Agent-Skills.md

Agent Skills: Security Auditor Skill

Security vulnerability detection and remediation expert for applications and infrastructure

UncategorizedID: louloulin/claude-agent-sdk/security-auditor

Repository

louloulin/claude-agent-sdk
louloulinLicense: MIT
123

Install this agent skill to your local

pnpm dlx add-skill https://github.com/louloulin/claude-agent-sdk/tree/HEAD/crates/claude-agent-sdk/examples/.claude/skills/security-auditor

Skill Files

Browse the full folder contents for security-auditor.

Download Skill

Loading file tree…

crates/claude-agent-sdk/examples/.claude/skills/security-auditor/SKILL.md

Skill Metadata

Name
security-auditor
Description
"Security vulnerability detection and remediation expert for applications and infrastructure"

Security Auditor Skill

You are a security expert. Identify vulnerabilities and recommend security improvements.

Security Categories

1. Application Security

OWASP Top 10

  • A01:2021 - Broken Access Control

    • Verify user permissions for all actions
    • Implement proper authentication
    • Check for IDOR vulnerabilities
    • Validate API access controls

  • A02:2021 - Cryptographic Failures

    • Encrypt sensitive data at rest
    • Use TLS in transit
    • Implement proper key management
    • Avoid weak algorithms

  • A03:2021 - Injection

    • SQL Injection: Use parameterized queries
    • XSS: Sanitize and escape user input
    • Command Injection: Avoid shell commands
    • NoSQL Injection: Validate queries

  • A04:2021 - Insecure Design

    • Implement threat modeling
    • Design secure by default
    • Implement defense in depth
    • Plan security controls

  • A05:2021 - Security Misconfiguration

    • Remove default credentials
    • Disable unnecessary features
    • Keep software updated
    • Secure configuration management

Code Review Checklist

// ❌ Bad: SQL Injection vulnerability
let query = format!("SELECT * FROM users WHERE id = {}", user_input);

// ✅ Good: Parameterized query
let query = "SELECT * FROM users WHERE id = $1";
client.execute(query, &[&user_id]);

// ❌ Bad: Hardcoded secrets
const API_KEY = "sk_live_abc123";

// ✅ Good: Environment variables
let api_key = std::env::var("API_KEY")?;

// ❌ Bad: Unsafe deserialization
let obj = serde_json::from_str::<User>(user_input)?;

// ✅ Good: Validate before deserialization
let validated = validate_and_sanitize(user_input)?;
let obj = serde_json::from_str::<User>(&validated)?;

2. Infrastructure Security

Docker Security

# ✅ Use specific version tags
FROM python:3.11-slim

# ✅ Run as non-root user
RUN groupadd -r appuser && useradd -r -g appuser appuser
USER appuser

# ✅ Use minimal base images
FROM gcr.io/distroless/python3-debian11

# ❌ Avoid: Running as root
USER root

# ❌ Avoid: Using latest
FROM python:latest

Kubernetes Security

# ✅ Security context
apiVersion: v1
kind: Pod
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    fsGroup: 1000
    seccompProfile:
      type: RuntimeDefault
  containers:
  - name: app
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
        - ALL
      readOnlyRootFilesystem: true

Network Security

# Network policies
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress

3. Secrets Management

Best Practices

  • Never commit secrets to version control
  • Use secret management systems (Vault, AWS Secrets Manager)
  • Rotate credentials regularly
  • Implement principle of least privilege
  • Audit secret access

Tools

# Detect secrets in code
git-secrets scan
trufflehog git https://github.com/org/repo
gitleaks detect --source .

# Environment variables
export DATABASE_URL="postgresql://..."
export API_KEY=$(vault kv get -field=key secret/api)

4. Authentication & Authorization

JWT Best Practices

// ✅ Use strong algorithms
let algorithm = Algorithm::HS512;

// ✅ Set reasonable expiration
let expiration = Utc::now() + Duration::hours(24);

// ✅ Validate all claims
jwt.decode::<Claims>(token, &secret, &Validation::new(&algorithm))?;

// ❌ Avoid: Weak algorithms
let algorithm = Algorithm::HS256; // Use HS512 or RS512

// ❌ Avoid: No expiration
let expiration = None;

OAuth2 / OIDC

// Validate all OAuth2 parameters
- state parameter (CSRF protection)
- redirect_uri (must match registered)
- response_type (code for server-side)
- scope (principle of least privilege)
- nonce (for OpenID Connect)

5. Dependency Security

Supply Chain Security

# Scan for vulnerabilities
npm audit
cargo audit
safety check
pip-audit

# SBOM generation
syft ./app -o sbom > sbom.json

# Check for malicious packages
osv-scanner --sbom=sbom.json

Dependency Updates

Prioritize updates based on:
- Critical vulnerabilities (patch immediately)
- High vulnerabilities (patch within 7 days)
- Medium vulnerabilities (patch within 30 days)
- Low vulnerabilities (patch in next release)

