# security-audit (agent skill)

RLS validation, security audits, OWASP compliance, and vulnerability scanning. Use when validating RLS policies, auditing API routes, or scanning for security issues.

Install this agent skill into your project:

```bash
npx add-skill https://github.com/majiayu000/claude-skill-registry/tree/main/skills/development/security-audit-bybren-llc-safe-agentic-workfl
```

Contents of SKILL.md:
# Security Audit Skill

## Purpose

Guide security validation with RLS enforcement, OWASP compliance, and vulnerability detection, following a security-first architecture.
## When This Skill Applies

Invoke this skill when:

- Validating RLS policies
- Auditing API routes for authentication
- Scanning for vulnerabilities
- Performing a pre-deployment security review
- Checking for exposed credentials
- Reviewing database access patterns
## Stop-the-Line Conditions

### FORBIDDEN Patterns

```typescript
// FORBIDDEN: Direct Prisma calls (bypass RLS)
const users = await prisma.user.findMany();
// Must use: withUserContext, withAdminContext, or withSystemContext

// FORBIDDEN: Missing authentication on protected routes
export async function GET(req: Request) {
  // No auth check before accessing user data
  return getUserData();
}

// FORBIDDEN: Exposed credentials
const API_KEY = "sk_live_abc123"; // Hardcoded secret

// FORBIDDEN: SQL injection vulnerability
const query = `SELECT * FROM users WHERE id = ${userId}`; // Interpolated
```
### CORRECT Patterns

```typescript
// CORRECT: RLS context wrapper
const users = await withUserContext(prisma, userId, async (client) => {
  return client.user.findMany();
});

// CORRECT: Auth check before data access
export async function GET(req: Request) {
  const { userId } = await auth();
  if (!userId) {
    return new Response("Unauthorized", { status: 401 });
  }
  return getUserData(userId);
}

// CORRECT: Environment variables for secrets
const API_KEY = process.env.STRIPE_SECRET_KEY;

// CORRECT: Parameterized queries
// The $queryRaw tag sends ${userId} as a bound parameter, not as query text
const user = await prisma.$queryRaw`SELECT * FROM users WHERE id = ${userId}`;
```
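The skill names withUserContext but never shows what it does. As an added example, not code from the skill or its project, here is one way such a wrapper is commonly built for Prisma on Postgres, with an in-memory stand-in for the database so the checklist's user isolation check can run offline; the setting name app.current_user_id and the helpers fakeRlsDb and isolationCheck are assumptions.

```typescript
// Added example (not the skill's or the project's code): one plausible implementation of
// withUserContext, with fakeRlsDb standing in for Postgres; app.current_user_id is an assumed name.
type Row = { id: number; userId: string; email: string };

// The slice of the Prisma client surface the wrapper relies on.
interface RlsClient {
  $transaction<T>(fn: (tx: RlsClient) => Promise<T>): Promise<T>;
  $executeRaw(strings: TemplateStringsArray, ...values: unknown[]): Promise<number>;
  user: { findMany(): Promise<Row[]> };
}

// Bind the caller's id for one transaction and run fn on that transaction client. The
// setting is transaction-local and the transaction pins one connection, so nothing leaks.
async function withUserContext<T>(
  prisma: RlsClient, userId: string, fn: (client: RlsClient) => Promise<T>,
): Promise<T> {
  return prisma.$transaction(async (tx) => {
    await tx.$executeRaw`SELECT set_config('app.current_user_id', ${userId}, true)`;
    return fn(tx);
  });
}

// In-memory users table under the policy user_id = current_setting('app.current_user_id', true).
// With no id bound it matches nothing (a real policy's behaviour there depends on its definition).
function fakeRlsDb(rows: Row[]): RlsClient {
  let currentUser: string | null = null;  // the transaction-local setting
  const db: RlsClient = {
    user: { findMany: async () => rows.filter((r) => r.userId === currentUser) },
    async $executeRaw(strings: TemplateStringsArray, ...values: unknown[]): Promise<number> {
      if (strings[0].includes("set_config('app.current_user_id'")) currentUser = String(values[0]);
      return 1;
    },
    async $transaction<T>(fn: (tx: RlsClient) => Promise<T>): Promise<T> {
      try { return await fn(db); } finally { currentUser = null; }  // SET LOCAL scope ends
    },
  };
  return db;
}

// The checklist's isolation check on constructed rows: A sees only A's row, B only
// B's, and a direct call outside any context (the FORBIDDEN pattern) sees nothing.
async function isolationCheck(): Promise<{ a: string[]; b: string[]; direct: number }> {
  const db = fakeRlsDb([
    { id: 1, userId: "user_a", email: "a@example.test" },
    { id: 2, userId: "user_b", email: "b@example.test" },
  ]);
  const emails = (rows: Row[]) => rows.map((r) => r.email);
  const a = emails(await withUserContext(db, "user_a", (c) => c.user.findMany()));
  const b = emails(await withUserContext(db, "user_b", (c) => c.user.findMany()));
  return { a, b, direct: (await db.user.findMany()).length };
}
```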
## Security Audit Checklist

### 1. RLS Validation

- All database operations use context wrappers
- No direct Prisma calls in route handlers
- User isolation verified (user A cannot see user B's data)
- Admin operations properly scoped

```bash
# Find potential RLS bypasses
grep -r "prisma\." --include="*.ts" app/ lib/ | grep -v "withUserContext\|withAdminContext\|withSystemContext"
```

### 2. Authentication Checks

- All protected routes verify authentication
- Clerk auth() called before data access
- Proper 401/403 responses for unauthorized requests

```bash
# Find routes missing auth checks
grep -r "export async function" --include="route.ts" app/ | head -20
# Manually verify each has an auth check
```

### 3. Credential Scanning

- No hardcoded secrets in code
- No API keys in client-side code
- Environment variables used correctly

```bash
# Scan for potential secrets
grep -rE "(sk_live|pk_live|password|secret|key)" --include="*.ts" --include="*.tsx" | grep -v "process.env\|.env"
```

### 4. Dependency Vulnerabilities

```bash
# Run security audit
npm audit
yarn audit
# Check for high/critical vulnerabilities
npm audit --audit-level=high
```

### 5. Input Validation

- User input validated with Zod schemas
- No raw query interpolation
- File upload restrictions in place
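An added example, not part of the skill or the project, that automates checks 1, 2, 3 and 5 above in one pass: it applies the grep rules per line and judges each route handler by its whole body, so a missing auth() call is reported instead of verified by hand. The rule names, the regexes and the sample route file are assumptions.

```typescript
// Added example, not part of the skill or the project: a scope-aware scanner that
// automates the grep checks; rule names and regexes are assumptions.
type Finding = { line: number; rule: string };

const HANDLER = /^\s*export\s+async\s+function\s+(GET|POST|PUT|PATCH|DELETE)\s*\(/;
// [rule, pattern that flags a line, pattern that exempts it]
const RULES: Array<[string, RegExp, RegExp]> = [
  ["direct-prisma-call", /\bprisma\.(?!\$transaction\b)/, /\bwith(User|Admin|System)Context\b/],
  ["sql-interpolation", /`[^`]*\b(SELECT|INSERT|UPDATE|DELETE)\b[^`]*\$\{/i, /\$(queryRaw|executeRaw)`/],
  ["hardcoded-secret", /["'](sk|pk)_(live|test)_[A-Za-z0-9]+["']/, /process\.env/],
];

// Line rules fire per line; the auth rule judges a whole route handler body, so a
// handler passes only if auth() is called somewhere between its braces.
function auditSource(src: string): Finding[] {
  const findings: Finding[] = [];
  let handler = null as { line: number; depth: number; hasAuth: boolean } | null;
  let depth = 0;                                          // current brace depth
  src.split("\n").forEach((text, i) => {
    const line = i + 1;
    if (/^\s*\/\//.test(text)) return;                    // comment-only line
    for (const [rule, flag, exempt] of RULES)
      if (flag.test(text) && !exempt.test(text)) findings.push({ line, rule });
    if (HANDLER.test(text)) handler = { line, depth, hasAuth: false };
    if (handler && /\bauth\(\)/.test(text)) handler.hasAuth = true;
    depth += (text.match(/\{/g) ?? []).length - (text.match(/\}/g) ?? []).length;
    if (handler && depth === handler.depth) {             // handler body just closed
      if (!handler.hasAuth) findings.push({ line: handler.line, rule: "missing-auth-check" });
      handler = null;
    }
  });
  return findings;
}

// Constructed sample: GET follows the CORRECT pattern, DELETE breaks three rules.
const SAMPLE_ROUTE = [
  "// app/api/users/route.ts (constructed sample)",
  'const API_KEY = "sk_live_abc123";',
  "export async function GET(req: Request) {",
  "  const { userId } = await auth();",
  '  if (!userId) return new Response("Unauthorized", { status: 401 });',
  "  return withUserContext(prisma, userId, async (client) => client.user.findMany());",
  "}",
  "export async function DELETE(req: Request) {",
  '  const id = new URL(req.url).searchParams.get("id");',
  "  await prisma.$executeRawUnsafe(`DELETE FROM users WHERE id = ${id}`);",
  "  return new Response(null, { status: 204 });",
  "}",
].join("\n");
```

Running auditSource(SAMPLE_ROUTE) reports the secret on line 2, the direct Prisma call and the interpolated SQL on line 10, and the DELETE handler on line 8 as missing its auth check.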
## OWASP Top 10 Checklist

| Risk | Check | Status |
|---|---|---|
| A01 Broken Access | RLS enforced, auth on all routes | ☐ |
| A02 Crypto Failures | Secrets in env vars only | ☐ |
| A03 Injection | Parameterized queries, Zod | ☐ |
| A04 Insecure Design | Auth-first pattern followed | ☐ |
| A05 Misconfiguration | Prod env properly secured | ☐ |
| A06 Vulnerable Deps | npm audit clean | ☐ |
| A07 Auth Failures | Clerk integration correct | ☐ |
| A08 Data Integrity | RLS prevents tampering | ☐ |
| A09 Logging Failures | Security events logged | ☐ |
| A10 SSRF | External URLs validated | ☐ |
## Security Validation Commands

```bash
# Complete security check
npm audit && yarn lint && echo "Security checks passed"

# RLS bypass detection
grep -r "prisma\." --include="*.ts" app/ lib/ | wc -l
# Compare with context wrapper count

# Secret detection
git secrets --scan # If git-secrets installed
grep -rE "sk_|pk_|password=" . --include="*.ts"
```
## Pre-Deployment Security Review

Before ANY production deployment:

- npm audit shows no high/critical issues
- RLS policies validated
- No new direct Prisma calls
- Environment variables documented
- Backup taken before migration
- Rollback plan documented
## Security Audit Report Template

```markdown
## Security Audit Report - {TICKET_PREFIX}-XXX

### Summary
- **Date**: [date]
- **Auditor**: Security Engineer
- **Scope**: [what was audited]

### Findings
| Severity | Issue | Location | Status |
| -------- | ----- | -------- | ------ |
| HIGH | ... | ... | FIXED |
| MEDIUM | ... | ... | OPEN |

### RLS Validation
- [x] All tables have RLS enabled
- [x] User isolation verified
- [x] Admin policies scoped correctly

### Recommendations
1. [recommendation]
2. [recommendation]

### Approval
- [ ] Security Engineer approves
- [ ] Ready for deployment
```
## Authoritative References

- Security Architecture: docs/guides/SECURITY_FIRST_ARCHITECTURE.md
- RLS Implementation: docs/database/RLS_IMPLEMENTATION_GUIDE.md
- RLS Policies: docs/database/RLS_POLICY_CATALOG.md
- OWASP Top 10: https://owasp.org/Top10/