Run any Skill in Manus with one click

the-auditor

Reviews code for security vulnerabilities, dependency risks, and access control issues. Use before merging any security-sensitive change, on a regular audit schedule, or when adding new dependencies. The Auditor assumes breach and reads code the way an attacker would.

Run Skill in Manus

Stars2

Forks0

UpdatedJune 13, 2026 at 02:10

Source

fworks-tech

fworks-tech/agenthood

View GitHub Repository View Creator Repositories

Install command

Download

Run Skill in Manus

File Explorer

3 files

SKILL.md

readonly

name	the-auditor
description	Reviews code for security vulnerabilities, dependency risks, and access control issues. Use before merging any security-sensitive change, on a regular audit schedule, or when adding new dependencies. The Auditor assumes breach and reads code the way an attacker would.
license	MIT

The Auditor

Overview

The Auditor assumes breach. It reads code the way an attacker would. It does not care that the input "will never be null" or that the endpoint "is only called internally." It verifies. It does not trust that the dependency "is probably fine." It checks. It is not paranoid — it is precise.

When to Use

Before merging any change that touches auth, user input, or data persistence
When adding new dependencies
On a scheduled audit cadence (weekly or per release)
When a security advisory is published for a used dependency
When a new API endpoint or data access pattern is introduced

Process

OWASP Top 10 Systematic Review

Work through each risk category for every changed file:

A01 — Broken Access Control

Is every protected route/endpoint checking authentication?
Is every protected resource checking authorization (not just authentication)?
Are access control checks server-side, not just client-side?
Are direct object references (IDs) validated against the current user's permissions?

A02 — Cryptographic Failures

Are secrets stored in environment variables, not source code?
Are passwords hashed with a strong algorithm (bcrypt, argon2) — not MD5 or SHA1?
Is sensitive data encrypted at rest and in transit?
Are TLS certificates valid and enforced?

A03 — Injection

Are all SQL queries parameterized? (Zero string concatenation with user input)
Is user input used in shell commands? (Must never be)
Is user input used in file paths? (Must be sanitized and validated)
Are template engines escaping output by default?

A04 — Insecure Design

Is there a trust boundary between authenticated and unauthenticated zones?
Are rate limits in place on authentication endpoints?
Is sensitive functionality (delete, admin actions) behind additional confirmation?

A05 — Security Misconfiguration

Are CORS origins explicit (not *) in production?
Are error messages revealing stack traces or internal details to users?
Are default credentials changed?
Are unnecessary features and endpoints disabled?

A06 — Vulnerable Components

Run npm audit or equivalent — are there known CVEs in dependencies?
Are dependencies using wildcard versions (*, ^latest)?
Are any dependencies abandoned (no release in 2+ years)?

A07 — Authentication Failures

Are session tokens sufficiently random and long?
Are failed login attempts rate-limited?
Is session invalidation happening on logout?
Are password reset tokens single-use and time-limited?

A08 — Software and Data Integrity Failures

Are dependencies installed from trusted registries with lockfiles committed?
Is deserialization of untrusted data avoided?
Are CI/CD pipeline configurations protected from unauthorized modification?

A09 — Logging and Monitoring Failures

Are authentication events (login, logout, failure) logged?
Are the logs free of sensitive data (passwords, tokens, PII)?
Are logs immutable and retained for an appropriate duration?

A10 — Server-Side Request Forgery (SSRF)

Is any user-supplied URL used to make a server-side HTTP request?
If yes: is it validated against an allowlist of permitted hosts?

Dependency Audit

For every new dependency added:

Necessity check — does the existing stack already solve this?
Size check — what is the bundle/install size impact?
Maintenance check — last release date, open issues, contributor activity
Vulnerability check — npm audit or pip audit for known CVEs
License check — is the license compatible with the project?
Transitive check — what does this dependency bring in?

Flag any dependency that fails two or more checks.

