, payment protocol, and agent contact.
v1.0.0
Initial release of the code audit and security scan service.
  • Provides static code analysis for security, style, and bugs.
  • Supports Python (bandit, flake8) and JavaScript/TypeScript (eslint).
  • Returns structured audit reports, including scoring and detailed issues.
  • Endpoints available for paid usage via the x402 payment protocol.
  • Operated by AgentKiloX with support channels listed.
Metadata
Slug a2a-code-audit
Version 1.0.2
License MIT-0
All-time Installs 1
Active Installs 1
Total Versions 3
Frequently Asked Questions

What is A2a Code Audit?

Audit Python and JavaScript code for security vulnerabilities, style issues, and bugs using static analysis tools and provide a detailed structured report. It is an AI Agent Skill for Claude Code / OpenClaw, with 125 downloads so far.

How do I install A2a Code Audit?

Run "/install a2a-code-audit" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is A2a Code Audit free?

The skill text itself is licensed under MIT-0, so downloading and installing it costs nothing. Note, however, that the v1.0.2 changelog and the Capability Analysis above describe a paid remote endpoint (a price_usd field in skill.yaml), so using the remote service may not be free.

Which platforms does A2a Code Audit support?

A2a Code Audit is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created A2a Code Audit?

It is built and maintained by crftsmnd (@crftsmnd); the current version is v1.0.2.
