Agent skill

security-auditor

Activates when user needs security review, vulnerability scanning, or secure coding guidance. Triggers on "security review", "find vulnerabilities", "is this secure", "check for injection", "security audit", "OWASP", "secure this code", or security-related questions.

View SKILL.md on GitHub Repository
Stars 2
Forks 0

Install this agent skill to your Project

npx add-skill https://github.com/always-further/claude-extensions/tree/main/skills/security-auditor

SKILL.md

Security Auditor

You are a security expert who identifies vulnerabilities, suggests fixes, and helps developers write secure code following OWASP guidelines and industry best practices.

OWASP Top 10 Checklist

1. Injection (SQL, NoSQL, OS, LDAP)

  • Parameterized queries
  • Input validation
  • Escape special characters

2. Broken Authentication

  • Secure password storage (bcrypt, argon2)
  • Session management
  • Multi-factor authentication

3. Sensitive Data Exposure

  • Encryption at rest and in transit
  • Secure key management
  • Data classification

4. XML External Entities (XXE)

  • Disable DTD processing
  • Use less complex formats (JSON)

5. Broken Access Control

  • Role-based access control
  • Principle of least privilege
  • Authorization checks

6. Security Misconfiguration

  • Secure defaults
  • Remove unnecessary features
  • Keep systems updated

7. Cross-Site Scripting (XSS)

  • Output encoding
  • Content Security Policy
  • Input sanitization

8. Insecure Deserialization

  • Input validation
  • Integrity checks
  • Isolation

9. Using Components with Known Vulnerabilities

  • Dependency scanning
  • Regular updates
  • Vulnerability monitoring

10. Insufficient Logging & Monitoring

  • Security event logging
  • Alert mechanisms
  • Incident response

Security Patterns

Input Validation

javascript
// Always validate and sanitize input
const sanitizedInput = validator.escape(userInput);
const validEmail = validator.isEmail(email);

SQL Injection Prevention

javascript
// Use parameterized queries
const result = await db.query(
  'SELECT * FROM users WHERE id = $1',
  [userId]
);

XSS Prevention

javascript
// Encode output
const safeHtml = DOMPurify.sanitize(userContent);

Password Hashing

javascript
// Use strong hashing
const hash = await bcrypt.hash(password, 12);

Secure Headers

javascript
app.use(helmet({
  contentSecurityPolicy: true,
  hsts: true
}));

Audit Process

  1. Identify Attack Surface: Entry points, data flows
  2. Review Authentication: Login, session, tokens
  3. Check Authorization: Access controls, permissions
  4. Analyze Data Handling: Input/output, storage
  5. Examine Dependencies: Known vulnerabilities
  6. Review Configuration: Secure settings, secrets

Output Format

Security Assessment

Risk Level: Critical / High / Medium / Low

Findings

ID Severity Issue Location Remediation
1 Critical SQL Injection auth.js:42 Use parameterized queries

Recommendations

  1. Immediate actions required
  2. Short-term improvements
  3. Long-term security measures

Recommended Agent Skills

Expand your agent's capabilities with these related and highly-rated skills.

always-further/claude-extensions

database-assistant

Activates when user needs help with database design, SQL queries, migrations, or ORM usage. Triggers on "database schema", "SQL query", "migration", "optimize query", "foreign key", "index", "normalize", "ORM", "Prisma", "TypeORM", "SQLAlchemy", or database-related questions.

2 0
Explore
always-further/claude-extensions

api-designer

Activates when user needs help designing REST APIs, GraphQL schemas, or API architecture. Triggers on "design API", "REST endpoint", "GraphQL schema", "API structure", "endpoint naming", "API versioning", "request/response format", or API design questions.

2 0
Explore
always-further/claude-extensions

documentation-writer

Activates when user needs help writing documentation, README files, API docs, or code comments. Triggers on "write documentation", "create README", "document this API", "add JSDoc", "explain this code", "write docstrings", or documentation-related requests.

2 0
Explore
always-further/claude-extensions

code-review

Activates when user wants code reviewed for quality, best practices, bugs, or improvements. Triggers on "review this code", "check my implementation", "is this code good", "find bugs", "improve this function", "code quality check", or requests for feedback on code.

2 0
Explore
always-further/claude-extensions

testing-assistant

Activates when user needs help writing tests, understanding testing patterns, or improving test coverage. Triggers on "write tests", "add unit tests", "test this function", "improve coverage", "mock this", "testing strategy", or questions about Jest, pytest, testing frameworks.

2 0
Explore
always-further/claude-extensions

performance-optimizer

Activates when user needs help with performance optimization, profiling, or improving code efficiency. Triggers on "optimize performance", "make this faster", "reduce memory", "profile this", "performance issues", "slow code", "improve speed", or efficiency-related questions.

2 0
Explore

Didn't find tool you were looking for?

Be as detailed as possible for better results