| name | security-audit |
| description | Run a comprehensive security audit — OWASP Top 10, secrets detection, dependency vulnerabilities, injection vectors, auth checks |
| author | subinium |
| user-invocable | true |
| disable-model-invocation | true |
Security Audit
Run a security audit on the current codebase or changes.
Usage
/security-audit # Quick mode (default): <60 seconds, changed files only
/security-audit --full # Full mode: 5-10 minutes, entire codebase
Modes
Quick Mode (default)
- Scope: changed files only (
git diff)
- Checks: Secrets, Injection, Auth (categories 1-3)
- Time limit: 60 seconds
- Best for: pre-commit, pre-push reviews
Full Mode (--full)
- Scope: entire codebase
- Checks: All 6 categories
- Time limit: 10 minutes
- Best for: release preparation, initial audits, compliance
Constraints
- DO NOT modify, fix, or patch any code during the audit
- DO NOT commit changes or alter git state
- Only report vulnerabilities and suggest remediations — never apply them
Process
Quick Mode
- Run
git diff --staged (or git diff, or git diff HEAD~1) to scope
- Read changed files and their direct imports
- Check categories 1-3 (Secrets, Injection, Auth)
- Run
quick-scan.sh on changed files
- Output findings
Full Mode
- Identify all source files in the project
- Read ALL source files and their dependencies
- Check all 6 categories below
- Run automated checks
- Output structured findings
Audit Categories
1. Secrets & Credentials (CRITICAL)
2. Injection (CRITICAL)
3. Authentication & Authorization (CRITICAL)
4. Data Protection (HIGH)
5. Dependency Security (HIGH)
6. Infrastructure (MEDIUM)
Quick Scan Script
Run the bundled automated scanner for common vulnerabilities:
bash ~/.claude/skills/security-audit/scripts/quick-scan.sh .
This checks: hardcoded secrets (AWS, OpenAI, GitHub, Slack patterns), dangerous functions (eval, exec, innerHTML), .env in git, and dependency audit.
Manual Checks
npm audit --production
npx eslint --no-eslintrc -c '{"rules":{"no-eval":"error","no-implied-eval":"error"}}' .
pip audit
ruff check --select S .
git log --all --oneline -S 'password' --diff-filter=A
git log --all --oneline -S 'secret' --diff-filter=A
grep -rn 'eval(' --include='*.ts' --include='*.tsx' --include='*.js' .
grep -rn 'dangerouslySetInnerHTML' --include='*.tsx' --include='*.jsx' .
grep -rn 'innerHTML' --include='*.ts' --include='*.js' .