security-auditor

Use when reviewing authentication, authorization, user input, secrets, API keys, database queries, file uploads, session management, external API calls, OWASP risks, or data handling attack surface.

9 stars

Best use case

security-auditor is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Use when reviewing authentication, authorization, user input, secrets, API keys, database queries, file uploads, session management, external API calls, OWASP risks, or data handling attack surface.

Teams using security-auditor should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/security-auditor/SKILL.md --create-dirs "https://raw.githubusercontent.com/cofin/flow/main/plugins/flow/skills/security-auditor/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/security-auditor/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How security-auditor Compares

Feature / Agentsecurity-auditorStandard Approach
Platform SupportNot specifiedLimited / Varies
Context Awareness High Baseline
Installation ComplexityUnknownN/A

Frequently Asked Questions

What does this skill do?

Use when reviewing authentication, authorization, user input, secrets, API keys, database queries, file uploads, session management, external API calls, OWASP risks, or data handling attack surface.

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# Security Auditor

A security-focused reviewer that evaluates code for vulnerabilities, insecure patterns, and data handling risks. References the `perspectives` critic stance for structured analysis, applied specifically to security concerns.

## Dispatch

Can be dispatched as a subagent by code-review or flow-review workflows when changes touch security-sensitive areas.

## Direct Invocation

- "Security audit this authentication flow"
- "Review this for OWASP vulnerabilities"
- "Check this input handling for injection risks"
- "Audit the data handling in this endpoint"

<workflow>

## Workflow

### Step 1: Apply Persona

Think like an attacker to find exploitable weaknesses, then like a defender for fixes. Severity classification:

- **Critical** — Exploitable now, no preconditions or easily-met ones. Immediate fix required.
- **High** — Exploitable with effort or specific conditions. Fix before shipping.
- **Medium** — Defense-in-depth gap. Doesn't enable direct exploitation but reduces cost of other attacks. Fix next iteration.
- **Low** — Hardening improvement. More robust but no meaningful standalone risk. Fix when convenient.

### Step 2: OWASP Checklist

Work through each category (acknowledge secure categories briefly):

1. **Injection** (SQL, command, XSS) — Is user input sanitized? Are parameterized queries used? Is output encoded for the appropriate context?
2. **Authentication** — Are credentials stored securely (bcrypt/argon2, salted)? Are sessions managed correctly (secure/httpOnly cookies, regenerated on login)? Brute-force protections in place?
3. **Authorization** — Are access controls enforced at every entry point, not just UI? Can users escalate via ID manipulation (IDOR)? Are object-level permissions checked?
4. **Data exposure** — Are secrets hardcoded or committed to version control? Are sensitive fields (passwords, tokens, PII) appearing in logs? Is PII minimized and encrypted at rest?
5. **Input validation** — Is all external input validated at system boundaries? Are type, length, and format constraints enforced? Are file uploads validated for type and content?
6. **Configuration** — Are default credentials changed? Debug endpoints disabled in production? CORS policies restrictive? Security headers present (CSP, HSTS, X-Frame-Options)?
7. **Dependencies** — Known-vulnerable versions in use? Versions pinned (not floating ranges in production)? Unmaintained dependencies?
8. **Cryptography** — Strong algorithms (AES-256, SHA-256+, RSA-2048+, no MD5/SHA-1)? Key rotation? TLS enforced? CSPRNG for security-sensitive random values?

### Step 3: Report Findings

For each finding: OWASP category, severity, realistic attack vector, fix. Categories with no findings acknowledged briefly as secure.

</workflow>

<guardrails>

## Guardrails

- Findings must have realistic attack vectors, not theoretical ones requiring impossible preconditions
- Severity must be justified by actual exploitability, not theoretical purity
- Focus on what can actually be exploited given the system context
- Acknowledge when code is secure — thorough input validation and correct auth implementation deserve a note

</guardrails>

<validation>

### Validation Checkpoint

Before delivering findings, verify:

- [ ] Every finding has a realistic attack vector (not theoretical)
- [ ] Severity justified by actual exploitability
- [ ] Fixes are actionable and specific
- [ ] Categories with no findings briefly acknowledged as secure

</validation>

<example>

## Example

**Context:** Security audit of a user lookup API endpoint.

**Finding 1 — Injection (SQL) — Severity: Critical**
`db.query("SELECT * FROM users WHERE id = " + req.params.id)` concatenates user input directly into SQL. Attack vector: `GET /users/1;DROP TABLE users--` executes arbitrary SQL. Fix: use parameterized query `db.query("SELECT * FROM users WHERE id = $1", [req.params.id])`.

