auditing-security
Security Audit
Use this skill when the user asks to audit security, check for vulnerabilities, review code for security issues, or harden an application.
Steps
-
Scan for hardcoded secrets — search for API keys, tokens, passwords, and connection strings in source files. Check for patterns like:
password=,secret=,token=,api_key=- Base64-encoded credentials
- AWS keys (
AKIA...), Stripe keys (sk_live_...), GitHub tokens (ghp_...) - Files:
.envcommitted to git,config.jsonwith credentials
-
Check authentication & authorization
- Verify all API routes check authentication before processing.
- Ensure role-based access control is enforced server-side, not just in the UI.
- Check that password hashing uses bcrypt/argon2 (not MD5/SHA1).
- Verify session tokens are HTTP-only, secure, and have reasonable expiry.
-
Check for injection vulnerabilities
- SQL injection: look for string concatenation in SQL queries instead of parameterized queries.
- XSS: look for
dangerouslySetInnerHTML,innerHTML, or unescaped user input rendered in templates. - Command injection: look for
exec(),eval(),child_process.exec()with user input. - Path traversal: check file operations for unsanitized user input in paths.
-
Review dependency security
- Run
npm auditorpip auditto check for known vulnerabilities. - Flag outdated dependencies with known CVEs.
- Check for overly permissive dependency ranges.
- Run
-
Check CORS and CSP configuration
- Verify CORS doesn't use
Access-Control-Allow-Origin: *in production. - Check for Content Security Policy headers.
- Verify
X-Frame-Options,X-Content-Type-Options, andStrict-Transport-Securityheaders.
- Verify CORS doesn't use
-
Review data exposure
- Check API responses for leaking sensitive fields (password hashes, internal IDs, PII).
- Verify error messages don't expose stack traces or internal details in production.
- Check logging for sensitive data being written to logs.
-
Generate report — produce a summary with severity ratings (Critical / High / Medium / Low) for each finding, with the file path, line number, and recommended fix.
Notes
- This is a code review, not a penetration test. Recommend tools like
npm audit,trivy, orsnykfor automated scanning. - Always check
.gitignoreto ensure.env, credentials, and key files are excluded. - For comprehensive auditing, recommend the OWASP Testing Guide.
More from spencerpauly/awesome-cursor-skills
reviewing-code
Perform a thorough code review focused on correctness, maintainability, performance, and best practices.
32saving-workspace-context
Automatically persist useful context — research, decisions, learnings, templates — to workspace files so knowledge survives across conversations.
31suggesting-cursor-rules
When the user repeats the same correction or convention multiple times, suggest a Cursor rule to encode it permanently.
31suggesting-cursor-hooks
When the user keeps asking for the same check to run (lint, tests, type-check), suggest a Cursor hook to automate it.
29database-design
Design database schemas — tables, relationships, indexes, constraints, and ORM setup. Covers relational design, normalization, and common patterns.
28monitoring-terminal-errors
Watch running terminal processes for crashes and stack traces. When an error appears, navigate to the failing file and line, diagnose, and fix it automatically.
28