I'm Cole. I build open-source tools and contribute upstream where correctness matters — security, RF/SDR, accessibility, health tech.
Most of these are MIT; the three big apps are free for noncommercial use. Almost everything runs with zero dependencies, and most come with a live demo you can try in your browser right now — no install, no account. Pick whichever fits; each repo has the full story.
| Project | What it does |
|---|---|
| noslop | Catches the AI tells in your writing — buzzwords, filler, flat rhythm — and points you at what to fix before you hit send. Since v0.10.0 it reads source code too: narrated comments, chat residue, stock error handling, each flagged with the exact line. Sixteen languages, each with its own researched tell lists. Runs in your browser (UI in 32 languages), your terminal, CI, or as an agent skill. |
| hopandhaul | Finds when flying into a cheaper hub and taking the train the rest of the way beats flying direct. Click-the-map planner that runs in your browser with no install, 4,175 airports, UI in 46 languages. |
| liftmath | Strength-training math with receipts — consensus 1RM, load charts, volume landmarks, macros, plate loading, program templates. A web app plus a CLI, 32 languages. |
| translint | A linter for your translation files — catches missing keys, placeholder mismatches, and untranslated values before they ship. CLI, CI gate, pre-commit, or agent skill. Its site practices what it lints: 32 languages, RTL included. |
| skillxray | Reads an AI agent skill before you install it and flags what's hiding — prompt injection, invisible Unicode, curl-pipe-sh and reverse shells, credential theft, leaked keys — then grades it A–F. SARIF for the GitHub Security tab, exit codes for CI. Python, zero dependencies. |
| actbreak | A breakpoint debugger for GitHub Actions. Wraps act to pause a workflow mid-step, drop you into a live shell inside the job container, and resume when you're done. Python, zero dependencies. |
| webmcp-devtools | A Chrome DevTools panel that inspects and security-lints the WebMCP tools a web page hands to AI agents — a live tool table, a call-history timeline, and per-tool tool-poisoning checks. Plain JavaScript, no build step. |
| webmcp-lint | The same idea as a CI gate: lints a WebMCP tool manifest against Chrome's own security guidance before you ship it — read-only hints, untrusted-content flags, injection in tool descriptions, unconstrained parameters. Human, JSON, or SARIF out. Python, zero dependencies. |
| framewall | Scans a screenshot for prompt injection a person would miss but a vision model reads — hidden low-contrast text, fake system-message overlays, instructions buried in image metadata — before your agent acts on it. Reads the text with OCR when tesseract is around and falls back to image heuristics when it isn't. Python, Pillow only. |
| injection-fixtures | Known visual prompt-injection payloads packaged as pytest fixtures, so anyone building a screenshot or computer-use agent can test their defenses against poisoned images right in CI. Pip-installable, Pillow only. |
| sessionxray | Audits a Claude Code session transcript after the fact and tells you what the agent actually touched — files outside the project, unexpected outbound hosts, secret reads, destructive commands. A security lens on your own agent's run, all local. Python, zero dependencies. |
| toolsmell | Finds the smells in an MCP server's tool descriptions and schemas — the vague verbs, undocumented parameters, and missing return docs that quietly make agents worse at using your tools. For authors, before you publish. Python, zero dependencies. |
| wouldrun | Answers which GitHub Actions workflows would fire for a given diff or event, statically, without pushing or running act. Resolves triggers, branch and path filters, and reusable-workflow calls, and says why each one runs or doesn't. Python, zero dependencies. |
| ci-safety-gate | One GitHub Action that runs the checks an AI-era repo wants — noslop for slop, zizmor for workflow security, skillxray for agent skills, and a secrets scan — as a single pass-or-fail gate with one combined report. |
| coacheck | Reads a research-peptide Certificate of Analysis and does the math — real deliverable purity from the labeled amount, a red-flag checklist for thin or faked COAs, and reconstitution down to syringe units. A calculator, not advice. Python, zero dependencies. |
They're all open to contributors, several with issues tagged good first issue if you want a place to start. Stars genuinely help other people find them.
Forty-six have landed upstream, with another thirty-odd open across dozens more repos: correctness, security, RF/SDR, accessibility, and translation. A few that were fun to track down: a heap out-of-bounds read parsing short iCLASS dumps, byte-order corruption in RFID dump files, authenticode digest buffers that were never null-terminated in YARA, an OAuth open-redirect in a medical-records system, a flipped GPS hemisphere in a photo-evidence app, and a fixed-size HTTP header buffer that overflowed on emit.
