I'm Cole. I build open-source tools and contribute upstream where correctness matters — security, RF/SDR, accessibility, health tech.
Everything below is free for noncommercial use and runs with zero dependencies. Most come with a live demo you can try in your browser right now — no install, no account. Pick whichever fits; each repo has the full story.
| Project | What it does |
|---|---|
| noslop | Catches the AI tells in your writing — buzzwords, filler, flat rhythm — and points you at what to fix before you hit send. Since v0.10.0 it reads source code too: narrated comments, chat residue, stock error handling, each flagged with the exact line. Sixteen languages, each with its own researched tell lists. Runs in your browser (UI in 32 languages), your terminal, CI, or as an agent skill. |
| hopandhaul | Finds when flying into a cheaper hub and taking the train the rest of the way beats flying direct. Click-the-map planner that runs in your browser with no install, 4,175 airports, UI in 46 languages. |
| liftmath | Strength-training math with receipts — consensus 1RM, load charts, volume landmarks, macros, plate loading, program templates. A web app plus a CLI, 32 languages. |
| translint | A linter for your translation files — catches missing keys, placeholder mismatches, and untranslated values before they ship. CLI, CI gate, pre-commit, or agent skill. Its site practices what it lints: 32 languages, RTL included. |
| skillxray | Reads an AI agent skill before you install it and flags what's hiding — prompt injection, invisible Unicode, curl-pipe-sh and reverse shells, credential theft, leaked keys — then grades it A–F. SARIF for the GitHub Security tab, exit codes for CI. Python, zero dependencies. |
| actbreak | A breakpoint debugger for GitHub Actions. Wraps act to pause a workflow mid-step, drop you into a live shell inside the job container, and resume when you're done. Python, zero dependencies. |
| webmcp-devtools | A Chrome DevTools panel that inspects and security-lints the WebMCP tools a web page hands to AI agents — a live tool table, a call-history timeline, and per-tool tool-poisoning checks. Plain JavaScript, no build step. |
They're all open to contributors, several with issues tagged good first issue if you want a place to start.
Thirty-seven landed upstream now, with another thirty-odd open across sixteen more repos: correctness, security, RF/SDR, accessibility, and translation. A few that were fun to track down: a heap out-of-bounds read parsing short iCLASS dumps, byte-order corruption in RFID dump files, authenticode digest buffers that were never null-terminated in YARA, an OAuth open-redirect in a medical-records system, a flipped GPS hemisphere in a photo-evidence app, and a fixed-size HTTP header buffer that overflowed on emit.
| Repo | Change |
|---|---|
| VirusTotal/yara | Null-terminate authenticode digest/thumbprint hex buffers |
| VirusTotal/yara | Fix a string leak in CLI args_free |
| VirusTotal/yara | Honor -w/--no-warnings for the file-too-large skip message |
| YARAHQ/yara-forge | Align indexed and patterned hash meta fields |
| SigmaHQ/sigma | Add a vmmemWSL exception to the non-existing-file rule |
| splunk/security_content | Add a PreAuthType filter to the PetitPotam Kerberos detection |
| osquery/osquery | Scan XDG-base-directory Firefox profiles |
| osquery/osquery | Add the Windsurf .devin path to vscode_extensions |
| RfidResearchGroup/proxmark3 | Fix a heap out-of-bounds read in hf iclass view on short dumps |
| RfidResearchGroup/proxmark3 | Stop the IR56 wiegand decode leaking the header sentinel bit into the facility code |
| RfidResearchGroup/proxmark3 | Fix byte-swapped, corrupted EM 4x05 dump files |
| merbanan/rtl_433 | Fix a uint8_t offset wraparound in the m-bus payload parser |
| merbanan/rtl_433 | Restore a missing bitbuffer_clear in pulse_slicer_dmc |
