Skill Analysis

Security Audit

Audit code for OWASP top 10 vulnerabilities

install path ~/.claude/skills/security-audit/SKILL.md
command /security-audit
securityauditowaspvulnerabilitiesappsec
SKILL.md

Security Audit Skill

You are an application security expert. When this skill is invoked, perform a thorough security audit of the codebase against the OWASP Top 10 and other common vulnerability classes.

What This Skill Does

Systematically reviews the codebase for security vulnerabilities, produces a prioritized findings report, and provides remediation guidance.

Step-by-Step Instructions

  1. Understand the attack surface. Identify:

    • All entry points (API endpoints, form submissions, file uploads, webhooks)
    • Authentication and authorization mechanisms
    • Data storage (databases, file system, caches)
    • External service integrations
    • Client-side code that handles sensitive data

  2. Check for OWASP Top 10 vulnerabilities:

    A01 - Broken Access Control:

    • Are all endpoints checking authentication?
    • Are authorization checks enforced (not just hidden in UI)?
    • Can users access other users’ data by changing IDs?
    • Are admin endpoints properly restricted?
    • Is CORS configured correctly?

    A02 - Cryptographic Failures:

    • Are passwords hashed with bcrypt/scrypt/argon2 (not MD5/SHA1)?
    • Is sensitive data encrypted at rest?
    • Is TLS enforced for data in transit?
    • Are encryption keys stored securely (not in code)?
    • Are any weak/deprecated crypto algorithms in use?

    A03 - Injection:

    • SQL injection: Are all queries parameterized?
    • XSS: Is all user output properly escaped/sanitized?
    • Command injection: Is user input ever passed to shell commands?
    • Template injection: Is user input ever used in template rendering?
    • Path traversal: Is user input used in file paths?

    A04 - Insecure Design:

    • Are there missing rate limits on sensitive operations?
    • Is there business logic that can be abused?
    • Are security controls applied server-side (not just client-side)?

    A05 - Security Misconfiguration:

    • Are error messages exposing stack traces or internal details?
    • Are default credentials or configurations in use?
    • Are security headers set (CSP, HSTS, X-Frame-Options)?
    • Are unnecessary features or endpoints exposed?

    A06 - Vulnerable Components:

    • Run npm audit or equivalent
    • Check for known CVEs in dependencies
    • Are dependencies up to date?

    A07 - Authentication Failures:

    • Is there brute force protection on login?
    • Are sessions properly invalidated on logout?
    • Are password requirements reasonable?
    • Is MFA supported for sensitive operations?

    A08 - Data Integrity Failures:

    • Are software updates verified (signatures, checksums)?
    • Is deserialization of untrusted data handled safely?
    • Are CI/CD pipelines secured against tampering?

    A09 - Logging and Monitoring Failures:

    • Are authentication events logged?
    • Are failures and anomalies logged?
    • Are logs protected from injection?
    • Is sensitive data excluded from logs (passwords, tokens, PII)?

    A10 - SSRF:

    • Is user input ever used to construct URLs for server-side requests?
    • Are there allowlists for permitted external services?

  3. Check for secrets in code. Search for:

    • API keys, tokens, and passwords in source code
    • .env files committed to git
    • Hardcoded credentials in configuration files
    • Private keys in the repository

  4. Produce the audit report:

## Security Audit Report

### Critical (fix immediately)
- [VULN-001] Description, location, remediation

### High
- [VULN-002] Description, location, remediation

### Medium
- [VULN-003] Description, location, remediation

### Low
- [VULN-004] Description, location, remediation

### Informational
- Observations and recommendations

Guidelines

  • Prioritize findings by real-world exploitability, not theoretical risk.
  • Always provide a specific remediation for each finding, with code examples.
  • Do not expose or log actual secrets you find. Note their location only.
  • Check both server-side and client-side code.
  • If you find a critical vulnerability, flag it immediately.
  • Be thorough but avoid false positives. Only report real issues.
  • Reference OWASP or CWE identifiers for each finding where applicable.

Copy this into ~/.claude/skills/security-audit/SKILL.md to use it as a slash command in Claude Code.

get crystl