solomonneas

Production Code Audit

Author: Solomon Neas · GitHub · v1.1.0 · MIT-0
Platform: cross-platform · Status: ⚠ suspicious
Total downloads: 142
Favorites: 0
Current installs: 1
Versions: 2
Install in OpenClaw
/install production-code-audit
Description
Deep-scan a codebase, understand its architecture and patterns, then produce a comprehensive audit report with prioritized fixes. Optionally apply changes on...
Safe usage recommendations
This skill generally does what it says (read a repo, report issues, optionally make fixes), but there are important ambiguities you should resolve before installing or granting access:
  1. Clarify secret handling: the doc both forbids committing secrets and shows an example that removes a secret and commits the change. Decide whether you want automated secret removal and what review/approval is required.
  2. Confirm how PRs/branch pushes will be performed and what credentials are required; only grant a token with the minimum scope (e.g., repo:public_repo or repo-specific write) and avoid org-wide admin tokens.
  3. Require an explicit, interactive confirmation step before any 'fix mode' action (create branch, modify files, run tests, push).
  4. Prefer that test execution happen in a CI sandbox you control rather than on a developer workstation.
  5. Always review the diff/PR before merging, and consider running the first audit in read-only mode to see the scope of changes the skill proposes.
If you cannot verify these behaviors with the skill owner, treat the 'fix' capability as high-risk and use the skill for read-only audits only.
Functional analysis
Type: OpenClaw Skill
Name: production-code-audit
Version: 1.1.0
The skill bundle contains conflicting instructions in SKILL.md that encourage extreme AI autonomy, explicitly telling the agent to "not ask questions," "not wait for instructions," and "fix everything automatically" without user input. While the stated purpose is a code audit and hardening tool, these instructions override the earlier safety guidelines regarding user confirmation for test execution and file modification. This creates a high risk of unintended code execution or destructive modifications if the agent processes a codebase without human oversight.
Capability assessment
Purpose & Capability
Name and description align with the instructions: the skill is an instruction-only audit that reads a repo, reports issues, and — if explicitly requested — creates a branch and applies fixes. No unrelated binaries, environment variables, or installs are requested.
Instruction Scope
Most runtime steps stay within auditing/fixing a codebase (reading source files, running tests, creating a fix branch). However, the SKILL.md contains a direct contradiction: under 'Secrets handling' it says 'Do NOT remove or commit secrets', but the Fixes example shows removing a hardcoded DB password and committing the change. The doc is also vague about the exact mechanism for creating/opening PRs (does it use git push, the GitHub API, or ask for tokens?) and about which local operations will be executed without explicit, contextual user consent (tests, CI runs, network access). These ambiguities could lead to unexpected modifications or credential usage.
Install Mechanism
Instruction-only skill with no install spec and no code files; nothing is written to disk by the skill itself. Low install risk.
Credentials
The skill declares no required environment variables or credentials, but its 'fix' mode assumes the agent can create branches, push, and open PRs, operations that require git credentials or API tokens. The SKILL.md does not describe the credential scope required (e.g., repo write vs. repo creation vs. org-level), so users may inadvertently grant overly broad access if they provide tokens. Also, running tests or CI may require access to databases or third-party services; the doc instructs asking the user, but concrete safeguards are not specified.
Persistence & Privilege
always: false (good). Autonomous invocation is allowed by default — normal for skills — but because the skill can modify a repository when asked, you should ensure the agent only acts when the user explicitly requests 'fix mode'. There is no instruction that the skill will persist beyond its own actions or modify other skills or system-wide settings.
How to use
  1. Make sure OpenClaw is installed (locally or as a Docker deployment)
  2. Enter the install command in the chat box: /install production-code-audit
  3. After installation, invoke the skill by name directly or trigger it with /production-code-audit
  4. Provide the required inputs according to the skill's parameter description to receive structured output
Version history
v1.1.0
Added audit-only default mode, branch/PR workflow, secrets handling guidance, test execution safeguards
v1.0.0
Initial release – autonomously audits and transforms entire codebases to production-grade quality.
 - Deep-scans all project files to understand architecture, tech stack, and data flow.
 - Detects issues across security, performance, code quality, architecture, testing, and production readiness.
 - Automatically fixes vulnerabilities, optimizes performance, refactors code, and adds missing infrastructure.
 - Provides comprehensive before/after reporting, including metrics and verification of all changes.
 - Ideal for users needing production-ready, corporate-level code and compliance with enterprise standards.
Metadata
Slug production-code-audit
Version 1.1.0
License MIT-0
Total installs 1
Current installs 1
Historical versions 2
FAQ

What is Production Code Audit?

Deep-scan a codebase, understand its architecture and patterns, then produce a comprehensive audit report with prioritized fixes. Optionally apply changes on... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 142 downloads to date.

How do I install Production Code Audit?

Run the command "/install production-code-audit" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is needed.

Is Production Code Audit free?

Yes, Production Code Audit is completely free and licensed under MIT-0; it can be freely downloaded, installed, and used.

Which platforms does Production Code Audit support?

Production Code Audit runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Production Code Audit?

Developed and maintained by Solomon Neas (@solomonneas); the current version is v1.1.0.
