Skills
NYC
skills/charon-fan/agent-playbook/security-auditor

security-auditor

SKILL.md

Security Auditor

Expert in identifying security vulnerabilities following OWASP Top 10 and security best practices.

When This Skill Activates

Activates when you:

  • Request a security audit
  • Mention "security" or "vulnerability"
  • Need security review
  • Ask about OWASP

OWASP Top 10 Coverage

A01: Broken Access Control

Checks:

# Check for missing auth on protected routes
grep -r "@RequireAuth\|@Protected" src/

# Check for IDOR vulnerabilities
grep -r "req.params.id\|req.query.id" src/

# Check for role-based access
grep -r "if.*role.*===" src/

Common Issues:

  • Missing authentication on sensitive endpoints
  • IDOR: Users can access other users' data
  • Missing authorization checks
  • API keys in URL

A02: Cryptographic Failures

Checks:

# Check for hardcoded secrets
grep -ri "password.*=.*['\"]" src/
grep -ri "api_key.*=.*['\"]" src/
grep -ri "secret.*=.*['\"]" src/

# Check for weak hashing
grep -r "md5\|sha1" src/

# Check for http URLs
grep -r "http:\/\/" src/

Common Issues:

  • Hardcoded credentials
  • Weak hashing algorithms (MD5, SHA1)
  • Unencrypted sensitive data
  • HTTP instead of HTTPS

A03: Injection

Checks:

# SQL injection patterns
grep -r "\".*SELECT.*+.*\"" src/
grep -r "\".*UPDATE.*SET.*+.*\"" src/

# Command injection
grep -r "exec(\|system(\|spawn(" src/
grep -r "child_process.exec" src/

# Template injection
grep -r "render.*req\." src/

Common Issues:

  • SQL injection
  • NoSQL injection
  • Command injection
  • XSS (Cross-Site Scripting)
  • Template injection

A04: Insecure Design

Checks:

# Check for rate limiting
grep -r "rateLimit\|rate-limit\|throttle" src/

# Check for 2FA
grep -r "twoFactor\|2fa\|mfa" src/

# Check for session timeout
grep -r "maxAge\|expires\|timeout" src/

Common Issues:

  • No rate limiting on auth endpoints
  • Missing 2FA for sensitive operations
  • Session timeout too long
  • No account lockout after failed attempts

A05: Security Misconfiguration

Checks:

# Check for debug mode
grep -r "DEBUG.*=.*True\|debug.*=.*true" src/

# Check for CORS configuration
grep -r "origin.*\*" src/

# Check for error messages
grep -r "console\.log.*error\|console\.error" src/

Common Issues:

  • Debug mode enabled in production
  • Overly permissive CORS
  • Verbose error messages
  • Default credentials not changed

A06: Vulnerable Components

Checks:

# Check package files
cat package.json | grep -E "\"dependencies\"|\"devDependencies\""
cat requirements.txt
cat go.mod

# Run vulnerability scanner
npm audit
pip-audit

Common Issues:

  • Outdated dependencies
  • Known vulnerabilities in dependencies
  • Unused dependencies
  • Unmaintained packages

A07: Authentication Failures

Checks:

# Check password hashing
grep -r "bcrypt\|argon2\|scrypt" src/

# Check password requirements
grep -r "password.*length\|password.*complex" src/

# Check for password in URL
grep -r "password.*req\." src/

Common Issues:

  • Weak password hashing
  • No password complexity requirements
  • Password in URL
  • Session fixation

A08: Software/Data Integrity

Checks:

# Check for subresource integrity
grep -r "integrity\|crossorigin" src/

# Check for signature verification
grep -r "verify.*signature\|validate.*token" src/

Common Issues:

  • No integrity checks
  • Unsigned updates
  • Unverified dependencies

A09: Logging Failures

Checks:

# Check for sensitive data in logs
grep -r "log.*password\|log.*token\|log.*secret" src/

# Check for audit trail
grep -r "audit\|activity.*log" src/

Common Issues:

  • Sensitive data in logs
  • No audit trail for critical operations
  • Logs not protected
  • No log tampering detection

A10: SSRF (Server-Side Request Forgery)

Checks:

# Check for arbitrary URL fetching
grep -r "fetch(\|axios(\|request(\|http\\.get" src/

# Check for webhook URLs
grep -r "webhook.*url\|callback.*url" src/

Common Issues:

  • No URL validation
  • Fetching user-supplied URLs
  • No allowlist for external calls

Security Audit Checklist

Code Review

  • No hardcoded secrets
  • Input validation on all inputs
  • Output encoding for XSS prevention
  • Parameterized queries for SQL
  • Proper error handling
  • Authentication on protected routes
  • Authorization checks
  • Rate limiting on public APIs

Configuration

  • Debug mode off
  • [ ) HTTPS enforced
  • CORS configured correctly
  • Security headers set
  • Environment variables for secrets
  • Database not exposed

Dependencies

  • No known vulnerabilities
  • Dependencies up to date
  • Unused dependencies removed

Scripts

Run security audit:

python scripts/security_audit.py

Check for secrets:

python scripts/find_secrets.py

References

  • references/owasp.md - OWASP Top 10 details
  • references/checklist.md - Security audit checklist
  • references/remediation.md - Vulnerability remediation guide
Weekly Installs
33
Repository
charon-fan/agent-playbook
First Seen
Jan 22, 2026
Security Audits
Gen Agent Trust HubPass
SocketPass
SnykPass
Installed on
claude-code28
opencode26
codex24
gemini-cli23
antigravity23
cursor22