security-audit

Audit code and dependencies for security vulnerabilities. Use when reviewing PRs, checking dependencies, preparing for deployment, or when user mentions security, vulnerabilities, or audit.

495 stars

Best use case

security-audit is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Teams using security-audit should expect more consistent output, faster repeated execution, and less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$ curl -o ~/.claude/skills/security-audit/SKILL.md --create-dirs "https://raw.githubusercontent.com/TheDecipherist/claude-code-mastery/main/skills/security-audit/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/security-audit/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How security-audit Compares

| Feature / Agent | security-audit | Standard Approach |
|-----------------|----------------|-------------------|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |

Frequently Asked Questions

What does this skill do?

Audit code and dependencies for security vulnerabilities. Use when reviewing PRs, checking dependencies, preparing for deployment, or when user mentions security, vulnerabilities, or audit.

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# Security Audit Skill

Perform comprehensive security audits on codebases to identify vulnerabilities before they reach production.

## When to Use This Skill

- User mentions "security", "audit", "vulnerability", "CVE"
- Before deployment commands
- During PR reviews
- User asks about dependencies
- Periodic security checks

## Audit Checklist

### 1. Secrets Exposure

**Check for hardcoded secrets:**
```bash
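# Search for common secret patterns.
# The brace list must stay outside the quotes so bash expands it into one
# --include per extension; grep itself does not understand {a,b} globs.
grep -rn "API_KEY\|SECRET\|TOKEN\|PASSWORD" --include='*.'{js,ts,py,go,rb,java} .
grep -rn "sk-\|pk_\|api_\|secret_" --include='*.'{js,ts,py,go,rb,java} .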
```

**Verify .gitignore:**
```bash
# Ensure sensitive files are ignored
grep -E "\.env|secret|credential|\.pem|\.key" .gitignore
```

**Check git history for leaked secrets:**
```bash
# Search recent commits with git's built-in pickaxe (-S);
# git-secrets or truffleHog give broader pattern coverage
git log -p --all -S "API_KEY" --since="30 days ago"
```

✅ Pass criteria:
- No hardcoded API keys, tokens, or passwords
- `.env` files in `.gitignore`
- No secrets in git history
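
The grep patterns above flag every mention of `TOKEN` or `SECRET`, including safe reads such as `process.env.STRIPE_SECRET_KEY`. The following added example (not part of the original skill) narrows the check to quoted literals assigned to secret-like names or starting with the listed key prefixes, and redacts what it reports; the function names, regexes, and sample input are constructed for illustration.

```python
import re
from pathlib import Path

# Source extensions taken from the grep commands above.
SOURCE_EXTS = {".js", ".ts", ".py", ".go", ".rb", ".java"}
# A secret-like name assigned a quoted literal of 8+ characters.
ASSIGNED = re.compile(
    r"""(?i)\b[\w.]*(api_?key|secret|token|password)\w*["']?\s*[:=]\s*["']([^"']{8,})["']"""
)
# Quoted literals that start with a key prefix (assumed shapes for this example).
PREFIXED = re.compile(r"""["']((?:sk-|sk_|pk_)[A-Za-z0-9_\-]{8,})["']""")

def redact(value):
    """Keep a short prefix so the finding is recognisable but not reusable."""
    return value[:4] + "*" * (len(value) - 4)

def scan_text(text, name="<input>"):
    """Return (file, line_no, redacted_value) for each suspected hardcoded secret."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for pattern, group in ((ASSIGNED, 2), (PREFIXED, 1)):
            match = pattern.search(line)
            if match:
                findings.append((name, line_no, redact(match.group(group))))
                break  # one finding per line is enough
    return findings

def scan_tree(root):
    """Walk a checkout, skipping .git and node_modules, and scan source files."""
    findings = []
    for path in Path(root).rglob("*"):
        if {".git", "node_modules"} & set(path.parts):
            continue
        if path.is_file() and path.suffix in SOURCE_EXTS:
            findings += scan_text(path.read_text(errors="ignore"), str(path))
    return findings

# Constructed sample: lines 1 and 3 hold literals, line 2 reads from the environment.
SAMPLE = (
    "const STRIPE_KEY = 'sk_live_EXAMPLEONLY0000'\n"
    "const OTHER_KEY = process.env.STRIPE_SECRET_KEY\n"
    'password = "hunter2-not-real"\n'
)

if __name__ == "__main__":
    for finding in scan_text(SAMPLE, "sample.js"):
        print("%s:%d: %s" % finding)
```

A clean result from a pattern scan like this does not satisfy the "no secrets in git history" criterion by itself; history still needs its own pass.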

### 2. Dependency Vulnerabilities

**Node.js:**
```bash
npm audit
# or
yarn audit
# or  
pnpm audit
```

**Python:**
```bash
pip-audit
# or
safety check
```

**Go:**
```bash
govulncheck ./...
```

**Rust:**
```bash
cargo audit
```

✅ Pass criteria:
- No critical vulnerabilities
- No high vulnerabilities > 30 days old
- Dependencies updated within last 90 days

### 3. Input Validation

**Check for:**
- User inputs sanitized before use
- SQL queries use parameterized statements
- File paths validated and sandboxed
- HTML content escaped before rendering
- Command injection prevention

**Common vulnerable patterns:**
```javascript
// BAD: SQL injection
db.query(`SELECT * FROM users WHERE id = ${userId}`)

// GOOD: Parameterized query
db.query('SELECT * FROM users WHERE id = ?', [userId])
```

```python
import os
import subprocess

# BAD: Command injection
os.system(f"convert {user_file}")

# GOOD: Use subprocess with list
subprocess.run(["convert", user_file], check=True)
```

### 4. Authentication & Authorization

**Check for:**
- Passwords hashed with bcrypt/argon2 (not MD5/SHA1)
- Session tokens are cryptographically random
- Sessions expire appropriately
- CSRF protection on state-changing endpoints
- Rate limiting on auth endpoints
- Account lockout after failed attempts

**Look for:**
```javascript
// BAD: Weak hashing
crypto.createHash('md5').update(password)

// GOOD: Bcrypt
bcrypt.hash(password, 12)
```

### 5. HTTPS & Transport Security

**Check for:**
- HTTPS enforced (HSTS header)
- Secure cookie flags (`Secure`, `HttpOnly`, `SameSite`)
- No mixed content warnings
- TLS 1.2+ required
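
The HSTS and cookie-flag items can be checked mechanically against captured response headers. This is an added example, not part of the original skill; the function names, the 180-day `max-age` threshold, and the sample headers are assumptions made for illustration.

```python
import re

MIN_HSTS_MAX_AGE = 15552000  # assumed threshold for this example: 180 days, in seconds

def check_hsts(headers):
    """Return issues with the Strict-Transport-Security header, if any."""
    values = [v for k, v in headers if k.lower() == "strict-transport-security"]
    if not values:
        return ["HSTS header missing"]
    match = re.search(r'max-age\s*=\s*"?(\d+)', values[0], re.I)
    if not match:
        return ["HSTS header has no max-age"]
    if int(match.group(1)) < MIN_HSTS_MAX_AGE:
        return ["HSTS max-age %s is below %d" % (match.group(1), MIN_HSTS_MAX_AGE)]
    return []

def check_cookies(headers):
    """Return one issue per missing Secure/HttpOnly/SameSite attribute."""
    issues = []
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        name = value.split("=", 1)[0].strip()
        # Attribute names are case-insensitive; values (e.g. SameSite=Lax) follow '='.
        attrs = {}
        for part in value.split(";")[1:]:
            attr, _, attr_value = part.strip().partition("=")
            attrs[attr.lower()] = attr_value.strip().lower()
        for required in ("secure", "httponly", "samesite"):
            if required not in attrs:
                issues.append("cookie %s: missing %s" % (name, required))
        # Browsers reject SameSite=None cookies that are not also Secure.
        if attrs.get("samesite") == "none" and "secure" not in attrs:
            issues.append("cookie %s: SameSite=None without Secure" % name)
    return issues

def audit_headers(headers):
    """Combine both checks for one response's (name, value) header pairs."""
    return check_hsts(headers) + check_cookies(headers)

# Constructed response headers: weak HSTS and a session cookie missing two flags.
SAMPLE = [
    ("Strict-Transport-Security", "max-age=3600"),
    ("Set-Cookie", "sid=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "theme=dark; Secure; HttpOnly; SameSite=Lax"),
]

if __name__ == "__main__":
    print("\n".join(audit_headers(SAMPLE)))
```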

### 6. Error Handling

**Check for:**
- Stack traces not exposed in production
- Generic error messages for users
- Detailed errors only in logs
- Sensitive data not in error messages

```javascript
// BAD: Exposes internals
res.status(500).send({ error: err.stack })

// GOOD: Generic message
res.status(500).send({ error: 'An unexpected error occurred' })
```

### 7. File Upload Security

If file uploads exist:
- Validate file type server-side (not just extension)
- Limit file size
- Scan for malware
- Store outside webroot
- Rename uploaded files
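
One way to combine the type, size, location, and renaming checks in a single upload handler, shown as an added example that is not part of the original skill. The accepted types, the 5 MiB limit, and all function names are assumptions; malware scanning is not covered because it needs an external scanner.

```python
import secrets
from pathlib import Path

MAX_BYTES = 5 * 1024 * 1024  # assumed size limit for this example: 5 MiB

# Leading "magic" bytes of the types this example accepts, mapped to a safe extension.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": ".png",
    b"\xff\xd8\xff": ".jpg",
    b"%PDF-": ".pdf",
}

class UploadRejected(ValueError):
    """Raised when an upload fails any of the checks below."""

def sniff_extension(data):
    """Derive the extension from file content, never from the client-supplied name."""
    for magic, ext in MAGIC.items():
        if data.startswith(magic):
            return ext
    raise UploadRejected("unrecognised file type")

def store_upload(data, upload_dir, webroot):
    """Validate an upload and write it under a random name outside the webroot."""
    if len(data) > MAX_BYTES:
        raise UploadRejected("file too large")
    ext = sniff_extension(data)
    upload_dir, webroot = Path(upload_dir).resolve(), Path(webroot).resolve()
    if upload_dir == webroot or webroot in upload_dir.parents:
        raise UploadRejected("upload directory is inside the webroot")
    # The stored name is random, so a client filename never reaches the filesystem.
    target = upload_dir / (secrets.token_hex(16) + ext)
    upload_dir.mkdir(parents=True, exist_ok=True)
    with open(target, "xb") as handle:  # "x" refuses to overwrite an existing file
        handle.write(data)
    return target

if __name__ == "__main__":
    import tempfile
    base = Path(tempfile.mkdtemp())
    (base / "public").mkdir()
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16  # constructed sample, not a real image
    print(store_upload(png, base / "uploads", base / "public"))
```

Magic-byte sniffing only establishes the leading signature of the content; it does not replace the malware scan listed above.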

### 8. API Security

- Authentication required on all sensitive endpoints
- Authorization checks per resource
- Rate limiting implemented
- CORS configured restrictively
- API versioning in place

## Severity Levels

| Level | Description | Action Required |
|-------|-------------|-----------------|
| 🔴 Critical | Actively exploitable | Block deployment |
| 🟠 High | Exploitable with effort | Fix within 7 days |
| 🟡 Medium | Requires conditions | Fix within 30 days |
| 🟢 Low | Minimal impact | Fix when convenient |

## Output Format

```markdown
## Security Audit Results

**Project:** [name]
**Date:** [date]
**Auditor:** Claude (automated)

### Summary

| Severity | Count |
|----------|-------|
| 🔴 Critical | 0 |
| 🟠 High | 1 |
| 🟡 Medium | 2 |
| 🟢 Low | 3 |

### Findings

#### 1. [🟠 High] Hardcoded API Key

**Location:** `src/config.js:15`
**Description:** API key for payment provider is hardcoded
**Risk:** If source code is leaked, attackers gain API access
**Recommendation:** Move to environment variable

~~~diff
- const STRIPE_KEY = 'sk_live_abc123...'
+ const STRIPE_KEY = process.env.STRIPE_SECRET_KEY
~~~

#### 2. [🟡 Medium] Missing Rate Limiting

**Location:** `src/routes/auth.js`
**Description:** Login endpoint has no rate limiting
**Risk:** Enables brute force attacks
**Recommendation:** Add rate limiting middleware

### Recommendations

1. [ ] Fix critical and high issues before next deployment
2. [ ] Schedule medium issues for next sprint
3. [ ] Add low issues to backlog
4. [ ] Re-run audit after fixes
```

## Commands to Run

After completing the audit, provide the user with:

1. Summary of findings
2. Prioritized fix list
3. Commands to address each issue
4. Timeline recommendation