6. Logging & Monitoring

Security Events to Log

Authentication:
- Failed login attempts
- Successful logins
- Password changes
- Permission changes

Authorization:
- Access denied
- Privilege escalation attempts
- Resource access violations

Data:
- Sensitive data access
- Data export/download
- Configuration changes

System:
- Security control failures
- System errors
- Anomalous behavior

Security Metrics

  • Mean Time to Detect (MTTD)
  • Mean Time to Respond (MTTR)
  • Number of vulnerabilities
  • Patch compliance rate
  • Security incident frequency

7. Compliance

GDPR Requirements

  • Data minimization
  • Consent management
  • Right to be forgotten
  • Data portability
  • Breach notification

SOC 2 Controls

  • Access control
  • Encryption
  • Monitoring
  • Change management
  • Incident response

PCI DSS

  • Network security
  • Data protection
  • Vulnerability management
  • Access control
  • Monitoring and testing

Security Review Process

Phase 1: Automated Scanning

# Static Application Security Testing (SAST)
semgrep --config=auto .
sonar-scanner

# Software Composition Analysis (SCA)
npm audit
cargo audit

# Container scanning
trivy image myapp:latest
docker scout cves myapp:latest

# Infrastructure as Code scanning
tfsec .
checkov -d .

Phase 2: Manual Review

  • Review authentication flows
  • Check authorization logic
  • Validate input sanitization
  • Review error handling
  • Check logging practices

Phase 3: Penetration Testing

  • Black-box testing
  • White-box testing
  • API security testing
  • Network penetration testing

Phase 4: Remediation

  • Prioritize findings
  • Implement fixes
  • Verify remediation
  • Update documentation

Common Vulnerabilities

Web Application Security

// ❌ XSS Vulnerability
div.innerHTML = userInput;

// ✅ Safe alternative
div.textContent = userInput;
// or
div.innerHTML = DOMPurify.sanitize(userInput);

// ❌ SQL Injection
db.query(`SELECT * FROM users WHERE id = ${id}`);

// ✅ Parameterized query
db.query('SELECT * FROM users WHERE id = ?', [id]);

API Security

Common Issues:
- Missing rate limiting
- No authentication on sensitive endpoints
- Exposing internal IDs (IDOR)
- Missing CORS validation
- Inadequate input validation
- Verbose error messages

Infrastructure Security

Common Issues:
- Open ports/firewalls
- Default credentials
- Unpatched systems
- Weak encryption
- Missing network segmentation
- Exposed management interfaces

Security Testing Tools

SAST Tools

  • Semgrep - Customizable rule engine
  • SonarQube - Code quality and security
  • CodeQL - Semantic code analysis
  • Bandit - Python security linter

DAST Tools

  • OWASP ZAP - Web application scanner
  • Burp Suite - Security testing platform
  • Nuclei - Vulnerability scanner

Container Security

  • Trivy - Vulnerability scanner
  • Clair - Container analysis
  • Docker Scout - Docker security

Dependency Scanning

  • Snyk - Dependency vulnerability scanner
  • Dependabot - Automated dependency updates
  • OWASP Dependency-Check

Security Best Practices

DO:

  • Implement defense in depth
  • Use security headers (CSP, HSTS, X-Frame-Options)
  • Enable HTTPS everywhere
  • Implement rate limiting
  • Validate and sanitize all input
  • Use parameterized queries
  • Implement proper authentication
  • Follow principle of least privilege
  • Keep dependencies updated
  • Log security events
  • Implement security monitoring
  • Have incident response plan

DON'T:

  • Trust user input
  • Roll your own crypto
  • Store passwords in plain text
  • Use weak encryption
  • Ignore security warnings
  • Disable security controls
  • Expose sensitive data
  • Use hardcoded credentials
  • Forget to audit access
  • Skip security reviews
  • Ignore vulnerabilities
  • Disable logging

Incident Response

Preparation

  1. Establish incident response team
  2. Define communication channels
  3. Prepare response playbooks
  4. Set up monitoring and alerting
  5. Conduct regular drills

Detection & Analysis

  1. Identify security incident
  2. Classify severity level
  3. Contain the threat
  4. Preserve evidence
  5. Determine root cause

Containment

  1. Isolate affected systems
  2. Block malicious activity
  3. Change compromised credentials
  4. Implement temporary controls

Eradication

  1. Remove malware/vulnerability
  2. Patch security flaws
  3. Update security controls
  4. Validate remediation

Recovery

  1. Restore from clean backups
  2. Monitor for recurrence
  3. Document lessons learned
  4. Update security practices

Resources

Documentation

Tools

Communities