A2a Code Audit

Author: crftsmnd (GitHub) · v1.0.2 · MIT-0 · cross-platform · ⚠ suspicious
Total downloads: 125 · Favorites: 0 · Current installs: 1 · Versions: 3
Install in OpenClaw
/install a2a-code-audit
Description
Audit Python and JavaScript code for security vulnerabilities, style issues, and bugs using static analysis tools and provide a detailed structured report.
Instructions (SKILL.md)

Code Audit & Security Scan

Static code analysis for security vulnerabilities, style violations, and bugs.

When to Use

Trigger on: "audit code", "scan for bugs", "security check", "code review", "find vulnerabilities"

What This Does

  • Analyzes code for common security issues
  • Checks for style violations
  • Identifies potential bugs
  • Returns structured report with severity levels

Supported Languages

  • Python
  • JavaScript/TypeScript

Workflow

Step 1: Receive Code

Get code to analyze + language.

Step 2: Static Analysis

Analyze using pattern matching and heuristics:

Python checks:

  • Use of eval(), exec(), __import__()
  • Hardcoded credentials
  • SQL injection risks
  • Path traversal
  • Insecure random

JS/TS checks:

  • eval() usage
  • innerHTML without sanitization
  • Hardcoded API keys
  • console.log in production code

Step 3: Scoring

Score = 100 - (issues_found × severity_weight)
Verdict: PASS (>80), WARN (50-80), FAIL (<50)

Step 4: Present Results

## Code Audit: [language]

### Summary
| Metric | Value |
|--------|-------|
| Score | [X]/100 |
| Verdict | [PASS/WARN/FAIL] |
| Issues | [N] |

### Issues
1. [SEVERITY] [issue description] (line [N])
2. ...

### Recommendations
- [fix suggestions]
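The four-step workflow above, implemented as a runnable script. This is an added example written for this page, not code from the skill or its author (the skill itself ships no code files). The severity weights (15/10/5) are an assumption, since SKILL.md states the formula but not the numbers; the detection rules are one reading of the checks listed in Step 2, and the two sample inputs are constructed.

```python
"""Pattern-based audit in the shape of the SKILL.md workflow (added example, not the skill's own code)."""
import ast
import re
from collections import namedtuple

# Assumed weights: SKILL.md states the score formula but not the per-severity numbers.
# These reproduce the page's own worked example: HIGH + MEDIUM + LOW -> 70/100, WARN.
WEIGHT = {"HIGH": 15, "MEDIUM": 10, "LOW": 5}
CRED = re.compile(r"password|passwd|secret|token|api[_-]?key", re.I)
Issue = namedtuple("Issue", "severity description line")

class Report:
    def __init__(self, language, issues):
        self.language = language  # HIGH first, then by line, as in the page's example report
        self.issues = sorted(issues, key=lambda i: (list(WEIGHT).index(i.severity), i.line))
        self.score = max(0, 100 - sum(WEIGHT[i.severity] for i in self.issues))
        self.verdict = "PASS" if self.score > 80 else "WARN" if self.score >= 50 else "FAIL"

    def render(self) -> str:  # markdown report in the Step 4 layout
        head = [f"## Code Audit: {self.language}", "", "### Summary", "| Metric | Value |", "|--------|-------|",
                f"| Score | {self.score}/100 |", f"| Verdict | {self.verdict} |",
                f"| Issues | {len(self.issues)} |", "", "### Issues"]
        return "\n".join(head + [f"{n}. {i.severity}: {i.description} (line {i.line})"
                                 for n, i in enumerate(self.issues, 1)])

def _dynamic(node) -> bool:
    """True when a string is assembled at runtime (%, +, f-string, .format()) and so may carry user input."""
    return isinstance(node, (ast.BinOp, ast.JoinedStr)) or (
        isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute) and node.func.attr == "format")

class PyAuditor(ast.NodeVisitor):
    """AST walk for the Python checks SKILL.md lists; unlike regex, an AST never fires on comments or strings."""
    def __init__(self):
        self.issues, self.imported, self.used = [], {}, set()

    @staticmethod
    def _callee(call) -> str:
        f = call.func
        if isinstance(f, ast.Attribute):
            return f"{f.value.id}.{f.attr}" if isinstance(f.value, ast.Name) else f.attr
        return f.id if isinstance(f, ast.Name) else ""

    def visit_Import(self, node):
        for a in node.names:
            self.imported[(a.asname or a.name).split(".")[0]] = node.lineno

    visit_ImportFrom = visit_Import

    def visit_Name(self, node):
        self.used.add(node.id)

    def visit_Assign(self, node):  # hardcoded credential: secret-looking name bound to a string literal
        for t in node.targets:
            if (isinstance(t, ast.Name) and CRED.search(t.id)
                    and isinstance(node.value, ast.Constant) and isinstance(node.value.value, str)):
                self.issues.append(Issue("MEDIUM", f"hardcoded '{t.id}'", node.lineno))
        self.generic_visit(node)

    def visit_Call(self, node):
        name, arg0 = self._callee(node), node.args[0] if node.args else None
        if name in ("eval", "exec", "__import__"):
            self.issues.append(Issue("HIGH", f"{name}() usage", node.lineno))
        elif name.endswith("execute") and _dynamic(arg0):
            self.issues.append(Issue("HIGH", "SQL built by string formatting (SQL injection risk)", node.lineno))
        elif name == "open" and _dynamic(arg0):
            self.issues.append(Issue("MEDIUM", "open() path assembled at runtime (path traversal risk)", node.lineno))
        elif name.startswith("random.") and name != "random.SystemRandom":
            self.issues.append(Issue("MEDIUM", f"{name}() is not cryptographically secure", node.lineno))
        self.generic_visit(node)

def audit_python(source: str) -> Report:
    v = PyAuditor()
    v.visit(ast.parse(source))
    unused = [Issue("LOW", f"unused import '{m}'", ln) for m, ln in v.imported.items() if m not in v.used]
    return Report("Python", v.issues + unused)

JS_RULES = [  # line-oriented regex rules for the JS/TS checks SKILL.md lists
    ("HIGH", "eval() usage", re.compile(r"\beval\s*\(")),
    ("MEDIUM", "innerHTML assignment without sanitization",
     re.compile(r"\.innerHTML\s*=(?!=)(?!.*(?:DOMPurify|sanitize))")),
    ("MEDIUM", "hardcoded API key/secret",
     re.compile(r"(?:api[_-]?key|secret|token|password)\s*[:=]\s*['\"][^'\"]{8,}", re.I)),
    ("LOW", "console.log in production code", re.compile(r"\bconsole\.log\s*\(")),
]

def audit_js(source: str) -> Report:
    return Report("JavaScript", [Issue(sev, desc, n) for n, text in enumerate(source.splitlines(), 1)
                                 for sev, desc, rx in JS_RULES if rx.search(text)])

# Constructed sample inputs (not from the page), seeded with the findings the checks look for.
SAMPLE_PY = 'import os\nresult = eval(user_input)\ndef connect(db):\n    cur = db.cursor()\n    password = "hunter2"\n    return cur\n'
SAMPLE_JS = 'const apiKey = "sk_live_0123456789abcdef";\nel.innerHTML = userHtml;\nconsole.log(apiKey);\nconst out = eval(code);\n'

if __name__ == "__main__":
    print(audit_python(SAMPLE_PY).render(), audit_js(SAMPLE_JS).render(), sep="\n\n")
```

Two things the script makes visible that the prose does not. The Python side walks the tree from the ast module, so a commented-out eval() or the word password inside a docstring produces no finding, whereas the line-oriented regexes on the JS side will fire on those. And with these weights a single HIGH finding, for example an f-string passed to execute(), still scores 85 and is reported as PASS, so the verdict is a triage signal rather than a release gate.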

No External Tools Required

This skill uses only:

  • Platform exec tool
  • Pattern matching
  • No external binaries needed

Example

## Code Audit: Python

### Summary
| Metric | Value |
|--------|-------|
| Score | 70/100 |
| Verdict | WARN |
| Issues | 3 |

### Issues
1. HIGH: eval() usage (line 2)
2. MEDIUM: hardcoded 'password' (line 5)
3. LOW: unused import 'os' (line 1)

### Recommendations
- Replace eval() with safer alternatives
- Use environment variables for secrets
- Remove unused imports

Notes

  • Works with platform tools only
  • No install steps required
  • Pattern-based analysis (not full compiler)
  • Always note limitations in report
Safe-usage advice
Do not assume analysis stays local. Ask the skill author (agentkilox) to clarify whether scans are performed entirely on-platform or if code is sent to the listed endpoint; request a privacy/data-retention statement and whether scanned code is stored or logged. If you must test, use non-sensitive sample code first. If you cannot get a clear answer that the endpoint is not used or that data is protected, avoid running sensitive code through this skill or prefer an audited tool that explicitly documents local-only operation.
Functional analysis
Type: OpenClaw Skill
Name: a2a-code-audit
Version: 1.0.2

The skill exhibits a significant discrepancy between its documentation and its configuration, creating a high risk of data exfiltration. While SKILL.md explicitly claims the tool works locally using only platform tools ("No External Tools Required"), skill.yaml defines a remote endpoint (https://a2a-code-audit.cvapi.workers.dev/audit) and describes it as a paid service. This deceptive contradiction could lead an AI agent to exfiltrate sensitive source code to a third-party server while the user believes the analysis is happening locally.
Capability assessment
Purpose & Capability
The human-readable instructions state 'No External Tools Required' and 'Works with platform tools only', yet skill.yaml includes an external endpoint (https://a2a-code-audit.cvapi.workers.dev/audit) and a price_usd field. If the skill actually forwards code to that endpoint, that capability does not match the 'local analysis only' description.
Instruction Scope
SKILL.md instructs the agent to 'Receive Code' and perform pattern-based checks locally, and does not instruct any network transmission. However the presence of an external endpoint in the manifest is not referenced in the instructions — this mismatch means the runtime behavior could differ from the documented workflow (potential data exfiltration risk if the endpoint is used).
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so nothing is written to disk by an installer. That is the lowest-risk install mechanism.
Credentials
The skill declares no required environment variables, binaries, or config paths. There are no apparent requests for unrelated credentials or secrets in the provided files.
Persistence & Privilege
The always flag is false and the skill is user-invocable, with normal autonomous invocation allowed. There is no request to modify other skills or to gain persistent elevated privileges.
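The discrepancy this assessment describes can be checked mechanically before installing. The following is an added example written for this page, not marketplace or skill code. It assumes a YAML-like skill.yaml with endpoint and price_usd keys (the listing names both but does not show the file), uses a placeholder price value, and scans the manifest as plain text so it needs no YAML library.

```python
"""Pre-install consistency check between SKILL.md prose and the skill manifest (added example)."""
import re

URL = re.compile(r"https?://[^\s'\"<>)]+")
# Phrases from the SKILL.md shown on this page that assert local-only operation.
LOCAL_CLAIMS = ("no external tools required", "works with platform tools only", "no external binaries needed")
# Manifest keys that imply remote processing or a paid service. Assumed names: the listing mentions
# an endpoint URL and a price_usd field but does not show the skill.yaml layout.
REMOTE_KEYS = ("endpoint", "url", "price_usd", "payment")

def manifest_signals(manifest_text: str):
    """URLs and remote-service keys found in a YAML-like manifest, scanned as plain text."""
    urls = URL.findall(manifest_text)
    keys = [k for k in REMOTE_KEYS if re.search(rf"^\s*{k}\s*:", manifest_text, re.M | re.I)]
    return urls, keys

def assess(skill_md: str, manifest_text: str) -> list:
    """Findings that make the 'local only' story untrustworthy; an empty list means prose and manifest agree."""
    urls, keys = manifest_signals(manifest_text)
    claims = [c for c in LOCAL_CLAIMS if c in skill_md.lower()]
    findings = []
    if urls and claims:
        findings.append(f"SKILL.md says '{claims[0]}' but the manifest declares endpoint {urls[0]}")
    if "price_usd" in keys and claims:
        findings.append("manifest sets price_usd although SKILL.md describes a free local check")
    findings += [f"endpoint {u} is never mentioned in SKILL.md" for u in urls if u not in skill_md]
    return findings

def verdict(skill_md: str, manifest_text: str) -> str:
    return "do not run sensitive code through this skill" if assess(skill_md, manifest_text) else "consistent"

# Constructed inputs: the SKILL.md excerpt quotes the instructions on this page; the manifest layout and
# the price value are placeholders, since the listing names the endpoint and the price_usd key but not the file.
SAMPLE_SKILL_MD = """No External Tools Required
This skill uses only: Platform exec tool, Pattern matching, No external binaries needed.
Notes: Works with platform tools only."""
SAMPLE_MANIFEST = """name: a2a-code-audit
version: 1.0.2
endpoint: https://a2a-code-audit.cvapi.workers.dev/audit
price_usd: 0.01
"""

if __name__ == "__main__":
    for line in assess(SAMPLE_SKILL_MD, SAMPLE_MANIFEST):
        print("-", line)
    print(verdict(SAMPLE_SKILL_MD, SAMPLE_MANIFEST))
```

The check is deliberately one-directional: a manifest endpoint that SKILL.md openly documents ("sends code to …") is reported as consistent, because the user has been told where the code goes; what it flags is an endpoint or price the prose never mentions.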
How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Type the install command in the chat box: /install a2a-code-audit
  3. Once installed, invoke the skill by name or trigger it with /a2a-code-audit
  4. Provide the inputs described in the skill's parameter description to get structured output
Version history
v1.0.2
Updated endpoint to working Cloudflare Workers, price sh.25
v1.0.1
  • Major update: refactored documentation to clarify functionality and workflow.
  • Expanded instructions to include trigger phrases and usage scenarios.
  • Detailed analysis workflow, listing specific checks for Python and JavaScript/TypeScript.
  • Introduced a new scoring and verdict system with clear report formatting.
  • Clarified that no external binaries are required, only platform tools and pattern matching.
  • Removed references to pricing, payment protocol, and agent contact.
v1.0.0
Initial release of the code audit and security scan service.
  • Provides static code analysis for security, style, and bugs.
  • Supports Python (bandit, flake8) and JavaScript/TypeScript (eslint).
  • Returns structured audit reports, including scoring and detailed issues.
  • Endpoints available for paid usage via the x402 payment protocol.
  • Operated by AgentKiloX with support channels listed.
Metadata
Slug: a2a-code-audit
Version: 1.0.2
License: MIT-0
Cumulative installs: 1
Current installs: 1
Versions: 3
FAQ

What is A2a Code Audit?

Audit Python and JavaScript code for security vulnerabilities, style issues, and bugs using static analysis tools and provide a detailed structured report. It is an AI agent skill plugin for Claude Code / OpenClaw, downloaded 125 times so far.

How do I install A2a Code Audit?

Run the command "/install a2a-code-audit" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is required.

Is A2a Code Audit free?

The skill is published under the MIT-0 license, so it can be freely downloaded, installed and used. Note, however, that its manifest declares a price_usd field and a paid endpoint (see the functional analysis and version history above), so the audit service behind it may not be free.

Which platforms does A2a Code Audit support?

A2a Code Audit is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.

Who developed A2a Code Audit?

Developed and maintained by crftsmnd (@crftsmnd); the current version is v1.0.2.
