Skill Gallery
Back to list
TheDecipherist

security-audit

by TheDecipherist

The complete guide to Claude Code: CLAUDE.md, hooks, skills, MCP servers, and commands

223🍴 27📅 Jan 23, 2026
ai-agentsanthropicclaudeclaude-codeclaude-mdcoding-assistantdeveloper-toolsllm
View on GitHubRun in Manus

SKILL.md

name: security-audit description: Audit code and dependencies for security vulnerabilities. Use when reviewing PRs, checking dependencies, preparing for deployment, or when user mentions security, vulnerabilities, or audit.

Security Audit Skill

Perform comprehensive security audits on codebases to identify vulnerabilities before they reach production.

When to Use This Skill

  • User mentions "security", "audit", "vulnerability", "CVE"
  • Before deployment commands
  • During PR reviews
  • User asks about dependencies
  • Periodic security checks

Audit Checklist

1. Secrets Exposure

Check for hardcoded secrets:

# Search for common secret patterns
grep -rn "API_KEY\|SECRET\|TOKEN\|PASSWORD" --include="*.{js,ts,py,go,rb,java}" .
grep -rn "sk-\|pk_\|api_\|secret_" --include="*.{js,ts,py,go,rb,java}" .

Verify .gitignore:

# Ensure sensitive files are ignored
cat .gitignore | grep -E "\.env|secret|credential|\.pem|\.key"

Check git history for leaked secrets:

# Search recent commits (requires git-secrets or truffleHog)
git log -p --all -S "API_KEY" --since="30 days ago"

✅ Pass criteria:

  • No hardcoded API keys, tokens, or passwords
  • .env files in .gitignore
  • No secrets in git history

2. Dependency Vulnerabilities

Node.js:

npm audit
# or
yarn audit
# or  
pnpm audit

Python:

pip-audit
# or
safety check

Go:

govulncheck ./...

Rust:

cargo audit

✅ Pass criteria:

  • No critical vulnerabilities
  • No high vulnerabilities > 30 days old
  • Dependencies updated within last 90 days

3. Input Validation

Check for:

  • User inputs sanitized before use
  • SQL queries use parameterized statements
  • File paths validated and sandboxed
  • HTML content escaped before rendering
  • Command injection prevention

Common vulnerable patterns:

// BAD: SQL injection
db.query(`SELECT * FROM users WHERE id = ${userId}`)

// GOOD: Parameterized query
db.query('SELECT * FROM users WHERE id = ?', [userId])

# BAD: Command injection
os.system(f"convert {user_file}")

# GOOD: Use subprocess with list
subprocess.run(["convert", user_file], check=True)

4. Authentication & Authorization

Check for:

  • Passwords hashed with bcrypt/argon2 (not MD5/SHA1)
  • Session tokens are cryptographically random
  • Sessions expire appropriately
  • CSRF protection on state-changing endpoints
  • Rate limiting on auth endpoints
  • Account lockout after failed attempts

Look for:

// BAD: Weak hashing
crypto.createHash('md5').update(password)

// GOOD: Bcrypt
bcrypt.hash(password, 12)

5. HTTPS & Transport Security

Check for:

  • HTTPS enforced (HSTS header)
  • Secure cookie flags (Secure, HttpOnly, SameSite)
  • No mixed content warnings
  • TLS 1.2+ required

6. Error Handling

Check for:

  • Stack traces not exposed in production
  • Generic error messages for users
  • Detailed errors only in logs
  • Sensitive data not in error messages
// BAD: Exposes internals
res.status(500).send({ error: err.stack })

// GOOD: Generic message
res.status(500).send({ error: 'An unexpected error occurred' })

7. File Upload Security

If file uploads exist:

  • Validate file type server-side (not just extension)
  • Limit file size
  • Scan for malware
  • Store outside webroot
  • Rename uploaded files

8. API Security

  • Authentication required on all sensitive endpoints
  • Authorization checks per resource
  • Rate limiting implemented
  • CORS configured restrictively
  • API versioning in place

Severity Levels

LevelDescriptionAction Required
🔴 CriticalActively exploitableBlock deployment
🟠 HighExploitable with effortFix within 7 days
🟡 MediumRequires conditionsFix within 30 days
🟢 LowMinimal impactFix when convenient

Output Format

## Security Audit Results

**Project:** [name]
**Date:** [date]
**Auditor:** Claude (automated)

### Summary

| Severity | Count |
|----------|-------|
| 🔴 Critical | 0 |
| 🟠 High | 1 |
| 🟡 Medium | 2 |
| 🟢 Low | 3 |

### Findings

#### 1. [🟠 High] Hardcoded API Key

**Location:** `src/config.js:15`
**Description:** API key for payment provider is hardcoded
**Risk:** If source code is leaked, attackers gain API access
**Recommendation:** Move to environment variable

```diff
- const STRIPE_KEY = 'sk_live_abc123...'
+ const STRIPE_KEY = process.env.STRIPE_SECRET_KEY

2. [🟡 Medium] Missing Rate Limiting

Location: src/routes/auth.js Description: Login endpoint has no rate limiting Risk: Enables brute force attacks Recommendation: Add rate limiting middleware

Recommendations

  1. Fix critical and high issues before next deployment
  2. Schedule medium issues for next sprint
  3. Add low issues to backlog
  4. Re-run audit after fixes

## Commands to Run

After completing the audit, provide the user with:

1. Summary of findings
2. Prioritized fix list
3. Commands to address each issue
4. Timeline recommendation

Score

Total Score

75/100

Based on repository quality metrics

SKILL.md

SKILL.mdファイルが含まれている

+20
LICENSE

ライセンスが設定されている

+10
説明文

100文字以上の説明がある

0/10
人気

GitHub Stars 100以上

+5
最近の活動

1ヶ月以内に更新

+10
フォーク

10回以上フォークされている

+5
Issue管理

オープンIssueが50未満

+5
言語

プログラミング言語が設定されている

+5
タグ

1つ以上のタグが設定されている

+5

Reviews

💬

Reviews coming soon