Security Audit

Audit code and dependencies for security vulnerabilities. Use this skill when a security review is requested, including OWASP checks, secrets scanning, and dependency audits.

5 stars

Best use case

Security Audit is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Audit code and dependencies for security vulnerabilities. Use this skill when a security review is requested, including OWASP checks, secrets scanning, and dependency audits.

Teams using Security Audit should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/security-audit/SKILL.md --create-dirs "https://raw.githubusercontent.com/BasharAmso/Bashi/main/.claude/skills/security-audit/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/security-audit/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How Security Audit Compares

Feature / AgentSecurity AuditStandard Approach
Platform SupportNot specifiedLimited / Varies
Context Awareness High Baseline
Installation ComplexityUnknownN/A

Frequently Asked Questions

What does this skill do?

Audit code and dependencies for security vulnerabilities. Use this skill when a security review is requested, including OWASP checks, secrets scanning, and dependency audits.

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# Skill: Security Audit

## Metadata

| Field | Value |
|-------|-------|
| **Skill ID** | SKL-0015 |
| **Version** | 1.0 |
| **Owner** | reviewer |
| **Inputs** | Target files, STATE.md, DECISIONS.md, dependency manifests |
| **Outputs** | Security report, STATE.md updated |
| **Triggers** | `SECURITY_REVIEW_REQUESTED` |

---

## Purpose

Find security vulnerabilities before they reach production. OWASP Top 10 scan, secrets detection, dependency audit, and auth review. Read-only analysis — never modifies source files.

> **See also:** For config-level defaults and hardcoded credentials, see SKL-0029 (Insecure Defaults). For security review of code diffs, see SKL-0030 (Differential Security Review). For dependency health and trust signals, see SKL-0031 (Supply Chain Audit).

---

## Procedure

1. **OWASP Top 10 scan** of target files:
   - Injection (SQL, command, template)
   - Broken auth (weak passwords, session issues, missing MFA)
   - Sensitive data exposure (unencrypted PII, logged secrets, verbose errors)
   - XSS/XXE (unsanitized input in HTML/XML/templates)
   - Broken access control (missing authz checks, privilege escalation)
   - Security misconfiguration (debug mode in prod, default credentials)
   - CSRF (missing tokens on state-changing operations)
2. **Secrets scan** across codebase:
   - API keys, passwords, tokens, private keys, connection strings
   - `.env` files committed to version control
   - Pattern matching for common secret formats (AWS keys, JWT secrets)
3. **Dependency audit** (if manifests exist):
   - Check for known CVEs
   - Flag outdated packages with vulnerabilities
   - Recommend patched versions
4. **Auth and authorization review:**
   - Tokens validated on every protected route?
   - Passwords hashed with strong algorithm (bcrypt, argon2)?
   - Session management secure (httpOnly, secure flags, expiry)?
   - Principle of least privilege followed?
5. **Produce security report** with severity ratings:
   - **CRITICAL:** Exploitable now, blocks deployment
   - **HIGH:** Serious risk, fix before merge
   - **MEDIUM:** Should fix, track in task queue
   - **LOW:** Best practice improvement
6. **Update STATE.md** with findings.

---

## Constraints

- Never modifies source files — read-only analysis
- Never logs, echoes, or exposes secrets — even in reports
- Never suggests disabling security features without justification
- Always recommends well-maintained libraries over custom crypto/auth

---

## Primary Agent

reviewer

---

## Definition of Done

- [ ] OWASP Top 10 scan completed
- [ ] Secrets scan completed
- [ ] Dependency audit completed (if manifests exist)
- [ ] Auth and authorization reviewed (if applicable)
- [ ] All findings rated by severity
- [ ] Security report written to STATE.md

## Output Contract

| Field | Value |
|-------|-------|
| **Artifacts** | Security audit report with severity-rated findings (CRITICAL / HIGH / MEDIUM / LOW) in Execution Summary |
| **State Update** | `.claude/project/STATE.md` — mark task complete, log files modified |
| **Handoff Event** | `TASK_COMPLETED` (findings reported) |

## Knowledge Enhancement (MCP mode)

If Cortex MCP is available:
1. Call `search_knowledge` with query derived from task (e.g., "OWASP security patterns", "authentication best practices"), category="patterns"
2. If relevant results found, call `get_fragment` on the top result
3. Apply as supplementary context (does not override this skill's procedure)

Related Skills

Supply Chain Audit

5
from BasharAmso/Bashi

Audit the dependency supply chain for security risks beyond what `npm audit` or `pip audit` catches. Analyzes dependency health, maintainer trust signals, typosquatting risk, and transitive dependency exposure.

SEO Audit

5
from BasharAmso/Bashi

Audit web pages for search engine optimization: meta tags, heading hierarchy, structured data, image optimization, mobile-friendliness, and content quality. Complements SKL-0013 (Growth & Distribution) by validating what was built.

Differential Security Review

5
from BasharAmso/Bashi

Security-focused review of code changes using git diff analysis. Identifies security implications of recent modifications — new attack surfaces, removed protections, changed auth logic, and risky refactors. Complements SKL-0016 (Code Review) with a security lens on diffs.

Token Audit

5
from BasharAmso/Bashi

Audit the current project for token waste patterns. Produces a Token Health Report with scored findings and actionable fixes. Use this skill when token usage feels high, sessions are hitting limits, or before optimizing costs.

Friction Audit

5
from BasharAmso/Bashi

Audit user-facing flows for unnecessary friction. Produces a friction report with scored findings and actionable fixes. Use this skill before launch readiness checks, after major UX changes, or when user drop-off is suspected.

Pitch Deck

5
from BasharAmso/Bashi

Create a structured pitch deck outline for investors, stakeholders, or partners. Covers problem, solution, market, traction, team, and ask. Natural output after PRD + Problem Stress Test validation.

Launch Checklist

5
from BasharAmso/Bashi

Pre-launch validation covering everything deployment (SKL-0021) doesn't: analytics, error tracking, social meta, legal pages, email setup, DNS, SSL, and go-live readiness. Produces a launch readiness report with pass/fail checklist. Use this skill before going live on any project.

Insecure Defaults Detection

5
from BasharAmso/Bashi

Detect insecure default configurations, hardcoded credentials, fail-open security patterns, and dangerous default values in application code and configuration files. Complements SKL-0015 (Security Audit) by focusing on configuration-level vulnerabilities that dependency scanners miss.

Copywriting

5
from BasharAmso/Bashi

Write conversion-focused copy using proven frameworks (AIDA, PAS, BAB). Produces headlines, CTAs, landing page copy, email sequences, and micro-copy. Ensures copy matches brand voice and target audience.

Competitor Analysis

5
from BasharAmso/Bashi

Structured competitor research: features, pricing, positioning, gaps, and differentiation strategy. Feeds into PRD Writing (SKL-0004) and Problem Stress Test (SKL-0027) with better market context.

UX Design

5
from BasharAmso/Bashi

Design user experiences including wireframes, flows, and interaction patterns. Use this skill when UX design work is requested, including onboarding flows and interface layouts.

User Acceptance Testing

5
from BasharAmso/Bashi

Structured QA testing with four modes: diff-aware (auto-scoped to branch changes), full (systematic exploration), quick (30-second smoke test), and regression (compare against baseline). Produces health score, structured reports, and actionable bug lists. Use this skill when UAT is requested or a feature is ready for acceptance testing.