| name | security-audit |
| description | Comprehensive security audit covering OWASP Top 10, input validation, authentication, authorization, secret management, dependency vulnerabilities, and injection attack prevention. Use when reviewing security posture, implementing auth flows, handling user input, auditing dependencies, conducting penetration test prep, or before production deployment. |
| allowed-tools | Read, Grep, Glob |
| model | sonnet |
| context | fork |
| agent | Explore |
| argument-hint | <file-or-directory> |
| finding_levels | ["S1","S2","S3"] |
| iso_class | none |
Security Audit Skill
When to Use
- Implementing authentication/authorization
- Handling user input
- Working with sensitive data (passwords, tokens, keys)
- Security review requests
- Designing API endpoints
Security Checklist
Input Validation
Authentication
Authorization
Reference Documents (Import Syntax)
@./reference/security.md
@./reference/error-handling.md
@./reference/api-design.md
OWASP Top 10 Reference
- Injection
- Broken Authentication
- Sensitive Data Exposure
- XML External Entities (XXE)
- Broken Access Control
- Security Misconfiguration
- Cross-Site Scripting (XSS)
- Insecure Deserialization
- Using Components with Known Vulnerabilities
- Insufficient Logging & Monitoring
Output
This skill runs in a forked context (context: fork) using the read-only Explore agent. It does not have access to the calling conversation's history — operate entirely from the supplied <file-or-directory> argument.
Return a structured report at the end of analysis:
## Security Audit Report
| Severity | Findings |
|----------|----------|
| S1 (block-merge) | N items |
| S2 (review-required) | N items |
| S3 (advisory) | N items |
### S1 Findings
1. `file.ext:line` — severity: S1 — finding + recommended fix
2. ...
### S2 Findings
1. `file.ext:line` — severity: S2 — finding + recommended fix
### Coverage
- Files inspected: N
- OWASP categories evaluated: 1, 2, 3, ...
- Categories not applicable: ...
Each finding MUST include a severity: field (S1, S2, or S3). When a finding's severity is ambiguous, default to S3 (advisory) per the false-positive playbook.