| merbanan/rtl_433 | Fix swapped order/inversion nibbles in the secplus_v2 docs |
| f4exb/sdrangel | Bump bundled faad2 to 2.10.1 to fix a heap overflow |
| f4exb/sdrangel | Fix a crash adding a LocalSink channel with no Local Input device |
| UberGuidoZ/Flipper | Fix dead links in the Sub-GHz docs |
| PentHertz/urh-ng | Decode int8 samples as signed char so magnitudes stay correct on ARM |
| jcsteh/osara | Make paste/duplicate screen-reader messages translatable |
| guardianproject/orbot-android | Request ACCESS_LOCAL_NETWORK before opening the proxy on all interfaces |
| ooni/probe-cli | Remove a stray debug print in the feature-flag cache |
| symfony/symfony | Fix the Finnish BIC/IBAN mismatch translation |
| symfony/symfony | Drop an always-true method_exists check |
| symfony/symfony | Fix broken placeholder translations across Armenian, Arabic, Basque, Turkish, Galician, Azerbaijani, Traditional Chinese, Finnish, and Welsh |
| ghostfolio/ghostfolio | Improve the French localization |
| ghostfolio/ghostfolio | Improve the Dutch localization |
| mdn/translated-content | Correct the Japanese Reflect.deleteProperty() docs |
| openfoodfacts/open-prices | Remove an unreachable branch in the barcode short-code fixups |
| openfoodfacts/robotoff | Replace obsolete facet URLs with the /facets/ prefix |
Open / in review — 30+ PRs across ~16 more repos
Security and detection
- elastic/detection-rules #6383: KQL wildcard lexer fails on escaped specials with spaces
- splunk/security_content #4147: computer-account filter in the service-ticket detection
- openemr/openemr #12768: validate
post_logout_redirect_uribefore redirecting (open-redirect) - chimera-nas/libevpl #114: fixed-size HTTP header buffer overflow on emit
- VirusTotal/yara #2224: bound the tilde-stream row count in
dotnet_parse_tilde_2 - VirusTotal/yara #2223: document the
YR_RE_SCAN_LIMITregex scan limit - YARAHQ/yara-forge #89: match author/reference/description meta keys case-insensitively
- semgrep/semgrep-rules #3999: stop flagging Renovate
packageRulesalready covered byminimumReleaseAge - semgrep/semgrep-rules #3998: remove the obsolete
no-replaceallrule - osquery/osquery #8990: fix a one-past-end iterator deref in
vscode_extensions - osquery/osquery #8989: fix the wrong
key_strengthfor Windows certificates - osquery/osquery #8991: add Edge and Flatpak paths to
chrome_extensionson Linux
RF / SDR
- PentHertz/urh-ng #4: fix CRC data-range detection for reflected (
ref_out) CRCs
Accessibility
- patternfly/patternfly #8481: document listbox/option/aria-selected for select menus
Privacy / anti-censorship
- guardianproject/proofmode-android #136: correct the QR bitmap stride
- guardianproject/proofmode-android #135: correct the C2PA GPS hemisphere
Systems / web
- ClickHouse/click-ui #1141: default Button
htmlTypeto button - ClickHouse/click-ui #1140: respect a consumer-supplied
aria-label - openclimatefix/graph_weather #231: division-by-zero on single-axis grids
- openclimatefix/graph_weather #230: guard optional data-module imports
- hotosm/tasking-manager #7287: replace Nominatim reverse geocoding with pg-nearest-city
Health / food
- davidhealey/waistline #961: guard
Meals.initagainst overlapping calls - davidhealey/waistline #960: distinguish rate-limit/network errors from bad USDA keys
- simonoppowa/OpenNutriTracker #513: catch silent 0-byte exports
Localization
- TheIllusiveC4/Curios #622 and #621: Turkish placeholder and locale-casing bugs
- chubin/wttr.in #1279 and #1278: RTL mark and corrupted Persian/Hebrew/Arabic captions
- ghostfolio/ghostfolio #7297: fix corrupted state attributes in the ca and tr locales
- ghostfolio/ghostfolio #7296: improve the Dutch localization
- tolgee/tolgee-platform #3789: keep the zero plural form in Apple XLIFF export
- jsverse/transloco #940: respect currency in
numberFormatOptions - simonoppowa/OpenNutriTracker #515 and #514: Slovak and English i18n keys
Munzzyy5@proton.me
