{"id":"ea66b95d-bad3-4a53-afc2-b01ffcef7c4a","shortId":"4KrRpe","kind":"skill","title":"security-audit","tagline":"Use when conducting security assessments — OWASP Top 10 / API / LLM, CWE Top 25, CVSS scoring — auditing PHP/TYPO3 (v14.3 LTS: #109585, HashService removal, Authorize/RateLimit), APIs, frontend, Terraform/K8s/Docker IaC, AWS/Azure/GCP cloud, AI agent configs, or scanning dependen","description":"# Security Audit Skill\n\nSecurity audit patterns (OWASP Top 10, LLM Top 10 2025, CWE Top 25 2025, CVSS v4.0), cloud/IaC checks, GitHub security. 80+ PHP/TYPO3 checkpoints (v14.3 LTS in `typo3-security.md`).\n\n## Expertise Areas\n\n- **Vulnerabilities**: XXE, SQLi, XSS, CSRF, command injection, path traversal, file upload, deserialization, SSRF, SSTI, JWT, type juggling\n- **Standards**: OWASP Top 10 / API / LLM (2025), CWE Top 25, CVSS v3.1/v4.0, OWASP ASVS\n- **Cloud & IaC**: AWS, Azure, GCP; Terraform, Kubernetes, Docker, Helm\n- **API & Frontend**: REST/GraphQL authZ, rate limits, mass assignment, CSP, DOM-XSS\n- **AI Agents**: SKILL.md/AGENTS.md/CLAUDE.md/mcp.json/hooks.json audit; prompt injection; excessive agency\n\n## Reference Files (in `references/`, `.md` implied)\n\n- **Core**: owasp-top10, cwe-top25, xxe-prevention, cvss-scoring, api-key-encryption\n- **Prevention**: deserialization-prevention, path-traversal-prevention, file-upload-security, input-validation, error-message-sanitization\n- **Architecture**: authentication-patterns, security-headers, security-logging, cryptography-guide\n- **Language features** (`*-security-features`): php, python, javascript-typescript, nodejs, java, csharp, go, rust, ruby\n- **Frameworks** (`*-security`): typo3, typo3-fluid, typo3-typoscript, symfony, laravel, django, flask, fastapi, spring, dotnet, blazor, rails, gin, react, vue, angular, nextjs, nuxt, express, nestjs\n- **Mobile**: android-sdk-security, ios-sdk-security\n- **Cloud & IaC**: aws-security, azure-security, gcp-security, iac-security\n- **API & Frontend**: api-security, frontend-security\n- **AI Agent**: llm-security (OWASP LLM Top 10 2025)\n- **Shared**: framework-security\n- **Threats**: modern-attacks, cve-patterns, cve-database\n- **DevSecOps**: ci-security-pipeline, supply-chain-security, automated-scanning, gha-security\n- **Incident**: supply-chain-incident-response\n\n## Quick Patterns\n\n**XML parsing (prevent XXE):**\n```php\n$doc->loadXML($input, LIBXML_NONET);\n```\n\n**SQL (prevent injection):**\n```php\n$stmt = $pdo->prepare('SELECT * FROM users WHERE id = ?');\n$stmt->execute([$id]);\n```\n\n**Output (prevent XSS):**\n```php\necho htmlspecialchars($input, ENT_QUOTES | ENT_HTML5, 'UTF-8');\n```\n\n**API keys, passwords, randomness:**\n```php\n$n = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);\n$enc = 'enc:' . base64_encode($n . sodium_crypto_secretbox($apiKey, $n, $key));\npassword_hash($pw, PASSWORD_ARGON2ID);\nbin2hex(random_bytes(32));   // never mt_rand/rand\n```\n\nAutomated scanners: `references/automated-scanning.md`.