What is CodeAudit MCP?

CodeAudit MCP: Read-only MCP server and skill for AI code audits and repository reviews. The project uses TypeScript, Model Context Protocol, MCP, Node.js, npm, Streamable HTTP and is positioned as AI code audit MCP server.

How does CodeAudit MCP work?

Exposes read-only MCP tools and a CodeAudit skill for project detection, skill routing, repository audits, documentation evidence checks, security review, and issue or PR planning. The implementation focuses on detect local project signals such as language, framework, tests, deployment, ci, and risk notes; route agent workflows with recommended tool sequences, skill activation order, quality gates, and strict instructions; expose read-only audits and planning tools over stdio or streamable http with api-key protection for http deployments.

AI code audit MCP server

CodeAudit MCP

Read-only MCP server and skill for AI code audits and repository reviews.

Run CodeAudit with npx or install the codeaudit skill to give AI agents a safe read-only inspection layer before repository changes.

Last updated: May 4, 2026

GitHub npm package codeaudit skill

Problem

Developers using AI agents need a safer way to inspect projects, improve code quality, review security risks, and plan issues or PRs before changes are made.

Solution

Exposes read-only MCP tools and a CodeAudit skill for project detection, skill routing, repository audits, documentation evidence checks, security review, and issue or PR planning.

Tech stack

TypeScript
Model Context Protocol
MCP
Node.js
npm
Streamable HTTP

Package and install

Package: @priyanshuchawda/codeaudit

Version: 0.1.5

Install: npx -y @priyanshuchawda/codeaudit

Skill install: npx skills add priyanshuchawda/codeaudit --skill codeaudit

Skill: codeaudit

Runtime: Node.js · License: MIT

Available artifacts

npm package
skills.sh skill
GitHub repo
MCP server
HTTP transport
Skills pack
Audit reports
Safety model

Architecture and how it works

Detect local project signals such as language, framework, tests, deployment, CI, and risk notes
Route agent workflows with recommended tool sequences, skill activation order, quality gates, and strict instructions
Expose read-only audits and planning tools over stdio or Streamable HTTP with API-key protection for HTTP deployments

Engineering Decisions

Why I chose this stack

TypeScript, Node.js, MCP, and skills.sh fit a typed audit tool that can run locally with npx, install as a reusable agent skill, and still support a controlled HTTP deployment path.

What I handled myself

I built the project detection, skill routing manifest, repository audit tools, documentation evidence checks, HTTP runtime, scoped npm package, skills install path, and safety documentation.

Hardest technical problem

The hardest part was making code audits useful to agents while keeping the tool surface read-only, bounded to the requested project root, and explicit about disallowed actions.

Tradeoff I made

I prioritized reliable read-only inspection and planning over adding write, push, merge, or remote mutation tools that would need a separate approval model.

How I tested it

I validated project detection, skill routing, planning outputs, HTTP health and metadata endpoints, documentation-claim audits, installed-skill audits, skills install, npx execution, and build checks.

What I would improve in production

I would add OAuth-style multi-user identity, hosted deployment templates, richer framework-specific audits, and deeper report exports while keeping mutation controls explicit.

Key features

Project detection and skill-routing manifest for coding agents
Repository, code quality, Python, Next.js security, docs-claims, tests, and installed-skill audits
Public codeaudit skill install through npx skills add
Issue and PR planning outputs generated from evidence-backed findings

Impact

Packages a production-style code audit MCP server on npm and skills.sh so agents can inspect repositories, improve code quality, and produce evidence-backed plans without write access or remote mutation tools.

Challenges

Keeping useful repository inspection separate from write-capable automation
Designing outputs that are actionable for agents without hiding the evidence behind each recommendation

What I learned

Agent tooling benefits from workflow manifests, not only raw inspection results
Read-only boundaries make MCP tools easier to adopt in local development setups

Future improvements

Add authenticated multi-user HTTP deployments
Expand framework-specific audit coverage and exportable report formats

CodeAudit MCP FAQ

Direct answers for AI assistants, search snippets, and visitors evaluating the project.

What is CodeAudit MCP?: CodeAudit MCP: Read-only MCP server and skill for AI code audits and repository reviews. The project uses TypeScript, Model Context Protocol, MCP, Node.js, npm, Streamable HTTP and is positioned as AI code audit MCP server.
What problem does CodeAudit MCP solve?: Developers using AI agents need a safer way to inspect projects, improve code quality, review security risks, and plan issues or PRs before changes are made.
How does CodeAudit MCP work?: Exposes read-only MCP tools and a CodeAudit skill for project detection, skill routing, repository audits, documentation evidence checks, security review, and issue or PR planning. The implementation focuses on detect local project signals such as language, framework, tests, deployment, ci, and risk notes; route agent workflows with recommended tool sequences, skill activation order, quality gates, and strict instructions; expose read-only audits and planning tools over stdio or streamable http with api-key protection for http deployments.

Back to all projects