Security Auditor
Scan changed code and pre-deploy trees for OWASP Top 10 issues, exposed secrets, and insecure patterns before you ship.
Overview
Security Auditor is an agent skill most often used in Ship (also Build integrations, Ship review) that scans code for OWASP Top 10 and common insecure patterns with severitized findings and fix hints.
Install
npx skills add https://github.com/ovachiever/droid-tings --skill security-auditorWhat is this skill?
- Flags SQL injection, XSS, weak auth, authorization gaps, and insecure storage with CRITICAL/HIGH/MEDIUM/LOW severities
- Surfaces inline fixes and OWASP reference links (e.g. parameterized queries for SQLi)
- Activates on file changes, security-related requests, and deployment prep
- Designed to pair with secret-scanner, @code-reviewer sub-agent, and /review for deeper audits
- Allowed tools: Read, Grep, Bash for repository scanning
- 4 severity levels: CRITICAL, HIGH, MEDIUM, LOW
- 7+ vulnerability classes including SQLi, XSS, and exposed secrets
Adoption & trust: 771 installs on skills.sh; 44 GitHub stars; 2/3 security scanners passed (skills.sh audits).
What problem does it solve?
You are changing code or preparing a deploy without a consistent way to catch SQLi, XSS, leaked secrets, and auth bugs before they reach users.
Who is it for?
Indie builders who want automatic security signal on save or before deploy without running a separate SAST pipeline first.
Skip if: Teams that already enforce mandatory CI SAST with signed attestations and do not want agent-side Bash/Grep scanning on the repo.
When should I use this skill?
Reviewing code, before deployments, on file changes, or when security is mentioned.
What do I get? / Deliverables
You get prioritized vulnerability alerts with suggested fixes and OWASP pointers so you can patch or escalate to a full /review pass before shipping.
- Prioritized vulnerability report with line references
- Suggested fixes and OWASP documentation links
Recommended Skills
Journey fit
Spans multiple journey phases - primary shelf plus alternate fits below.
Canonical shelf is Ship because the skill explicitly targets review-before-deployment and security gates, even though it also runs on everyday file edits during Build. Security is the primary facet—SQLi, XSS, auth, and misconfig findings map to hardening and release readiness, not generic code review alone.
Where it fits
Get a CRITICAL SQLi alert with a parameterized-query fix right after editing a user lookup route.
Run a deployment-prep scan to catch XSS and auth issues before promoting to production.
Combine with /review and @code-reviewer for a deeper audit after the skill surfaces HIGH findings.
How it compares
Use as a lightweight in-session checker rather than replacing a formal penetration test or compliance audit.
Common Questions / FAQ
Who is security-auditor for?
Solo and small-team developers using AI coding agents who need OWASP-oriented vulnerability detection during edits and pre-release checks.
When should I use security-auditor?
During Build when security-sensitive files change, in Ship before deployments, when you mention security in chat, or when pairing with /review for a broader pass.
Is security-auditor safe to install?
It requests Read, Grep, and Bash—review the Security Audits panel on this Prism page and your org policy before granting shell access to automated scans.
SKILL.md
READMESKILL.md - Security Auditor
# Security Auditor Skill > Automatic OWASP Top 10 and security vulnerability detection ## Quick Example ```javascript // You write: const query = `SELECT * FROM users WHERE id = ${userId}`; // Skill immediately alerts: 🚨 CRITICAL: SQL injection vulnerability (line 1) 🔧 Fix: const query = 'SELECT * FROM users WHERE id = ?'; 📖 https://owasp.org/www-community/attacks/SQL_Injection ``` ## What It Detects - 🚨 SQL Injection - 🚨 XSS (Cross-Site Scripting) - 🚨 Exposed Secrets & API Keys - 🚨 Weak Authentication - 🚨 Authorization Issues - ⚠️ Security Misconfigurations - ⚠️ Insecure Data Storage ## Severity Levels - 🚨 **CRITICAL**: Exploitable vulnerabilities - ⚠️ **HIGH**: Security weaknesses - 📋 **MEDIUM**: Potential issues - 💡 **LOW**: Best practices ## Integration - **secret-scanner skill**: Detects exposed credentials - **@code-reviewer sub-agent**: Deep security audit - **/review command**: Comprehensive security review See [SKILL.md](SKILL.md) for full documentation. --- name: security-auditor description: Continuous security vulnerability scanning for OWASP Top 10, common vulnerabilities, and insecure patterns. Use when reviewing code, before deployments, or on file changes. Scans for SQL injection, XSS, secrets exposure, auth issues. Triggers on file changes, security mentions, deployment prep. allowed-tools: Read, Grep, Bash --- # Security Auditor Skill Automatic security vulnerability detection. ## When I Activate - ✅ Code files modified (especially auth, API, database) - ✅ User mentions security or vulnerabilities - ✅ Before deployments or commits - ✅ Dependency changes - ✅ Configuration file changes ## What I Scan For ### OWASP Top 10 Patterns **1. SQL Injection** ```javascript // CRITICAL: SQL injection const query = `SELECT * FROM users WHERE id = ${userId}`; // SECURE: Parameterized query const query = 'SELECT * FROM users WHERE id = ?'; db.query(query, [userId]); ``` **2. XSS (Cross-Site Scripting)** ```javascript // CRITICAL: XSS vulnerability element.innerHTML = userInput; // SECURE: Use textContent or sanitize element.textContent = userInput; // or element.innerHTML = DOMPurify.sanitize(userInput); ``` **3. Authentication Issues** ```javascript // CRITICAL: Weak JWT secret const token = jwt.sign(payload, 'secret123'); // SECURE: Strong secret from environment const token = jwt.sign(payload, process.env.JWT_SECRET); ``` **4. Sensitive Data Exposure** ```python # CRITICAL: Exposed password password = "admin123" # SECURE: Environment variable password = os.getenv("DB_PASSWORD") ``` **5. Broken Access Control** ```javascript // CRITICAL: No authorization check app.delete('/api/users/:id', (req, res) => { User.delete(req.params.id); }); // SECURE: Authorization check app.delete('/api/users/:id', auth, checkOwnership, (req, res) => { User.delete(req.params.id); }); ``` ### Additional Security Checks - **Insecure Deserialization** - **Security Misconfiguration** - **Insufficient Logging** - **CSRF Protection Missing** - **CORS Misconfiguration** ## Alert Format ``` 🚨 CRITICAL: [Vulnerability type] 📍 Location: file.js:42 🔧 Fix: [Specific remediation] 📖 Reference: [OWASP/CWE link] ``` ### Severity Levels - 🚨 **CRITICAL**: Must fix immediately (exploitable vulnerabilities) - ⚠️ **HIGH**: Should fix soon (security weaknesses) - 📋 **MEDIUM**: Consider fixing (potential issues) - 💡 **LOW**: Best practice improvements ## Real-World Examples ### SQL Injection Detection ```javascript // You write: app.get('/users', (req, res) => { const sql = `SELECT * FROM users WHERE name = '${req.query.name}'`; db.query(sql, (err, results) => res.json(results)); }); // I alert: 🚨 CRITICAL: SQL injection vulnerability (line 2) 📍 File: routes/users.js, Line 2 🔧 Fix: Use parameterized queries const sql = 'SELECT * FROM users WHERE name = ?'; db.query(sql, [req.query.name], ...); 📖 https://owasp.org/www-community/attacks/SQL_Injection ``` ### Password Storage ```python # You wr