From bopen-tools
Runs parallel security and quality scans for hardcoded secrets, debug artifacts, and TODO/FIXME tracking. Produces structured JSON reports for security reviews, PR audits, and pre-deployment checks.
Slash command: `/bopen-tools:code-audit-scripts`
Summary Claude sees in its skill listing (used to decide when to auto-load this skill):
Deterministic security and quality scans that output structured JSON. No LLM reasoning needed for the scanning — your job is to interpret results and recommend fixes.
Run everything at once:

```bash
bash <skill-path>/scripts/parallel-audit.sh /path/to/project
```

Returns a merged JSON report with all findings categorized by type and severity.
Scan for hardcoded secrets only:

```bash
bash <skill-path>/scripts/scan-secrets.sh /path/to/project
```

Detects assignments to names such as API_KEY, SECRET, PASSWORD, PRIVATE_KEY, ACCESS_KEY, DATABASE_URL, JWT_SECRET, STRIPE_SK, and more. Lines that merely read the value from an environment variable (process.env, os.environ) are filtered out to reduce false positives.
Scan for debug artifacts only:

```bash
bash <skill-path>/scripts/scan-debug.sh /path/to/project
# Include test files:
bash <skill-path>/scripts/scan-debug.sh /path/to/project --include-tests
```

Detects: console.log/debug/warn and debugger statements (JS/TS), print/breakpoint (Python), fmt.Println (Go). Skips test files by default.
Scan for TODO/FIXME markers only:

```bash
bash <skill-path>/scripts/scan-todos.sh /path/to/project
```

Detects TODO, FIXME, HACK and XXX markers and categorizes them by severity.

How to act on each finding type:
| Finding Type | What to Do |
|---|---|
| Secrets with real values | Immediately flag to the user. Rotate the credential (it is already in version-control history, so removing the line is not enough) and move it to an env var. |
| Secrets that are env var refs | False positive, ignore (unless the same line also supplies a literal fallback value, e.g. `|| "dev-secret"`, in which case treat the fallback as a real value) |
| Debug artifacts in src/ | Remove before shipping. List specific files and lines. |
| Debug artifacts in tests | Usually fine. Only flag if excessive. |
| FIXME/HACK/XXX | Flag as blockers for the current PR/deployment |
| TODO | Informational. Mention count but don't block on them. |
The parallel-audit.sh output includes a summary object with counts per category and high_priority count — use this for quick pass/fail decisions.
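As an added illustration of what the three scans and the merged report do, the block below is a small Python re-implementation of the pipeline described above: a secret scan with the env-var reference filter, a debug-artifact scan that skips test files unless asked, a TODO/FIXME scan with per-marker severity, the three run concurrently, and a merged report with a summary object and a high_priority count. This is example code written for this page, not the project's own scripts (which are bash); the regexes, the severity labels, the `passed` field and the fixture files are assumptions chosen for the demonstration.

```python
"""Mini parallel audit: secrets, debug artifacts, TODO/FIXME, merged into one JSON report."""
import json
import os
import re
import tempfile
from concurrent.futures import ThreadPoolExecutor

# Constructed fixture standing in for /path/to/project (not a real codebase).
FIXTURE = {
    "src/config.js": (
        'const API_KEY = "sk_live_abc123";\n'           # hardcoded value -> high
        "const JWT_SECRET = process.env.JWT_SECRET;\n"  # env var reference -> filtered out
        'console.log("booting");\n'                     # debug artifact in src -> medium
    ),
    "src/db.py": (
        'PASSWORD = os.environ["DB_PASSWORD"]\n'        # env var reference -> filtered out
        "# FIXME: escape table name\n"                  # blocker -> high
        "breakpoint()\n"                                # debug artifact in src -> medium
    ),
    "tests/test_db.py": (
        'print("fixture loaded")\n'                     # debug in tests: skipped by default
        "# TODO: cover empty table\n"                   # informational
    ),
}

# Assumed patterns; the real scripts' regexes are not shown on this page.
SECRET_RE = re.compile(
    r"\b(API_KEY|SECRET|PASSWORD|PRIVATE_KEY|ACCESS_KEY|DATABASE_URL|JWT_SECRET|STRIPE_SK)\w*"
    r"\s*[:=]\s*(\S.*)", re.I)
ENV_REF_RE = re.compile(r"process\.env|os\.environ|os\.getenv")
DEBUG_RE = re.compile(
    r"\b(console\.(?:log|debug|warn)\(|debugger\b|print\(|breakpoint\(\)|fmt\.Println\()")
TODO_RE = re.compile(r"\b(TODO|FIXME|HACK|XXX)\b")
TEST_PATH_RE = re.compile(r"(^|/)(tests?|__tests__)/|(_test|\.test|\.spec)\.\w+$")
TODO_SEVERITY = {"TODO": "info", "FIXME": "high", "HACK": "high", "XXX": "high"}


def walk(root):
    """Yield (relative path, list of lines) for every file under root."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, encoding="utf-8", errors="replace") as fh:
                yield rel, fh.read().splitlines()


def scan_secrets(root):
    findings = []
    for rel, lines in walk(root):
        for n, line in enumerate(lines, 1):
            m = SECRET_RE.search(line)
            # A line that reads the value from the environment is the documented false positive.
            if not m or ENV_REF_RE.search(line):
                continue
            findings.append({"type": "secret", "severity": "high", "file": rel,
                             "line": n, "match": m.group(1)})
    return findings


def scan_debug(root, include_tests=False):
    findings = []
    for rel, lines in walk(root):
        in_tests = bool(TEST_PATH_RE.search(rel))
        if in_tests and not include_tests:
            continue  # mirrors the default of skipping test files
        for n, line in enumerate(lines, 1):
            m = DEBUG_RE.search(line)
            if m:
                findings.append({"type": "debug", "severity": "low" if in_tests else "medium",
                                 "file": rel, "line": n, "match": m.group(1)})
    return findings


def scan_todos(root):
    findings = []
    for rel, lines in walk(root):
        for n, line in enumerate(lines, 1):
            m = TODO_RE.search(line)
            if m:
                findings.append({"type": "todo", "severity": TODO_SEVERITY[m.group(1)],
                                 "file": rel, "line": n, "match": m.group(1)})
    return findings


def parallel_audit(root, include_tests=False):
    """Run the three scans concurrently and merge them into one report."""
    with ThreadPoolExecutor(max_workers=3) as pool:
        jobs = [pool.submit(scan_secrets, root),
                pool.submit(scan_debug, root, include_tests),
                pool.submit(scan_todos, root)]
        findings = [f for job in jobs for f in job.result()]
    findings.sort(key=lambda f: (f["file"], f["line"]))
    counts = {t: sum(1 for f in findings if f["type"] == t) for t in ("secret", "debug", "todo")}
    high = sum(1 for f in findings if f["severity"] == "high")
    return {"summary": {**counts, "high_priority": high, "passed": high == 0},
            "findings": findings}


def write_fixture():
    """Materialize the constructed fixture in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="audit-fixture-")
    for rel, text in FIXTURE.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)
    return root


if __name__ == "__main__":
    print(json.dumps(parallel_audit(write_fixture()), indent=2))
```

On the fixture this reports one secret (the literal API_KEY; both env-var lookups are filtered), two debug artifacts (the test file's print is skipped unless `include_tests=True`), two markers (FIXME high, TODO info), and `high_priority: 2`, which is the number the pass/fail decision reads.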
Install the plugin that provides this skill:

```bash
npx claudepluginhub b-open-io/claude-plugins --plugin bopen-tools
```