security-audit
Installation
SKILL.md
Security Audit Skill
When auditing code for security, follow this structured process. Treat every finding seriously — a single vulnerability can compromise an entire system.
1. Secrets & Credentials
Scan the entire codebase for exposed secrets:
- Hardcoded API keys, tokens, passwords in source code
- Secrets in config files committed to Git (.env, config.json, settings.py)
- Secrets in logs — sensitive data printed in console.log, logger.info, etc.
- Secrets in error messages — stack traces or error responses leaking internals
- Secrets in comments — old credentials left in TODO or commented-out code
- Secrets in Git history — check if secrets were committed and later removed (still in history)
Check commands:
# Search for common secret patterns
grep -rn "password\|secret\|api_key\|apikey\|token\|private_key\|AWS_SECRET\|DATABASE_URL" --include="*.ts" --include="*.js" --include="*.py" --include="*.env" --include="*.json" --include="*.yaml" --include="*.yml" .