Security Audit
Run a structured security scan and CVE remediation pipeline on your Node project before shipping auth, payments, or user-data features.
Overview
security-audit is an agent skill most often used in Ship (also Build backend work) that runs claude-flow security scans for CVEs, injection, XSS, secrets, and validation gaps.
Install
npx skills add https://github.com/ruvnet/ruflo --skill security-auditWhat is this skill?
- Full scan pipeline: input validation, path traversal, SQL injection, XSS, secrets, and dependency CVE checks
- CVE workflow: high-severity scan, npm audit fix, and re-scan via @claude-flow/cli security cve
- Separate remediation script focused on auto-fixing known CVEs after initial scan
- Secure-coding pattern enforcement framed for implementation work—not passive lint-only
- Shell-driven orchestration with npx @claude-flow/cli security scan, validate, and cve subcommands
- Full scan pipeline covers six named check areas plus a dependency CVE scan
- CVE remediation script runs high-severity CVE scan, npm audit fix, then a full re-scan
Adoption & trust: 772 installs on skills.sh; 58.5k GitHub stars; 2/3 security scanners passed (skills.sh audits).
What problem does it solve?
You are adding auth, payments, or APIs and lack a repeatable agent-driven checklist for common exploit classes and dependency CVEs.
Who is it for?
Indie Node/SaaS builders using ruflo or claude-flow who want bash-scriptable security gates before shipping sensitive features.
Skip if: Production runtime threat monitoring, compliance attestations, or non-Node stacks with no npm audit path—use infra-specific tooling instead.
When should I use this skill?
Authentication implementation, authorization logic, payment processing, user data handling, API endpoint creation, file upload handling, or database query work where comprehensive security scanning is needed.
What do I get? / Deliverables
After the scripted scan and optional npm audit fix, you get a completed security pass across named check types plus a post-remediation CVE re-scan to inform merge or deploy decisions.
- Console output from multi-check security scan pipeline
- Post-remediation CVE scan summary after npm audit fix when using the remediation script
Recommended Skills
Journey fit
Spans multiple journey phases - primary shelf plus alternate fits below.
Canonical shelf is Ship/security because the skill encodes pre-release vulnerability and secure-coding checks invoked from bash scripts and claude-flow CLI. Security subphase matches explicit triggers for authentication, authorization, payments, uploads, and API surface hardening.
Where it fits
After adding a file-upload API, run the full scan script to catch path traversal and validation gaps before opening a PR.
Gate a payment feature release with CVE scan, npm audit fix, and re-scan documented in the remediation script.
Supplement human code review with automated XSS and SQL injection checks on changed endpoints.
How it compares
Checker workflow around @claude-flow/cli security subcommands, not a standalone SAST SaaS or MCP secrets broker.
Common Questions / FAQ
Who is security-audit for?
Solo builders and small teams shipping web apps or CLIs who already use npm and want the agent to orchestrate claude-flow security scans before risky merges.
When should I use security-audit?
Use it in Ship/security before release when implementing authentication, authorization, payments, user data, uploads, or new APIs; also during Build/backend integrations when hardening queries and endpoints.
Is security-audit safe to install?
It runs shell and network commands including npm audit fix, which can change dependencies; review the Security Audits panel on this Prism page and run scans in a branch before auto-remediation.
SKILL.md
READMESKILL.md - Security Audit
#!/bin/bash # Security Audit - CVE Remediation Script # Auto-remediate known CVEs set -e echo "Scanning for CVEs..." npx @claude-flow/cli security cve --scan --severity high echo "Attempting auto-remediation..." npm audit fix echo "Re-scanning after remediation..." npx @claude-flow/cli security cve --scan echo "CVE remediation complete" #!/bin/bash # Security Audit - Full Scan Script # Run comprehensive security scan pipeline set -e echo "Running full security scan..." # Input validation echo "Checking input validation..." npx @claude-flow/cli security scan --check input-validation # Path traversal echo "Checking path traversal..." npx @claude-flow/cli security scan --check path-traversal # SQL injection echo "Checking SQL injection..." npx @claude-flow/cli security scan --check sql-injection # XSS echo "Checking XSS..." npx @claude-flow/cli security scan --check xss # Secrets echo "Checking for hardcoded secrets..." npx @claude-flow/cli security validate --check secrets # CVE scan echo "Scanning dependencies for CVEs..." npx @claude-flow/cli security cve --scan echo "Security scan complete" --- name: security-audit description: > Comprehensive security scanning and vulnerability detection. Includes input validation, path traversal prevention, CVE detection, and secure coding pattern enforcement. Use when: authentication implementation, authorization logic, payment processing, user data handling, API endpoint creation, file upload handling, database queries, external API integration. Skip when: read-only operations on public data, internal development tooling, static documentation, styling changes. --- # Security Audit Skill ## Purpose Comprehensive security scanning and vulnerability detection. Includes input validation, path traversal prevention, CVE detection, and secure coding pattern enforcement. ## When to Trigger - authentication implementation - authorization logic - payment processing - user data handling - API endpoint creation - file upload handling - database queries - external API integration ## When to Skip - read-only operations on public data - internal development tooling - static documentation - styling changes ## Commands ### Full Security Scan Run comprehensive security analysis on the codebase ```bash npx @claude-flow/cli security scan --depth full ``` **Example:** ```bash npx @claude-flow/cli security scan --depth full --output security-report.json ``` ### Input Validation Check Check for input validation issues ```bash npx @claude-flow/cli security scan --check input-validation ``` **Example:** ```bash npx @claude-flow/cli security scan --check input-validation --path ./src/api ``` ### Path Traversal Check Check for path traversal vulnerabilities ```bash npx @claude-flow/cli security scan --check path-traversal ``` ### SQL Injection Check Check for SQL injection vulnerabilities ```bash npx @claude-flow/cli security scan --check sql-injection ``` ### XSS Check Check for cross-site scripting vulnerabilities ```bash npx @claude-flow/cli security scan --check xss ``` ### CVE Scan Scan dependencies for known CVEs ```bash npx @claude-flow/cli security cve --scan ``` **Example:** ```bash npx @claude-flow/cli security cve --scan --severity high ``` ### Security Audit Report Generate full security audit report ```bash npx @claude-flow/cli security audit --report ``` **Example:** ```bash npx @claude-flow/cli security audit --report --format markdown --output SECURITY.md ``` ### Threat Modeling Run threat modeling analysis ```bash npx @claude-flow/cli security threats --analyze ``` ### Validate Secrets Check for hardcoded secrets ```bash npx @claude-flow/cli security validate --check secrets ``` ## Scripts | Script | Path | Description | |--------|------|-------------| | `security-scan` | `.agents/scripts/security-scan.sh` | Run full security scan pipeline | | `cve-remediate` | `.agents/scripts/cve-remediate.sh` | Auto-remediate known CVEs | ## References | D