Agent-Skills.md

Agent Skills: Security Auditor

Security vulnerability expert covering OWASP Top 10 and common security issues. Use when conducting security audits or reviewing code for vulnerabilities.

UncategorizedID: charon-fan/agent-playbook/security-auditor

Repository

charon-fan/agent-playbook
zhaono1
41

Install this agent skill to your local

pnpm dlx add-skill https://github.com/zhaono1/agent-playbook/tree/HEAD/skills/security-auditor

Skill Files

Browse the full folder contents for security-auditor.

Download Skill

Loading file tree…

skills/security-auditor/SKILL.md

Skill Metadata

Name
security-auditor
Description
Security vulnerability expert covering OWASP Top 10 and common security issues. Use when conducting security audits or reviewing code for vulnerabilities.

Security Auditor

Expert in identifying security vulnerabilities following OWASP Top 10 and security best practices.

When This Skill Activates

Activates when you:

  • Request a security audit
  • Mention "security" or "vulnerability"
  • Need security review
  • Ask about OWASP

OWASP Top 10 Coverage

A01: Broken Access Control

Checks:

# Check for missing auth on protected routes
grep -r "@RequireAuth\|@Protected" src/

# Check for IDOR vulnerabilities
grep -r "req.params.id\|req.query.id" src/

# Check for role-based access
grep -r "if.*role.*===" src/

Common Issues:

  • Missing authentication on sensitive endpoints
  • IDOR: Users can access other users' data
  • Missing authorization checks
  • API keys in URL

A02: Cryptographic Failures

Checks:

# Check for hardcoded secrets
grep -ri "password.*=.*['\"]" src/
grep -ri "api_key.*=.*['\"]" src/
grep -ri "secret.*=.*['\"]" src/

# Check for weak hashing
grep -r "md5\|sha1" src/

# Check for http URLs
grep -r "http:\/\/" src/

Common Issues:

  • Hardcoded credentials
  • Weak hashing algorithms (MD5, SHA1)
  • Unencrypted sensitive data
  • HTTP instead of HTTPS

A03: Injection

Checks:

# SQL injection patterns
grep -r "\".*SELECT.*+.*\"" src/
grep -r "\".*UPDATE.*SET.*+.*\"" src/

# Command injection
grep -r "exec(\|system(\|spawn(" src/
grep -r "child_process.exec" src/

# Template injection
grep -r "render.*req\." src/

Common Issues:

  • SQL injection
  • NoSQL injection
  • Command injection
  • XSS (Cross-Site Scripting)
  • Template injection

A04: Insecure Design

Checks:

# Check for rate limiting
grep -r "rateLimit\|rate-limit\|throttle" src/

# Check for 2FA
grep -r "twoFactor\|2fa\|mfa" src/

# Check for session timeout
grep -r "maxAge\|expires\|timeout" src/

Common Issues:

  • No rate limiting on auth endpoints
  • Missing 2FA for sensitive operations
  • Session timeout too long
  • No account lockout after failed attempts

A05: Security Misconfiguration

Checks:

# Check for debug mode
grep -r "DEBUG.*=.*True\|debug.*=.*true" src/

# Check for CORS configuration
grep -r "origin.*\*" src/

# Check for error messages
grep -r "console\.log.*error\|console\.error" src/

Common Issues:

  • Debug mode enabled in production
  • Overly permissive CORS
  • Verbose error messages
  • Default credentials not changed

A06: Vulnerable Components

Checks:

# Check package files
cat package.json | grep -E "\"dependencies\"|\"devDependencies\""
cat requirements.txt
cat go.mod

# Run vulnerability scanner
npm audit
pip-audit

Common Issues:

  • Outdated dependencies
  • Known vulnerabilities in dependencies
  • Unused dependencies
  • Unmaintained packages

A07: Authentication Failures

Checks:

# Check password hashing
grep -r "bcrypt\|argon2\|scrypt" src/

# Check password requirements
grep -r "password.*length\|password.*complex" src/

# Check for password in URL
grep -r "password.*req\." src/

Common Issues:

  • Weak password hashing
  • No password complexity requirements
  • Password in URL
  • Session fixation

A08: Software/Data Integrity

Checks:

# Check for subresource integrity
grep -r "integrity\|crossorigin" src/

# Check for signature verification
grep -r "verify.*signature\|validate.*token" src/

Common Issues:

  • No integrity checks
  • Unsigned updates
  • Unverified dependencies

A09: Logging Failures

Checks:

# Check for sensitive data in logs
grep -r "log.*password\|log.*token\|log.*secret" src/

# Check for audit trail
grep -r "audit\|activity.*log" src/

Common Issues:

  • Sensitive data in logs
  • No audit trail for critical operations
  • Logs not protected
  • No log tampering detection

A10: SSRF (Server-Side Request Forgery)

Checks:

# Check for arbitrary URL fetching
grep -r "fetch(\|axios(\|request(\|http\\.get" src/

# Check for webhook URLs
grep -r "webhook.*url\|callback.*url" src/

Common Issues:

  • No URL validation
  • Fetching user-supplied URLs
  • No allowlist for external calls

Security Audit Checklist

Code Review

  • [ ] No hardcoded secrets
  • [ ] Input validation on all inputs
  • [ ] Output encoding for XSS prevention
  • [ ] Parameterized queries for SQL
  • [ ] Proper error handling
  • [ ] Authentication on protected routes
  • [ ] Authorization checks
  • [ ] Rate limiting on public APIs

Configuration

  • [ ] Debug mode off
  • [ ) HTTPS enforced
  • [ ] CORS configured correctly
  • [ ] Security headers set
  • [ ] Environment variables for secrets
  • [ ] Database not exposed

Dependencies

  • [ ] No known vulnerabilities
  • [ ] Dependencies up to date
  • [ ] Unused dependencies removed

Scripts

Run security audit:

python scripts/security_audit.py

Check for secrets:

python scripts/find_secrets.py

References

  • references/owasp.md - OWASP Top 10 details
  • references/checklist.md - Security audit checklist
  • references/remediation.md - Vulnerability remediation guide