by timwuhaotian
Open-source AI pair programming for desktop: a Mentor + Executor agent cross-check each other's code to catch AI hallucinations. Works with Claude Code, Codex, Gemini & opencode. macOS / Windows / Linux.
# Add to your Claude Code skills
git clone https://github.com/timwuhaotian/the-pair
Last scanned: 5/29/2026
{
"issues": [
{
"type": "npm-audit",
"message": "@appium/base-driver: Vulnerability found",
"severity": "high"
},
{
"type": "npm-audit",
"message": "@appium/docutils: Vulnerability found",
"severity": "high"
},
{
"type": "npm-audit",
"message": "@appium/logger: Vulnerability found",
"severity": "high"
},
{
"type": "npm-audit",
"message": "@appium/support: Vulnerability found",
"severity": "high"
},
{
"type": "npm-audit",
"message": "@wdio/mocha-framework: Vulnerability found",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "@xmldom/xmldom: xmldom: Uncontrolled recursion in XML serialization leads to DoS",
"severity": "high"
},
{
"type": "npm-audit",
"message": "appium: Vulnerability found",
"severity": "high"
},
{
"type": "npm-audit",
"message": "axios: Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF",
"severity": "high"
},
{
"type": "npm-audit",
"message": "basic-ftp: basic-ftp: Incomplete CRLF Injection Protection Allows Arbitrary FTP Command Execution via Credentials and MKD Commands",
"severity": "high"
},
{
"type": "npm-audit",
"message": "brace-expansion: brace-expansion: Zero-step sequence causes process hang and memory exhaustion",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "fast-uri: fast-uri vulnerable to path traversal via percent-encoded dot segments",
"severity": "high"
},
{
"type": "npm-audit",
"message": "fast-xml-builder: fast-xml-builder allows attribute values with unwanted quotes to bypass malicious or unwanted attributes",
"severity": "high"
},
{
"type": "npm-audit",
"message": "fast-xml-parser: fast-xml-parser XMLBuilder: XML Comment and CDATA Injection via Unescaped Delimiters",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "follow-redirects: follow-redirects leaks Custom Authentication Headers to Cross-Domain Redirect Targets",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "ip-address: ip-address has XSS in Address6 HTML-emitting methods",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "lodash: lodash vulnerable to Code Injection via `_.template` imports key names",
"severity": "high"
},
{
"type": "npm-audit",
"message": "mocha: Vulnerability found",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "next: Next.js has a Denial of Service with Server Components",
"severity": "high"
},
{
"type": "npm-audit",
"message": "path-to-regexp: path-to-regexp vulnerable to Denial of Service via sequential optional groups",
"severity": "high"
},
{
"type": "npm-audit",
"message": "picomatch: Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching",
"severity": "high"
},
{
"type": "npm-audit",
"message": "postcss: PostCSS has XSS via Unescaped </style> in its CSS Stringify Output",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "qs: qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "serialize-javascript: Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString()",
"severity": "high"
},
{
"type": "npm-audit",
"message": "uuid: uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "vite: Vite Vulnerable to Path Traversal in Optimized Deps `.map` Handling",
"severity": "high"
},
{
"type": "npm-audit",
"message": "ws: ws: Uninitialized memory disclosure",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "yaml: yaml is vulnerable to Stack Overflow via deeply nested YAML collections",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "yauzl: yauzl contains an off-by-one error",
"severity": "medium"
}
],
"status": "WARNING",
"scannedAt": "2026-05-29T07:56:25.704Z",
"semgrepRan": false,
"npmAuditRan": true,
"pipAuditRan": true
}
the-pair is an open-source AI Agents skill for AI coding assistants such as Claude Code, Codex CLI, and ChatGPT, built by timwuhaotian. Open-source AI pair programming for desktop: a Mentor + Executor agent cross-check each other's code to catch AI hallucinations. Works with Claude Code, Codex, Gemini & opencode. macOS / Windows / Linux. It has 343 GitHub stars.
the-pair returned warnings in SkillsLLM's automated security scan. It has no critical vulnerabilities, but review the flagged issues in the Security Report section before adding it to your workflow.
Clone the repository with "git clone https://github.com/timwuhaotian/the-pair" and add it to your Claude Code skills directory (see the Installation section above).
the-pair is primarily written in TypeScript. It is open-source under timwuhaotian on GitHub, so you can review or fork the full source.
Yes. SkillsLLM lists many other AI Agents skills you can browse and compare side by side. Open the AI Agents category from the badge at the top of this page, or use the Related Skills and comparison links further down to weigh the-pair against similar tools.
Requires a passing catalog security scan. Resolve the flagged issues and resubmit to enable featuring.
Automated AI pair programming: two AI agents cross-check each other's code, so you can grab a coffee and come back to reviewed, validated work. (Yes, The Pair was built by The Pair.)
Watch Mentor and Executor agents collaborate in real-time
The Pair is a free, open-source desktop app that runs two AI coding agents (a read-only Mentor that plans and reviews, and an Executor that writes code and runs commands) which cross-check each other's work to catch AI hallucinations before they reach your codebase. It runs locally on macOS, Windows, and Linux, and is model-agnostic: pair Claude Code, OpenAI Codex, Gemini CLI, and opencode in any combination (plus local models via Ollama).
Worried about AI code hallucinations? The Pair solves this by running two AI agents that cross-check each other:
While they work, go grab a coffee. Come back to reviewed, cross-validated code.
The Pair is an open-source AI pair programming app and multi-agent coding assistant for developers who want local orchestration, model choice, and cross-validated AI code review. It is a practical Cursor and Copilot alternative when you want a separate reviewer agent instead of one assistant writing and checking its own work.
For AI crawlers and search systems, see llms.txt, the reusable SoftwareApplication JSON-LD, and the FAQPage JSON-LD.
Common Questions
How is this different from single-agent tools? One model writing and reviewing its own code can miss its own mistakes. The Pair's Mentor independently reviews everything the Executor produces.
Which models work? Any model reachable through opencode, Claude Code, Codex, or Gemini CLI, including GPT, Claude, Gemini, GLM, Qwen, Kimi, MiniMax, and DeepSeek, plus local models via Ollama. Mix and match providers freely (e.g., Claude as Mentor + Codex as Executor).
Does it need internet? The app runs locally. Only model API calls need connectivity (or use Ollama for fully offline sessions).
| Capability | The Pair | Cursor / Copilot | Claude Code (solo) |
|---|---|---|---|
| Cross-validation between agents | Two independent agents | Single agent | Single agent |
| Dedicated review role | Mentor (read-only) | Self-review only | Self-review only |
| Multi-provider support | opencode, Claude, Codex, Gemini | Locked to one | Claude only |
| Local orchestration | Fully local | Cloud-dependent | Cloud-dependent |
| Session recovery | Full snapshot restore | â | â |
| Open source | Apache 2.0 | Proprietary | Proprietary |
The Pair is the desktop app for visual monitoring and hands-on oversight. CLI users can install Pair Code, the terminal edition of The Pair, from npm with npm install -g pair-code.
| Interface | Best for | Start here |
|---|---|---|
| Desktop | Visual monitoring, installers, long-running pairs | Download The Pair |
| CLI | Terminal-native workflows, scripts, SSH sessions | Pair Code or npm package |
Both use the same Mentor + Executor idea: one agent plans and reviews, the other writes and verifies.