Agent-Skills.md

Agent Skills: Security Audit Skill

Security audit and vulnerability detection - OWASP Top 10, input validation, injection attacks

UncategorizedID: ils15/copilot-global-config/security-audit

Repository

ils15/copilot-global-config
ils15License: MIT
41

Install this agent skill to your local

pnpm dlx add-skill https://github.com/ils15/mythic-agents/tree/HEAD/skills/security-audit

Skill Files

Browse the full folder contents for security-audit.

Download Skill

Loading file tree…

skills/security-audit/SKILL.md

Skill Metadata

Name
security-audit
Description
"Security audit and vulnerability detection - OWASP Top 10, input validation, injection attacks"

Security Audit Skill

OWASP Top 10 Checks

1. Broken Access Control

# ❌ WRONG: No authorization check
@router.delete("/users/{user_id}")
async def delete_user(user_id: int):
    await db.delete(User, user_id)

# ✅ RIGHT: Check permissions
@router.delete("/users/{user_id}")
async def delete_user(user_id: int, current_user: User):
    if user_id != current_user.id and current_user.role != "admin":
        raise HTTPException(403, "Not authorized")
    await db.delete(User, user_id)

2. Cryptographic Failures

# ❌ WRONG: Store plain password
user.password = password

# ✅ RIGHT: Hash password
user.password = hashlib.sha256(password.encode()).hexdigest()
# Better: use bcrypt/argon2
from passlib.context import CryptContext
pwd_context = CryptContext(schemes=["bcrypt"])
user.password = pwd_context.hash(password)

3. Injection Attacks

# ❌ WRONG: SQL injection
query = f"SELECT * FROM users WHERE email = '{email}'"

# ✅ RIGHT: Parameterized queries
query = select(User).where(User.email == email)

4. Insecure Design

  • Input validation on ALL endpoints
  • Rate limiting on sensitive operations
  • CSRF tokens for state changes
  • CORS properly configured

5. Security Misconfiguration

# ❌ WRONG: Debug in production
app = FastAPI(debug=True)

# ✅ RIGHT: Debug only in dev
app = FastAPI(debug=os.getenv("ENVIRONMENT") == "development")

6. Vulnerable & Outdated Components

  • Pin dependencies versions
  • Regular security updates
  • Audit packages: pip audit
  • Use dependabot/renovate

7. Authentication Failures

# ✅ Best Practice: JWT with expiration
token = jwt.encode(
    {
        "sub": user.id,
        "exp": datetime.utcnow() + timedelta(hours=24)
    },
    SECRET_KEY,
    algorithm="HS256"
)

8. Software & Data Integrity Failures

  • Verify package signatures
  • Use HTTPS only
  • Sign API responses (when needed)

9. Logging & Monitoring Failures

# ✅ Log security events
logger.warning(f"Failed login attempt for {email}")
logger.error(f"SQL error encountered: {error_code}")
# BUT: Never log passwords, tokens, PII!

10. Server-Side Request Forgery (SSRF)

  • Validate URLs before fetching
  • Whitelist allowed domains
  • Disabled redirects to internal IPs

Checklist

  • [ ] All inputs validated
  • [ ] Passwords hashed (bcrypt/argon2)
  • [ ] No hardcoded secrets
  • [ ] CORS configured properly
  • [ ] Rate limiting active
  • [ ] Errors don't leak info
  • [ ] HTTPS only
  • [ ] Security headers set