The LLM Multi Tool for Code Auditing

A Gemini CLI Extension and Claude Code Plugin with Skills and Tools for code estimation, security auditing, and professional report writing.

Skills are structured workflows that guide the AI through multi-step processes. Each skill contains detailed instructions, phases, and best practices for specific tasks.

Skills provide complete workflows that the AI follows autonomously. When invoked, the AI loads the skill's protocol and executes it step-by-step, using the available tools as needed. Each skill can be invoked through its respective slash command (e.g., /security-auditor, /estimator).

Tools provide structured code analysis through Tree-sitter AST parsing. They support glob patterns for analyzing multiple files at once. Skills use these tools automatically as part of their workflows.

Extracts function and method signatures from source files without reading full implementations. The estimator skill uses peek to quickly understand a codebase's API surface, what functions exist, their parameters, visibility, and modifiers. This is ideal for initial exploration and building a mental map of unfamiliar code, without the need to read full files.

The metrics tool calculates code metrics:

• Normalized Lines of Code (nLOC): Total lines minus blank lines, comment-only lines, and multi-line constructs normalized to single lines (e.g., a function signature spanning 3 lines counts as 1).
• Lines with Comments: Count of lines containing comments, including inline comments.
• Comment Density: Percentage of lines that have/are comments, indicating documentation coverage.
• Cognitive Complexity: Measures control flow complexity by counting branches (if, for, while, etc.) weighted by nesting depth. Deeply nested logic scores higher than flat code.
• Estimated Hours: Review time estimate based on nLOC, adjusted by complexity (penalty for high, benefit for low) and comment density (benefit for well-documented code).

The estimator skill uses this tool to calculate how long it takes to perform a security audit.

Calculates metrics for code changes between two git refs (commits, branches, or tags). Useful for estimating incremental audit effort when reviewing pull requests or comparing versions.

• Added/Removed Lines: Tracks line changes per file
• Diff nLOC: Lines of code added (excluding blanks and comments)
• Diff Complexity: Sum of nesting depths for changed lines (deeply nested changes score higher)
• Estimated Hours: Review time for the diff, using the same estimation formula as metrics

Deleted files are considered "free" (zero effort) since they reduce attack surface.

Returns the actual diff content between two git refs, with two output modes:

• full: Raw unified diff per file - useful for deep inspection during security audits
• signatures: Function-level changes (added/modified/removed) - useful for understanding structural changes

The signatures mode compares function signatures between base and head versions:

• Added: Functions that exist only in head (new code to review)
• Modified: Functions that exist in both but contain changed lines
• Removed: Functions that existed in base but are gone (verify intentional, check for lost validation)

Traces call chains from root functions (functions nothing else calls) through the full call graph, grouped by root and sorted longest-first. The security-auditor skill uses this to understand how execution flows through a system and to identify attack surfaces. A hotspot summary highlights functions appearing across the most chains, giving an immediate prioritization signal for where to focus the audit.

SAiST is a three-phase static analysis pipeline: init → resolve gaps → run rules.

Initializes a scan by building a symbol map (functions, state variables, call edges, modifiers, state reads/writes), computing hotspots, and detecting gaps — callees the static pass cannot resolve (unresolved targets, interface dispatch, external libraries). Returns a scanId for subsequent phases.

Resolves gaps identified during init by providing facts the static pass could not determine (e.g., writesState, callsExternal). Gaps are prioritized by hotspot proximity (high/medium/low). Skip if no gaps or all low priority.

Runs shipped and custom rules against the enriched symbol map. Supports filtering by ruleIds, includeSeverity (critical/high/medium/low/info), and includeKind (issue/smell/pointer). Findings include rule metadata, location, and optional execution paths for deep rules.

Lists all available SAiST rules with their metadata (id, title, description, severity, kind, languages). Supports filtering by languages, severity, and kind. Use to discover the rule catalog before running scans or to interpret finding IDs in results.

# 1. Start Claude Code
claude

# 2. Go to plugins
/plugin

# 3. Navigate to Marketplaces tab
# 4. <enter> on "+ Add Marketplace"
# 5. Paste this repo's link, <enter>
# 6. Hit <space> and <i>

# Install the MCP server
gemini extensions install <this repository URL>

# Verify installation
gemini extensions list

Skills can be installed standalone using the skills CLI. This gives you the workflow prompts (security-auditor, estimator, threat-modeling, etc.) without the MCP tools.

npx skills add Artifex1/auditor-addon

For the full experience (skills + tools like peek, metrics, call_chains, SAiST), run the MCP server locally and register it with your environment:

# 1. Clone the repository
git clone <repository-url>
cd auditor-addon

# 2. Start the MCP server (pre-built, no install needed)
node dist/mcp/server.js

Then add the server to your environment's MCP configuration. For example, in Cursor's .cursor/mcp.json or a generic mcp.json:

{
  "mcpServers": {
    "auditor-addon": {
      "command": "node",
      "args": ["/absolute/path/to/auditor-addon/dist/mcp/server.js"]
    }
  }
}

Optional: Place the context file (CLAUDE.md or GEMINI.md) in your project root or follow your environment's instructions for loading system prompts — this gives the AI the tools reference and usage guidance.

# Clone the repository
git clone <repository-url>
cd auditor-addon

# Install dependencies
pnpm install

# Build the project
pnpm build

# Run tests
pnpm test

# Watch mode for development
pnpm test:watch

• 🧩 Modular: Clear separation between MCP protocol, engine, and language adapters
• 🔌 Extensible: Easy to add new languages via BaseAdapter inheritance
• 🔄 DRY: Common logic shared via BaseAdapter class
• ✅ Tested: Tests for all language adapters

• Runtime:
• AST Engine: Tree-sitter - Fast, incremental parsing for various languages
• Output Format: TOON - Token-Oriented Object Notation
• Protocol: MCP - Model Context Protocol
• Testing:

• .claude-plugin/: 🔌 Claude Code plugin configuration
• CLAUDE.md: 🤖 Claude Code plugin context guide
• GEMINI.md: 🤖 Gemini CLI extension context guide with workflow instructions
• gemini-extension.json: ⚙️ Gemini CLI extension configuration
• skills/: 🎯 Skill definitions and protocols
• src/languages/: 🔧 Language adapter implementations
• commands/: 📋 Command alias definitions for Gemini CLI