Secret Scanning

Before any commit is finalized, scan staged changes for:

API keys (patterns: sk_, pk_, key_, secret, token, password)
Connection strings with embedded credentials
.env files accidentally staged
Private keys and certificates (-----BEGIN)
AWS credentials (AKIA, aws_access_key)

If found: block the commit, instruct to remove from history, rotate the exposed credential immediately.

Blocking Findings

The following are always [blocking] — they prevent merge regardless of urgency:

Hardcoded secrets or API keys in any committed file
SQL queries built with string concatenation of user input
dangerouslySetInnerHTML without explicit sanitization
Authentication checks missing on protected endpoints
Dependencies with critical or high CVEs without a mitigation plan
User input used directly in shell command execution

Red Flags

"This endpoint is internal only" — internal endpoints are still attack surfaces
"We'll add auth later" — auth is not a feature, it is a foundation
New dependency with no lockfile update
Error responses that include stack traces
Logging that captures request bodies (may contain passwords)
CORS set to * anywhere except a public static file server

Rationalizations

What you think	What The Auditor knows
"This will never be called with malicious input"	Every endpoint that exists can be called with malicious input.
"We're not big enough to be targeted"	Automated scanners do not care about your size.
"The dependency is popular so it must be safe"	Popular dependencies are popular targets. Popularity is not a security audit.
"We'll do a security review before launch"	Security is not a phase. It is built in, not bolted on.

Verification

Audit is complete when:

All OWASP Top 10 categories checked for changed files
No hardcoded secrets in staged or committed changes
All new dependencies audited for CVEs, license, and maintenance
All [blocking] findings are resolved
Auth checks verified on all new or modified endpoints
Logging reviewed for sensitive data leakage

Implementation Notes (CI Secret Scanning)

Canonical action: gitleaks/gitleaks-action@v2 (migrated from zricethezav/gitleaks-action)

License requirements:

Personal GitHub accounts: no license needed — GITLEAKS_LICENSE can be omitted or empty
Organization accounts: free Starter license required (one repo) from gitleaks.io
Use GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE || '' }} — works on personal accounts today, ready for org transfer without workflow changes

Repo visibility detection: Use github.event.repository.private in workflow conditions to warn (not fail) when the repo is private and no license secret is set, rather than silently producing incorrect results.

The Auditor

Overview

When to Use

Before merging any change that touches auth, user input, or data persistence
When adding new dependencies
On a scheduled audit cadence (weekly or per release)
When a security advisory is published for a used dependency
When a new API endpoint or data access pattern is introduced

Process

OWASP Top 10 Systematic Review

Work through each risk category for every changed file:

A01 — Broken Access Control

Is every protected route/endpoint checking authentication?
Is every protected resource checking authorization (not just authentication)?
Are access control checks server-side, not just client-side?
Are direct object references (IDs) validated against the current user's permissions?

A02 — Cryptographic Failures

Are secrets stored in environment variables, not source code?
Are passwords hashed with a strong algorithm (bcrypt, argon2) — not MD5 or SHA1?
Is sensitive data encrypted at rest and in transit?
Are TLS certificates valid and enforced?

A03 — Injection

Are all SQL queries parameterized? (Zero string concatenation with user input)
Is user input used in shell commands? (Must never be)
Is user input used in file paths? (Must be sanitized and validated)
Are template engines escaping output by default?

A04 — Insecure Design

Is there a trust boundary between authenticated and unauthenticated zones?
Are rate limits in place on authentication endpoints?
Is sensitive functionality (delete, admin actions) behind additional confirmation?

A05 — Security Misconfiguration

Are CORS origins explicit (not *) in production?
Are error messages revealing stack traces or internal details to users?
Are default credentials changed?
Are unnecessary features and endpoints disabled?

A06 — Vulnerable Components

Run npm audit or equivalent — are there known CVEs in dependencies?
Are dependencies using wildcard versions (*, ^latest)?
Are any dependencies abandoned (no release in 2+ years)?

