Agent Skills: Security Auditor (L3 Worker)

Paths: File paths (shared/, references/, ../ln-*) are relative to skills repo root. If not found at CWD, locate this SKILL.md directory and go up one level for repo root.

Security Auditor (L3 Worker)

Specialized worker auditing security vulnerabilities in codebase.

Purpose & Scope

• Worker in ln-620 coordinator pipeline - invoked by ln-620-codebase-auditor
• Audit codebase for security vulnerabilities (Category 1: Critical Priority)
• Scan for hardcoded secrets, SQL injection, XSS, insecure dependencies, missing input validation
• Return structured findings to coordinator with severity, location, effort, recommendations
• Calculate compliance score (X/10) for Security category

Inputs (from Coordinator)

MANDATORY READ: Load shared/references/task_delegation_pattern.md#audit-coordinator--worker-contract for contextStore structure.

Receives contextStore with: tech_stack, best_practices, principles, codebase_root, output_dir.

Workflow

1. Parse Context: Extract tech stack, best practices, codebase root, output_dir from contextStore
2. Scan Codebase: Run security checks using Glob/Grep patterns (see Audit Rules below)
3. Collect Findings: Record each violation with severity, location (file:line), effort estimate (S/M/L), recommendation
4. Calculate Score: Count violations by severity, calculate compliance score (X/10)
5. Write Report: Build full markdown report in memory per shared/templates/audit_worker_report_template.md, write to {output_dir}/621-security.md in single Write call
6. Return Summary: Return minimal summary to coordinator (see Output Format)

Audit Rules (Priority: CRITICAL)

1. Hardcoded Secrets

What: API keys, passwords, tokens, private keys in source code

Detection:

• Search patterns: API_KEY = "...", password = "...", token = "...", SECRET = "..."
• File extensions: .ts, .js, .py, .go, .java, .cs
• Exclude: .env.example, README.md, test files with mock data

Severity:

• CRITICAL: Production credentials (AWS keys, database passwords, API tokens)
• HIGH: Development/staging credentials
• MEDIUM: Test credentials in non-test files

Recommendation: Move to environment variables (.env), use secret management (Vault, AWS Secrets Manager)

Effort: S (replace hardcoded value with process.env.VAR_NAME)

2. SQL Injection Patterns

What: String concatenation in SQL queries instead of parameterized queries

Detection:

• Patterns: query = "SELECT * FROM users WHERE id=" + userId, db.execute(f"SELECT * FROM {table}"), `SELECT * FROM ${table}`
• Languages: JavaScript, Python, PHP, Java

Severity:

• CRITICAL: User input directly concatenated without sanitization
• HIGH: Variable concatenation in production code
• MEDIUM: Concatenation with internal variables only

Recommendation: Use parameterized queries (prepared statements), ORM query builders

Effort: M (refactor query to use placeholders)

3. XSS Vulnerabilities

What: Unsanitized user input rendered in HTML/templates

Detection:

• Patterns: innerHTML = userInput, dangerouslySetInnerHTML={{__html: data}}, echo $userInput;
• Template engines: Check for unescaped output ({{ var | safe }}, <%- var %>)

Severity:

• CRITICAL: User input directly inserted into DOM without sanitization
• HIGH: User input with partial sanitization (insufficient escaping)
• MEDIUM: Internal data with potential XSS if compromised

Recommendation: Use framework escaping (React auto-escapes, use textContent), sanitize with DOMPurify

Effort: S-M (replace innerHTML with textContent or sanitize)

4. Insecure Dependencies

What: Dependencies with known CVEs (Common Vulnerabilities and Exposures)

Detection:

• Run npm audit (Node.js), pip-audit (Python), cargo audit (Rust), dotnet list package --vulnerable (.NET)
• Check for outdated critical dependencies

Severity:

• CRITICAL: CVE with exploitable vulnerability in production dependencies
• HIGH: CVE in dev dependencies or lower severity production CVEs
• MEDIUM: Outdated packages without known CVEs but security risk

Recommendation: Update to patched versions, replace unmaintained packages

Effort: S-M (update package.json, test), L (if breaking changes)

5. Missing Input Validation

What: Missing validation at system boundaries (API endpoints, user forms, file uploads)

Detection:

• API routes without validation middleware
• Form handlers without input sanitization
• File uploads without type/size checks
• Missing CORS configuration

Severity:

• CRITICAL: File upload without validation, authentication bypass potential
• HIGH: Missing validation on sensitive endpoints (payment, auth, user data)
• MEDIUM: Missing validation on read-only or internal endpoints

Recommendation: Add validation middleware (Joi, Yup, express-validator), implement input sanitization

Effort: M (add validation schema and middleware)

Scoring Algorithm

MANDATORY READ: Load shared/references/audit_scoring.md for unified scoring formula.

Output Format

MANDATORY READ: Load shared/templates/audit_worker_report_template.md for file format.

Write report to {output_dir}/621-security.md with category: "Security" and checks: hardcoded_secrets, sql_injection, xss_vulnerabilities, insecure_dependencies, missing_input_validation.

Return summary to coordinator:

Report written: docs/project/.audit/621-security.md
Score: X.X/10 | Issues: N (C:N H:N M:N L:N)

Critical Rules

• Do not auto-fix: Report violations only; coordinator creates task for user to fix
• Tech stack aware: Use contextStore to apply framework-specific patterns (e.g., React XSS vs PHP XSS)
• False positive reduction: Exclude test files, example configs, documentation
• Effort realism: S = <1 hour, M = 1-4 hours, L = >4 hours
• Location precision: Always include file:line for programmatic navigation

Definition of Done

• contextStore parsed successfully (including output_dir)
• All 5 security checks completed (secrets, SQL injection, XSS, deps, validation)
• Findings collected with severity, location, effort, recommendation
• Score calculated using penalty algorithm
• Report written to {output_dir}/621-security.md (atomic single Write call)
• Summary returned to coordinator

Reference Files

• Worker report template: shared/templates/audit_worker_report_template.md
• Audit scoring formula: shared/references/audit_scoring.md
• Audit output schema: shared/references/audit_output_schema.md
• Security audit rules: references/security_rules.md

Version: 3.0.0 Last Updated: 2025-12-23