**Finding 2 — Data Exposure — Severity: High**
Error handler returns full stack trace in production response body: `res.json({ error: err.stack })`. Attack vector: trigger any error to learn framework version, file paths, and internal method names. Fix: return generic error to client, log stack trace server-side only.

**Finding 3 — Authorization — Severity: High**
Endpoint checks `req.user.isAuthenticated` but not whether the authenticated user owns the requested resource. Attack vector: any authenticated user can access any other user's data via `GET /users/{other_user_id}`. Fix: add `req.user.id === req.params.id` check or implement object-level permission middleware.

**Secure categories:** Authentication (bcrypt with salt, session regeneration on login), Input validation (express-validator with type/length constraints on all parameters), Dependencies (all pinned, no known CVEs).

</example>

## References Index

- **[Persona](references/persona.md)** — Role, approach, scope, severity classification, and guardrails
- **[Security Checklist](references/checklist.md)** — Eight OWASP-informed review categories
- **[Critic Stance](../perspectives/references/stances.md)** — Underlying stance prompt with ethical guardrails (from perspectives skill)

Related Skills

flow-memory-keeper

9
from cofin/flow

Use at task, phase, flow, sync, archive, finish, revise, or failure checkpoints to keep Flow specs clean, capture learnings and failures, elevate durable patterns, and refine this skill with project-specific nuances

vue

9
from cofin/flow

Use when editing Vue projects, .vue files, vue.config.js, Vue 3 components, Composition API, <script setup>, SFC state, deployment workflows, or Vue CI configuration.

vite

9
from cofin/flow

Use when editing Vite projects, vite.config.ts, vite.config.js, Vite plugins, HMR, asset bundling, frontend build settings, deployment config, or Litestar/Vite integration.

uvicorn

9
from cofin/flow

Use when deploying ASGI apps with uvicorn, editing uvicorn CLI commands, Config or Server usage, workers, reload, event loop selection, SSL, lifespan, logging, or development server behavior.

tracer

9
from cofin/flow

Use when tracing execution paths, mapping dependencies, understanding unfamiliar code, following data flow, investigating end-to-end behavior, debugging call chains, or deciding which files to read next.

testing

9
from cofin/flow

Use when writing or refactoring tests, editing test_*.py, *.test.ts, *.spec.ts, conftest.py, vitest.config.ts, pytest fixtures, mocks, coverage, async tests, anyio, or test failure debugging.

terraform

9
from cofin/flow

Use when creating, adopting, refactoring, or operating Terraform, *.tf files, .terraform.lock.hcl, terragrunt.hcl, root modules, backends, state, workspaces, imports, CI plan/apply, tests, or policy checks.

tanstack

9
from cofin/flow

Use when editing TanStack code, @tanstack imports, useQuery, createRouter, React Query, TanStack Router, Table, Form, Store, file-based routing, data fetching, or SPA state management.

tailwind

9
from cofin/flow

Use when styling with Tailwind CSS, editing tailwind.config.ts, tailwind.config.js, @tailwind directives, utility classes, responsive layouts, @apply, cn(), @theme config, dark mode, or forms.

svelte

9
from cofin/flow

Use when editing Svelte components, .svelte files, svelte.config.js, Svelte 5 runes, $state, $derived, SvelteKit, component state, or migrating away from Svelte 4 patterns.

sqlserver

9
from cofin/flow

Use when writing T-SQL, editing SQL Server .sql files, using sqlcmd, SQL Server connection strings, stored procedures, execution plans, indexes, Always On, JSON, security, or connector code.

sqlalchemy

9
from cofin/flow

Use when editing SQLAlchemy code, sqlalchemy imports, mapped_column, DeclarativeBase, ORM models, relationships, select() queries, async sessions, engines, events, or migrations.