| Repo | Change |
|---|---|
| VirusTotal/yara | Null-terminate authenticode digest/thumbprint hex buffers |
| VirusTotal/yara | Fix a string leak in CLI args_free |
| VirusTotal/yara | Honor -w/--no-warnings for the file-too-large skip message |
| YARAHQ/yara-forge | Align indexed and patterned hash meta fields |
| SigmaHQ/sigma | Add a vmmemWSL exception to the non-existing-file rule |
| splunk/security_content | Add a PreAuthType filter to the PetitPotam Kerberos detection |
| osquery/osquery | Scan XDG-base-directory Firefox profiles |
| osquery/osquery | Add the Windsurf .devin path to vscode_extensions |
| RfidResearchGroup/proxmark3 | Fix a heap out-of-bounds read in hf iclass view on short dumps |
| RfidResearchGroup/proxmark3 | Stop the IR56 wiegand decode leaking the header sentinel bit into the facility code |
| RfidResearchGroup/proxmark3 | Fix byte-swapped, corrupted EM 4x05 dump files |
| merbanan/rtl_433 | Fix a uint8_t offset wraparound in the m-bus payload parser |
| merbanan/rtl_433 | Restore a missing bitbuffer_clear in pulse_slicer_dmc |
| merbanan/rtl_433 | Fix swapped order/inversion nibbles in the secplus_v2 docs |
The rest of the merged list — RF/SDR, privacy, accessibility, localization, health
| Repo | Change |
|---|---|
| f4exb/sdrangel | Bump bundled faad2 to 2.10.1 to fix a heap overflow |
| f4exb/sdrangel | Fix a crash adding a LocalSink channel with no Local Input device |
| UberGuidoZ/Flipper | Fix dead links in the Sub-GHz docs |
| PentHertz/urh-ng | Decode int8 samples as signed char so magnitudes stay correct on ARM |
| jcsteh/osara | Make paste/duplicate screen-reader messages translatable |
| guardianproject/orbot-android | Request ACCESS_LOCAL_NETWORK before opening the proxy on all interfaces |
| ooni/probe-cli | Remove a stray debug print in the feature-flag cache |
| symfony/symfony | Fix the Finnish BIC/IBAN mismatch translation |
| symfony/symfony | Drop an always-true method_exists check |
| symfony/symfony | Fix broken placeholder translations across Armenian, Arabic, Basque, Turkish, Galician, Azerbaijani, Traditional Chinese, Finnish, and Welsh |
| ghostfolio/ghostfolio | Improve the French localization |
| ghostfolio/ghostfolio | Improve the Dutch localization |
| osquery/osquery | Fix a one-past-end iterator deref in vscode_extensions |
| monero-project/monero-gui | Fix a stale subaddress selection on the Receive page after switching accounts |
| mdn/translated-content | Correct the Japanese Reflect.deleteProperty() docs |
| openfoodfacts/open-prices | Remove an unreachable branch in the barcode short-code fixups |
| openfoodfacts/robotoff | Replace obsolete facet URLs with the /facets/ prefix |
Open / in review — 31 PRs across 23 more repos
Security and detection
- projectdiscovery/nuclei-templates #16579: detect exposed ZooKeeper even when 4lw commands are blocked, the default since 3.5.3
- elastic/detection-rules #6383: KQL wildcard lexer fails on escaped specials with spaces
- splunk/security_content #4147: computer-account filter in the service-ticket detection
- openemr/openemr #12768: validate
post_logout_redirect_uribefore redirecting (open-redirect) - chimera-nas/libevpl #114: fixed-size HTTP header buffer overflow on emit
- VirusTotal/yara #2224: bound the tilde-stream row count in
dotnet_parse_tilde_2 - YARAHQ/yara-forge #89: match author/reference/description meta keys case-insensitively
- semgrep/semgrep-rules #3999: stop flagging Renovate
packageRulesalready covered byminimumReleaseAge - semgrep/semgrep-rules #3998: remove the obsolete
no-replaceallrule - osquery/osquery #8989: fix the wrong
key_strengthfor Windows certificates - ffuf/ffuf #905: stop terminal control characters leaking into redirected output
- evilsocket/opensnitch #1634: fix a duplicated
a-zclass in auto-generated rule names
OSINT
- mxrch/GHunt #601: read
isDefaultfrom the API for profile photos instead of hashing the image - mxrch/GHunt #602: key profile photos by their own container, not the outer loop's
RF / SDR
- PentHertz/urh-ng #4: fix CRC data-range detection for reflected (
ref_out) CRCs
Accessibility
- patternfly/patternfly #8481: document listbox/option/aria-selected for select menus
Privacy / anti-censorship
- guardianproject/proofmode-android #136: correct the QR bitmap stride
- guardianproject/proofmode-android #135: correct the C2PA GPS hemisphere
Systems / web
- ClickHouse/click-ui #1141: default Button
htmlTypeto button - ClickHouse/click-ui #1140: respect a consumer-supplied
aria-label - openclimatefix/graph_weather #231: division-by-zero on single-axis grids
- openclimatefix/graph_weather #230: guard optional data-module imports
- hotosm/tasking-manager #7287: replace Nominatim reverse geocoding with pg-nearest-city
Health / food
- davidhealey/waistline #961: guard
Meals.initagainst overlapping calls - davidhealey/waistline #960: distinguish rate-limit/network errors from bad USDA keys
Localization
- TheIllusiveC4/Curios #622 and #621: Turkish placeholder and locale-casing bugs
- chubin/wttr.in #1279 and #1278: RTL mark and corrupted Persian/Hebrew/Arabic captions
- tolgee/tolgee-platform #3789: keep the zero plural form in Apple XLIFF export
- jsverse/transloco #940: respect currency in
numberFormatOptions
All of this is free and maintained on my own time. If one of these tools saves you a trip, a bad batch, or an afternoon of debugging, sponsoring is what keeps it that way — every sponsor gets a permanent line in SUPPORTERS.md.
Munzzyy1@proton.me
