Agent skill
security-auditor
Continuous security vulnerability scanning for OWASP Top 10, common vulnerabilities, and insecure patterns. Use when reviewing code, before deployments, or on file changes. Scans for SQL injection, XSS, secrets exposure, auth issues. Triggers on file changes, security mentions, deployment prep.
Install this agent skill to your Project
npx add-skill https://github.com/alirezarezvani/claude-code-tresor/tree/main/skills/security/security-auditor
SKILL.md
Security Auditor Skill
Automatic security vulnerability detection.
When I Activate
- ✅ Code files modified (especially auth, API, database)
- ✅ User mentions security or vulnerabilities
- ✅ Before deployments or commits
- ✅ Dependency changes
- ✅ Configuration file changes
What I Scan For
OWASP Top 10 Patterns
1. SQL Injection
// CRITICAL: SQL injection
const query = `SELECT * FROM users WHERE id = ${userId}`;
// SECURE: Parameterized query
const query = 'SELECT * FROM users WHERE id = ?';
db.query(query, [userId]);
2. XSS (Cross-Site Scripting)
// CRITICAL: XSS vulnerability
element.innerHTML = userInput;
// SECURE: Use textContent or sanitize
element.textContent = userInput;
// or
element.innerHTML = DOMPurify.sanitize(userInput);
3. Authentication Issues
// CRITICAL: Weak JWT secret
const token = jwt.sign(payload, 'secret123');
// SECURE: Strong secret from environment
const token = jwt.sign(payload, process.env.JWT_SECRET);
4. Sensitive Data Exposure
# CRITICAL: Exposed password
password = "admin123"
# SECURE: Environment variable
import os
password = os.getenv("DB_PASSWORD")
5. Broken Access Control
// CRITICAL: No authorization check
app.delete('/api/users/:id', (req, res) => {
  User.delete(req.params.id);
});
// SECURE: Authorization check
app.delete('/api/users/:id', auth, checkOwnership, (req, res) => {
  User.delete(req.params.id);
});
Additional Security Checks
- Insecure Deserialization
- Security Misconfiguration
- Insufficient Logging
- CSRF Protection Missing
- CORS Misconfiguration
Alert Format
🚨 CRITICAL: [Vulnerability type]
📍 Location: file.js:42
🔧 Fix: [Specific remediation]
📖 Reference: [OWASP/CWE link]
Severity Levels
- 🚨 CRITICAL: Must fix immediately (exploitable vulnerabilities)
- ⚠️ HIGH: Should fix soon (security weaknesses)
- 📋 MEDIUM: Consider fixing (potential issues)
- 💡 LOW: Best practice improvements
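The alert format and severity levels above can be produced by per-line pattern matching over the snippets listed under "What I Scan For". The following is an added example, not the skill's own implementation: the rule set, `scan()` and `formatAlert()` are assumptions for illustration, and the sample input is constructed from the snippets on this page.

```javascript
// Added example (not the skill's code): illustrative rules; matching is per line and heuristic.
const RULES = [
  { type: 'SQL injection', severity: 'CRITICAL',
    // SQL keyword plus a ${...} interpolation inside one template literal
    re: /`[^`]*\b(SELECT|INSERT|UPDATE|DELETE)\b[^`]*\$\{[^}]+\}[^`]*`/i,
    fix: 'Use parameterized queries',
    ref: 'https://owasp.org/www-community/attacks/SQL_Injection' },
  { type: 'XSS via innerHTML', severity: 'CRITICAL',
    // innerHTML assignment whose right-hand side is not DOMPurify.sanitize(...)
    re: /\.innerHTML\s*\+?=(?!=)(?!\s*DOMPurify\.sanitize\()/,
    fix: 'Use textContent or DOMPurify.sanitize()', ref: 'CWE-79' },
  { type: 'Hardcoded JWT secret', severity: 'CRITICAL',
    // second argument of jwt.sign() is a string literal
    re: /jwt\.sign\([^,]+,\s*['"`][^'"`]*['"`]/,
    fix: 'Read the signing secret from the environment', ref: 'CWE-321' },
  { type: 'Hardcoded credential', severity: 'CRITICAL',
    // quoted sk_live_ key, or password/secret assigned a string literal
    re: /['"`]sk_live_\w+|\b(password|passwd|secret)\s*=\s*['"][^'"]+['"]/i,
    fix: 'Use environment variables', ref: 'CWE-798' },
  { type: 'Route without authorization middleware', severity: 'HIGH',
    // handler directly follows the path; HIGH because app.use() may add auth globally
    re: /\bapp\.(delete|put|patch|post)\(\s*['"][^'"]+['"]\s*,\s*(async\s*)?\(?\s*req\b/,
    fix: 'Add auth and ownership middleware before the handler', ref: 'CWE-862' },
];
const ICON = { CRITICAL: '🚨', HIGH: '⚠️', MEDIUM: '📋', LOW: '💡' };

// One finding per (line, rule) match; line numbers are 1-based.
function scan(file, source) {
  return source.split('\n').flatMap((text, i) => RULES
    .filter(({ re }) => re.test(text))
    .map(({ re, ...rule }) => ({ ...rule, file, line: i + 1 })));
}

// Render a finding in the four-line alert format.
function formatAlert(f) {
  return `${ICON[f.severity]} ${f.severity}: ${f.type}\n📍 Location: ${f.file}:${f.line}\n` +
    `🔧 Fix: ${f.fix}\n📖 Reference: ${f.ref}`;
}

// Constructed sample: vulnerable lines next to their fixed forms.
const SAMPLE = [
  "const sql = `SELECT * FROM users WHERE name = '${req.query.name}'`;",
  "el.innerHTML = userInput;",
  "el.innerHTML = DOMPurify.sanitize(userInput);",
  "const token = jwt.sign(payload, 'secret123');",
  "app.delete('/api/users/:id', (req, res) => {});",
  "app.delete('/api/users/:id', auth, checkOwnership, (req, res) => {});",
  "const stripe = require('stripe')('sk_live_abc123');",
].join('\n');
console.log(scan('routes/users.js', SAMPLE).map(formatAlert).join('\n\n'));
```

Per-line regexes miss multi-line template literals and string concatenation, and they flag static `innerHTML` assignments, so findings from this kind of check are a prompt for review rather than a verdict.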
Real-World Examples
SQL Injection Detection
// You write:
app.get('/users', (req, res) => {
  const sql = `SELECT * FROM users WHERE name = '${req.query.name}'`;
  db.query(sql, (err, results) => res.json(results));
});
// I alert:
🚨 CRITICAL: SQL injection vulnerability (line 2)
📍 File: routes/users.js, Line 2
🔧 Fix: Use parameterized queries
  const sql = 'SELECT * FROM users WHERE name = ?';
  db.query(sql, [req.query.name], ...);
📖 https://owasp.org/www-community/attacks/SQL_Injection
Password Storage
# You write:
def create_user(username, password):
    user = User(username=username, password=password)
    user.save()
# I alert:
🚨 CRITICAL: Storing plain text password (line 2)
📍 File: models.py, Line 2
🔧 Fix: Hash passwords before storing
    from bcrypt import hashpw, gensalt
    hashed = hashpw(password.encode(), gensalt())
    user = User(username=username, password=hashed)
📖 Use bcrypt, scrypt, or argon2 for password hashing
API Key Exposure
// You write:
const stripe = require('stripe')('sk_live_abc123...');
// I alert:
🚨 CRITICAL: Hardcoded API key detected (line 1)
📍 File: payment.js, Line 1
🔧 Fix: Use environment variables
const stripe = require('stripe')(process.env.STRIPE_SECRET_KEY);
📖 Never commit API keys to version control
Dependency Scanning
I can run security audits on dependencies:
# Node.js
npm audit
# Python
pip-audit
# Results flagged with severity
Relationship with @code-reviewer Sub-Agent
Me (Skill): Quick vulnerability pattern detection
@code-reviewer (Sub-Agent): Deep security audit with threat modeling
Workflow
- I detect vulnerability pattern
- I flag: "🚨 SQL injection detected"
- You want full analysis → Invoke @code-reviewer sub-agent
- Sub-agent provides comprehensive security audit
Common Vulnerability Patterns
Authentication
- Weak password policies
- Missing MFA
- Session fixation
- Insecure password storage
Authorization
- Missing access control
- Privilege escalation
- IDOR (Insecure Direct Object Reference)
Data Protection
- Unencrypted sensitive data
- Weak encryption algorithms
- Missing HTTPS
- Insecure cookies
Input Validation
- SQL injection
- Command injection
- XSS
- Path traversal
Sandboxing Compatibility
Works without sandboxing: ✅ Yes
Works with sandboxing: ✅ Yes
Optional: For dependency scanning
{
  "network": {
    "allowedDomains": [
      "registry.npmjs.org",
      "pypi.org",
      "api.github.com"
    ]
  }
}
Integration with Tools
With secret-scanner Skill
security-auditor: Checks code patterns
secret-scanner: Checks for exposed secrets
Together: Comprehensive security coverage
With /review Command
/review --scope staged --checks security
# Workflow:
# 1. My automatic security findings
# 2. @code-reviewer sub-agent deep audit
# 3. Comprehensive security report
Customization
Add company-specific security patterns:
cp -r ~/.claude/skills/security/security-auditor \
~/.claude/skills/security/company-security-auditor
# Edit SKILL.md to add:
# - Internal API patterns
# - Company security policies
# - Custom vulnerability checks
Learn More
- OWASP Top 10
- CWE Top 25
- Security Best Practices