{"id":"48b4006f-6e88-4021-83a2-a895c9640af0","shortId":"KnjLtb","kind":"skill","title":"security-auditor","tagline":"Auto-activate when reviewing code that handles authentication, authorization, user input, secrets, API keys, database queries, file uploads, session management, or external API calls. Produces vulnerability report with OWASP category, severity (Critical/High/Medium/Low), attack v","description":"# Security Auditor\n\nA security-focused reviewer that evaluates code for vulnerabilities, insecure patterns, and data handling risks. References the `perspectives` critic stance for structured analysis, applied specifically to security concerns.\n\n## Dispatch\n\nCan be dispatched as a subagent by code-review or flow-review workflows when changes touch security-sensitive areas.\n\n## Direct Invocation\n\n- \"Security audit this authentication flow\"\n- \"Review this for OWASP vulnerabilities\"\n- \"Check this input handling for injection risks\"\n- \"Audit the data handling in this endpoint\"\n\n<workflow>\n\n## Workflow\n\n### Step 1: Apply Persona\n\nThink like an attacker to find exploitable weaknesses, then like a defender for fixes. Severity classification:\n\n- **Critical** — Exploitable now, no preconditions or easily-met ones. Immediate fix required.\n- **High** — Exploitable with effort or specific conditions. Fix before shipping.\n- **Medium** — Defense-in-depth gap. Doesn't enable direct exploitation but reduces cost of other attacks. Fix next iteration.\n- **Low** — Hardening improvement. More robust but no meaningful standalone risk. Fix when convenient.\n\n### Step 2: OWASP Checklist\n\nWork through each category (acknowledge secure categories briefly):\n\n1. **Injection** (SQL, command, XSS) — Is user input sanitized? Are parameterized queries used? Is output encoded for the appropriate context?\n2. **Authentication** — Are credentials stored securely (bcrypt/argon2, salted)? 
Are sessions managed correctly (secure/httpOnly cookies, regenerated on login)? Brute-force protections in place?\n3. **Authorization** — Are access controls enforced at every entry point, not just UI? Can users escalate via ID manipulation (IDOR)? Are object-level permissions checked?\n4. **Data exposure** — Are secrets hardcoded or committed to version control? Are sensitive fields (passwords, tokens, PII) appearing in logs? Is PII minimized and encrypted at rest?\n5. **Input validation** — Is all external input validated at system boundaries? Are type, length, and format constraints enforced? Are file uploads validated for type and content?\n6. **Configuration** — Are default credentials changed? Debug endpoints disabled in production? CORS policies restrictive? Security headers present (CSP, HSTS, X-Frame-Options)?\n7. **Dependencies** — Known-vulnerable versions in use? Versions pinned (not floating ranges in production)? Unmaintained dependencies?\n8. **Cryptography** — Strong algorithms (AES-256, SHA-256+, RSA-2048+, no MD5/SHA-1)? Key rotation? TLS enforced? CSPRNG for security-sensitive random values?\n\n### Step 3: Report Findings\n\nFor each finding: OWASP category, severity, realistic attack vector, fix. 
Categories with no findings acknowledged briefly as secure.\n\n</workflow>\n\n<guardrails>\n\n## Guardrails\n\n- Findings must have realistic attack vectors, not theoretical ones requiring impossible preconditions\n- Severity must be justified by actual exploitability, not theoretical purity\n- Focus on what can actually be exploited given the system context\n- Acknowledge when code is secure — thorough input validation and correct auth implementation deserve a note\n\n</guardrails>\n\n<validation>\n\n### Validation Checkpoint\n\nBefore delivering findings, verify:\n\n- [ ] Every finding has a realistic attack vector (not theoretical)\n- [ ] Severity justified by actual exploitability\n- [ ] Fixes are actionable and specific\n- [ ] Categories with no findings briefly acknowledged as secure\n\n</validation>\n\n<example>\n\n## Example\n\n**Context:** Security audit of a user lookup API endpoint.\n\n**Finding 1 — Injection (SQL) — Severity: Critical**\n`db.query(\"SELECT * FROM users WHERE id = \" + req.params.id)` concatenates user input directly into SQL. Attack vector: `GET /users/1;DROP TABLE users--` executes arbitrary SQL. Fix: use parameterized query `db.query(\"SELECT * FROM users WHERE id = $1\", [req.params.id])`.\n\n**Finding 2 — Data Exposure — Severity: High**\nError handler returns full stack trace in production response body: `res.json({ error: err.stack })`. Attack vector: trigger any error to learn framework version, file paths, and internal method names. Fix: return generic error to client, log stack trace server-side only.\n\n**Finding 3 — Authorization — Severity: High**\nEndpoint checks `req.user.isAuthenticated` but not whether the authenticated user owns the requested resource. Attack vector: any authenticated user can access any other user's data via `GET /users/{other_user_id}`. 
