Agent skill

security-auditor

Security vulnerability expert covering OWASP Top 10 and common security issues. Use when conducting security audits or reviewing code for vulnerabilities.

Stars 26
Forks 5

Install this agent skill to your Project

npx add-skill https://github.com/zhaono1/agent-playbook/tree/main/skills/security-auditor

Metadata

Additional technical details for this skill

hooks
{
    "after_complete": [
        {
            "mode": "background",
            "reason": "Learn from security patterns",
            "trigger": "self-improving-agent"
        },
        {
            "mode": "auto",
            "reason": "Log security audit",
            "trigger": "session-logger"
        }
    ]
}

SKILL.md

Security Auditor

Expert in identifying security vulnerabilities following OWASP Top 10 and security best practices.

When This Skill Activates

Activates when you:

  • Request a security audit
  • Mention "security" or "vulnerability"
  • Need security review
  • Ask about OWASP

OWASP Top 10 Coverage

A01: Broken Access Control

Checks:

bash
# Check for missing auth on protected routes
grep -r "@RequireAuth\|@Protected" src/

# Check for IDOR vulnerabilities
grep -r "req.params.id\|req.query.id" src/

# Check for role-based access
grep -r "if.*role.*===" src/

Common Issues:

  • Missing authentication on sensitive endpoints
  • IDOR: Users can access other users' data
  • Missing authorization checks
  • API keys in URL

A02: Cryptographic Failures

Checks:

bash
# Check for hardcoded secrets
grep -ri "password.*=.*['\"]" src/
grep -ri "api_key.*=.*['\"]" src/
grep -ri "secret.*=.*['\"]" src/

# Check for weak hashing
grep -r "md5\|sha1" src/

# Check for http URLs
grep -r "http:\/\/" src/

Common Issues:

  • Hardcoded credentials
  • Weak hashing algorithms (MD5, SHA1)
  • Unencrypted sensitive data
  • HTTP instead of HTTPS

A03: Injection

Checks:

bash
# SQL injection patterns
grep -r "\".*SELECT.*+.*\"" src/
grep -r "\".*UPDATE.*SET.*+.*\"" src/

# Command injection
grep -r "exec(\|system(\|spawn(" src/
grep -r "child_process.exec" src/

# Template injection
grep -r "render.*req\." src/

Common Issues:

  • SQL injection
  • NoSQL injection
  • Command injection
  • XSS (Cross-Site Scripting)
  • Template injection

A04: Insecure Design

Checks:

bash
# Check for rate limiting
grep -r "rateLimit\|rate-limit\|throttle" src/

# Check for 2FA
grep -r "twoFactor\|2fa\|mfa" src/

# Check for session timeout
grep -r "maxAge\|expires\|timeout" src/

Common Issues:

  • No rate limiting on auth endpoints
  • Missing 2FA for sensitive operations
  • Session timeout too long
  • No account lockout after failed attempts

A05: Security Misconfiguration

Checks:

bash
# Check for debug mode
grep -r "DEBUG.*=.*True\|debug.*=.*true" src/

# Check for CORS configuration
grep -r "origin.*\*" src/

# Check for error messages
grep -r "console\.log.*error\|console\.error" src/

Common Issues:

  • Debug mode enabled in production
  • Overly permissive CORS
  • Verbose error messages
  • Default credentials not changed

A06: Vulnerable Components

Checks:

bash
# Check package files
cat package.json | grep -E "\"dependencies\"|\"devDependencies\""
cat requirements.txt
cat go.mod

# Run vulnerability scanner
npm audit
pip-audit

Common Issues:

  • Outdated dependencies
  • Known vulnerabilities in dependencies
  • Unused dependencies
  • Unmaintained packages

A07: Authentication Failures

Checks:

bash
# Check password hashing
grep -r "bcrypt\|argon2\|scrypt" src/

# Check password requirements
grep -r "password.*length\|password.*complex" src/

# Check for password in URL
grep -r "password.*req\." src/

Common Issues:

  • Weak password hashing
  • No password complexity requirements
  • Password in URL
  • Session fixation

A08: Software/Data Integrity

Checks:

bash
# Check for subresource integrity
grep -r "integrity\|crossorigin" src/

# Check for signature verification
grep -r "verify.*signature\|validate.*token" src/

Common Issues:

  • No integrity checks
  • Unsigned updates
  • Unverified dependencies

A09: Logging Failures

Checks:

bash
# Check for sensitive data in logs
grep -r "log.*password\|log.*token\|log.*secret" src/

# Check for audit trail
grep -r "audit\|activity.*log" src/

Common Issues:

  • Sensitive data in logs
  • No audit trail for critical operations
  • Logs not protected
  • No log tampering detection

A10: SSRF (Server-Side Request Forgery)

Checks:

bash
# Check for arbitrary URL fetching
grep -r "fetch(\|axios(\|request(\|http\\.get" src/

# Check for webhook URLs
grep -r "webhook.*url\|callback.*url" src/

Common Issues:

  • No URL validation
  • Fetching user-supplied URLs
  • No allowlist for external calls

Security Audit Checklist

Code Review

  • No hardcoded secrets
  • Input validation on all inputs
  • Output encoding for XSS prevention
  • Parameterized queries for SQL
  • Proper error handling
  • Authentication on protected routes
  • Authorization checks
  • Rate limiting on public APIs

Configuration

  • Debug mode off
  • [ ) HTTPS enforced
  • CORS configured correctly
  • Security headers set
  • Environment variables for secrets
  • Database not exposed

Dependencies

  • No known vulnerabilities
  • Dependencies up to date
  • Unused dependencies removed

Scripts

Run security audit:

bash
python scripts/security_audit.py

Check for secrets:

bash
python scripts/find_secrets.py

References

  • references/owasp.md - OWASP Top 10 details
  • references/checklist.md - Security audit checklist
  • references/remediation.md - Vulnerability remediation guide

Expand your agent's capabilities with these related and highly-rated skills.

zhaono1/agent-playbook

self-improving-agent

A universal self-improving agent that learns from ALL skill experiences. Uses multi-memory architecture (semantic + episodic + working) to continuously evolve the codebase. Auto-triggers on skill completion/error with hooks-based self-correction.

26 5
Explore
zhaono1/agent-playbook

long-task-coordinator

Coordinates multi-session, delegated, or long-running work with persistent state, recovery checks, and explicit status transitions. Use when a task spans multiple turns, multiple agents, background jobs, or scheduled loops, or when interrupted work must be resumed reliably.

26 5
Explore
zhaono1/agent-playbook

api-designer

REST and GraphQL API architect for designing robust, scalable APIs. Use when designing new APIs or improving existing ones.

26 5
Explore
zhaono1/agent-playbook

performance-engineer

Performance optimization specialist for improving application speed and efficiency. Use when investigating performance issues or optimizing code.

26 5
Explore
zhaono1/agent-playbook

session-logger

Saves conversation history to session log files. Use when user says "保存对话", "保存对话信息", "记录会话", "save session", or "save conversation". Automatically creates timestamped session log in sessions/ directory.

26 5
Explore
zhaono1/agent-playbook

code-reviewer

Reviews pull requests and code changes for quality, security, and best practices. Use when user asks for code review, PR review, or mentions reviewing changes.

26 5
Explore

Didn't find tool you were looking for?

Be as detailed as possible for better results