# Add to your Claude Code skills
git clone https://github.com/olasunkanmi-SE/codebuddyLast scanned: 5/30/2026
{
"issues": [
{
"type": "npm-audit",
"message": "@hono/node-server: @hono/node-server has authorization bypass for protected static paths via encoded slashes in Serve Static Middleware",
"severity": "high"
},
{
"type": "npm-audit",
"message": "@langchain/core: Vulnerability found",
"severity": "high"
},
{
"type": "npm-audit",
"message": "@langchain/langgraph: Vulnerability found",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "@langchain/langgraph-checkpoint: Vulnerability found",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "@langchain/langgraph-checkpoint-sqlite: Vulnerability found",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "@mozilla/readability: @mozilla/readability Denial of Service through Regex",
"severity": "low"
},
{
"type": "npm-audit",
"message": "@opentelemetry/exporter-metrics-otlp-http: Vulnerability found",
"severity": "high"
},
{
"type": "npm-audit",
"message": "@opentelemetry/exporter-prometheus: Prometheus exporter process crash via malformed HTTP request",
"severity": "high"
},
{
"type": "npm-audit",
"message": "@opentelemetry/otlp-exporter-base: Vulnerability found",
"severity": "high"
},
{
"type": "npm-audit",
"message": "@opentelemetry/otlp-transformer: Vulnerability found",
"severity": "high"
},
{
"type": "npm-audit",
"message": "@opentelemetry/sdk-node: Vulnerability found",
"severity": "high"
},
{
"type": "npm-audit",
"message": "@protobufjs/utf8: protobufjs has overlong UTF-8 decoding",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "@tootallnate/once: @tootallnate/once vulnerable to Incorrect Control Flow Scoping",
"severity": "low"
},
{
"type": "npm-audit",
"message": "@traceloop/instrumentation-langchain: Vulnerability found",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "@traceloop/node-server-sdk: Vulnerability found",
"severity": "high"
},
{
"type": "npm-audit",
"message": "@vscode/test-cli: Vulnerability found",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "ajv: ajv has ReDoS when using `$data` option",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "axios: Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF",
"severity": "high"
},
{
"type": "npm-audit",
"message": "brace-expansion: brace-expansion: Zero-step sequence causes process hang and memory exhaustion",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "deepagents: Vulnerability found",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "dompurify: DOMPurify contains a Cross-site Scripting vulnerability",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "express-rate-limit: express-rate-limit: IPv4-mapped IPv6 addresses bypass per-client rate limiting on servers with dual-stack network",
"severity": "high"
},
{
"type": "npm-audit",
"message": "fast-uri: fast-uri vulnerable to path traversal via percent-encoded dot segments",
"severity": "high"
},
{
"type": "npm-audit",
"message": "flatted: flatted vulnerable to unbounded recursion DoS in parse() revive phase",
"severity": "high"
},
{
"type": "npm-audit",
"message": "follow-redirects: follow-redirects leaks Custom Authentication Headers to Cross-Domain Redirect Targets",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "gaxios: Vulnerability found",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "google-gax: Vulnerability found",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "hono: Hono added timing comparison hardening in basicAuth and bearerAuth",
"severity": "high"
},
{
"type": "npm-audit",
"message": "ip-address: ip-address has XSS in Address6 HTML-emitting methods",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "langchain: Vulnerability found",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "langsmith: LangSmith Client SDK Affected by Server-Side Request Forgery via Tracing Header Injection",
"severity": "high"
},
{
"type": "npm-audit",
"message": "lodash: lodash vulnerable to Code Injection via `_.template` imports key names",
"severity": "high"
},
{
"type": "npm-audit",
"message": "markdown-it: markdown-it is has a Regular Expression Denial of Service (ReDoS)",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "minimatch: minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern",
"severity": "high"
},
{
"type": "npm-audit",
"message": "mocha: Vulnerability found",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "natural: Vulnerability found",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "path-to-regexp: path-to-regexp vulnerable to Denial of Service via sequential optional groups",
"severity": "high"
},
{
"type": "npm-audit",
"message": "picomatch: Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching",
"severity": "high"
},
{
"type": "npm-audit",
"message": "protobufjs: Arbitrary code execution in protobufjs",
"severity": "critical"
},
{
"type": "npm-audit",
"message": "qs: qs's arrayLimit bypass in comma parsing allows denial of service",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "retry-request: Vulnerability found",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "serialize-javascript: Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString()",
"severity": "high"
},
{
"type": "npm-audit",
"message": "simple-git: simple-git Affected by Command Execution via Option-Parsing Bypass",
"severity": "critical"
},
{
"type": "npm-audit",
"message": "tar: Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in node-tar Extraction",
"severity": "high"
},
{
"type": "npm-audit",
"message": "teeny-request: Vulnerability found",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "underscore: Underscore has unlimited recursion in _.flatten and _.isEqual, potential for DoS attack",
"severity": "high"
},
{
"type": "npm-audit",
"message": "uuid: uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "ws: ws: Uninitialized memory disclosure",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "yaml: yaml is vulnerable to Stack Overflow via deeply nested YAML collections",
"severity": "medium"
}
],
"status": "FAILED",
"scannedAt": "2026-05-30T16:22:43.228Z",
"npmAuditRan": true,
"pipAuditRan": true
}codebuddy is an open-source ai agents skill for AI coding assistants such as Claude Code, Codex CLI, and ChatGPT, built by olasunkanmi-SE. An Autonomous AI Software Engineer. It has 139 GitHub stars.
codebuddy failed SkillsLLM's automated security scan, which flagged one or more high-severity issues. Review the Security Report section carefully before using it.