Fix: add `req.user.id === req.params.id` check or implement object-level permission middleware.\n\n**Secure categories:** Authentication (bcrypt with salt, session regeneration on login), Input validation (express-validator with type/length constraints on all parameters), Dependencies (all pinned, no known CVEs).\n\n</example>\n\n## References Index\n\n- **[Persona](references/persona.md)** — Role, approach, scope, severity classification, and guardrails\n- **[Security Checklist](references/checklist.md)** — Eight OWASP-informed review categories\n- **[Critic Stance](../perspectives/references/stances.md)** — Underlying stance prompt with ethical guardrails (from perspectives skill)","tags":["security","auditor","flow","cofin","agent-skills","ai-agents","beads","claude-code","codex","cursor","developer-tools","gemini-cli"],"capabilities":["skill","source-cofin","skill-security-auditor","topic-agent-skills","topic-ai-agents","topic-beads","topic-claude-code","topic-codex","topic-cursor","topic-developer-tools","topic-gemini-cli","topic-opencode","topic-plugin","topic-slash-commands","topic-spec-driven-development"],"categories":["flow"],"synonyms":[],"warnings":[],"endpointUrl":"https://skills.sh/cofin/flow/security-auditor","protocol":"skill","transport":"skills-sh","auth":{"type":"none","details":{"cli":"npx skills add cofin/flow","source_repo":"https://github.com/cofin/flow","install_from":"skills.sh"}},"qualityScore":"0.455","qualityRationale":"deterministic score 0.46 from registry signals: · indexed on github topic:agent-skills · 11 github stars · SKILL.md body (5,170 
chars)","verified":false,"liveness":"unknown","lastLivenessCheck":null,"agentReviews":{"count":0,"score_avg":null,"cost_usd_avg":null,"success_rate":null,"latency_p50_ms":null,"narrative_summary":null,"summary_updated_at":null},"enrichmentModel":"deterministic:skill-github:v1","enrichmentVersion":1,"enrichedAt":"2026-04-24T07:03:19.878Z","embedding":null,"createdAt":"2026-04-23T13:04:01.512Z","updatedAt":"2026-04-24T07:03:19.878Z","lastSeenAt":"2026-04-24T07:03:19.878Z","prices":[{"id":"f6dea815-0ccf-4af2-bc4b-200991baaeb9","listingId":"48b4006f-6e88-4021-83a2-a895c9640af0","amountUsd":"0","unit":"free","nativeCurrency":null,"nativeAmount":null,"chain":null,"payTo":null,"paymentMethod":"skill-free","isPrimary":true,"details":{"org":"cofin","category":"flow","install_from":"skills.sh"},"createdAt":"2026-04-23T13:04:01.512Z"}],"sources":[{"listingId":"48b4006f-6e88-4021-83a2-a895c9640af0","source":"github","sourceId":"cofin/flow/security-auditor","sourceUrl":"https://github.com/cofin/flow/tree/main/skills/security-auditor","isPrimary":false,"firstSeenAt":"2026-04-23T13:04:01.512Z","lastSeenAt":"2026-04-24T07:03:19.878Z"}],"details":{"listingId":"48b4006f-6e88-4021-83a2-a895c9640af0","quickStartSnippet":null,"exampleRequest":null,"exampleResponse":null,"schema":null,"openapiUrl":null,"agentsTxtUrl":null,"citations":[],"useCases":[],"bestFor":[],"notFor":[],"kindDetails":{"org":"cofin","slug":"security-auditor","github":{"repo":"cofin/flow","stars":11,"topics":["agent-skills","ai-agents","beads","claude-code","codex","context-driven-development","cursor","developer-tools","gemini-cli","opencode","plugin","slash-commands","spec-driven-development","subagents","tdd","workflow"],"license":"apache-2.0","html_url":"https://github.com/cofin/flow","pushed_at":"2026-04-19T23:22:27Z","description":"Context-Driven Development toolkit for AI agents — spec-first planning, TDD workflow, and Beads integration.","skill_md_sha":"808fbc90250455956c292556deaf8a21af9c692f","skill_md_path":"skills/security-auditor/SKILL.md","default_branch":"main","skill_tree_url":"https://github.com/cofin/flow/tree/main/skills/security-auditor"},"layout":"multi","source":"github","category":"flow","frontmatter":{"name":"security-auditor","description":"Auto-activate when reviewing code that handles authentication, authorization, user input, secrets, API keys, database queries, file uploads, session management, or external API calls. 
Produces vulnerability report with OWASP category, severity (Critical/High/Medium/Low), attack vector description, and recommended fix for each finding. Use when: security review needed, assessing attack surface, checking for OWASP vulnerabilities, reviewing access control logic, or auditing data handling. Not for general code quality, business logic review, or non-security concerns."},"skills_sh_url":"https://skills.sh/cofin/flow/security-auditor"},"updatedAt":"2026-04-24T07:03:19.878Z"}}