\n\n## Security Checklist\n\n- [ ] `semgrep`/`opengrep`, `trivy fs --severity HIGH,CRITICAL`, `gitleaks` clean\n- [ ] bcrypt/Argon2 passwords, CSRF on state changes, TLS 1.2+\n- [ ] Server-side input validation; parameterized SQL; XML entities off\n- [ ] Output encoding + CSP; no unserialize() on user input\n- [ ] API keys encrypted; exception messages sanitized\n- [ ] Secrets out of VCS; audit logging on\n- [ ] Uploads validated, renamed, outside web root\n- [ ] Headers HSTS + X-Content-Type-Options; dependencies scanned\n\n## GitHub Actions Security\n\n- **NEVER** interpolate `${{ inputs.* }}` / `${{ github.event.* }}` in `run:` — use `env:`\n- Dependency triage: upgrade > override > dismiss. Full patterns: `references/gha-security.md`.\n\n## Verification\n\n```bash\n./scripts/security-audit-dispatcher.sh /path/to/project  # auto-detect stack\n./scripts/security-audit.sh /path/to/project             # PHP-only\n./scripts/github-security-audit.sh owner/repo            # GH repo\n```\n\nDispatcher detects the stack from indicator files and runs matching `scripts/scanners/*.sh` (17 ecosystems; see `references/` index).\n\n---\n\n> Contributing: https://github.com/netresearch/security-audit-skill","tags":["security","audit","skill","netresearch","agent-skills","ai-agent","open-standard"],"capabilities":["skill","source-netresearch","skill-security-audit","topic-agent-skills","topic-ai-agent","topic-open-standard"],"categories":["security-audit-skill"],"synonyms":[],"warnings":[],"endpointUrl":"https://skills.sh/netresearch/security-audit-skill/security-audit","protocol":"skill","transport":"skills-sh","auth":{"type":"none","details":{"cli":"npx skills add netresearch/security-audit-skill","source_repo":"https://github.com/netresearch/security-audit-skill","install_from":"skills.sh"}},"qualityScore":"0.456","qualityRationale":"deterministic score 0.46 from registry signals: · indexed on github topic:agent-skills · 12 github stars · SKILL.md body (3,730 chars)","verified":false,"liveness":"unknown","lastLivenessCheck":null,"agentReviews":{"count":0,"score_avg":null,"cost_usd_avg":null,"success_rate":null,"latency_p50_ms":null,"narrative_summary":null,"summary_updated_at":null},"enrichmentModel":"deterministic:skill-github:v1","enrichmentVersion":1,"enrichedAt":"2026-04-22T07:01:25.222Z","embedding":null,"createdAt":"2026-04-19T00:41:22.586Z","updatedAt":"2026-04-22T07:01:25.222Z","lastSeenAt":"2026-04-22T07:01:25.222Z","tsv":"'-8':345 '/agents.md/claude.md/mcp.json/hooks.json':127 '/netresearch/security-audit-skill':505 '/path/to/project':471,477 '/scripts/github-security-audit.sh':481 '/scripts/security-audit-dispatcher.sh':470 '/scripts/security-audit.sh':476 '1.2':402 '10':11,47,50,91,269 '109585':23 '17':497 '2025':51,55,94,270 '25':16,54,97 '32':377 '80':62 'action':450 'agenc':132 'agent':34,124,262 'ai':33,123,261 'android':232 'android-sdk-secur':231 'angular':225 'api':12,27,92,111,153,253,256,346,421 'api-key-encrypt':152 'api-secur':255 'apikey':366 'architectur':175 'area':70 'argon2id':373 'assess':8 'assign':118 'asv':101 'attack':278 'audit':3,19,40,43,128,431 'authent':177 'authentication-pattern':176 'authorize/ratelimit':26 'authz':114 'auto':473 'auto-detect':472 'autom':295,381 'automated-scan':294 'aw':104,242 'aws-secur':241 'aws/azure/gcp':31 'azur':105,245 'azure-secur':244 'base64':360 'bash':469 'bcrypt/argon2':395 'bin2hex':374 'blazor':220 'byte':353,376 'chain':292,303 'chang':400 'check':59 