Skills

auth-audit

Installation
SKILL.md

Auth Audit Skill

Overview

Comprehensive audit of authentication and authorization implementations.

Audit Categories

Category Checks
JWT Signing algo, expiration, refresh, storage
Sessions Storage, expiry, regeneration, fixation
OAuth2 PKCE, state param, redirect validation
Passwords Hashing algo, strength rules, reset flow
MFA Implementation, backup codes, recovery

Workflow

  1. Detect auth implementation (JWT, sessions, OAuth)
  2. Scan for known anti-patterns
  3. Verify cryptographic choices
  4. Check token/session lifecycle
  5. Audit authorization logic (RBAC, ABAC)

Common Vulnerabilities

  • JWT signed with none algorithm
  • JWT secret too short (< 256 bits)
  • No token expiration or too long
  • Refresh tokens stored in localStorage
  • Session fixation after login
  • Missing CSRF protection
  • OAuth without PKCE for public clients
  • Missing state parameter in OAuth flow

References

Related skills

More from fusengine/agents

Installs
25
Repository
fusengine/agents
GitHub Stars
11
First Seen
Feb 28, 2026