
Security Auditor
Walk your app or API against OWASP Top 10 2021 with copy-paste detection patterns and remediation steps before you ship or hand off a security review.
Overview
Security-auditor is an agent skill most often used in Ship (also Build backend work) that guides OWASP Top 10 2021 detection and remediation while you review APIs and access control.
Install
npx skills add https://github.com/erichowens/some_claude_skills --skill security-auditor
What is this skill?
- OWASP Top 10 2021 reference with per-category detection patterns and remediation
- Concrete BAD/GOOD code samples for access control, IDOR, JWT, and CORS issues
- Remediation themes: deny-by-default authorization, server-side checks, and failure logging
- Usable while implementing backend routes and again before deploy as a checklist pass
- OWASP Top 10 2021 categories with per-category detection and remediation sections
Adoption & trust: 1 install on skills.sh; 116 GitHub stars; 3/3 security scanners passed (skills.sh audits); trending (+100% hot-view momentum).
What problem does it solve?
You are shipping a solo-built API or app but lack a repeatable way to spot broken access control and related OWASP issues in your own code.
Who is it for?
Solo builders implementing auth-heavy SaaS or REST APIs who want an OWASP-aligned manual review playbook inside their agent session.
Skip if: Teams needing certified penetration tests, automated SAST/DAST pipelines only, or mobile-native threat models with no web/API surface.
When should I use this skill?
You need OWASP-aligned access-control and API security patterns while reviewing or implementing backend code.
What do I get? / Deliverables
You get category-by-category patterns to find likely vulnerabilities and concrete remediation steps to harden authorization before release.
- Prioritized list of likely OWASP-category issues mapped to your routes
- Remediation actions aligned to deny-by-default and server-side authorization
Journey fit
Spans multiple journey phases - primary shelf plus alternate fits below.
Security hardening and vulnerability review belong on the Ship shelf because solo builders run this before production release and during launch prep. The skill is a structured security reference and audit aid, which maps directly to the security subphase rather than generic testing or code review.
Where it fits
Compare new user and document routes against IDOR and missing-middleware patterns before merging.
Run an OWASP Top 10 pass on staging endpoints the week before going live.
Re-check access control after a reported permission bug in production.
How it compares
Use as a structured OWASP checklist during agent-assisted code review, not as a substitute for dedicated security scanning tools or MCP vulnerability servers.
Common Questions / FAQ
Who is security-auditor for?
Indie and solo developers shipping web backends or agents who want OWASP Top 10 guidance while coding or reviewing with Claude Code, Cursor, or Codex.
When should I use security-auditor?
During Build when adding authenticated endpoints, during Ship security prep before production, and when debugging suspected IDOR or JWT bypass issues after a staging deploy.
Is security-auditor safe to install?
It is reference documentation for review workflows; check the Security Audits panel on this Prism page for install risk and repo signals before adding it to your agent.
SKILL.md - Security Auditor
# OWASP Top 10 2021 Reference Guide

This reference provides detailed guidance for each OWASP Top 10 category with detection patterns and remediation strategies.

## A01:2021 - Broken Access Control

### What It Is

Failures in enforcing access control policies that allow users to act outside their intended permissions.

### Common Vulnerabilities

- Missing authorization checks on API endpoints
- IDOR (Insecure Direct Object References)
- Elevation of privilege through parameter tampering
- JWT manipulation bypassing access controls
- CORS misconfigurations

### Detection Patterns

**Missing Auth Middleware:**

```javascript
// BAD: No auth check
app.get('/api/users/:id', (req, res) => {
  const user = db.getUser(req.params.id);
  res.json(user);
});

// GOOD: Auth middleware applied
app.get('/api/users/:id', authMiddleware, checkOwnership, (req, res) => {
  const user = db.getUser(req.params.id);
  res.json(user);
});
```

**IDOR Vulnerability:**

```python
# BAD: No ownership check
@app.route('/documents/<doc_id>')
def get_document(doc_id):
    return Document.query.get(doc_id)

# GOOD: Ownership verification
@app.route('/documents/<doc_id>')
@login_required
def get_document(doc_id):
    # get_or_404 avoids an AttributeError (HTTP 500) when the id does not exist
    doc = Document.query.get_or_404(doc_id)
    if doc.owner_id != current_user.id:
        abort(403)
    return doc
```

### Remediation

1. Deny by default - require explicit authorization
2. Implement server-side access control
3. Log access control failures and alert on suspicious patterns
4. Rate limit APIs to prevent enumeration
5. Use indirect references (UUIDs vs sequential IDs)

---

## A02:2021 - Cryptographic Failures

### What It Is

Failures related to cryptography that expose sensitive data.

### Common Vulnerabilities

- Weak or deprecated algorithms (MD5, SHA1 for passwords)
- Insufficient key length
- Improper key management
- Transmitting data in clear text
- Not enforcing encryption

### Detection Patterns

**Weak Hash Algorithms:**

```javascript
// BAD: MD5 for passwords
const hash = crypto.createHash('md5').update(password).digest('hex');

// GOOD: bcrypt with proper rounds
const hash = await bcrypt.hash(password, 12);
```

**Insecure Randomness:**

```python
# BAD: Predictable random
import random
token = str(random.randint(100000, 999999))

# GOOD: Cryptographically secure
import secrets
token = secrets.token_urlsafe(32)
```

### Remediation

1. Use bcrypt/argon2 for passwords (work factor ≥10)
2. Use SHA-256+ for integrity
3. Use TLS 1.3 for data in transit
4. Use secrets/crypto.randomBytes for security-sensitive random values
5. Rotate keys regularly

---

## A03:2021 - Injection

### What It Is

User-supplied data sent to an interpreter as part of a command or query.

### Common Vulnerabilities

- SQL injection
- Command injection
- LDAP injection
- XSS (Cross-Site Scripting)
- Template injection

### Detection Patterns

**SQL Injection:**

```python
# BAD: String concatenation
query = f"SELECT * FROM users WHERE name = '{name}'"

# GOOD: Parameterized query
cursor.execute("SELECT * FROM users WHERE name = %s", (name,))
```

**Command Injection:**

```javascript
// BAD: User input in exec
exec(`convert ${userInput} output.pdf`);

// GOOD: Use execFile with array
execFile('convert', [sanitizedInput, 'output.pdf']);
```

**XSS:**

```javascript
// BAD: innerHTML with user content
element.innerHTML = userContent;

// GOOD: textContent for text, sanitize for HTML
element.textContent = userContent;
// OR
element.innerHTML = DOMPurify.sanitize(userContent);
```

### Remediation

1. Use parameterized queries/prepared statements
2. Validate and sanitize all input
3. Use allowlists for command arguments
4. Escape output based on context
5. Use CSP headers

---

## A04:2021 - Insecure Design

### What It Is

Missing or ineffective security controls at the design level.

### Common Vulnerabilities

- Missing rate limiting
- No account lockout
- Credential recovery flaws
- Missing fraud detection
- Trust boundary violations

### Detection Patterns

**Missing Rate Lim
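
The A01 remediation list earlier in this guide (deny by default, server-side checks, logging access control failures and alerting on suspicious patterns) can be shown without a framework. This is an added example, not code from the skill: the route strings, the `policies` table, the `authorize` and `enumerationSuspects` functions and the sample users and documents are all constructed for illustration.

```javascript
'use strict';
// Added example: route names, users and documents below are constructed.

const documents = new Map([
  ['doc-1', { ownerId: 'alice' }],
  ['doc-2', { ownerId: 'bob' }],
]);

// Every route needs an explicit policy entry; anything missing is denied.
const policies = {
  'GET /health': { public: true },
  'GET /documents/:id': {
    // Ownership is decided server-side from stored data, never from the request.
    check: (user, params) => {
      const doc = documents.get(params.id);
      return doc !== undefined && doc.ownerId === user.id;
    },
  },
};

const accessFailures = []; // stand-in for an audit log sink

function authorize(route, user, params = {}) {
  // hasOwnProperty keeps inherited keys such as "constructor" from matching.
  const policy = Object.prototype.hasOwnProperty.call(policies, route)
    ? policies[route] : undefined;
  let reason = null;
  if (!policy) reason = 'no_policy';
  else if (policy.public) reason = null;
  else if (!user) reason = 'unauthenticated';
  else if (!policy.check(user, params)) reason = 'forbidden';
  if (reason === null) return { allowed: true, status: 200 };
  accessFailures.push({ route, userId: user ? user.id : null, objectId: params.id, reason });
  return { allowed: false, status: reason === 'unauthenticated' ? 401 : 403, reason };
}

// Users refused on `threshold` or more distinct object ids: the ID-enumeration
// pattern that the failure log should raise an alert on.
function enumerationSuspects(threshold) {
  const denied = new Map();
  for (const f of accessFailures) {
    if (f.reason !== 'forbidden') continue;
    if (!denied.has(f.userId)) denied.set(f.userId, new Set());
    denied.get(f.userId).add(f.objectId);
  }
  return [...denied].filter(([, ids]) => ids.size >= threshold).map(([id]) => id);
}
```

A route that nobody remembered to register returns 403 instead of falling through to a handler, which is the difference between deny-by-default and the "Missing Auth Middleware" pattern shown under A01.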