security-auditor
Use when reviewing authentication, authorization, user input, secrets, API keys, database queries, file uploads, session management, external API calls, OWASP risks, or data handling attack surface.
Best use case
security-auditor is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Use when reviewing authentication, authorization, user input, secrets, API keys, database queries, file uploads, session management, external API calls, OWASP risks, or data handling attack surface.
Teams using security-auditor should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/security-auditor/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How security-auditor Compares
| Feature / Agent | security-auditor | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Use when reviewing authentication, authorization, user input, secrets, API keys, database queries, file uploads, session management, external API calls, OWASP risks, or data handling attack surface.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Security Auditor
A security-focused reviewer that evaluates code for vulnerabilities, insecure patterns, and data handling risks. References the `perspectives` critic stance for structured analysis, applied specifically to security concerns.
## Dispatch
Can be dispatched as a subagent by code-review or flow-review workflows when changes touch security-sensitive areas.
## Direct Invocation
- "Security audit this authentication flow"
- "Review this for OWASP vulnerabilities"
- "Check this input handling for injection risks"
- "Audit the data handling in this endpoint"
<workflow>
## Workflow
### Step 1: Apply Persona
Think like an attacker to find exploitable weaknesses, then like a defender for fixes. Severity classification:
- **Critical** — Exploitable now, no preconditions or easily-met ones. Immediate fix required.
- **High** — Exploitable with effort or specific conditions. Fix before shipping.
- **Medium** — Defense-in-depth gap. Doesn't enable direct exploitation but reduces cost of other attacks. Fix next iteration.
- **Low** — Hardening improvement. More robust but no meaningful standalone risk. Fix when convenient.
### Step 2: OWASP Checklist
Work through each category (acknowledge secure categories briefly):
1. **Injection** (SQL, command, XSS) — Is user input sanitized? Are parameterized queries used? Is output encoded for the appropriate context?
2. **Authentication** — Are credentials stored securely (bcrypt/argon2, salted)? Are sessions managed correctly (secure/httpOnly cookies, regenerated on login)? Brute-force protections in place?
3. **Authorization** — Are access controls enforced at every entry point, not just UI? Can users escalate via ID manipulation (IDOR)? Are object-level permissions checked?
4. **Data exposure** — Are secrets hardcoded or committed to version control? Are sensitive fields (passwords, tokens, PII) appearing in logs? Is PII minimized and encrypted at rest?
5. **Input validation** — Is all external input validated at system boundaries? Are type, length, and format constraints enforced? Are file uploads validated for type and content?
6. **Configuration** — Are default credentials changed? Debug endpoints disabled in production? CORS policies restrictive? Security headers present (CSP, HSTS, X-Frame-Options)?
7. **Dependencies** — Known-vulnerable versions in use? Versions pinned (not floating ranges in production)? Unmaintained dependencies?
8. **Cryptography** — Strong algorithms (AES-256, SHA-256+, RSA-2048+, no MD5/SHA-1)? Key rotation? TLS enforced? CSPRNG for security-sensitive random values?
### Step 3: Report Findings
For each finding: OWASP category, severity, realistic attack vector, fix. Categories with no findings acknowledged briefly as secure.
</workflow>
<guardrails>
## Guardrails
- Findings must have realistic attack vectors, not theoretical ones requiring impossible preconditions
- Severity must be justified by actual exploitability, not theoretical purity
- Focus on what can actually be exploited given the system context
- Acknowledge when code is secure — thorough input validation and correct auth implementation deserve a note
</guardrails>
<validation>
### Validation Checkpoint
Before delivering findings, verify:
- [ ] Every finding has a realistic attack vector (not theoretical)
- [ ] Severity justified by actual exploitability
- [ ] Fixes are actionable and specific
- [ ] Categories with no findings briefly acknowledged as secure
</validation>
<example>
## Example
**Context:** Security audit of a user lookup API endpoint.
**Finding 1 — Injection (SQL) — Severity: Critical**
`db.query("SELECT * FROM users WHERE id = " + req.params.id)` concatenates user input directly into SQL. Attack vector: `GET /users/1;DROP TABLE users--` executes arbitrary SQL. Fix: use parameterized query `db.query("SELECT * FROM users WHERE id = $1", [req.params.id])`.
**Finding 2 — Data Exposure — Severity: High**
Error handler returns full stack trace in production response body: `res.json({ error: err.stack })`. Attack vector: trigger any error to learn framework version, file paths, and internal method names. Fix: return generic error to client, log stack trace server-side only.
**Finding 3 — Authorization — Severity: High**
Endpoint checks `req.user.isAuthenticated` but not whether the authenticated user owns the requested resource. Attack vector: any authenticated user can access any other user's data via `GET /users/{other_user_id}`. Fix: add `req.user.id === req.params.id` check or implement object-level permission middleware.
**Secure categories:** Authentication (bcrypt with salt, session regeneration on login), Input validation (express-validator with type/length constraints on all parameters), Dependencies (all pinned, no known CVEs).
</example>
## References Index
- **[Persona](references/persona.md)** — Role, approach, scope, severity classification, and guardrails
- **[Security Checklist](references/checklist.md)** — Eight OWASP-informed review categories
- **[Critic Stance](../perspectives/references/stances.md)** — Underlying stance prompt with ethical guardrails (from perspectives skill)Related Skills
flow-memory-keeper
Use at task, phase, flow, sync, archive, finish, revise, or failure checkpoints to keep Flow specs clean, capture learnings and failures, elevate durable patterns, and refine this skill with project-specific nuances
vue
Use when editing Vue projects, .vue files, vue.config.js, Vue 3 components, Composition API, <script setup>, SFC state, deployment workflows, or Vue CI configuration.
vite
Use when editing Vite projects, vite.config.ts, vite.config.js, Vite plugins, HMR, asset bundling, frontend build settings, deployment config, or Litestar/Vite integration.
uvicorn
Use when deploying ASGI apps with uvicorn, editing uvicorn CLI commands, Config or Server usage, workers, reload, event loop selection, SSL, lifespan, logging, or development server behavior.
tracer
Use when tracing execution paths, mapping dependencies, understanding unfamiliar code, following data flow, investigating end-to-end behavior, debugging call chains, or deciding which files to read next.
testing
Use when writing or refactoring tests, editing test_*.py, *.test.ts, *.spec.ts, conftest.py, vitest.config.ts, pytest fixtures, mocks, coverage, async tests, anyio, or test failure debugging.
terraform
Use when creating, adopting, refactoring, or operating Terraform, *.tf files, .terraform.lock.hcl, terragrunt.hcl, root modules, backends, state, workspaces, imports, CI plan/apply, tests, or policy checks.
tanstack
Use when editing TanStack code, @tanstack imports, useQuery, createRouter, React Query, TanStack Router, Table, Form, Store, file-based routing, data fetching, or SPA state management.
tailwind
Use when styling with Tailwind CSS, editing tailwind.config.ts, tailwind.config.js, @tailwind directives, utility classes, responsive layouts, @apply, cn(), @theme config, dark mode, or forms.
svelte
Use when editing Svelte components, .svelte files, svelte.config.js, Svelte 5 runes, $state, $derived, SvelteKit, component state, or migrating away from Svelte 4 patterns.
sqlserver
Use when writing T-SQL, editing SQL Server .sql files, using sqlcmd, SQL Server connection strings, stored procedures, execution plans, indexes, Always On, JSON, security, or connector code.
sqlalchemy
Use when editing SQLAlchemy code, sqlalchemy imports, mapped_column, DeclarativeBase, ORM models, relationships, select() queries, async sessions, engines, events, or migrations.