← スキル一覧に戻る
security-auditor
by alirezarezvani
security-auditorは、業務プロセスの自動化を支援するスキルです。ワークフロー管理と自動化により、生産性の向上と運用効率の改善を実現します。
⭐ 442🍴 109📅 2026年1月23日
Manusで実行SKILL.md
name: security-auditor description: Continuous security vulnerability scanning for OWASP Top 10, common vulnerabilities, and insecure patterns. Use when reviewing code, before deployments, or on file changes. Scans for SQL injection, XSS, secrets exposure, auth issues. Triggers on file changes, security mentions, deployment prep. allowed-tools: Read, Grep, Bash
Security Auditor Skill
Automatic security vulnerability detection.
When I Activate
- ✅ Code files modified (especially auth, API, database)
- ✅ User mentions security or vulnerabilities
- ✅ Before deployments or commits
- ✅ Dependency changes
- ✅ Configuration file changes
What I Scan For
OWASP Top 10 Patterns
1. SQL Injection
// CRITICAL: SQL injection
const query = `SELECT * FROM users WHERE id = ${userId}`;
// SECURE: Parameterized query
const query = 'SELECT * FROM users WHERE id = ?';
db.query(query, [userId]);
2. XSS (Cross-Site Scripting)
// CRITICAL: XSS vulnerability
element.innerHTML = userInput;
// SECURE: Use textContent or sanitize
element.textContent = userInput;
// or
element.innerHTML = DOMPurify.sanitize(userInput);
3. Authentication Issues
// CRITICAL: Weak JWT secret
const token = jwt.sign(payload, 'secret123');
// SECURE: Strong secret from environment
const token = jwt.sign(payload, process.env.JWT_SECRET);
4. Sensitive Data Exposure
# CRITICAL: Exposed password
password = "admin123"
# SECURE: Environment variable
password = os.getenv("DB_PASSWORD")
5. Broken Access Control
// CRITICAL: No authorization check
app.delete('/api/users/:id', (req, res) => {
User.delete(req.params.id);
});
// SECURE: Authorization check
app.delete('/api/users/:id', auth, checkOwnership, (req, res) => {
User.delete(req.params.id);
});
Additional Security Checks
- Insecure Deserialization
- Security Misconfiguration
- Insufficient Logging
- CSRF Protection Missing
- CORS Misconfiguration
Alert Format
🚨 CRITICAL: [Vulnerability type]
📍 Location: file.js:42
🔧 Fix: [Specific remediation]
📖 Reference: [OWASP/CWE link]
Severity Levels
- 🚨 CRITICAL: Must fix immediately (exploitable vulnerabilities)
- ⚠️ HIGH: Should fix soon (security weaknesses)
- 📋 MEDIUM: Consider fixing (potential issues)
- 💡 LOW: Best practice improvements
Real-World Examples
SQL Injection Detection
// You write:
app.get('/users', (req, res) => {
const sql = `SELECT * FROM users WHERE name = '${req.query.name}'`;
db.query(sql, (err, results) => res.json(results));
});
// I alert:
🚨 CRITICAL: SQL injection vulnerability (line 2)
📍 File: routes/users.js, Line 2
🔧 Fix: Use parameterized queries
const sql = 'SELECT * FROM users WHERE name = ?';
db.query(sql, [req.query.name], ...);
📖 https://owasp.org/www-community/attacks/SQL_Injection
Password Storage
# You write:
def create_user(username, password):
user = User(username=username, password=password)
user.save()
# I alert:
🚨 CRITICAL: Storing plain text password (line 2)
📍 File: models.py, Line 2
🔧 Fix: Hash passwords before storing
from bcrypt import hashpw, gensalt
hashed = hashpw(password.encode(), gensalt())
user = User(username=username, password=hashed)
📖 Use bcrypt, scrypt, or argon2 for password hashing
API Key Exposure
// You write:
const stripe = require('stripe')('sk_live_abc123...');
// I alert:
🚨 CRITICAL: Hardcoded API key detected (line 1)
📍 File: payment.js, Line 1
🔧 Fix: Use environment variables
const stripe = require('stripe')(process.env.STRIPE_SECRET_KEY);
📖 Never commit API keys to version control
Dependency Scanning
I can run security audits on dependencies:
# Node.js
npm audit
# Python
pip-audit
# Results flagged with severity
Relationship with @code-reviewer Sub-Agent
Me (Skill): Quick vulnerability pattern detection @code-reviewer (Sub-Agent): Deep security audit with threat modeling
Workflow
- I detect vulnerability pattern
- I flag: "🚨 SQL injection detected"
- You want full analysis → Invoke @code-reviewer sub-agent
- Sub-agent provides comprehensive security audit
Common Vulnerability Patterns
Authentication
- Weak password policies
- Missing MFA
- Session fixation
- Insecure password storage
Authorization
- Missing access control
- Privilege escalation
- IDOR (Insecure Direct Object Reference)
Data Protection
- Unencrypted sensitive data
- Weak encryption algorithms
- Missing HTTPS
- Insecure cookies
Input Validation
- SQL injection
- Command injection
- XSS
- Path traversal
Sandboxing Compatibility
Works without sandboxing: ✅ Yes Works with sandboxing: ✅ Yes
Optional: For dependency scanning
{
"network": {
"allowedDomains": [
"registry.npmjs.org",
"pypi.org",
"api.github.com"
]
}
}
Integration with Tools
With secret-scanner Skill
security-auditor: Checks code patterns
secret-scanner: Checks for exposed secrets
Together: Comprehensive security coverage
With /review Command
/review --scope staged --checks security
# Workflow:
# 1. My automatic security findings
# 2. @code-reviewer sub-agent deep audit
# 3. Comprehensive security report
Customization
Add company-specific security patterns:
cp -r ~/.claude/skills/security/security-auditor \
~/.claude/skills/security/company-security-auditor
# Edit SKILL.md to add:
# - Internal API patterns
# - Company security policies
# - Custom vulnerability checks
Learn More
スコア
総合スコア
85/100
リポジトリの品質指標に基づく評価
✓SKILL.md
SKILL.mdファイルが含まれている
+20
✓LICENSE
ライセンスが設定されている
+10
✓説明文
100文字以上の説明がある
+10
✓人気
GitHub Stars 100以上
+5
✓最近の活動
1ヶ月以内に更新
+10
✓フォーク
10回以上フォークされている
+5
✓Issue管理
オープンIssueが50未満
+5
✓言語
プログラミング言語が設定されている
+5
✓タグ
1つ以上のタグが設定されている
+5
レビュー
💬
レビュー機能は近日公開予定です
