Agent skill

security-audit

General-purpose security auditing guide. Covers OWASP Top 10, dependency vulnerabilities, authentication, authorization, input validation, and secret management. Use this when performing a security review or audit.

Stars 1
Forks 0

Install this agent skill to your Project

npx add-skill https://github.com/s-hiraoku/synapse-a2a/tree/main/.claude/skills/security-audit

SKILL.md

Security Audit Skill

This skill provides a comprehensive framework for security auditing, ensuring that common vulnerabilities are identified and addressed during development and review.

Audit Checklist

1. OWASP Top 10 & Common Vulnerabilities

  • Injection: Check for SQL, Command, or NoSQL injection points. Ensure parameterized queries or proper escaping is used.
  • Broken Access Control: Verify that users cannot access resources outside of their intended permissions.
  • Insecure Design: Evaluate the overall architecture for security flaws.
  • Cryptographic Failures: Ensure sensitive data (passwords, PII) is encrypted at rest and in transit using modern algorithms (e.g., AES-256, TLS 1.3).

2. Dependency Management

  • Vulnerability Scanning: Check for known vulnerabilities in third-party libraries (e.g., using npm audit, pip-audit, or snyk).
  • Outdated Packages: Identify and update significantly outdated dependencies.

3. Authentication & Authorization

  • Credential Management: Ensure passwords are never stored in plain text (use Argon2, bcrypt, or scrypt).
  • Session Management: Verify secure session handling (HttpOnly, Secure, SameSite flags for cookies).
  • MFA/2FA: Check for the implementation or requirement of multi-factor authentication where appropriate.

4. Input Validation & Data Handling

  • Sanitization: Validate and sanitize all user-supplied data at the trust boundary.
  • Encoding: Ensure output encoding is used to prevent Cross-Site Scripting (XSS).
  • Secret Management: Confirm that API keys, secrets, and credentials are NOT committed to the repository (use environment variables or secret managers).

Usage Guidelines

When asked to "audit" or "perform a security review":

  1. Systematically go through each category above.
  2. For each finding, categorize it by severity (Critical, High, Medium, Low).
  3. Provide clear remediation steps for every identified issue.
  4. Document any positive security practices already in place.

Expand your agent's capabilities with these related and highly-rated skills.

s-hiraoku/synapse-a2a

task-planner

Guide for decomposing large tasks into a structured plan with dependency chains, managing priorities, and distributing work across agents. Outputs plan cards or delegation messages as the team contract; TodoList for personal micro-steps.

1 0
Explore
s-hiraoku/synapse-a2a

react-performance

Comprehensive React and Next.js performance optimization guide. Covers waterfall elimination, bundle size reduction, server-side optimization, re-render prevention, and rendering performance. Use when building, reviewing, or optimizing React/Next.js applications for speed.

1 0
Explore
s-hiraoku/synapse-a2a

release

Update version in pyproject.toml, plugin.json, and add changelog entry. This skill should be used when the user wants to bump the version number and update CHANGELOG.md. Triggered by /release or /version commands.

1 0
Explore
s-hiraoku/synapse-a2a

api-design

Guide API design for REST, GraphQL, gRPC, and CLI interfaces. Use this skill when designing new APIs, reviewing existing API contracts, or establishing API conventions for a project. Produces consistent, well-documented API specifications.

1 0
Explore
s-hiraoku/synapse-a2a

pr-guardian

Continuously monitor a GitHub PR for merge conflicts, CI failures, and CodeRabbit review comments, then automatically fix any issues found. Polls every 5 minutes and loops until every check is green. Use this skill whenever a PR has just been created or code has been pushed to a PR branch — it should be the default follow-up action after any PR creation or push. Also trigger on: "watch this PR", "guard this PR", "monitor CI", "keep fixing until green", "PRを監視して", "CIが通るまで 直して", /pr-guardian. When a PostToolUse hook reports that a push or PR creation just happened, proactively invoke this skill to start monitoring without waiting for the user to ask.

1 0
Explore
s-hiraoku/synapse-a2a

post-impl2

Workflow: Test workflow with non-existent agent target. . Triggered by /post-impl2 command.

1 0
Explore

Didn't find tool you were looking for?

Be as detailed as possible for better results