{"id":"c691d7c1-2860-4ec8-ac85-28f039b123f3","shortId":"EyYKfF","kind":"skill","title":"audit-security","tagline":"Use when auditing and fixing security in a scope — injection (SQL, shell, template), auth/authz gaps, secrets in code or logs, weak crypto, missing validation at trust boundaries, XSS, SSRF, path traversal. Triggers on \"audit security\", \"security review\", \"fix vulnerabilities\", \"","description":"target = $ARGUMENTS\n\nIf target provided, audit that path. Otherwise, files changed since the default branch. Full-codebase audit requires explicit user request.\n\nFind and fix vulnerabilities where untrusted input or weak controls let an attacker change behavior, exfiltrate data, or escalate privilege. Tag each fix with a CWE so the change is traceable.\n\nThe patterns the model under-weights without prompting: shell or subprocess called with string args instead of array (command injection); SQL via string concatenation, template literals, or ORM escape hatches (`.raw()`, `.extra()`, `RawSQL`) — parameterized queries are non-negotiable; deserialization of untrusted input (`pickle`, `yaml.load`, JSON-into-class hydrators) and XML parsers at default settings (XXE); template engines or DOM APIs rendering user input unescaped (`dangerouslySetInnerHTML`, `innerHTML`, unescaped template vars); IDOR — endpoints fetching a resource by user-supplied ID without an ownership check; JWT misuse — `alg:none` accepted, key/algorithm confusion, missing exp/iss/aud validation; weak primitives — md5/sha1 for passwords, `Math.random` for tokens, ECB mode, missing salt; secrets in source, logs, or error responses; trust-boundary gaps — server relying on client-side validation, parsers invoked on raw input without size/depth limits; SSRF / path traversal where user input becomes a URL or filesystem path without allowlist; LLM output trusted as code, SQL, or shell (insecure output handling).\n\nFilter aggressively before acting. 
Not a vulnerability: server-controlled config (env vars, constants, `settings.*`), framework-mitigated sinks (React `{x}`, parameterized ORM, prepared statements), UUID identifiers, or client-side-only validation when a server check also exists. Fixes need a concrete attack path from an untrusted source to a sink — theoretical \"could be vulnerable if\" is noise.\n\nApply the fix directly when the safe pattern is already established in the codebase or by the framework: parameterize the query, switch `subprocess` to array form, escape the rendered output, add the ownership check, swap md5 for argon2, scrub the secret from logs. Run tests after the batch; report `git diff --stat` and per-fix the CWE, the attack path closed, and the remediation. Auth/session/crypto changes that rotate secrets, migrate algorithms, or change token format are a separate decision — sketch the change and surface for sign-off, since the migration affects active sessions and stored credentials. Hard-coded secrets discovered in source: stop, surface immediately, and do not commit a \"fix\" that only deletes the line — the secret is already in history and needs rotation.","tags":["audit","security","dotclaude","jhostalek","agent-skills","ai-coding","anthropic","claude","claude-code","claude-code-skills","code-review","codex-cli"],"capabilities":["skill","source-jhostalek","skill-audit-security","topic-agent-skills","topic-ai-coding","topic-anthropic","topic-claude","topic-claude-code","topic-claude-code-skills","topic-code-review","topic-codex-cli","topic-cursor","topic-developer-tools","topic-git-workflow","topic-multi-agent"],"categories":["dotclaude"],"synonyms":[],"warnings":[],"endpointUrl":"https://skills.sh/JHostalek/dotclaude/audit-security","protocol":"skill","transport":"skills-sh","auth":{"type":"none","details":{"cli":"npx skills add 
JHostalek/dotclaude","source_repo":"https://github.com/JHostalek/dotclaude","install_from":"skills.sh"}},"qualityScore":"0.454","qualityRationale":"deterministic score 0.45 from registry signals: · indexed on github topic:agent-skills · 8 github stars · SKILL.md body (2,682 chars)","verified":false,"liveness":"unknown","lastLivenessCheck":null,"agentReviews":{"count":0,"score_avg":null,"cost_usd_avg":null,"success_rate":null,"latency_p50_ms":null,"narrative_summary":null,"summary_updated_at":null},"enrichmentModel":"deterministic:skill-github:v1","enrichmentVersion":1,"enrichedAt":"2026-05-18T19:13:14.978Z","embedding":null,"createdAt":"2026-05-18T13:20:31.347Z","updatedAt":"2026-05-18T19:13:14.978Z","lastSeenAt":"2026-05-18T19:13:14.978Z","tsv":"","prices":[{"id":"c9e6c94c-65aa-4e75-963e-587a032581eb","listingId":"c691d7c1-2860-4ec8-ac85-28f039b123f3","amountUsd":"0","unit":"free","nativeCurrency":null,"nativeAmount":null,"chain":null,"payTo":null,"paymentMethod":"skill-free","isPrimary":true,"details":{"org":"JHostalek","category":"dotclaude","install_from":"skills.sh"},"createdAt":"2026-05-18T13:20:31.347Z"}],"sources":[{"listingId":"c691d7c1-2860-4ec8-ac85-28f039b123f3","source":"github","sourceId":"JHostalek/dotclaude/audit-security","sourceUrl":"https://github.com/JHostalek/dotclaude/tree/main/skills/audit-security","isPrimary":false,"firstSeenAt":"2026-05-18T13:20:31.347Z","lastSeenAt":"2026-05-18T19:13:14.978Z"}],"details":{"listingId":"c691d7c1-2860-4ec8-ac85-28f039b123f3","quickStartSnippet":null,"exampleRequest":null,"exampleResponse":null,"schema":null,"openapiUrl":null,"agentsTxtUrl":null,"citations":[],"useCases":[],"bestFor":[],"notFor":[],"kindDetails":{"org":"JHostalek","slug":"audit-security","github":{"repo":"JHostalek/dotclaude","stars":8,"topics":["agent-skills","ai-coding","anthropic","claude","claude-code","claude-code-skills","code-review","codex-cli","cursor","developer-tools","git-workflow","multi-agent","prompt-engineering","skill-md"],"license":"cc0-1.0","html_url":"https://github.com/JHostalek/dotclaude","pushed_at":"2026-05-17T15:07:41Z","description":"Agent skills for agentic coding tools. Extremely opinionated. 
Updated (almost) daily.","skill_md_sha":"bddce53db75b97c484975bd2f5c5a4410677dd03","skill_md_path":"skills/audit-security/SKILL.md","default_branch":"main","skill_tree_url":"https://github.com/JHostalek/dotclaude/tree/main/skills/audit-security"},"layout":"multi","source":"github","category":"dotclaude","frontmatter":{"name":"audit-security","description":"Use when auditing and fixing security in a scope — injection (SQL, shell, template), auth/authz gaps, secrets in code or logs, weak crypto, missing validation at trust boundaries, XSS, SSRF, path traversal. Triggers on \"audit security\", \"security review\", \"fix vulnerabilities\", \"OWASP check\"."},"skills_sh_url":"https://skills.sh/JHostalek/dotclaude/audit-security"},"updatedAt":"2026-05-18T19:13:14.978Z"}}