'checklist':385 'checkpoint':64 'ci':287 'ci-security-pipelin':286 'clean':394 'cloud':32,102,239 'cloud/iac':58 'command':76 'conduct':6 'config':35 'content':444 'contribut':502 'core':139 'critic':392 'crypto':355,364 'cryptographi':186 'cryptography-guid':185 'csharp':200 'csp':119,415 'csrf':75,397 'cve':280,283 'cve-databas':282 'cve-pattern':279 'cvss':17,56,98,150 'cvss-score':149 'cwe':14,52,95,144 'cwe-top25':143 'databas':284 'depend':447,460 'dependen':38 'deseri':82,158 'deserialization-prevent':157 'detect':474,486 'devsecop':285 'dismiss':464 'dispatch':485 'django':215 'doc':313 'docker':109 'dom':121 'dom-xss':120 'dotnet':219 'echo':337 'ecosystem':498 'enc':358,359 'encod':361,414 'encrypt':155,423 'ent':340,342 'entiti':411 'env':459 'error':172 'error-message-sanit':171 'except':424 'excess':131 'execut':331 'expertis':69 'express':228 'fastapi':217 'featur':189,192 'file':80,134,165,491 'file-upload-secur':164 'flask':216 'fluid':209 'framework':204,273 'framework-secur':272 'frontend':28,112,254,259 'frontend-secur':258 'fs':389 'full':465 'gcp':106,248 'gcp-secur':247 'gh':483 'gha':298 'gha-secur':297 'gin':222 'github':60,449 'github.com':504 'github.com/netresearch/security-audit-skill':503 'github.event':455 'gitleak':393 'go':201 'guid':187 'hash':370 'hashservic':24 'header':181,440 'helm':110 'high':391 'hsts':441 'html5':343 'htmlspecialchar':338 'iac':30,103,240,251 'iac-secur':250 'id':329,332 'impli':138 'incid':300,304 'index':501 'indic':490 'inject':77,130,320 'input':169,315,339,406,420,454 'input-valid':168 'interpol':453 'io':236 'ios-sdk-secur':235 'java':199 'javascript':196 'javascript-typescript':195 'juggl':87 'jwt':85 'key':154,347,368,422 'kubernet':108 'languag':188 'laravel':214 'libxml':316 'limit':116 'llm':13,48,93,264,267 'llm-secur':263 'loadxml':314 'log':184,432 'lts':22,66 'mass':117 'match':494 'md':137 'messag':173,425 'mobil':230 'modern':277 'modern-attack':276 'mt':379 'n':351,362,367 'nestj':229 'never':378,452 'nextj':226 'nodej':198 'noncebyt':357 'nonet':317 'nuxt':227 'opengrep':387 'option':446 'output':333,413 'outsid':437 'overrid':463 'owasp':9,45,89,100,141,266 'owasp-top10':140 'owner/repo':482 'parameter':408 'pars':309 'password':348,369,372,396 'path':78,161 'path-traversal-prevent':160 'pattern':44,178,281,307,466 'pdo':323 'php':193,312,321,336,350,479 'php-on':478 'php/typo3':20,63 'pipelin':289 'prepar':324 'prevent':148,156,159,163,310,319,334 'prompt':129 'pw':371 'python':194 'quick':306 'quot':341 'rail':221 'rand/rand':380 'random':349,352,375 'rate':115 'react':223 'refer':133,136,500 'references/automated-scanning.md':383 'references/gha-security.md':467 'remov':25 'renam':436 'repo':484 'respons':305 'rest/graphql':113 'root':439 'rubi':203 'run':457,493 'rust':202 'sanit':174,426 'scan':37,296,448 'scanner':382 'score':18,151 'scripts/scanners':495 'sdk':233,237 'secret':427 'secretbox':356,365 'secur':2,7,39,42,61,167,180,183,191,205,234,238,243,246,249,252,257,260,265,274,288,293,299,384,451 'security-audit':1 'security-featur':190 'security-head':179 'security-log':182 'see':499 'select':325 'semgrep':386 'server':404 'server-sid':403 'sever':390 'sh':496 'share':271 'side':405 'skill':41 