skills/code-audit-scripts/SKILL.md
Run deterministic code security and quality scans — secret detection, debug artifact cleanup, and TODO/FIXME tracking. Use this skill before any security review, code audit, PR review, or when the user says 'scan for secrets', 'find debug logs', 'check for TODOs', 'audit this code', 'security scan', or 'clean up before shipping'. Also use proactively before deployments or when reviewing unfamiliar codebases. Runs all scans in parallel for speed.
Install this skill globally with one command (works with Claude Code, Cursor, and Windsurf):

```bash
npx skillsauth add b-open-io/prompts code-audit-scripts
```
Deterministic security and quality scans that output structured JSON. No LLM reasoning needed for the scanning — your job is to interpret results and recommend fixes.
Run everything at once:

```bash
bash <skill-path>/scripts/parallel-audit.sh /path/to/project
```
Returns a merged JSON report with all findings categorized by type and severity.
```bash
bash <skill-path>/scripts/scan-secrets.sh /path/to/project
```
Detects: API_KEY, SECRET, PASSWORD, PRIVATE_KEY, ACCESS_KEY, DATABASE_URL, JWT_SECRET, STRIPE_SK, and more. Filters out references to env vars (process.env, os.environ) to reduce false positives.
```bash
bash <skill-path>/scripts/scan-debug.sh /path/to/project

# Include test files:
bash <skill-path>/scripts/scan-debug.sh /path/to/project --include-tests
```
Detects: console.log/debug/warn, debugger statements (JS/TS), print/breakpoint (Python), fmt.Println (Go). Skips test files by default.
```bash
bash <skill-path>/scripts/scan-todos.sh /path/to/project
```

Categorizes by severity:

| Finding Type | What to Do |
|---|---|
| Secrets with real values | Immediately flag to user. Rotate the credential. Move to env var. |
| Secrets that are env var refs | False positive — ignore |
| Debug artifacts in src/ | Remove before shipping. List specific files and lines. |
| Debug artifacts in tests | Usually fine. Only flag if excessive. |
| FIXME/HACK/XXX | Flag as blockers for the current PR/deployment |
| TODO | Informational. Mention count but don't block on them. |
The `parallel-audit.sh` output includes a `summary` object with counts per category and a `high_priority` count; use it for quick pass/fail decisions.
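As an added illustration, not the skill's own bash scripts, the Python sketch below re-implements the three scan rules described above and the triage table in one place: keyword-based secret detection that classifies `process.env` / `os.environ` references as ignorable false positives, debug-artifact detection that skips test files unless `include_tests` is set, and TODO/FIXME/HACK/XXX tracking, merged into a report with a `summary.high_priority` count. The pattern keywords come from the text above; the regexes, function names, severity labels and the sample project are constructed assumptions for this example.

```python
"""Added example: a compact re-implementation of the scan logic this skill describes.
Not the skill's own scripts; regex shapes, function names and sample data are assumptions."""
import json
import re

# Keyword list from the skill text; the assignment shape (KEY = value / KEY: value) is our assumption.
SECRET_KEYWORDS = ("API_KEY", "SECRET", "PASSWORD", "PRIVATE_KEY", "ACCESS_KEY",
                   "DATABASE_URL", "JWT_SECRET", "STRIPE_SK")
SECRET_RE = re.compile(
    r"\b(?P<key>\w*(?:" + "|".join(SECRET_KEYWORDS) + r")\w*)\s*[=:]\s*(?P<val>\S.*)",
    re.IGNORECASE)
# A reference to the environment is not a leaked value: the false-positive filter the text mentions.
ENV_REF_RE = re.compile(r"process\.env\.|os\.environ|os\.getenv\(")
# Only a quoted literal of some length counts as a "real value".
LITERAL_RE = re.compile(r"""['"][^'"]{8,}['"]""")
# JS/TS console + debugger, Python print/breakpoint, Go fmt.Println.
DEBUG_RE = re.compile(
    r"\bconsole\.(?:log|debug|warn)\s*\(|\bdebugger\b|^\s*print\s*\(|\bbreakpoint\s*\(|\bfmt\.Println\s*\(")
TODO_RE = re.compile(r"\b(TODO|FIXME|HACK|XXX)\b")
TEST_FILE_RE = re.compile(r"(^|/)(tests?|__tests__)/|[._](test|spec)\.\w+$")


def _finding(path, lineno, category, severity, line):
    return {"file": path, "line": lineno, "category": category,
            "severity": severity, "text": line.strip()}


def scan_file(path: str, text: str, include_tests: bool = False) -> list[dict]:
    """Apply all three scan rules to one file. Debug artifacts in test files are
    skipped unless include_tests is set (the --include-tests behaviour)."""
    is_test = bool(TEST_FILE_RE.search(path))
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = SECRET_RE.search(line)
        if m:
            if ENV_REF_RE.search(line):
                findings.append(_finding(path, lineno, "secret_env_ref", "ignore", line))
            elif LITERAL_RE.search(m.group("val")):
                findings.append(_finding(path, lineno, "secret", "high", line))
        if DEBUG_RE.search(line) and (include_tests or not is_test):
            # Table: debug output in src/ must go before shipping; in tests it is usually fine.
            findings.append(_finding(path, lineno, "debug", "low" if is_test else "medium", line))
        t = TODO_RE.search(line)
        if t:
            # Table: FIXME/HACK/XXX block the PR, TODO is informational only.
            severity = "info" if t.group(1) == "TODO" else "high"
            findings.append(_finding(path, lineno, t.group(1).lower(), severity, line))
    return findings


def audit(files: dict[str, str], include_tests: bool = False) -> dict:
    """Merge per-file findings into one report: a findings list plus a summary
    with per-category counts and a high_priority count for pass/fail decisions."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_file(path, text, include_tests))
    counts: dict[str, int] = {}
    for f in findings:
        counts[f["category"]] = counts.get(f["category"], 0) + 1
    high = sum(1 for f in findings if f["severity"] == "high")
    return {"findings": findings, "summary": {"counts": counts, "high_priority": high}}


# Constructed sample project (not a real codebase); the STRIPE_SK value is a labelled placeholder.
SAMPLE_FILES = {
    "src/config.py": (
        "import os\n"
        'DATABASE_URL = os.environ.get("DATABASE_URL")\n'
        'STRIPE_SK = "sk_test_PLACEHOLDER_NOT_A_REAL_KEY"\n'
        'print("booting")\n'
        "# TODO: move settings to a typed config object\n"
    ),
    "src/auth.js": (
        "const API_KEY = process.env.API_KEY;\n"
        'console.log("token", token);\n'
        "// FIXME: token never expires\n"
        "debugger;\n"
    ),
    "tests/auth.test.js": 'console.log("fixture loaded");\n',
}

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_FILES), indent=2))
```

On the sample project the report has `high_priority` = 2 (the literal `STRIPE_SK` value and the `FIXME`), the two `process.env` / `os.environ` lines land in `secret_env_ref` with severity `ignore`, and the `console.log` in `tests/` only appears when `include_tests=True`. The `print(` rule is deliberately as blunt as the text describes it; on a Python CLI whose output is `print`, expect noise and triage accordingly.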