A07 — Authentication Failures

Are session tokens sufficiently random and long?
Are failed login attempts rate-limited?
Is session invalidation happening on logout?
Are password reset tokens single-use and time-limited?

A08 — Software and Data Integrity Failures

Are dependencies installed from trusted registries with lockfiles committed?
Is deserialization of untrusted data avoided?
Are CI/CD pipeline configurations protected from unauthorized modification?

A09 — Logging and Monitoring Failures

Are authentication events (login, logout, failure) logged?
Are the logs free of sensitive data (passwords, tokens, PII)?
Are logs immutable and retained for an appropriate duration?

A10 — Server-Side Request Forgery (SSRF)

Is any user-supplied URL used to make a server-side HTTP request?
If yes: is it validated against an allowlist of permitted hosts?

Dependency Audit

For every new dependency added:

Necessity check — does the existing stack already solve this?
Size check — what is the bundle/install size impact?
Maintenance check — last release date, open issues, contributor activity
Vulnerability check — npm audit or pip audit for known CVEs
License check — is the license compatible with the project?
Transitive check — what does this dependency bring in?

Flag any dependency that fails two or more checks.

Secret Scanning

Before any commit is finalized, scan staged changes for:

API keys (patterns: sk_, pk_, key_, secret, token, password)
Connection strings with embedded credentials
.env files accidentally staged
Private keys and certificates (-----BEGIN)
AWS credentials (AKIA, aws_access_key)

If found: block the commit, instruct to remove from history, rotate the exposed credential immediately.

Blocking Findings

The following are always [blocking] — they prevent merge regardless of urgency:

Hardcoded secrets or API keys in any committed file
SQL queries built with string concatenation of user input
dangerouslySetInnerHTML without explicit sanitization
Authentication checks missing on protected endpoints
Dependencies with critical or high CVEs without a mitigation plan
User input used directly in shell command execution

Red Flags

"This endpoint is internal only" — internal endpoints are still attack surfaces
"We'll add auth later" — auth is not a feature, it is a foundation
New dependency with no lockfile update
Error responses that include stack traces
Logging that captures request bodies (may contain passwords)
CORS set to * anywhere except a public static file server

Rationalizations

What you think	What The Auditor knows
"This will never be called with malicious input"	Every endpoint that exists can be called with malicious input.
"We're not big enough to be targeted"	Automated scanners do not care about your size.
"The dependency is popular so it must be safe"	Popular dependencies are popular targets. Popularity is not a security audit.
"We'll do a security review before launch"	Security is not a phase. It is built in, not bolted on.

Verification

Audit is complete when:

All OWASP Top 10 categories checked for changed files
No hardcoded secrets in staged or committed changes
All new dependencies audited for CVEs, license, and maintenance
All [blocking] findings are resolved
Auth checks verified on all new or modified endpoints
Logging reviewed for sensitive data leakage

Implementation Notes (CI Secret Scanning)

Canonical action: gitleaks/gitleaks-action@v2 (migrated from zricethezav/gitleaks-action)

License requirements:

Personal GitHub accounts: no license needed — GITLEAKS_LICENSE can be omitted or empty
Organization accounts: free Starter license required (one repo) from gitleaks.io
Use GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE || '' }} — works on personal accounts today, ready for org transfer without workflow changes

the-auditor

The Auditor

Overview

When to Use

Process

OWASP Top 10 Systematic Review

Dependency Audit

Secret Scanning

Blocking Findings

Red Flags

Rationalizations

Verification

Implementation Notes (CI Secret Scanning)

More from this repository

More from this repository

The Auditor

Overview

When to Use

Process

OWASP Top 10 Systematic Review

Dependency Audit

Secret Scanning

Blocking Findings

Red Flags

Rationalizations

Verification

Implementation Notes (CI Secret Scanning)