Security Audit
Audit code and dependencies for security vulnerabilities. Use this skill when a security review is requested, including OWASP checks, secrets scanning, and dependency audits.
Best use case
Security Audit is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Audit code and dependencies for security vulnerabilities. Use this skill when a security review is requested, including OWASP checks, secrets scanning, and dependency audits.
Teams using Security Audit should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/security-audit/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How Security Audit Compares
| Feature / Agent | Security Audit | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Audit code and dependencies for security vulnerabilities. Use this skill when a security review is requested, including OWASP checks, secrets scanning, and dependency audits.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Skill: Security Audit ## Metadata | Field | Value | |-------|-------| | **Skill ID** | SKL-0015 | | **Version** | 1.0 | | **Owner** | reviewer | | **Inputs** | Target files, STATE.md, DECISIONS.md, dependency manifests | | **Outputs** | Security report, STATE.md updated | | **Triggers** | `SECURITY_REVIEW_REQUESTED` | --- ## Purpose Find security vulnerabilities before they reach production. OWASP Top 10 scan, secrets detection, dependency audit, and auth review. Read-only analysis — never modifies source files. > **See also:** For config-level defaults and hardcoded credentials, see SKL-0029 (Insecure Defaults). For security review of code diffs, see SKL-0030 (Differential Security Review). For dependency health and trust signals, see SKL-0031 (Supply Chain Audit). --- ## Procedure 1. **OWASP Top 10 scan** of target files: - Injection (SQL, command, template) - Broken auth (weak passwords, session issues, missing MFA) - Sensitive data exposure (unencrypted PII, logged secrets, verbose errors) - XSS/XXE (unsanitized input in HTML/XML/templates) - Broken access control (missing authz checks, privilege escalation) - Security misconfiguration (debug mode in prod, default credentials) - CSRF (missing tokens on state-changing operations) 2. **Secrets scan** across codebase: - API keys, passwords, tokens, private keys, connection strings - `.env` files committed to version control - Pattern matching for common secret formats (AWS keys, JWT secrets) 3. **Dependency audit** (if manifests exist): - Check for known CVEs - Flag outdated packages with vulnerabilities - Recommend patched versions 4. **Auth and authorization review:** - Tokens validated on every protected route? - Passwords hashed with strong algorithm (bcrypt, argon2)? - Session management secure (httpOnly, secure flags, expiry)? - Principle of least privilege followed? 5. **Produce security report** with severity ratings: - **CRITICAL:** Exploitable now, blocks deployment - **HIGH:** Serious risk, fix before merge - **MEDIUM:** Should fix, track in task queue - **LOW:** Best practice improvement 6. **Update STATE.md** with findings. --- ## Constraints - Never modifies source files — read-only analysis - Never logs, echoes, or exposes secrets — even in reports - Never suggests disabling security features without justification - Always recommends well-maintained libraries over custom crypto/auth --- ## Primary Agent reviewer --- ## Definition of Done - [ ] OWASP Top 10 scan completed - [ ] Secrets scan completed - [ ] Dependency audit completed (if manifests exist) - [ ] Auth and authorization reviewed (if applicable) - [ ] All findings rated by severity - [ ] Security report written to STATE.md ## Output Contract | Field | Value | |-------|-------| | **Artifacts** | Security audit report with severity-rated findings (CRITICAL / HIGH / MEDIUM / LOW) in Execution Summary | | **State Update** | `.claude/project/STATE.md` — mark task complete, log files modified | | **Handoff Event** | `TASK_COMPLETED` (findings reported) | ## Knowledge Enhancement (MCP mode) If Cortex MCP is available: 1. Call `search_knowledge` with query derived from task (e.g., "OWASP security patterns", "authentication best practices"), category="patterns" 2. If relevant results found, call `get_fragment` on the top result 3. Apply as supplementary context (does not override this skill's procedure)
Related Skills
Supply Chain Audit
Audit the dependency supply chain for security risks beyond what `npm audit` or `pip audit` catches. Analyzes dependency health, maintainer trust signals, typosquatting risk, and transitive dependency exposure.
SEO Audit
Audit web pages for search engine optimization: meta tags, heading hierarchy, structured data, image optimization, mobile-friendliness, and content quality. Complements SKL-0013 (Growth & Distribution) by validating what was built.
Differential Security Review
Security-focused review of code changes using git diff analysis. Identifies security implications of recent modifications — new attack surfaces, removed protections, changed auth logic, and risky refactors. Complements SKL-0016 (Code Review) with a security lens on diffs.
Token Audit
Audit the current project for token waste patterns. Produces a Token Health Report with scored findings and actionable fixes. Use this skill when token usage feels high, sessions are hitting limits, or before optimizing costs.
Friction Audit
Audit user-facing flows for unnecessary friction. Produces a friction report with scored findings and actionable fixes. Use this skill before launch readiness checks, after major UX changes, or when user drop-off is suspected.
Pitch Deck
Create a structured pitch deck outline for investors, stakeholders, or partners. Covers problem, solution, market, traction, team, and ask. Natural output after PRD + Problem Stress Test validation.
Launch Checklist
Pre-launch validation covering everything deployment (SKL-0021) doesn't: analytics, error tracking, social meta, legal pages, email setup, DNS, SSL, and go-live readiness. Produces a launch readiness report with pass/fail checklist. Use this skill before going live on any project.
Insecure Defaults Detection
Detect insecure default configurations, hardcoded credentials, fail-open security patterns, and dangerous default values in application code and configuration files. Complements SKL-0015 (Security Audit) by focusing on configuration-level vulnerabilities that dependency scanners miss.
Copywriting
Write conversion-focused copy using proven frameworks (AIDA, PAS, BAB). Produces headlines, CTAs, landing page copy, email sequences, and micro-copy. Ensures copy matches brand voice and target audience.
Competitor Analysis
Structured competitor research: features, pricing, positioning, gaps, and differentiation strategy. Feeds into PRD Writing (SKL-0004) and Problem Stress Test (SKL-0027) with better market context.
UX Design
Design user experiences including wireframes, flows, and interaction patterns. Use this skill when UX design work is requested, including onboarding flows and interface layouts.
User Acceptance Testing
Structured QA testing with four modes: diff-aware (auto-scoped to branch changes), full (systematic exploration), quick (30-second smoke test), and regression (compare against baseline). Produces health score, structured reports, and actionable bug lists. Use this skill when UAT is requested or a feature is ready for acceptance testing.