'skill-security-audit' 'skill.md':126 'skill.md/agents.md/claude.md/mcp.json/hooks.json':125 'sodium':354,363 'source-netresearch' 'spring':218 'sql':318,409 'sqli':73 'ssrf':83 'ssti':84 'stack':475,488 'standard':88 'state':399 'stmt':322,330 'suppli':291,302 'supply-chain-incident-respons':301 'supply-chain-secur':290 'symfoni':213 'terraform':107 'terraform/k8s/docker':29 'threat':275 'tls':401 'top':10,15,46,49,53,90,96,268 'top10':142 'top25':145 'topic-agent-skills' 'topic-ai-agent' 'topic-open-standard' 'travers':79,162 'triag':461 'trivi':388 'type':86,445 'typescript':197 'typo3':206,208,211 'typo3-fluid':207 'typo3-security.md':68 'typo3-typoscript':210 'typoscript':212 'unseri':417 'upgrad':462 'upload':81,166,434 'use':4,458 'user':327,419 'utf':344 'v14.3':21,65 'v3.1/v4.0':99 'v4.0':57 'valid':170,407,435 'vcs':430 'verif':468 'vue':224 'vulner':71 'web':438 'x':443 'x-content-type-opt':442 'xml':308,410 'xss':74,122,335 'xxe':72,147,311 'xxe-prevent':146","prices":[{"id":"e2cbbc4d-1b7a-494f-af33-5f382704d8e5","listingId":"ea66b95d-bad3-4a53-afc2-b01ffcef7c4a","amountUsd":"0","unit":"free","nativeCurrency":null,"nativeAmount":null,"chain":null,"payTo":null,"paymentMethod":"skill-free","isPrimary":true,"details":{"org":"netresearch","category":"security-audit-skill","install_from":"skills.sh"},"createdAt":"2026-04-19T00:41:22.586Z"}],"sources":[{"listingId":"ea66b95d-bad3-4a53-afc2-b01ffcef7c4a","source":"github","sourceId":"netresearch/security-audit-skill/security-audit","sourceUrl":"https://github.com/netresearch/security-audit-skill/tree/main/skills/security-audit","isPrimary":false,"firstSeenAt":"2026-04-19T00:41:22.586Z","lastSeenAt":"2026-04-22T07:01:25.222Z"}],"details":{"listingId":"ea66b95d-bad3-4a53-afc2-b01ffcef7c4a","quickStartSnippet":null,"exampleRequest":null,"exampleResponse":null,"schema":null,"openapiUrl":null,"agentsTxtUrl":null,"citations":[],"useCases":[],"bestFor":[],"notFor":[],"kindDetails":{"org":"netresearch","slug":"security-audit","github":{"repo":"netresearch/security-audit-skill","stars":12,"topics":["agent-skills","ai-agent","open-standard"],"license":"other","html_url":"https://github.com/netresearch/security-audit-skill","pushed_at":"2026-04-21T15:34:19Z","description":"Agent Skill for PHP security audits - OWASP patterns, vulnerability detection | Claude Code compatible","skill_md_sha":"369bfb543f54cb4d1458f628e5a4b00f4808c624","skill_md_path":"skills/security-audit/SKILL.md","default_branch":"main","skill_tree_url":"https://github.com/netresearch/security-audit-skill/tree/main/skills/security-audit"},"layout":"multi","source":"github","category":"security-audit-skill","frontmatter":{"name":"security-audit","license":"(MIT AND CC-BY-SA-4.0). See LICENSE-MIT and LICENSE-CC-BY-SA-4.0","description":"Use when conducting security assessments — OWASP Top 10 / API / LLM, CWE Top 25, CVSS scoring — auditing PHP/TYPO3 (v14.3 LTS: #109585, HashService removal, Authorize/RateLimit), APIs, frontend, Terraform/K8s/Docker IaC, AWS/Azure/GCP cloud, AI agent configs, or scanning dependencies.","compatibility":"Requires grep, jq, gh CLI."},"skills_sh_url":"https://skills.sh/netresearch/security-audit-skill/security-audit"},"updatedAt":"2026-04-22T07:01:25.222Z"}}