Agent skill: the-auditor

Audits the codebase for security vulnerabilities and regulatory compliance (LGPD, GDPR, DORA, MiCA, HIPAA, SOC II, ISO 27001, PCI-DSS).

Stars: 163 | Forks: 31

Install this agent skill to your project:

```bash
npx add-skill https://github.com/majiayu000/claude-skill-registry/tree/main/skills/data/the-auditor
```
# SKILL.md

**Task:** Perform a comprehensive security and compliance audit of the codebase, identifying vulnerabilities and compliance gaps.

**Role:** You're a security auditor and compliance specialist ensuring the fintech application meets all regulatory requirements.
## Regulatory Frameworks

| Framework | Focus Area |
|---|---|
| GDPR/LGPD | Data protection, consent, right to erasure |
| DORA | Digital operational resilience (EU financial) |
| MiCA | Crypto-asset regulation |
| HIPAA | Health data protection |
| SOC II | Security, availability, processing integrity |
| ISO 27001 | Information security management |
| PCI-DSS | Payment card data security |
## Audit Checklist

### 1. Authentication & Authorization

- All API routes check `await auth()` from Clerk
- User ID derived from auth token, never from client
- Resource ownership verified before mutations
- Role-based access control implemented
- Session timeout for sensitive operations
### 2. Data Protection (GDPR/LGPD)

- PII fields identified and documented
- Data minimization in queries (use `select` so only the fields the endpoint needs are returned)
- Consent mechanisms for data collection
- Right to erasure (delete user data) implemented
- Data portability (export) supported
- Retention policies defined
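Checklist items 1 and 2 side by side, as an added example that is not part of the-auditor or of the project it audits. `auth()`, the request/response shapes and the in-memory account table are stand-ins (assumptions) for Clerk's `await auth()` and a Prisma model; the hardened handler's field projection mirrors what `findUnique({ select })` does on the real client.

```typescript
// Added example (not from the-auditor or the audited project). `auth()`, the
// request/response types and the account table below are assumptions standing
// in for Clerk's `await auth()` and a Prisma model.

type Account = { id: string; ownerId: string; balance: number; ssn: string; email: string };

// Constructed sample data standing in for the database.
const accounts: Account[] = [
  { id: 'acc-1', ownerId: 'user_alice', balance: 100, ssn: '000-00-0001', email: 'alice@example.com' },
  { id: 'acc-2', ownerId: 'user_bob', balance: 250, ssn: '000-00-0002', email: 'bob@example.com' },
];

// Stand-in for Clerk's `await auth()`: identity comes from the verified session, never from the body.
async function auth(session: { userId: string | null }): Promise<{ userId: string | null }> {
  return { userId: session.userId };
}

type ApiRequest = { session: { userId: string | null }; body: { userId?: string; accountId: string } };
type ApiResponse = { status: number; body: Record<string, unknown> };

// VULNERABLE (what the audit flags): trusts the client-supplied userId, never checks
// it against the token, and returns the whole row (ssn, email) to the caller.
async function getAccountVulnerable(req: ApiRequest): Promise<ApiResponse> {
  const { userId, accountId } = req.body;
  const account = accounts.find((a) => a.id === accountId && a.ownerId === userId);
  if (!account) return { status: 404, body: { error: 'not found' } };
  return { status: 200, body: { ...account } };
}

// HARDENED: userId derived from the auth token, ownership verified before the row
// is returned, and only the fields this endpoint needs are selected (data minimization).
async function getAccountHardened(req: ApiRequest): Promise<ApiResponse> {
  const { userId } = await auth(req.session);
  if (!userId) return { status: 401, body: { error: 'unauthenticated' } };

  const account = accounts.find((a) => a.id === req.body.accountId);
  if (!account) return { status: 404, body: { error: 'not found' } };
  if (account.ownerId !== userId) return { status: 403, body: { error: 'forbidden' } };

  // Equivalent of Prisma `select: { id: true, balance: true }` on the real model.
  const { id, balance } = account;
  return { status: 200, body: { id, balance } };
}

// Scenario the auditor reproduces: a logged-in user (user_eve) requests another
// user's account while putting that user's id in the request body.
async function demo(): Promise<{ vulnerable: ApiResponse; hardened: ApiResponse }> {
  const request: ApiRequest = {
    session: { userId: 'user_eve' },
    body: { userId: 'user_bob', accountId: 'acc-2' },
  };
  return { vulnerable: await getAccountVulnerable(request), hardened: await getAccountHardened(request) };
}
```

Running `demo()` shows the vulnerable handler returning Bob's full row (status 200, including `ssn`) to Eve, while the hardened one returns 403; for Bob himself it returns only `{ id, balance }`, and for an anonymous caller 401.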
### 3. Input Validation (OWASP)

- All user inputs validated
- SQL/NoSQL injection prevented (Prisma parameterized queries)
- XSS prevention (sanitize HTML output)
- CSRF protection enabled
- File upload validation
### 4. Sensitive Data Handling (PCI-DSS)

- Financial data encrypted at rest
- No PII in logs
- Secrets in environment variables only
- TLS for all communications
- No sensitive data in URLs
### 5. Audit Logging (SOC II/ISO 27001)

- Authentication events logged
- Authorization failures logged
- Data modifications tracked
- Financial transactions audited
- Logs do not contain PII
### 6. Error Handling

- Generic error messages to clients
- Full errors logged server-side
- No stack traces exposed
- Proper HTTP status codes
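Checklist items 5 and 6 together, as an added example that is not from the-auditor or the audited project: `audit()` writes a structured event to an in-memory sink after stripping PII by field name and by pattern, and `toClientResponse()` maps any thrown error to a generic client body with the right status while the full message and stack (also scrubbed) go to the server-side log. The PII key list, the event names and the `AppError` class are assumptions.

```typescript
// Added example (not from the-auditor or the audited project). PII_KEYS, the
// event names and AppError are assumptions for illustration.

// Keys the quick reference treats as PII; values under them are never logged.
const PII_KEYS = new Set(['email', 'phone', 'name', 'ssn', 'cardNumber', 'balance', 'location']);
const EMAIL_RE = /[\w.+-]+@[\w-]+(?:\.[\w-]+)+/g;
const CARD_RE = /\b(?:\d[ -]?){13,16}\b/g;

// Recursively masks PII: by key for structured fields, by pattern for free text.
function redact(value: unknown, key?: string): unknown {
  if (key !== undefined && PII_KEYS.has(key)) return '[REDACTED]';
  if (typeof value === 'string') {
    return value.replace(EMAIL_RE, '[REDACTED_EMAIL]').replace(CARD_RE, '[REDACTED_CARD]');
  }
  if (Array.isArray(value)) return value.map((v) => redact(v));
  if (value !== null && typeof value === 'object') {
    const src = value as Record<string, unknown>;
    const out: Record<string, unknown> = {};
    for (const k of Object.keys(src)) out[k] = redact(src[k], k);
    return out;
  }
  return value;
}

type AuditEvent = {
  event: 'auth.login' | 'auth.failure' | 'authz.denied' | 'data.update' | 'tx.transfer';
  actor: string; // opaque user id from the auth token, not an email
  outcome: 'success' | 'failure';
  details?: Record<string, unknown>;
};

const auditSink: string[] = []; // constructed stand-in for the audit log store

// Every authentication, authorization-failure, data-change and transaction event goes through here.
function audit(e: AuditEvent): string {
  const line = JSON.stringify({ ...e, details: redact(e.details ?? {}) });
  auditSink.push(line);
  return line;
}

// Errors the application raises deliberately carry a status and a client-safe message.
class AppError extends Error {
  constructor(public status: number, public clientMessage: string, detail?: string) {
    super(detail ?? clientMessage);
    Object.setPrototypeOf(this, AppError.prototype); // keeps instanceof working on older targets
  }
}

const serverLog: string[] = []; // constructed stand-in for the server-side error log

// Generic message and correct status to the client; full detail (PII-scrubbed) server-side.
function toClientResponse(err: unknown): { status: number; body: { error: string } } {
  const e = err instanceof Error ? err : new Error(String(err));
  serverLog.push(String(redact(`${e.message}\n${e.stack ?? ''}`)));
  if (e instanceof AppError) return { status: e.status, body: { error: e.clientMessage } };
  return { status: 500, body: { error: 'Internal server error' } };
}
```

The audit sink keeps the non-PII fields (amounts, ids, outcomes) that SOC II evidence needs, while an unexpected exception reaches the client only as `500 Internal server error` with no stack trace.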
## Scan Commands

```bash
# Check for hardcoded secrets
grep -r "password\|secret\|api_key\|token" --include="*.ts" --include="*.tsx" src/
# Check for console.log with sensitive data
grep -r "console.log.*email\|console.log.*password" --include="*.ts" src/
# Check for missing auth checks
grep -L "await auth()" src/app/api/v1/*/route.ts
# Check for any usage
grep -r ": any" --include="*.ts" src/app/api/
```
## Report Format

Generate a report with:

- Critical: Immediate security risks
- High: Compliance violations
- Medium: Best practice deviations
- Low: Recommendations

For each finding:

- File and line number
- Issue description
- Regulatory impact
- Remediation steps
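The four scan commands and the report format combined, as an added example that is not part of the-auditor: a scanner over an in-memory file tree that emits findings with severity, file, line, issue, regulatory impact and remediation, then renders them grouped by severity. The sample files are constructed; the patterns are the grep patterns from the Scan Commands section, tightened (the secret check wants an assignment of a literal, not any mention of the word) to cut false positives. The severity and impact wording is an assumption based on the checklist.

```typescript
// Added example (not part of the-auditor). Sample files are constructed; the
// impact/remediation strings are assumptions drawn from the checklist above.

type Severity = 'Critical' | 'High' | 'Medium' | 'Low';
type Finding = { severity: Severity; file: string; line: number; issue: string; impact: string; remediation: string };

const SEVERITY_ORDER: Severity[] = ['Critical', 'High', 'Medium', 'Low'];

// A literal assigned to a secret-looking name (the bare grep also hits comments and imports).
const SECRET_RE = /\b(password|secret|api_key|token)\b\s*[:=]\s*['"`][^'"`]+['"`]/i;
const LOG_PII_RE = /console\.log\(.*\b(email|password)\b/;
const ANY_RE = /:\s*any\b/;
const ROUTE_RE = /^src\/app\/api\/v1\/[^\/]+\/route\.ts$/;

function scanFile(file: string, source: string): Finding[] {
  const findings: Finding[] = [];
  const add = (severity: Severity, line: number, issue: string, impact: string, remediation: string) =>
    findings.push({ severity, file, line, issue, impact, remediation });

  source.split('\n').forEach((text, i) => {
    const line = i + 1;
    if (SECRET_RE.test(text)) add('Critical', line, 'Hardcoded credential',
      'PCI-DSS, ISO 27001: secrets in environment variables only',
      'Move the value to an environment variable, rotate it, and purge it from history');
    if (LOG_PII_RE.test(text)) add('High', line, 'PII written to console.log',
      'GDPR/LGPD, SOC II: no PII in logs', 'Log an opaque user id instead of the field');
    if (ANY_RE.test(text)) add('Medium', line, 'Untyped `any` in API code',
      'OWASP input validation: type checks bypassed', 'Replace with a validated schema type');
  });

  // Whole-file check, mirroring `grep -L "await auth()"` on v1 route handlers.
  if (ROUTE_RE.test(file) && !source.includes('await auth()')) {
    add('Critical', 1, 'Route handler never calls await auth()',
      'SOC II, GDPR/LGPD: unauthenticated access to user data',
      'Call await auth() and return 401 when userId is null');
  }
  return findings;
}

function scan(files: Record<string, string>): Finding[] {
  const all: Finding[] = [];
  for (const file of Object.keys(files)) all.push(...scanFile(file, files[file]));
  return all.sort((a, b) =>
    SEVERITY_ORDER.indexOf(a.severity) - SEVERITY_ORDER.indexOf(b.severity)
    || a.file.localeCompare(b.file) || a.line - b.line);
}

// Renders the Report Format: one section per severity, one entry per finding.
function report(findings: Finding[]): string {
  const sections: string[] = [];
  for (const sev of SEVERITY_ORDER) {
    const items = findings.filter((f) => f.severity === sev);
    if (items.length === 0) continue;
    const body = items.map((f) =>
      `- ${f.file}:${f.line}\n  - Issue: ${f.issue}\n  - Regulatory impact: ${f.impact}\n  - Remediation: ${f.remediation}`);
    sections.push(`## ${sev}\n${body.join('\n')}`);
  }
  return sections.join('\n\n');
}

// Constructed sample tree (not real project files).
const sampleFiles: Record<string, string> = {
  'src/app/api/v1/accounts/route.ts': [
    "import { auth } from '@clerk/nextjs/server';",
    'export async function GET() {',
    '  const { userId } = await auth();',
    '  return Response.json({ userId });',
    '}',
  ].join('\n'),
  'src/app/api/v1/admin/route.ts': [
    'export async function GET(req: any) {',
    "  console.log('debug', req.email);",
    '  return Response.json({ ok: true });',
    '}',
  ].join('\n'),
  'src/lib/config.ts': 'export const api_key = "PLACEHOLDER_NOT_A_REAL_KEY";',
};
```

`report(scan(sampleFiles))` yields two Critical findings (the admin route with no `await auth()`, the literal assigned to `api_key`), one High (`console.log` of `req.email`) and one Medium (`req: any`), and nothing for the accounts route; to scan a real tree, replace `sampleFiles` with a map built from `fs.readFileSync` over `src/`.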
## Compliance Quick Reference

### PII Fields (require protection)

- Email, phone, names
- Financial data (balances, transactions)
- Health/mood data
- Location data
- Profile pictures
### Required Security Headers

```javascript
// next.config.js: apply the required headers to every route
const securityHeaders = [
  { key: 'X-Frame-Options', value: 'DENY' },
  { key: 'X-Content-Type-Options', value: 'nosniff' },
  { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
  { key: 'Content-Security-Policy', value: '...' }, // set a policy for this application
];

module.exports = {
  async headers() {
    return [{ source: '/(.*)', headers: securityHeaders }];
  },
};
```
## Resources

Use Perplexity MCP to search:
- OWASP Top 10 vulnerabilities
- GDPR compliance checklist
- PCI-DSS requirements
- ISO 27001 controls