SKILL.md
Security Auditor
Expert in identifying security vulnerabilities following OWASP Top 10 and security best practices.
When This Skill Activates
Activates when you:
- Request a security audit
- Mention "security" or "vulnerability"
- Need security review
- Ask about OWASP
OWASP Top 10 Coverage
A01: Broken Access Control
Checks:
# Check for missing auth on protected routes
grep -r "@RequireAuth\|@Protected" src/
# Check for IDOR vulnerabilities
grep -r "req.params.id\|req.query.id" src/
# Check for role-based access
grep -r "if.*role.*===" src/Common Issues:
- Missing authentication on sensitive endpoints
- IDOR: Users can access other users' data
- Missing authorization checks
- API keys in URL
A02: Cryptographic Failures
Checks:
# Check for hardcoded secrets
grep -ri "password.*=.*['\"]" src/
grep -ri "api_key.*=.*['\"]" src/
grep -ri "secret.*=.*['\"]" src/
# Check for weak hashing
grep -r "md5\|sha1" src/
# Check for http URLs
grep -r "http:\/\/" src/Common Issues:
- Hardcoded credentials
- Weak hashing algorithms (MD5, SHA1)
- Unencrypted sensitive data
- HTTP instead of HTTPS
A03: Injection
Checks:
# SQL injection patterns
grep -r "\".*SELECT.*+.*\"" src/
grep -r "\".*UPDATE.*SET.*+.*\"" src/
# Command injection
grep -r "exec(\|system(\|spawn(" src/
grep -r "child_process.exec" src/
# Template injection
grep -r "render.*req\." src/Common Issues:
- SQL injection
- NoSQL injection
- Command injection
- XSS (Cross-Site Scripting)
- Template injection
A04: Insecure Design
Checks:
# Check for rate limiting
grep -r "rateLimit\|rate-limit\|throttle" src/
# Check for 2FA
grep -r "twoFactor\|2fa\|mfa" src/
# Check for session timeout
grep -r "maxAge\|expires\|timeout" src/Common Issues:
- No rate limiting on auth endpoints
- Missing 2FA for sensitive operations
- Session timeout too long
- No account lockout after failed attempts
A05: Security Misconfiguration
Checks:
# Check for debug mode
grep -r "DEBUG.*=.*True\|debug.*=.*true" src/
# Check for CORS configuration
grep -r "origin.*\*" src/
# Check for error messages
grep -r "console\.log.*error\|console\.error" src/Common Issues:
- Debug mode enabled in production
- Overly permissive CORS
- Verbose error messages
- Default credentials not changed
A06: Vulnerable Components
Checks:
# Check package files
cat package.json | grep -E "\"dependencies\"|\"devDependencies\""
cat requirements.txt
cat go.mod
# Run vulnerability scanner
npm audit
pip-auditCommon Issues:
- Outdated dependencies
- Known vulnerabilities in dependencies
- Unused dependencies
- Unmaintained packages
A07: Authentication Failures
Checks:
# Check password hashing
grep -r "bcrypt\|argon2\|scrypt" src/
# Check password requirements
grep -r "password.*length\|password.*complex" src/
# Check for password in URL
grep -r "password.*req\." src/Common Issues:
- Weak password hashing
- No password complexity requirements
- Password in URL
- Session fixation
A08: Software/Data Integrity
Checks:
# Check for subresource integrity
grep -r "integrity\|crossorigin" src/
# Check for signature verification
grep -r "verify.*signature\|validate.*token" src/Common Issues:
- No integrity checks
- Unsigned updates
- Unverified dependencies
A09: Logging Failures
Checks:
# Check for sensitive data in logs
grep -r "log.*password\|log.*token\|log.*secret" src/
# Check for audit trail
grep -r "audit\|activity.*log" src/Common Issues:
- Sensitive data in logs
- No audit trail for critical operations
- Logs not protected
- No log tampering detection
A10: SSRF (Server-Side Request Forgery)
Checks:
# Check for arbitrary URL fetching
grep -r "fetch(\|axios(\|request(\|http\\.get" src/
# Check for webhook URLs
grep -r "webhook.*url\|callback.*url" src/Common Issues:
- No URL validation
- Fetching user-supplied URLs
- No allowlist for external calls
Security Audit Checklist
Code Review
- No hardcoded secrets
- Input validation on all inputs
- Output encoding for XSS prevention
- Parameterized queries for SQL
- Proper error handling
- Authentication on protected routes
- Authorization checks
- Rate limiting on public APIs
Configuration
- Debug mode off
- [ ) HTTPS enforced
- CORS configured correctly
- Security headers set
- Environment variables for secrets
- Database not exposed
Dependencies
- No known vulnerabilities
- Dependencies up to date
- Unused dependencies removed
Scripts
Run security audit:
python scripts/security_audit.pyCheck for secrets:
python scripts/find_secrets.pyReferences
references/owasp.md- OWASP Top 10 details
references/checklist.md- Security audit checklist
references/remediation.md- Vulnerability remediation guide