code-audit-scripts
Run deterministic code security and quality scans — secret detection, debug artifact cleanup, and TODO/FIXME tracking. Use this skill before any security review, code audit, PR review, or when the user says 'scan for secrets', 'find debug logs', 'check for TODOs', 'audit this code', 'security scan', or 'clean up before shipping'. Also use proactively before deployments or when reviewing unfamiliar codebases. Runs all scans in parallel for speed.
Complete plugin installation is recommended so this skill keeps its agents, hooks, commands, and runtime context.
- PUBLISHER
- b-open-io
- RELATIONSHIP
- authored
- VERSION
- 1.0.0
- BENCHMARK
- unknown
Install bopen-tools
The complete plugin is the supported path. It preserves everything the publisher designed to work alongside this skill.
Codex
VERIFIEDInstall only this skill
Use this narrower path only when you intentionally want the portable SKILL.md without the plugin’s surrounding capabilities.
Skills CLI
VERIFIED- Installs only the portable skill; it omits plugin hooks, agents, commands, apps/MCP configuration, and unlisted companion skills.
Trace it to the source.
- DISTRIBUTED SOURCE
- skills/code-audit-scripts/SKILL.md ↗
- UPSTREAM SOURCE
- No separate upstream declared
- DISTRIBUTED DIGEST
- sha256:ad6d741f8bb357ead5afadda60c3950046d29745d81a9d90277d9177b1522c21
- LOCK HASH
- Not applicable
Companion skills
No required companion skills are declared.
Agents using this skill

Root
Expert in our Vercel+Railway+Bun stack with Bitcoin auth patterns and satchmo-watch monitoring. Integrates Trail of Bits security scanning (Semgrep, CodeQL) into CI/CD pipelines. Manages ClawNet bot deployments as Vercel Sandboxes.

Paul
Runtime security operations, dependency scanning, supply chain analysis, secrets scanning, OWASP compliance, and security incident response. Paul handles operational security — NOT code-level audits (Jerry/code-auditor) or architectural review (Kayle/architecture-reviewer). <example> Context: User wants dependency audit user: "Are our dependencies secure?" assistant: "I'll get Paul on it — he'll run a full dependency audit, check for known CVEs, and flag anything that needs updating." <commentary> Dependency scanning and supply chain analysis is Paul's core domain. </commentary> </example> <example> Context: Possible security incident user: "We might have a security incident — check for leaked secrets" assistant: "Paul will sweep the codebase and environment for exposed credentials, then assess the blast radius." <commentary> Security incident triage and secrets scanning. Paul handles containment and notification. </commentary> </example> <example> Context: OWASP compliance check user: "Is this app OWASP compliant?" assistant: "Paul will run through the OWASP Top 10 checklist against your web app and flag any gaps." <commentary> OWASP compliance validation for web applications. </commentary> </example>
Related skills
ALL BOPEN-TOOLS SKILLS →advisor
Active when a Claude Code or Codex main session needs an independent, read-only second opinion at a commitment boundary. Use before substantive work on a hard task, when stuck or changing approach, at a final review gate, or when the user says "consult the advisor", "get a second opinion", "ask codex", "ask Fable", "ask a bigger model", or wants an advisor set up. Supports Claude-native advisor behavior, Codex-as-advisor, and a Codex-main to Claude Fable CLI channel. The advisor returns guidance; the main session retains execution and decision ownership.
agent-auditor
Comprehensive audit skill for agents and skills across the plugin ecosystem. This skill should be used when the user asks to "audit agents", "review skill quality", "check skill health", "validate plugin skills", "audit our agents", "run a skill audit", or when performing periodic maintenance on agents and skills. Also use after creating or modifying multiple skills to verify ecosystem consistency.
agent-decommissioning
This skill should be used when the user asks to "retire an agent", "decommission an agent", "remove an agent from the team", "shut down a bot", "remove a bot", "sunset an agent", or "take an agent offline permanently". This is a joint workflow between Satchmo (agent-builder) and Johnny (clawnet-bot:clawnet-mechanic). Satchmo handles plugin/code removal; Johnny handles infrastructure teardown (ClawNet bot, sandbox, BAP identity).
agent-onboarding
Complete end-to-end checklist for adding a new agent to the bOpen team. Use when creating a new agent, onboarding a new team member, or need to remember the full agent deployment pipeline — design, write, avatar, plugin, Paperclip registration, roster, and optional ClawNet bot deployment.
benchmark-skills
Use this skill when creating evals or assertions for a skill, running the skill benchmark harness, measuring skill effectiveness vs baseline, or writing evals.json files alongside skills. Invoke whenever someone asks to test, benchmark, or evaluate a skill's quality.
charting
Full-stack data visualization and charting intelligence. This skill should be used when the user asks to "create a chart", "visualize this data", "build a dashboard", "plot this", "graph these metrics", "show me a chart of", "make a bar chart", "create a line graph", "build a heatmap", or needs help choosing the right chart type, selecting a charting library, or engineering the data pipeline from raw database state to rendered visualization. Covers chart selection, data transformation, library choice by scale, performance optimization, and accessibility.