unixlamadev-spec

Code Auditor

Author unixlamadev-spec · GitHub · v1.1.0 · MIT-0
cross-platform ⚠ suspicious
409 total downloads
0 favorites
4 current installs
3 versions
Install in OpenClaw
/install code-auditor
Description
Audit any GitHub repo or raw code for security, quality, or gas optimization. Returns score, findings, severity counts, and summary.
Usage Instructions (SKILL.md)

Code Auditor

Audit any GitHub repository or raw code for security vulnerabilities, code quality issues, and best practices. Supports targeted audits by focus area. Returns a score, severity-scored findings, and actionable summary.

When to Use

  • Security review before deploying code
  • Evaluating third-party dependencies or libraries
  • Code quality assessment for repositories
  • Solidity/smart contract gas optimization
  • Finding vulnerabilities in open source projects

Usage Flow

  1. Provide a GitHub repo URL or paste raw code directly
  2. Optionally specify a focus: security, quality, or gas (default: full audit)
  3. AIProx routes to the code-auditor agent
  4. Returns score (0-100), findings array with severity levels, severity counts, and summary

Security Manifest

Permission | Scope              | Reason
Network    | aiprox.dev         | API calls to orchestration endpoint
Env Read   | AIPROX_SPEND_TOKEN | Authentication for paid API

Make Request

curl -X POST https://aiprox.dev/api/orchestrate \
  -H "Content-Type: application/json" \
  -H "X-Spend-Token: $AIPROX_SPEND_TOKEN" \
  -d '{
    "task": "security audit",
    "repo_url": "https://github.com/user/repo",
    "focus": "security"
  }'

Response

{
  "score": 72,
  "findings": [
    {"severity": "critical", "file": "config.js", "line": "12", "issue": "Hardcoded API key", "fix": "Move to environment variable"},
    {"severity": "high", "file": "handler.js", "line": "45", "issue": "No input validation on user-supplied data", "fix": "Validate and sanitize inputs"}
  ],
  "severity_counts": {"critical": 1, "high": 2, "medium": 3, "low": 1},
  "summary": "Repository has moderate security concerns. Critical: 1 hardcoded secret. High: missing input validation. Recommend immediate remediation."
}
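As an added example (not part of the skill or its SKILL.md), a small Python wrapper around the request and response documented above: it refuses to upload pasted code that looks like it contains secrets, assembles the request in the documented shape, and turns the response into a pass/fail gate. The secret patterns and the 80-point threshold are assumptions, not anything the service defines.

```python
import os
import re

# Endpoint and headers as documented in the Make Request section.
AIPROX_URL = "https://aiprox.dev/api/orchestrate"

# Constructed patterns for common hardcoded-secret shapes (assumption: a short,
# non-exhaustive list; a match only blocks the upload, nothing is extracted).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"AKIA[0-9A-Z]{16}"),
    "pem_private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "assigned_secret": re.compile(
        r"(?i)(api[_-]?key|secret|token)\s*[:=]\s*['\"][^'\"]{12,}"),
}

def secret_hits(code: str) -> list:
    """Names of the patterns that match; non-empty means do not upload."""
    return [name for name, pat in SECRET_PATTERNS.items() if pat.search(code)]

def build_request(repo_url: str, focus: str = "security",
                  task: str = "security audit", token: str = "") -> dict:
    """Assemble URL, headers and JSON body in the documented shape.
    The token comes from AIPROX_SPEND_TOKEN unless passed explicitly."""
    token = token or os.environ.get("AIPROX_SPEND_TOKEN", "")
    if not token:
        raise RuntimeError("AIPROX_SPEND_TOKEN is not set")
    if focus not in ("security", "quality", "gas"):
        raise ValueError("focus must be security, quality or gas")
    return {
        "url": AIPROX_URL,
        "headers": {"Content-Type": "application/json", "X-Spend-Token": token},
        "body": {"task": task, "repo_url": repo_url, "focus": focus},
    }

def gate_response(resp: dict, min_score: int = 80) -> tuple:
    """Pass/fail from the documented response: any critical finding fails, as
    does a score below min_score (assumed threshold). Returns (passed, reason)."""
    crit = [f for f in resp.get("findings", []) if f.get("severity") == "critical"]
    if crit:
        return False, "critical: " + "; ".join(
            f"{f['file']}:{f['line']} {f['issue']}" for f in crit)
    score = resp.get("score", 0)
    if score < min_score:
        return False, f"score {score} below threshold {min_score}"
    return True, f"score {score}, no critical findings"
```

Run `secret_hits` on anything you intend to paste before calling `build_request`; the actual HTTP call is left to the caller so the gate can be tested without network access.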

Trust Statement

Code Auditor analyzes public repository contents or provided code only. No code is executed. Analysis is performed by Claude via LightningProx. Your spend token is used for payment; no other credentials are stored or transmitted.

Safe Usage Recommendations
This skill will send any code or public repo URL you provide to a third-party endpoint (aiprox.dev) and uses AIPROX_SPEND_TOKEN for payment/auth. Before installing: (1) confirm you are comfortable uploading code (do not send private repo contents or secrets); (2) verify the aiprox.dev service and its privacy/security policy and who operates it (homepage is given but source is unknown); (3) understand that private GitHub repos likely require separate credentials — the skill does not request a GitHub token, so clarify how private repos are supported; (4) test on non-sensitive public code first and avoid sending secrets or private keys. If you need audits to stay local, use a local/offline auditing tool instead.
Functional Analysis
Type: OpenClaw Skill
Name: code-auditor
Version: 1.1.0
The code-auditor skill is a legitimate utility designed to perform security and quality audits on source code via an external API (aiprox.dev). It transparently declares its need for network access and the AIPROX_SPEND_TOKEN environment variable for authentication, and its instructions in SKILL.md align strictly with its stated purpose without any evidence of malicious intent or prompt injection.
Capability Assessment
Purpose & Capability
The declared purpose (auditing code/repos) matches the instructions to POST code or a repo URL to aiprox.dev and use AIPROX_SPEND_TOKEN for payment. However, the SKILL.md claims it can audit "any GitHub repo" but does not request a GitHub token or explain how it will access private repositories. That discrepancy (public vs. private repo access) is unclear and should be clarified.
Instruction Scope
Runtime instructions explicitly direct the agent to upload repository contents or raw code to https://aiprox.dev/api/orchestrate with the X-Spend-Token header. Sending code to a third-party service is consistent with an auditor but is a sensitive operation: private code, secrets, or proprietary IP could be transmitted. The SKILL.md asserts "No code is executed," but the agent cannot verify that on its own — the only observable behavior is network transmission of the code to a remote service.
Install Mechanism
Instruction-only skill with no install spec and no code files; nothing is written to disk or installed by the skill itself. This minimizes local-install risk.
Credentials
The skill requests a single environment variable (AIPROX_SPEND_TOKEN) which is proportional for a paid, networked auditor. Still, the token is sensitive (used for payment/auth) and grants the service the ability to be invoked; there is no clear, declared support for providing GitHub credentials for private repos, which is a functional gap rather than excessive permissioning.
Persistence & Privilege
The skill is not forced-always enabled (always: false) and does not request persistent or elevated agent privileges. Autonomous invocation is allowed (the platform default) but not combined with other high-risk indicators here.
How to Use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install code-auditor
  3. After installation, call the Skill by name directly or trigger it with /code-auditor
  4. Provide the required inputs described in the Skill's parameter documentation to receive structured output
Version History
v1.1.0
Now supports model selection — specify any of 19 models across 5 providers per request (e.g. gemini-2.5-flash, mistral-large-latest, claude-opus-4-5-20251101)
v1.0.1
  - Added support for auditing both GitHub repositories and raw code snippets.
  - Introduced targeted audit focus areas: security, quality, and gas optimization.
  - Audit findings now include severity levels, per-severity counts, and suggested fixes.
  - Usage and API examples updated to reflect enhanced features and options.
v1.0.0
  - Initial release of Code Auditor skill.
  - Audit any GitHub repository for security vulnerabilities and code quality issues.
  - Provides an overall score, detailed findings, and actionable summary.
  - Supports optional audit focus (e.g., security, performance).
  - Requires AIPROX_SPEND_TOKEN for authentication.
Metadata
Slug code-auditor
Version 1.1.0
License MIT-0
Cumulative installs 4
Current installs 4
Version count 3
Frequently Asked Questions

What is Code Auditor?

Audit any GitHub repo or raw code for security, quality, or gas optimization. Returns score, findings, severity counts, and summary. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 409 downloads to date.

How do I install Code Auditor?

Run the command "/install code-auditor" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is needed.

Is Code Auditor free?

Yes, Code Auditor is completely free, licensed under MIT-0, and may be freely downloaded, installed and used.

Which platforms does Code Auditor support?

Code Auditor is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.

Who developed Code Auditor?

Developed and maintained by unixlamadev-spec (@unixlamadev-spec); the current version is v1.1.0.
