Code Audit Skill

Comprehensive security and correctness audit of C code that links with the Ioto agent library.

Invoke with: /code-audit

Audit Categories

The audit covers 10 categories:

1. Unsafe C Library Usage

Detects standard C library functions where Safe Runtime alternatives must be used.

Severity	Functions
CRITICAL	`gets`, `sprintf`, `strcat` without bounds, `system()`, `popen()`
HIGH	`strcpy`, `strncpy`, `malloc`/`free` (memory mixing risk)
MEDIUM	`strlen`, `strcmp`, `atoi`, `printf`, `snprintf`
LOW	`strchr`, `strrchr`, `strstr` (not null-tolerant)

2. Memory Leak Detection

Tracks all allocations to ensure every allocation has a corresponding free on all code paths.

Allocation	Required Free
`rAlloc` / `sclone` / `sfmt` / `sjoin`	`rFree()`
`jsonAlloc` / `jsonParse`	`jsonFree()`
`jsonToString`	`rFree()`
`rAllocBuf`	`rFreeBuf()`

3. Integer Overflow / Underflow

Analyzes integer arithmetic for overflow risks on size calculations and loop counters.

4. Array Bounds Checking

Verifies all array subscript references and buffer operations are within bounds. Flags stack buffers > 4KB as fiber stack overflow risks.

5. Error Path Analysis

Ensures consistent error handling, proper resource cleanup, and correct error propagation.

6. TLS/SSL Security

Verifies TLS configuration: certificate verification, protocol version enforcement, and encrypted endpoints.

7. Credential Security

Ensures tokens, keys, passwords, and sensitive data are handled securely. Detects hardcoded credentials and credential logging.

8. Input Validation

Verifies that external inputs (command-line args, config files, network data) are validated before use.

9. Concurrency and Fiber Safety

Verifies code is safe under the single-threaded fiber model. Detects blocking calls, thread-unsafe functions, and large stack allocations.

10. AI API Safety

Verifies OpenAI integration follows security best practices: key management, resource cleanup, and cost limits.

Report Format

The audit produces a structured report with:

Summary table of findings by category and severity
Individual findings with file path, line number, severity, issue description, and recommended fix
Verification steps after fixes are applied

Verification

After applying fixes:

make clean && make — Must complete with zero errors and warnings
make test — All unit tests must pass

Files

AI Skills

OpenAI

Database

URL HTTP Client

Safe Runtime

Web Server

Configuration

Authentication

Man Pages

Code Audit Skill

Audit Categories

1. Unsafe C Library Usage

2. Memory Leak Detection

3. Integer Overflow / Underflow

4. Array Bounds Checking

5. Error Path Analysis

6. TLS/SSL Security

7. Credential Security

8. Input Validation

9. Concurrency and Fiber Safety

10. AI API Safety

Report Format

Verification

Configuration

Authentication

Code Audit Skill ​

Audit Categories ​

1. Unsafe C Library Usage ​

2. Memory Leak Detection ​

3. Integer Overflow / Underflow ​

4. Array Bounds Checking ​

5. Error Path Analysis ​

6. TLS/SSL Security ​

7. Credential Security ​

8. Input Validation ​

9. Concurrency and Fiber Safety ​

10. AI API Safety ​

Report Format ​

Verification ​

Code Audit Skill

Audit Categories

1. Unsafe C Library Usage

2. Memory Leak Detection

3. Integer Overflow / Underflow

4. Array Bounds Checking

5. Error Path Analysis

6. TLS/SSL Security

7. Credential Security

8. Input Validation

9. Concurrency and Fiber Safety

10. AI API Safety

Report Format

Verification