~/.claude/skills/security-auditor/SKILL.md

Security Auditor
Scans code for OWASP Top 10 vulnerabilities: injection, XSS, CSRF, auth issues, exposed secrets, insecure dependencies.
---
name: security-auditor
description: |
  Scans code for OWASP Top 10 security vulnerabilities.
  IMPORTANT: Activate this skill whenever the user asks to "security audit",
  "check for vulnerabilities", "is this secure", or "security review".
  This skill MUST be used for all security audit requests.
---

# Security Auditor

Scans your codebase for OWASP Top 10 vulnerabilities: SQL injection, XSS, CSRF, broken authentication, exposed secrets, insecure dependencies, and more.

**Trigger:** Say any of these to activate this skill:

- "security audit"
- "check for vulnerabilities"
- "is this code secure?"
- "Use skill: security auditor"

**How It Works:**

Use the STRIDE threat model as the organizing framework:

1. **Spoofing (Identity):** Check authentication: password hashing, session management, token validation, OAuth callback verification
2. **Tampering (Data):** Scan API routes for injection vulnerabilities (SQL injection, command injection, NoSQL injection), check for unsigned or unvalidated request data
3. **Repudiation (Accountability):** Verify audit logging exists for destructive actions, check that user actions are attributable
4. **Information Disclosure:** Search for hardcoded secrets, verbose error messages leaking internals, directory listings, exposed stack traces in production, overly permissive CORS
5. **Denial of Service:** Check for missing rate limiting, unbounded queries (no LIMIT), regex DoS (ReDoS), and file upload size limits
6. **Elevation of Privilege:** Check frontend code for XSS (dangerouslySetInnerHTML, unsanitized DOM input), CSRF protection on state-changing endpoints, missing authorization checks (IDOR), RLS or middleware gaps
7. Check dependency vulnerabilities (npm audit, known CVEs)
8. Review HTTP security headers (CSP, HSTS, X-Frame-Options, Referrer-Policy)
9. Generate a prioritized report: critical, high, medium, low

**Guidelines:**

- Use STRIDE categories to ensure comprehensive coverage — check every category, not just the obvious ones
- Prioritize by exploitability: injection > XSS > CSRF > info disclosure > DoS
- For each finding, include: what's wrong, how it could be exploited, how to fix it
- Check both client and server code
- Do not just list theoretical risks; verify the vulnerability exists in the actual code
- Suggest the most standard fix (parameterized queries, CSP headers, rate limiting, etc.)

**Works With:**

- Best with: Claude Code CLI (can search the full codebase and run npm audit)
- Also works: Cursor, Windsurf
- Expects: A web application with API routes and user-facing features

**Output Format:**

- Security report grouped by severity (critical, high, medium, low)
- For each finding: description, affected file:line, exploitation scenario, fix
- Summary with total count by severity
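A first-pass candidate finder for three of the checks listed above (SQL built by string interpolation, `dangerouslySetInnerHTML`, hardcoded secrets), reporting `file:line` findings sorted by severity and by the exploitability order from the guidelines. This is an added example, not part of the skill file; the rule patterns, severity assignments and sample files are constructed assumptions, and every match is only a candidate that still needs verifying in the actual code.

```javascript
const SEVERITIES = ["critical", "high", "medium", "low"];
// Exploitability order taken from the skill's guidelines.
const PRIORITY = ["injection", "xss", "csrf", "info-disclosure", "dos"];
// Assumed rule set: patterns and severities are illustrative, not from the skill.
const RULES = [
  { id: "sql-interpolation", cls: "injection", severity: "critical",
    // SQL verb followed by template interpolation or string concatenation
    re: /\b(SELECT|INSERT|UPDATE|DELETE)\b[^;\n]*(\$\{|["'`]\s*\+)/i,
    fix: "Use a parameterized query" },
  { id: "react-raw-html", cls: "xss", severity: "high",
    re: /dangerouslySetInnerHTML/,
    fix: "Render as text, or sanitize the HTML first" },
  { id: "hardcoded-secret", cls: "info-disclosure", severity: "high",
    re: /\b(api[_-]?key|secret|password|token)\b\s*[:=]\s*["'][^"']{8,}["']/i,
    fix: "Load the value from the environment or a secret store" },
];
// Constructed sample input: file path -> source text.
const SAMPLE_FILES = {
  "api/users.js": [
    'const API_KEY = "constructed-not-a-real-key";',
    'app.get("/users", (req, res) => {',
    "  db.query(`SELECT * FROM users WHERE name = '${req.query.name}'`);",
    '  db.query("SELECT * FROM users WHERE id = $1 LIMIT 1", [req.query.id]);',
    "});",
  ].join("\n"),
  "web/Profile.jsx": [
    "export const Bio = ({ html }) =>",
    "  <div dangerouslySetInnerHTML={{ __html: html }} />;",
  ].join("\n"),
};

// Scan every line of every file and build the prioritized report.
function audit(files) {
  const findings = [];
  for (const [file, source] of Object.entries(files)) {
    source.split("\n").forEach((text, i) => {
      for (const { re, ...rule } of RULES) {
        if (re.test(text)) findings.push({ ...rule, location: `${file}:${i + 1}` });
      }
    });
  }
  findings.sort((a, b) =>
    SEVERITIES.indexOf(a.severity) - SEVERITIES.indexOf(b.severity) ||
    PRIORITY.indexOf(a.cls) - PRIORITY.indexOf(b.cls));
  const summary = Object.fromEntries(SEVERITIES.map((s) => [s, 0]));
  for (const f of findings) summary[f.severity] += 1;
  return { findings, summary };
}
console.log(JSON.stringify(audit(SAMPLE_FILES), null, 2));
```

The parameterized query on line 4 of the sample is deliberately left unflagged, which is the contrast the "most standard fix" guideline points at.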