JSPM

fivem-audit

2.0.0

Claude Code skill for complete FiveM resource auditing - security, performance, compatibility, cleanup and pre-publish checks

Package Exports

    This package does not declare an exports field, so the exports above have been automatically detected and optimized by JSPM instead. If any package subpath is missing, it is recommended to post an issue to the original package (fivem-audit) to support the "exports" field. If that is not possible, create a JSPM override to customize the exports field for this package.

    Readme

    FiveM Audit Skill for Claude Code


    Complete multi-phase audit tool for FiveM resources. Security, performance, compatibility, and code quality — all in one skill.

    Install

    npx fivem-audit

    That's it. The skill is installed in Claude Code. Restart Claude Code and use /fivem-audit in any FiveM resource directory.

    Other install methods

    Uninstall:

    npx fivem-audit --uninstall

    Manual clone:

    git clone https://github.com/matiaspalmac/fivem-audit-skill.git ~/.claude/skills/fivem-audit

    What it does

    When invoked, it performs a 5-phase professional audit on any FiveM resource:

    Phase 1: Security

    • SQL Injection (oxmysql, mysql-async, ghmattimysql, ox_lib MySQL)
    • Server event exploitation (source validation, input validation)
    • Money/item duplication (race conditions, negative amounts, async gaps)
    • Command injection (ExecuteCommand, PerformHttpRequest)
    • XSS in NUI (innerHTML, user content escaping)
    • Permission bypass (client-side vs server-side checks)
    • Sensitive data exposure (webhooks, credentials, identifiers)
    • Brute force detection (PIN codes, passwords)
    • Rate limiting / anti-spam audit
    • Proximity validation for location-based actions

    Phase 2: Performance

    • Thread analysis (Wait(0) loops, conditional sleep, RegisterKeyMapping)
    • Native call optimization (PlayerPedId, GetEntityCoords caching)
    • NUI message throttling and change detection
    • Database query optimization (N+1, indexes, caching)
    • Network overhead (broadcast vs targeted events, payload size)
    • Resmon estimation per resource (idle + active)

    Phase 3: Cleanup & Stability

    • playerDropped handler (cooldowns, locks, sessions, channels)
    • onResourceStop handler (NUI focus, freeze, cameras, props, HUD)
    • Memory leak detection (event handler stacking, unbounded tables)
    • Error resilience (pcall on DB, exports, json.decode)

    Phase 4: Compatibility

    • Frameworks: ESX Legacy, QBCore, QBox (ox_core), ox_lib, Standalone
    • Databases: oxmysql, mysql-async, ghmattimysql, ox_lib MySQL wrapper
    • fxmanifest.lua quality (cerulean, lua54, file order, provide)
    • Config audit (dead values, missing documentation, sensitive data scope)
    • Code quality (debug calls, naming, globals, deprecated patterns)

    Phase 5: Pre-Publish

    • LICENSE, .gitignore, README.md checks
    • Sensitive data scan (webhooks, credentials, IPs)
    • Manifest consistency across multi-resource packs
    • Forbidden files check (.git, .bak, node_modules, IDE config)

    Usage

    Navigate to your FiveM resource directory and use any of these:

    /fivem-audit

    Or ask naturally:

    • "audit this FiveM resource"
    • "check this script for security issues"
    • "optimize this resource's performance"
    • "is this script safe for production?"
    • "review this ESX resource"
    • "check compatibility with QBCore"

    Output

    The skill produces a structured report with:

    • Summary table with issue counts by severity and a score out of 100
    • Detailed findings with file:line locations, exploit descriptions, and exact code fixes
    • Performance metrics with resmon estimates and thread analysis
    • Compatibility matrix showing framework and database support
    • Cleanup status for playerDropped and onResourceStop handlers
    • Auto-fix offer to apply all fixes automatically

    Scoring

    | Score  | Status                        |
    |--------|-------------------------------|
    | 80-100 | Production ready              |
    | 60-79  | Needs fixes before production |
    | 0-59   | Not ready for production      |

    Severity Levels

    | Level    | Meaning                                    | Deduction     |
    |----------|--------------------------------------------|---------------|
    | CRITICAL | Money dupe, SQLi, RCE, perm bypass         | -15 per issue |
    | HIGH     | Griefing, DoS, 64+ player perf impact      | -8 per issue  |
    | MEDIUM   | Minor abuse, info exposure, moderate perf  | -3 per issue  |
    | LOW      | Code quality, naming, minor optimization   | -1 per issue  |

    Frameworks Supported

    | Framework      | Checks                                                         |
    |----------------|----------------------------------------------------------------|
    | ESX Legacy     | getSharedObject, xPlayer API, ESX callbacks, job system         |
    | QBCore         | GetCoreObject, Player.Functions, QBCore callbacks, job system   |
    | QBox (ox_core) | Ox.GetPlayer, ox_inventory, Ox permissions                     |
    | ox_lib         | lib.callback, lib.zones, lib.cache, lib.notify, MySQL wrapper   |
    | Standalone     | ACE permissions, native FiveM APIs                             |

    Database Drivers Checked

    | Driver       | Detection                                              |
    |--------------|--------------------------------------------------------|
    | oxmysql      | exports.oxmysql:execute/insert/update/scalar           |
    | mysql-async  | MySQL.Async.fetchAll/execute/insert/fetchScalar        |
    | ghmattimysql | exports.ghmattimysql:execute/scalar                    |
    | ox_lib MySQL | MySQL.query/insert/update/scalar (ox_lib wrapper)      |

    Common Vulnerabilities Detected

    | Vulnerability                 | Category | Example                                            |
    |-------------------------------|----------|----------------------------------------------------|
    | Client-sent player ID trusted | CRITICAL | TriggerServerEvent('giveMoney', targetId, amount)  |
    | SQL concatenation             | CRITICAL | 'SELECT * FROM users WHERE id = ' .. id            |
    | Negative money exploit        | CRITICAL | xPlayer.removeMoney(-99999) adds money             |
    | Race condition on purchase    | CRITICAL | Async check + deduct without mutex                 |
    | ExecuteCommand injection      | CRITICAL | ExecuteCommand('weather ' .. userInput)            |
    | No rate limiting              | HIGH     | Server events callable 1000x/second                |
    | No proximity check            | HIGH     | Buy vehicle from across the map                    |
    | Wait(0) unconditional         | HIGH     | 0.05ms wasted per frame permanently                |
    | Event handler stacking        | MEDIUM   | RegisterNetEvent inside NUI callback               |
    | Missing playerDropped         | MEDIUM   | Memory leak on server over 24h uptime              |
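    To make the Scoring section and the vulnerabilities table above concrete, here is an added example (not the fivem-audit skill's own code) that scans a Lua resource line by line for a few of the listed patterns and applies the README's deductions and thresholds. The rules, the detection regexes and both sample scripts are constructed for this example; the placeholder webhook id and token are not real.

```javascript
// Added example, not the fivem-audit skill's own code: a minimal line-based scanner
// for a few Lua patterns from the vulnerabilities table, plus the README's scoring
// formula. The rules and both sample resources below are constructed for this example.
const RULES = [
  // query string literal joined to a variable with Lua's ".." operator
  { id: 'sql-concat', severity: 'CRITICAL',
    re: /\b(?:MySQL\.[\w.]+|exports\.(?:oxmysql|ghmattimysql):\w+)\(\s*(['"])[^'"]*\1\s*\.\./ },
  // console command or HTTP request built by concatenating input
  { id: 'exec-concat', severity: 'CRITICAL',
    re: /\b(?:ExecuteCommand|PerformHttpRequest)\(\s*(['"])[^'"]*\1\s*\.\./ },
  // every Wait(0) is reported here; the real skill also checks that the loop is unconditional
  { id: 'wait0', severity: 'HIGH', re: /\bWait\(\s*0\s*\)/ },
  // hard-coded Discord webhook URL: sensitive data exposure
  { id: 'webhook-literal', severity: 'MEDIUM', re: /https:\/\/discord(?:app)?\.com\/api\/webhooks\// },
];
const DEDUCTION = { CRITICAL: 15, HIGH: 8, MEDIUM: 3, LOW: 1 }; // per issue, from the README
// Returns one { rule, severity, line } finding per rule hit, in file order (1-based lines).
function scanLua(source) {
  const findings = [];
  source.split('\n').forEach((text, i) => {
    for (const r of RULES) {
      if (r.re.test(text)) findings.push({ rule: r.id, severity: r.severity, line: i + 1 });
    }
  });
  return findings;
}
// Applies the README's deductions and status thresholds to a list of findings.
function scoreFindings(findings) {
  const score = Math.max(0, 100 - findings.reduce((s, f) => s + DEDUCTION[f.severity], 0));
  const status = score >= 80 ? 'Production ready'
    : score >= 60 ? 'Needs fixes before production' : 'Not ready for production';
  return { score, status };
}
// Constructed server script with the bad patterns (webhook id/token are placeholders).
const VULNERABLE = `local WEBHOOK = 'https://discord.com/api/webhooks/EXAMPLE_ID/EXAMPLE_TOKEN'
RegisterNetEvent('shop:buy')
AddEventHandler('shop:buy', function(item, amount)
  MySQL.query('SELECT * FROM users WHERE id = ' .. source, {}, function(rows) end)
  ExecuteCommand('weather ' .. item)
end)
CreateThread(function() while true do Wait(0) end end)`;
// Same handler with a parameterized query and no command building (constructed).
const HARDENED = `RegisterNetEvent('shop:buy')
AddEventHandler('shop:buy', function(item, amount)
  MySQL.query('SELECT * FROM users WHERE id = ?', { source }, function(rows) end)
end)`;
for (const src of [VULNERABLE, HARDENED]) console.log(scanLua(src), scoreFindings(scanLua(src)));
```

    The vulnerable sample scores 59 (two CRITICAL, one HIGH, one MEDIUM), just under the "Needs fixes" band; the hardened sample reports no findings and scores 100.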

    License

    MIT License - Dei