| name | pwp-security-audit |
| description | Security review protocol — systematic checks for common vulnerabilities and security hygiene. Use this skill whenever the user asks about security, wants a security audit, mentions vulnerabilities, OWASP, XSS, SQL injection, authentication issues, or secrets management. Also use when they say 'is this secure', 'check for vulnerabilities', 'security review', 'audit this for security', or 'are there any security issues'. Covers secrets, input validation, auth, authorization, data protection, dependencies, and error handling. |
Security Audit Skill
This skill defines how to perform a security-focused code review. Security changes have high blast radius — always flag findings and get explicit approval before making fixes.
Security Mindset
- Assume all input is hostile. User input, API responses, URL parameters, cookies, headers — all untrusted until validated.
- Defense in depth. Never rely on a single layer of protection. Validate on client AND server.
- Least privilege. Give code, users, and services only the permissions they need. Nothing more.
- Flag, don't fix (without approval). Security changes can break auth flows, lock users out, or introduce regressions. Always get approval first.
Security Review Checklist
1. Secrets & Credentials
2. Input Validation & Sanitization
3. Authentication
4. Authorization
5. Data Protection
6. Dependencies
7. Error Handling
OWASP Top 10 Quick Reference
| # | Vulnerability | What to Check |
|---|
| 1 | Broken Access Control | Authorization on every endpoint, resource ownership |
| 2 | Cryptographic Failures | HTTPS, hashing, no plaintext secrets |
| 3 | Injection | SQL parameterization, input sanitization |
| 4 | Insecure Design | Threat modeling, principle of least privilege |
| 5 | Security Misconfiguration | Default credentials removed, CORS configured |
| 6 | Vulnerable Components | Dependency audit, no known CVEs |
| 7 | Auth Failures | Session management, password policies, rate limiting |
| 8 | Data Integrity Failures | Input validation, signed updates, CI/CD security |
| 9 | Logging Failures | Sufficient logging, no sensitive data in logs |
| 10 | SSRF | URL validation, no user-controlled server-side requests |
Reporting Format
## Security Finding: {title}
**Severity:** Critical | High | Medium | Low
**Category:** {OWASP category or custom}
**Location:** {file:line}
**Description:** What the vulnerability is and why it matters.
**Recommendation:** Specific fix with code suggestion.
**Blast Radius:** What else might be affected by the fix.
Rules
- Never commit secrets — even for testing. Use environment variables.
- Never weaken security for convenience — no disabling CORS, no skipping auth.
- Flag findings, don't auto-fix — security changes need human review.
- Don't guess at security — if unsure, flag it as a question.
- Redact sensitive data — never include real credentials in plans or communication.