# Audit Agent

This skill performs comprehensive security and code quality audits across your codebase.

## Purpose

Provides automated security vulnerability scanning, dependency auditing, and code quality analysis to identify risks and maintain code health across the CareerCopilot codebase.
## Process

- Security Scan: Check for hardcoded secrets, SQL injection, XSS vulnerabilities, and authentication/authorization issues
- Dependency Audit: Scan package manifests for known CVEs and outdated packages
- Code Quality Analysis: Identify unused code, duplication, complexity issues, and error handling patterns
- Report Generation: Create prioritized findings with remediation steps and code examples
## Features

- Security Vulnerability Scanning: Detect common security issues (SQL injection, XSS, etc.)
- Dependency Auditing: Check for outdated or vulnerable dependencies
- Code Quality Analysis: Identify code smells, complexity issues, and best practice violations
- Compliance Checking: Verify OWASP Top 10 compliance
## When to Use

This skill is automatically invoked when you ask:

- "Run a security audit"
- "Check for vulnerabilities"
- "Audit the codebase"
- "Scan for security issues"
- "Check code quality"
## Audit Process

### 1. Security Scan

- Checks for hardcoded secrets (API keys, passwords)
- Identifies SQL injection vulnerabilities
- Detects XSS vulnerabilities
- Reviews authentication/authorization patterns
### 2. Dependency Audit

- Scans `package.json`, `requirements.txt`, `go.mod`
- Checks for known CVEs
- Reports outdated packages
- Suggests safe upgrade paths
### 3. Code Quality

- Identifies unused imports/variables
- Detects code duplication
- Measures cyclomatic complexity
- Reviews error handling patterns
### 4. Report Generation

- Creates detailed audit report
- Prioritizes findings by severity (Critical, High, Medium, Low)
- Provides remediation steps
- Includes code examples for fixes
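The four steps above, condensed into one runnable Python script as an added example (the skill itself ships no code, and this is not its implementation): it scans constructed sample source lines for hardcoded secrets and string-built SQL, checks a constructed `requirements.txt` against a constructed advisory table (the advisory id is a placeholder, not a real CVE), and renders a severity-ordered report in the layout shown under Example Usage. The file paths are the ones quoted in that section; the regexes, the version comparison and the sample inputs are assumptions.

```python
"""Minimal audit pipeline: secret scan, SQL-injection heuristic, dependency check, report.
Added example; patterns and sample data are constructed, not CareerCopilot files."""
import re
from dataclasses import dataclass

SEVERITY_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}


@dataclass
class Finding:
    severity: str
    title: str
    location: str
    fix: str


# Heuristic: an assignment of a long quoted literal to a secret-looking name.
SECRET_RE = re.compile(
    r"""(?i)\b(api[_-]?key|secret|password|token)\s*=\s*["'][^"']{8,}["']"""
)
# Heuristic: execute() whose query text is an f-string, %-formatted or concatenated.
SQLI_RE = re.compile(
    r"""\.execute\(\s*(f["']|["'][^"']*["']\s*%|["'][^"']*["']\s*\+)"""
)


def scan_secrets(path, lines):
    return [Finding("Critical", "Hardcoded secret", f"{path}:{i}",
                    "Move to environment variable or Secret Manager")
            for i, line in enumerate(lines, 1) if SECRET_RE.search(line)]


def scan_sql_injection(path, lines):
    return [Finding("Critical", "SQL built from user input", f"{path}:{i}",
                    "Use parameterized queries")
            for i, line in enumerate(lines, 1) if SQLI_RE.search(line)]


def parse_version(v):
    """Dotted numeric versions only (enough for the pinned sample below)."""
    return tuple(int(p) for p in v.split("."))


def audit_requirements(path, text, advisories):
    """advisories maps package -> (first fixed version, advisory id); pins below are flagged."""
    findings = []
    for i, line in enumerate(text.splitlines(), 1):
        m = re.match(r"\s*([A-Za-z0-9_.-]+)==([0-9.]+)", line)
        if not m:
            continue
        name, version = m.group(1).lower(), m.group(2)
        if name in advisories:
            fixed, adv_id = advisories[name]
            if parse_version(version) < parse_version(fixed):
                findings.append(Finding("High", f"Vulnerable dependency {name} ({adv_id})",
                                        f"{path}:{i}", f"Upgrade {name} to >= {fixed}"))
    return findings


def build_report(findings):
    """Return (severity counts, markdown report) with findings ordered Critical -> Low."""
    ordered = sorted(findings, key=lambda f: SEVERITY_ORDER[f.severity])
    counts = {s: 0 for s in SEVERITY_ORDER}
    for f in ordered:
        counts[f.severity] += 1
    lines = ["# Security Audit Report", "## Summary"]
    lines += [f"- {s}: {n}" for s, n in counts.items()]
    for n, f in enumerate(ordered, 1):
        lines += [f"### {n}. {f.title}", f"**File:** `{f.location}`", f"**Fix:** {f.fix}"]
    return counts, "\n".join(lines)


# Constructed sample inputs (not real project files).
SAMPLE_CONFIG = [
    'API_KEY = "sk-constructed-example-value-0000"',
    "DEBUG = False",
]
SAMPLE_USERS = [
    "def get_user(cur, name):",
    '    cur.execute(f"SELECT * FROM users WHERE name = \'{name}\'")',
]
SAMPLE_REQS = "fastapi==0.100.0\nexamplelib==1.2.0\n"
# Constructed advisory table; the id is a placeholder, not a real CVE.
SAMPLE_ADVISORIES = {"examplelib": ("1.3.0", "ADVISORY-PLACEHOLDER-1")}


def run_audit():
    findings = (scan_secrets("backend/app/config.py", SAMPLE_CONFIG)
                + scan_sql_injection("backend/app/api/users.py", SAMPLE_USERS)
                + audit_requirements("requirements.txt", SAMPLE_REQS, SAMPLE_ADVISORIES))
    return build_report(findings)


if __name__ == "__main__":
    print(run_audit()[1])
```

On the constructed inputs the script reports two Critical findings and one High finding; both regexes are deliberately narrow (a `%`-formatted query split across lines, or a secret read from a dict literal, is missed), which is why the Limitations section below still points at dedicated scanners for deep coverage.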
## Example Usage

**User Request:**

"Run a security audit on the backend API"

**Skill Actions:**

- Scans `backend/` directory for security issues
- Audits Python dependencies in `requirements.txt`
- Checks FastAPI endpoints for common vulnerabilities
- Generates comprehensive report with findings
**Output Format:**

```markdown
# Security Audit Report

## Summary
- 🔴 Critical: 2
- 🟠 High: 5
- 🟡 Medium: 8
- 🟢 Low: 12

## Critical Findings

### 1. Hardcoded API Key Detected
**File:** `backend/app/config.py:23`
**Issue:** API key hardcoded in source code
**Risk:** Credential exposure if code is leaked
**Fix:** Move to environment variable or Secret Manager

### 2. SQL Injection Vulnerability
**File:** `backend/app/api/users.py:45`
**Issue:** Unsanitized user input in SQL query
**Risk:** Database compromise
**Fix:** Use parameterized queries
```
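The two critical findings in the sample report, as an added before/after example (not the skill's output and not CareerCopilot code) on an in-memory SQLite database: `find_user_unsafe` assembles the query from its input the way finding 2 describes, `find_user_safe` binds the value as a parameter, and `load_api_key` is the fix for finding 1 with the variable name `CAREERCOPILOT_API_KEY` assumed. The unsafe function is kept only so a test can show the row-set difference that makes the finding Critical.

```python
"""Before/after for the two critical findings. Added example; table and names are constructed."""
import os
import sqlite3


def make_db():
    """Constructed two-row users table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    return conn


# Finding 2, as reported: query text assembled from user input, so the input
# can change the WHERE clause itself.
def find_user_unsafe(conn, name):
    return conn.execute(f"SELECT name FROM users WHERE name = '{name}'").fetchall()


# Finding 2, as fixed: the driver binds the value; it is only ever compared, never parsed.
def find_user_safe(conn, name):
    return conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()


# Finding 1, as fixed: read the key from the environment and fail loudly when it is
# absent, rather than falling back to a literal in source.
def load_api_key(env=os.environ):
    key = env.get("CAREERCOPILOT_API_KEY")  # variable name is an assumption
    if not key:
        raise RuntimeError("CAREERCOPILOT_API_KEY is not set")
    return key


if __name__ == "__main__":
    db = make_db()
    print("safe:", find_user_safe(db, "alice"))
    print("unsafe with a quote-breaking input:", find_user_unsafe(db, "' OR '1'='1"))
```

The same contrast is a useful regression test to keep beside the fix: a single-quoted input must return nothing from the parameterized query, which is exactly what the report's "Use parameterized queries" remediation guarantees.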
## Configuration

No configuration required. The skill automatically:

- Detects project type (Python, Node.js, Go, etc.)
- Selects appropriate scanners
- Adapts to codebase structure
## Limitations

- Does not execute actual security testing tools (Bandit, OWASP ZAP)
- Provides static analysis recommendations only
- Requires user to run suggested tools for deep scanning
## Related Skills

- `security-analyst` - Deep security architecture review
- `project-health-checker` - Overall project health validation
- `dependency-updater` - Automated dependency updates