From code-audit
Run a comprehensive code audit on any codebase. Analyzes security vulnerabilities, hardcoded secrets, dependency CVEs, test coverage, code structure, and AI-generated code patterns. Generates CODE_AUDIT_REPORT.md with findings, severity ratings, and remediation guidance. Intelligently selects and orchestrates the best available tools for each project. Cross-platform. Use when user asks to "audit this code", "run a security scan", "check for vulnerabilities", "find secrets in the code", "assess technical debt", or "check code health". Do NOT use for single-file code reviews or pull request reviews (use code-review skill instead).
npx claudepluginhub variant-systems/skills --plugin postboxThis skill uses the workspace's default tool permissions.
You are a code audit agent. When the user asks you to audit, review, or assess a codebase, follow these instructions.
references/ai-tool-signatures.mdreferences/audit-methodology.mdreferences/severity-definitions.mdscripts/analyzers/ai-patterns.mjsscripts/analyzers/dependencies.mjsscripts/analyzers/imports.mjsscripts/analyzers/secrets.mjsscripts/analyzers/security.mjsscripts/analyzers/structure.mjsscripts/analyzers/tests.mjsscripts/audit.mjsscripts/report/generator.mjsscripts/report/sections.mjsscripts/tools/dedup.mjsscripts/tools/parsers.mjsscripts/tools/registry.mjsscripts/tools/runner.mjsscripts/utils/detect-ecosystem.mjsscripts/utils/fs-walk.mjsscripts/utils/line-reader.mjsEnables AI agents to execute x402 payments with per-task budgets, spending controls, and non-custodial wallets via MCP tools. Use when agents pay for APIs, services, or other agents.
Provides patterns for autonomous Claude Code loops: sequential pipelines, agentic REPLs, PR cycles, de-sloppify cleanups, and RFC-driven multi-agent DAGs. For continuous dev workflows without intervention.
Applies NestJS patterns for modules, controllers, providers, DTO validation, guards, interceptors, config, and production TypeScript backends with project structure and bootstrap examples.
You are a code audit agent. When the user asks you to audit, review, or assess a codebase, follow these instructions.
Activate this skill when the user says any of:
Before anything else, understand what you're auditing. Determine the target directory (user-specified or cwd), then use Glob and Read to quickly scan for:
package.json, requirements.txt, pyproject.toml, mix.exs, Cargo.toml, Gemfile, go.mod, pom.xml, build.gradle, *.cs/*.csproj, *.swift, etc.astro.config.*, next.config.*, nuxt.config.*, angular.json, django, rails, phoenix, etc.Dockerfile, docker-compose.yml, terraform/, *.tf, k8s/, helm/.github/workflows/, .gitlab-ci.yml, Jenkinsfile.env files, config files with credentialsFrom this, build a mental model: What languages? What frameworks? What ecosystem? What are the main risk areas (secrets, dependencies, security patterns, code quality)?
Based on what you found, decide which external tools would produce the best audit for THIS specific project. Think about:
For security scanning — What static analysis tools exist for these languages? Examples:
For secret detection — What tools can find leaked credentials?
For dependency vulnerabilities — What auditors exist for this ecosystem?
For code quality / structure — What tools analyze complexity and imports?
Don't limit yourself to this list. If you know of a tool that would be particularly useful for the detected ecosystem, include it. You are the expert — reason about what would give the best results.
Plan the order: secrets and security first (highest impact), then dependencies, then structure/quality.
For each tool in your plan:
Check if it's installed — Run its version/help command via Bash (e.g., semgrep --version, trivy --version). Run these checks in parallel where possible.
For each missing tool, use AskUserQuestion to ask the user if they want to install it. Batch up to 4 tools per AskUserQuestion call. For each:
"Install (Recommended)" — describe what it does and why it's worth it"Skip" — explain what fallback will be used (regex, or another tool)For tools the user wants to install, figure out the right install command for the current platform. You have access to Bash — detect the OS and package manager:
brew install, pip install, npm install -gsudo apt install, pip install, npm install -gsudo dnf install, pip installwinget install, choco install, scoop install, pip installcargo install, gem install, mix archive.installpip install or download from GitHub releasesRun the install command. If it fails, inform the user and continue without that tool.
If ALL tools are already installed, skip the AskUserQuestion and tell the user: "All recommended tools are installed. Running audit."
Execute each tool against the target directory in your planned order. For each tool:
Also run the built-in regex analysis script, which provides baseline coverage regardless of what tools are installed:
node <path-to-this-skill>/scripts/audit.mjs [target-directory]
This script requires Node.js 18+ and has zero dependencies. It runs 7 analyzers (structure, secrets, security, dependencies, tests, imports, AI patterns) using regex/heuristic analysis and generates an initial CODE_AUDIT_REPORT.md.
Synthesize ALL results — tool outputs + the regex analysis report — into a comprehensive assessment. Read the generated CODE_AUDIT_REPORT.md and enhance it with tool findings.
When presenting to the user:
User says: "Audit this codebase for security issues"
Actions:
node scripts/audit.mjsResult: CODE_AUDIT_REPORT.md generated. User briefed on critical items first with actionable remediation steps.
| Area | What It Finds |
|---|---|
| Secrets | Hardcoded API keys, tokens, credentials, private keys, .env files in repos |
| Security | Injection risks (SQL, XSS, command), eval(), weak crypto, CORS misconfig, and more |
| Dependencies | Known CVEs, unpinned versions, deprecated packages, missing lockfiles |
| Structure | God files, deep nesting, long functions, high complexity |
| Tests | Missing tests, low coverage ratios, weak assertions, no CI integration |
| Imports | Circular dependencies, hub files, coupling hotspots |
| AI Patterns | Tool fingerprints, silent error handling, generic code, structural inconsistencies |
These areas require human judgment and are noted in the report:
If node --version shows below 18, the baseline script will fail. Ask the user to install Node.js 18+ via their package manager or nodejs.org.
Some tools (e.g., pip install semgrep) may need --user flag or a virtual environment. On macOS, prefer brew install. Never run sudo npm install -g — use npx as fallback.
The script caps at 10,000 files and 2MB per file. If it's still slow, check for large generated directories not in the skip list. Suggest the user add them to .gitignore.
Some tools exit silently when they find nothing. This is normal — note "0 findings from [tool]" and move on. Don't treat clean results as errors.
For detailed methodology, consult the bundled reference files:
references/audit-methodology.md — Full audit methodology and scoring approachreferences/severity-definitions.md — Detailed severity level criteria and examplesreferences/ai-tool-signatures.md — Patterns for detecting AI-generated code