Clone the repository with "git clone https://github.com/olasunkanmi-SE/codebuddy" and add it to your Claude Code skills directory (see the Installation section above).
codebuddy is primarily written in TypeScript. It is open-source under olasunkanmi-SE on GitHub, so you can review or fork the full source.
Yes. SkillsLLM lists many other AI Agents skills you can browse and compare side by side. Open the AI Agents category from the badge at the top of this page, or use the Related Skills and comparison links further down to weigh codebuddy against similar tools.
No comments yet. Be the first to share your thoughts!
Requires a passing catalog security scan. Resolve the flagged issues and resubmit to enable featuring.
DEPRECATION NOTICE
Active development for CodeBuddy has officially moved to a private repository. This public repository is now archived and will no longer accept new features, bug fixes, issues, or pull requests (including automated dependency updates).Thank you to everyone who supported and interacted with the public version of this project!
Read the DOCS
CodeBuddy is a multi-agent AI software engineer that operates inside VS Code. It plans, writes, debugs, tests, documents, and deploys entire features autonomously -- reading your codebase, running terminal commands, editing files, searching the web, and correcting its own mistakes until the task is done.
It supports 10 AI providers (cloud and local), over 20 built-in tools, 16 bundled skill integrations, a Model Context Protocol gateway for unlimited extensibility, enterprise-grade security controls, and full internationalization in 7 languages.
CodeBuddy is built on an event-driven, layered architecture designed for extensibility, provider-agnosticism, and real-time streaming.
The Orchestrator is a singleton event bus at the center of the system. Every subsystem communicates exclusively through publish/subscribe events. The Orchestrator never calls services directly -- it emits typed events and listeners react independently. This fully decouples the agent layer, webview layer, and service layer from one another.
User message (webview)
--> BaseWebViewProvider receives via onDidReceiveMessage
--> InputValidator sanitizes input
--> ConcurrencyQueueService gates admission (priority-aware semaphore)
--> MessageHandler routes to CodeBuddyAgentService
--> DeveloperAgent invokes createDeepAgent()
--> LangGraph graph executes (reason -> act -> observe loop)
--> Tools execute (file edit, terminal, search, MCP, etc.)
--> Stream events emitted per token / per tool call
--> AgentSafetyGuard enforces event/tool/duration limits
--> ProviderFailoverService retries on alternate providers
--> Events flow back through Orchestrator
--> WebViewProvider forwards to webview via postMessage
User sees streamed response with real-time tool activity indicators
The extension host and the React webview communicate over a bidirectional postMessage protocol. The webview sends structured commands. The extension responds with typed events.
| Layer | Mechanism | Purpose |
|---|---|---|
| In-memory cache | TTL-based Map (Memory singleton) | Session data, model references, transient state |
| File storage | .codebuddy/ workspace directory |
Agent state snapshots, memories, tasks, rules |
| SQLite | sql.js (WASM) with FTS4 full-text search | Codebase analysis, persistent structured data, keyword search |
| LangGraph checkpointer | SqljsCheckpointSaver (SQLite-backed) | Multi-turn conversation threads with resumable state |
| VS Code SecretStorage | Encrypted OS keychain | API keys and credentials |
| Vector store | SqliteVectorStore with pre-normalized vectors | Workspace embeddings for semantic search |
| Credential proxy | In-process HTTP proxy on 127.0.0.1 | Session-token-authenticated credential injection for LLM SDK |
CodeBuddy uses Tree-sitter WASM binaries for accurate AST parsing across 7 languages, powering codebase analysis, symbol extraction, and the code indexing worker thread:
| Language | Binary |
|---|---|
| JavaScript | tree-sitter-javascript.wasm |
| TypeScript | tree-sitter-tsx.wasm |
| Python | tree-sitter-python.wasm |
| Go | tree-sitter-go.wasm |
| Java | tree-sitter-java.wasm |
| Rust | tree-sitter-rust.wasm |
| PHP | tree-sitter-php.wasm |
CodeBuddy uses a multi-agent architecture built on the LangGraph DeepAgents framework. A Developer Agent coordinates the work, with seven specialized subagents that each receive role-specific filtered tools:
| Subagent | Responsibility |
|---|---|
| Code Analyzer | Deep code review, bug identification, complexity analysis, anti-pattern detection |
| Doc Writer | Technical documentation, API references, README generation, tutorials |
| Debugger | Error investigation, stack trace analysis, root cause identification, fix proposals |
| File Organizer | Directory restructuring, file renaming, project layout optimization |
| Architect | System design, pattern selection, architecture decision records, scalability planning |
| Reviewer | Code quality enforcement, security review, best practices, style compliance |
| Tester | Test strategy, unit/integration test generation, test execution and validation |
When the agent encounters a failure -- a build error, a failed test, an invalid command output -- it does not stop. It reads the error, analyzes the root cause, applies a correction, and retries. This loop continues until the task succeeds or the agent determines the issue requires human intervention.
The AgentSafetyGuard enforces hard limits on every agent stream to prevent runaway execution:
The ProductionSafeguards service provides a circuit breaker with CLOSED/OPEN/HALF_OPEN states and 5 recovery strategies for handling sustained failures.
Destructive operations (such as file deletion) trigger an interrupt that pauses execution and asks for explicit approval. The user can approve, edit, or reject the proposed action before the agent continues.
The CheckpointService saves agent execution state to SQLite, enabling resumable conversations. Before each agent operation, a named checkpoint is created so work can be restored if the session is interrupted.
The ConcurrencyQueueService controls the maximum number of concurrent agent operations. When all slots are occupied, incoming requests are queued in priority-aware FIFO order and drained as slots free up.
AbortSignal or a timeout for cooperative cancellation. Runtime polyfills ensure compatibility across VS Code Electron versions.try/finally in the agent service ensures slots are always returned, even on stream failure or cancellation.