Agent skill
security-auditor
Security vulnerability expert covering OWASP Top 10 and common security issues. Use when conducting security audits or reviewing code for vulnerabilities.
Install this agent skill to your Project
npx add-skill https://github.com/zhaono1/agent-playbook/tree/main/skills/security-auditor
Metadata
Additional technical details for this skill
- hooks
-
{ "after_complete": [ { "mode": "background", "reason": "Learn from security patterns", "trigger": "self-improving-agent" }, { "mode": "auto", "reason": "Log security audit", "trigger": "session-logger" } ] }
SKILL.md
Security Auditor
Expert in identifying security vulnerabilities following OWASP Top 10 and security best practices.
When This Skill Activates
Activates when you:
- Request a security audit
- Mention "security" or "vulnerability"
- Need security review
- Ask about OWASP
OWASP Top 10 Coverage
A01: Broken Access Control
Checks:
# Check for missing auth on protected routes
grep -r "@RequireAuth\|@Protected" src/
# Check for IDOR vulnerabilities
grep -r "req.params.id\|req.query.id" src/
# Check for role-based access
grep -r "if.*role.*===" src/
Common Issues:
- Missing authentication on sensitive endpoints
- IDOR: Users can access other users' data
- Missing authorization checks
- API keys in URL
A02: Cryptographic Failures
Checks:
# Check for hardcoded secrets
grep -ri "password.*=.*['\"]" src/
grep -ri "api_key.*=.*['\"]" src/
grep -ri "secret.*=.*['\"]" src/
# Check for weak hashing
grep -r "md5\|sha1" src/
# Check for http URLs
grep -r "http:\/\/" src/
Common Issues:
- Hardcoded credentials
- Weak hashing algorithms (MD5, SHA1)
- Unencrypted sensitive data
- HTTP instead of HTTPS
A03: Injection
Checks:
# SQL injection patterns
grep -r "\".*SELECT.*+.*\"" src/
grep -r "\".*UPDATE.*SET.*+.*\"" src/
# Command injection
grep -r "exec(\|system(\|spawn(" src/
grep -r "child_process.exec" src/
# Template injection
grep -r "render.*req\." src/
Common Issues:
- SQL injection
- NoSQL injection
- Command injection
- XSS (Cross-Site Scripting)
- Template injection
A04: Insecure Design
Checks:
# Check for rate limiting
grep -r "rateLimit\|rate-limit\|throttle" src/
# Check for 2FA
grep -r "twoFactor\|2fa\|mfa" src/
# Check for session timeout
grep -r "maxAge\|expires\|timeout" src/
Common Issues:
- No rate limiting on auth endpoints
- Missing 2FA for sensitive operations
- Session timeout too long
- No account lockout after failed attempts
A05: Security Misconfiguration
Checks:
# Check for debug mode
grep -r "DEBUG.*=.*True\|debug.*=.*true" src/
# Check for CORS configuration
grep -r "origin.*\*" src/
# Check for error messages
grep -r "console\.log.*error\|console\.error" src/
Common Issues:
- Debug mode enabled in production
- Overly permissive CORS
- Verbose error messages
- Default credentials not changed
A06: Vulnerable Components
Checks:
# Check package files
cat package.json | grep -E "\"dependencies\"|\"devDependencies\""
cat requirements.txt
cat go.mod
# Run vulnerability scanner
npm audit
pip-audit
Common Issues:
- Outdated dependencies
- Known vulnerabilities in dependencies
- Unused dependencies
- Unmaintained packages
A07: Authentication Failures
Checks:
# Check password hashing
grep -r "bcrypt\|argon2\|scrypt" src/
# Check password requirements
grep -r "password.*length\|password.*complex" src/
# Check for password in URL
grep -r "password.*req\." src/
Common Issues:
- Weak password hashing
- No password complexity requirements
- Password in URL
- Session fixation
A08: Software/Data Integrity
Checks:
# Check for subresource integrity
grep -r "integrity\|crossorigin" src/
# Check for signature verification
grep -r "verify.*signature\|validate.*token" src/
Common Issues:
- No integrity checks
- Unsigned updates
- Unverified dependencies
A09: Logging Failures
Checks:
# Check for sensitive data in logs
grep -r "log.*password\|log.*token\|log.*secret" src/
# Check for audit trail
grep -r "audit\|activity.*log" src/
Common Issues:
- Sensitive data in logs
- No audit trail for critical operations
- Logs not protected
- No log tampering detection
A10: SSRF (Server-Side Request Forgery)
Checks:
# Check for arbitrary URL fetching
grep -r "fetch(\|axios(\|request(\|http\\.get" src/
# Check for webhook URLs
grep -r "webhook.*url\|callback.*url" src/
Common Issues:
- No URL validation
- Fetching user-supplied URLs
- No allowlist for external calls
Security Audit Checklist
Code Review
- No hardcoded secrets
- Input validation on all inputs
- Output encoding for XSS prevention
- Parameterized queries for SQL
- Proper error handling
- Authentication on protected routes
- Authorization checks
- Rate limiting on public APIs
Configuration
- Debug mode off
- [ ) HTTPS enforced
- CORS configured correctly
- Security headers set
- Environment variables for secrets
- Database not exposed
Dependencies
- No known vulnerabilities
- Dependencies up to date
- Unused dependencies removed
Scripts
Run security audit:
python scripts/security_audit.py
Check for secrets:
python scripts/find_secrets.py
References
references/owasp.md- OWASP Top 10 detailsreferences/checklist.md- Security audit checklistreferences/remediation.md- Vulnerability remediation guide
Recommended Agent Skills
Expand your agent's capabilities with these related and highly-rated skills.
self-improving-agent
A universal self-improving agent that learns from ALL skill experiences. Uses multi-memory architecture (semantic + episodic + working) to continuously evolve the codebase. Auto-triggers on skill completion/error with hooks-based self-correction.
long-task-coordinator
Coordinates multi-session, delegated, or long-running work with persistent state, recovery checks, and explicit status transitions. Use when a task spans multiple turns, multiple agents, background jobs, or scheduled loops, or when interrupted work must be resumed reliably.
api-designer
REST and GraphQL API architect for designing robust, scalable APIs. Use when designing new APIs or improving existing ones.
performance-engineer
Performance optimization specialist for improving application speed and efficiency. Use when investigating performance issues or optimizing code.
session-logger
Saves conversation history to session log files. Use when user says "保存对话", "保存对话信息", "记录会话", "save session", or "save conversation". Automatically creates timestamped session log in sessions/ directory.
code-reviewer
Reviews pull requests and code changes for quality, security, and best practices. Use when user asks for code review, PR review, or mentions reviewing changes.
Didn't find tool you were looking for?