code-audit-scripts

Run deterministic code security and quality scans — secret detection, debug artifact cleanup, and TODO/FIXME tracking. Use this skill before any security review, code audit, PR review, or when the user says 'scan for secrets', 'find debug logs', 'check for TODOs', 'audit this code', 'security scan', or 'clean up before shipping'. Also use proactively before deployments or when reviewing unfamiliar codebases. Runs all scans in parallel for speed.

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Install skill "code-audit-scripts" with this command: npx skills add b-open-io/prompts/b-open-io-prompts-code-audit-scripts

Code Audit Scripts

Deterministic security and quality scans that output structured JSON. No LLM reasoning needed for the scanning — your job is to interpret results and recommend fixes.

Quick Start

Run everything at once:

bash <skill-path>/scripts/parallel-audit.sh /path/to/project

Returns a merged JSON report with all findings categorized by type and severity.

Individual Scans

Scan for Hardcoded Secrets

bash <skill-path>/scripts/scan-secrets.sh /path/to/project

Detects: API_KEY, SECRET, PASSWORD, PRIVATE_KEY, ACCESS_KEY, DATABASE_URL, JWT_SECRET, STRIPE_SK, and more. Filters out references to env vars (process.env, os.environ) to reduce false positives.
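A minimal version of that scan with the env-var filter, as an added example that is not the skill's own scan-secrets.sh: it greps for the key names listed above, drops lines that read the value from the environment, and emits one JSON object per finding. The JSON field names, the `count_secrets` helper and the list of environment accessors are assumptions; the sample files mentioned in the usage note are constructed.

```bash
#!/usr/bin/env bash
# Added example, not the skill's own scan-secrets.sh: a deterministic secret
# scan that emits one JSON object per finding. The key names come from the
# listing; the JSON shape and the env-accessor list are assumptions.

# Key families from the listing, optionally suffixed (API_KEY_V2, ...),
# followed by an assignment or a map-key separator.
SECRET_KEYS='API_KEY|SECRET|PASSWORD|PRIVATE_KEY|ACCESS_KEY|DATABASE_URL|JWT_SECRET|STRIPE_SK'
SECRET_PATTERN="(${SECRET_KEYS})[A-Za-z0-9_]*[[:space:]]*(=|:)"

# Lines that read the value from the environment are references, not secrets.
ENV_REF_PATTERN='process\.env|os\.environ|os\.getenv|os\.Getenv|System\.getenv'

# scan_secrets DIR: print one JSON finding per line for each hardcoded candidate.
scan_secrets() {
  local root="$1"
  grep -rEn --exclude-dir=.git --exclude-dir=node_modules "$SECRET_PATTERN" "$root" 2>/dev/null \
    | grep -Ev "$ENV_REF_PATTERN" \
    | while IFS=: read -r file line text; do
        # Report the key family and location, never the matched value, so the
        # scan output itself does not become a second copy of the secret.
        local key
        key=$(printf '%s' "$text" | grep -oE "$SECRET_KEYS" | head -n1)
        printf '{"type":"secret","severity":"high","file":"%s","line":%s,"key":"%s"}\n' \
          "${file#"$root"/}" "$line" "$key"
      done
}

# count_secrets DIR: number of findings, usable as a pass/fail gate.
count_secrets() {
  scan_secrets "$1" | grep -c '"type":"secret"' || true
}

# Usage: bash scan.sh /path/to/project
if [ -n "${1:-}" ]; then
  scan_secrets "$1"
fi
```

On a constructed tree containing `API_KEY = "sk_live_placeholder"` and `DATABASE_URL = os.environ["DATABASE_URL"]` in config.py, plus `const JWT_SECRET = process.env.JWT_SECRET;` and `const STRIPE_SK = "sk_test_placeholder";` in app.js, only the two literal assignments are reported; both environment reads are filtered out as references.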

Scan for Debug Artifacts

bash <skill-path>/scripts/scan-debug.sh /path/to/project
# Include test files:
bash <skill-path>/scripts/scan-debug.sh /path/to/project --include-tests

Detects: console.log/debug/warn, debugger statements (JS/TS), print/breakpoint (Python), fmt.Println (Go). Skips test files by default.

Scan for TODOs and FIXMEs

bash <skill-path>/scripts/scan-todos.sh /path/to/project

Categorizes by severity:

  • High: FIXME, BUG, HACK, XXX — these need attention before shipping
  • Low: TODO — tracked work items

Acting on Results

Finding Type                      What to Do
Secrets with real values          Immediately flag to user. Rotate the credential. Move to env var.
Secrets that are env var refs     False positive — ignore
Debug artifacts in src/           Remove before shipping. List specific files and lines.
Debug artifacts in tests          Usually fine. Only flag if excessive.
FIXME/HACK/XXX                    Flag as blockers for the current PR/deployment
TODO                              Informational. Mention count but don't block on them.

The parallel-audit.sh output includes a summary object with counts per category and high_priority count — use this for quick pass/fail decisions.
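The severity scheme and the summary object in working form, as an added example that is not the skill's own scan-debug.sh, scan-todos.sh or parallel-audit.sh: it runs the debug-artifact and TODO scans described above, skips test files unless `--include-tests` is passed, tags each marker high or low, and reports a `high_priority` count for a pass/fail gate. The test-file heuristic in `is_test_file`, the `medium` severity for debug artifacts and the JSON field names other than `high_priority` are assumptions; the secrets scan is not included.

```bash
#!/usr/bin/env bash
# Added example, not the skill's own scan-debug.sh, scan-todos.sh or
# parallel-audit.sh: debug-artifact and TODO scans merged into one report
# with a summary object. Field names other than high_priority, the
# test-file heuristic and the debug severity level are assumptions.

# Debug artifact patterns per language, from the listing.
DEBUG_PATTERN='console\.(log|debug|warn)\(|\bdebugger\b|\bprint\(|\bbreakpoint\(|fmt\.Println\('
TODO_PATTERN='\b(FIXME|BUG|HACK|XXX|TODO)\b'

# is_test_file PATH: heuristic for files the debug scan skips by default.
is_test_file() {
  case "$1" in
    *.test.*|*.spec.*|*_test.go|*/test_*.py|*/tests/*|*/__tests__/*) return 0 ;;
    *) return 1 ;;
  esac
}

# severity_for MARKER: the listing's two-level TODO scheme.
severity_for() {
  case "$1" in
    FIXME|BUG|HACK|XXX) echo high ;;
    TODO) echo low ;;
  esac
}

# scan_debug DIR [--include-tests]: one JSON finding per debug statement.
scan_debug() {
  local root="$1" include_tests="${2:-}"
  grep -rEn --exclude-dir=.git --exclude-dir=node_modules "$DEBUG_PATTERN" "$root" 2>/dev/null \
    | while IFS=: read -r file line _rest; do
        if [ "$include_tests" != "--include-tests" ] && is_test_file "$file"; then
          continue
        fi
        printf '{"type":"debug","severity":"medium","file":"%s","line":%s}\n' \
          "${file#"$root"/}" "$line"
      done
}

# scan_todos DIR: one JSON finding per TODO-style marker, with its severity.
scan_todos() {
  local root="$1"
  grep -rEn --exclude-dir=.git --exclude-dir=node_modules "$TODO_PATTERN" "$root" 2>/dev/null \
    | while IFS=: read -r file line text; do
        local marker
        marker=$(printf '%s' "$text" | grep -oE "$TODO_PATTERN" | head -n1)
        printf '{"type":"todo","marker":"%s","severity":"%s","file":"%s","line":%s}\n' \
          "$marker" "$(severity_for "$marker")" "${file#"$root"/}" "$line"
      done
}

# audit DIR [--include-tests]: merged findings plus a summary. high_priority is
# the number of high-severity markers, the value to gate a PR or deployment on.
audit() {
  local findings debug todos high
  findings=$( { scan_debug "$1" "${2:-}"; scan_todos "$1"; } )
  debug=$(printf '%s\n' "$findings" | grep -c '"type":"debug"' || true)
  todos=$(printf '%s\n' "$findings" | grep -c '"type":"todo"' || true)
  high=$(printf '%s\n' "$findings" | grep -c '"severity":"high"' || true)
  printf '{"findings":[%s],"summary":{"debug":%s,"todos":%s,"high_priority":%s}}\n' \
    "$(printf '%s\n' "$findings" | grep -v '^$' | paste -sd, -)" "$debug" "$todos" "$high"
}

# high_priority_count DIR: the gate value alone; non-zero means do not ship.
high_priority_count() {
  audit "$1" | grep -oE '"high_priority":[0-9]+' | cut -d: -f2
}

# Usage: bash audit.sh /path/to/project [--include-tests]
if [ -n "${1:-}" ]; then
  audit "$1" "${2:-}"
fi
```

Against a constructed tree with a `console.log` and a `FIXME` in src/app.js, a `print(` and a `TODO` in src/util.py, and a `print(` and a `HACK` in tests/test_util.py, the default run reports two debug artifacts (the test file is skipped), three markers and `high_priority` of 2; passing `--include-tests` raises the debug count to three without changing the gate value.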

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.
