Security Auditor
Run an OWASP Top 10–oriented security review on your codebase with grep/bash checks and structured vulnerability guidance before or after you ship.
Overview
Security Auditor is an agent skill most often used in Ship (also Operate errors, Build backend) that conducts OWASP Top 10–style vulnerability reviews on your application code.
Install
npx skills add https://github.com/charon-fan/agent-playbook --skill security-auditorWhat is this skill?
- OWASP Top 10 coverage starting with broken access control and cryptographic failures
- Concrete grep/bash recipes for auth decorators, IDOR params, hardcoded secrets, and weak hashing
- Activates on security audit, vulnerability, or OWASP-related requests
- Allowed tooling: Read, Grep, Glob, Bash, WebSearch for evidence-backed findings
- Hooks to self-improving-agent (background) and session-logger after audit completion
- OWASP Top 10 thematic coverage with structured A01/A02 check sections in SKILL.md
Adoption & trust: 874 installs on skills.sh; 58 GitHub stars; 2/3 security scanners passed (skills.sh audits).
What problem does it solve?
You are shipping a SaaS or API and do not know if routes leak data, secrets sit in source, or access control is inconsistently enforced.
Who is it for?
Solo builders with a git-backed app who want an agent-guided OWASP pass without hiring a full pentest for every milestone.
Skip if: Pre-install vetting of ClawHub skills (use skill-vetter) or pure infrastructure/terraform policy audits with no application code.
When should I use this skill?
User requests a security audit, mentions security or vulnerability, needs security review, or asks about OWASP.
What do I get? / Deliverables
You receive categorized security findings tied to OWASP themes and grep-backed evidence so you can fix issues before or after release.
- OWASP-themed finding list with evidence references
- Suggested grep commands and fix patterns per category
- Audit session suitable for logging via bundled hooks
Recommended Skills
Journey fit
Spans multiple journey phases - primary shelf plus alternate fits below.
Security audits are canonically filed under Ship → security as the hard gate before users touch production, even though reviews also help during ongoing operation. Security subphase matches vulnerability hunting, access-control checks, crypto failures, and OWASP-themed remediation—not marketplace skill vetting.
Where it fits
You run a pre-launch OWASP pass on auth routes and payment webhooks before turning on production traffic.
New admin endpoints land; you grep for missing guards and IDOR on req.params.id patterns.
A suspected data leak prompts a focused cryptographic-failures and secrets sweep in hotfix branch.
How it compares
In-repo OWASP-oriented code review—not a multi-scanner gate for third-party agent skill packages.
Common Questions / FAQ
Who is security-auditor for?
Indie developers and tiny teams shipping web APIs or SaaS who need structured vulnerability review language and repeatable grep checks in their own repo.
When should I use security-auditor?
During Ship security before launch, during Build backend when adding auth routes, or in Operate when investigating suspected vulnerabilities or OWASP gaps.
Is security-auditor safe to install?
It requests Read, Grep, Glob, Bash, and WebSearch; review the Security Audits panel on this Prism page and scope Bash usage to your repository audit.
SKILL.md
READMESKILL.md - Security Auditor
# Security Auditor Expert in identifying security vulnerabilities following OWASP Top 10 and security best practices. ## When This Skill Activates Activates when you: - Request a security audit - Mention "security" or "vulnerability" - Need security review - Ask about OWASP ## OWASP Top 10 Coverage ### A01: Broken Access Control **Checks:** ```bash # Check for missing auth on protected routes grep -r "@RequireAuth\|@Protected" src/ # Check for IDOR vulnerabilities grep -r "req.params.id\|req.query.id" src/ # Check for role-based access grep -r "if.*role.*===" src/ ``` **Common Issues:** - Missing authentication on sensitive endpoints - IDOR: Users can access other users' data - Missing authorization checks - API keys in URL ### A02: Cryptographic Failures **Checks:** ```bash # Check for hardcoded secrets grep -ri "password.*=.*['\"]" src/ grep -ri "api_key.*=.*['\"]" src/ grep -ri "secret.*=.*['\"]" src/ # Check for weak hashing grep -r "md5\|sha1" src/ # Check for http URLs grep -r "http:\/\/" src/ ``` **Common Issues:** - Hardcoded credentials - Weak hashing algorithms (MD5, SHA1) - Unencrypted sensitive data - HTTP instead of HTTPS ### A03: Injection **Checks:** ```bash # SQL injection patterns grep -r "\".*SELECT.*+.*\"" src/ grep -r "\".*UPDATE.*SET.*+.*\"" src/ # Command injection grep -r "exec(\|system(\|spawn(" src/ grep -r "child_process.exec" src/ # Template injection grep -r "render.*req\." src/ ``` **Common Issues:** - SQL injection - NoSQL injection - Command injection - XSS (Cross-Site Scripting) - Template injection ### A04: Insecure Design **Checks:** ```bash # Check for rate limiting grep -r "rateLimit\|rate-limit\|throttle" src/ # Check for 2FA grep -r "twoFactor\|2fa\|mfa" src/ # Check for session timeout grep -r "maxAge\|expires\|timeout" src/ ``` **Common Issues:** - No rate limiting on auth endpoints - Missing 2FA for sensitive operations - Session timeout too long - No account lockout after failed attempts ### A05: Security Misconfiguration **Checks:** ```bash # Check for debug mode grep -r "DEBUG.*=.*True\|debug.*=.*true" src/ # Check for CORS configuration grep -r "origin.*\*" src/ # Check for error messages grep -r "console\.log.*error\|console\.error" src/ ``` **Common Issues:** - Debug mode enabled in production - Overly permissive CORS - Verbose error messages - Default credentials not changed ### A06: Vulnerable Components **Checks:** ```bash # Check package files cat package.json | grep -E "\"dependencies\"|\"devDependencies\"" cat requirements.txt cat go.mod # Run vulnerability scanner npm audit pip-audit ``` **Common Issues:** - Outdated dependencies - Known vulnerabilities in dependencies - Unused dependencies - Unmaintained packages ### A07: Authentication Failures **Checks:** ```bash # Check password hashing grep -r "bcrypt\|argon2\|scrypt" src/ # Check password requirements grep -r "password.*length\|password.*complex" src/ # Check for password in URL grep -r "password.*req\." src/ ``` **Common Issues:** - Weak password hashing - No password complexity requirements - Password in URL - Session fixation ### A08: Software/Data Integrity **Checks:** ```bash # Check for subresource integrity grep -r "integrity\|crossorigin" src/ # Check for signature verification grep -r "verify.*signature\|validate.*token" src/ ``` **Common Issues:** - No integrity checks - Unsigned updates - Unverified dependencies ### A09: Logging Failures **Checks:** ```bash # Check for sensitive data in