원클릭으로
security-audit
Run a comprehensive security audit — OWASP Top 10, secrets detection, dependency vulnerabilities, injection vectors, auth checks
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
메뉴
Run a comprehensive security audit — OWASP Top 10, secrets detection, dependency vulnerabilities, injection vectors, auth checks
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
SOC 직업 분류 기준
Thin slash-command wrapper around the i18n-nfc-auditor agent — audits Korean/CJK string handling for NFC/NFD Unicode normalization mismatches across filenames, URLs, attachments, and DB paths. Use when "한글 파일 깨짐", "Supabase 첨부 안 됨", "한글 파일명 문제", or after Supabase/Vercel deploy.
Thin slash-command wrapper around the migration-reviewer agent — audits SQL/Prisma/Supabase/sqlx/Drizzle migration files for data loss, lock contention, missing indexes, and rollback safety. Use before db push, before Supabase deploy, or "마이그레이션 리뷰", "DB 스키마 검토".
Audit and curate the per-project memory system at ~/.claude/projects/<encoded-cwd>/memory/ — finds duplicates, stale entries, missing-pointer files, oversized MEMORY.md, and entries that violate the user/feedback/project/reference taxonomy. Use when memory feels noisy, before /clear of a long-running project, or when memories stop influencing behavior.
Traces all references to a feature flag/gate across the codebase and produces a removal PR draft. Use when ramping up a flag, removing a kill switch, or "feature flag 정리", "플래그 제거", "킬스위치 제거". Auto-detects flag system (GrowthBook, LaunchDarkly, env vars, custom dictionary). Read-only — produces a draft markdown file, never runs gh pr create.
Performance triage entry point — bundle analysis, build profiling, Lighthouse CI, Next.js Cache Components inspection. Use when asked "why is X slow", "perf 분석", "번들 사이즈 확인", "Lighthouse 점수", "빌드 시간 측정". Delegates deep root-cause analysis to perf-researcher agent.
Scaffolds a Claude Code plugin with .claude-plugin/marketplace.json + plugin.json + a starter skill/agent/hook + GitHub Actions validator — codifies the vibesubin maintenance pattern. Use when creating a new plugin, publishing to a marketplace, or "플러그인 만들어줘", "claude code plugin scaffold", "마켓플레이스 플러그인".
| name | security-audit |
| description | Run a comprehensive security audit — OWASP Top 10, secrets detection, dependency vulnerabilities, injection vectors, auth checks |
| author | subinium |
| user-invocable | true |
| disable-model-invocation | true |
Run a security audit on the current codebase or changes.
/security-audit # Quick mode (default): <60 seconds, changed files only
/security-audit --full # Full mode: 5-10 minutes, entire codebase
git diff)--full)git diff --staged (or git diff, or git diff HEAD~1) to scopequick-scan.sh on changed files.env files in .gitignoregit log -p --all -S 'password\|secret\|api_key\|private_key'grep -rn 'AKIA\|sk-\|ghp_' . for common key patternsdangerouslySetInnerHTML auditedexec(), eval(), child_process.exec() with user input../ in file paths from user input, use path.resolve() + validation* in production)Secure, HttpOnly, SameSitenpm audit / pip audit / cargo auditpackage-lock.json, poetry.lock)Run the bundled automated scanner for common vulnerabilities:
bash ~/.claude/skills/security-audit/scripts/quick-scan.sh .
This checks: hardcoded secrets (AWS, OpenAI, GitHub, Slack patterns), dangerous functions (eval, exec, innerHTML), .env in git, and dependency audit.
# JavaScript/TypeScript
npm audit --production
npx eslint --no-eslintrc -c '{"rules":{"no-eval":"error","no-implied-eval":"error"}}' .
# Python
pip audit
ruff check --select S . # security rules
# Git history
git log --all --oneline -S 'password' --diff-filter=A
git log --all --oneline -S 'secret' --diff-filter=A
# Common patterns
grep -rn 'eval(' --include='*.ts' --include='*.tsx' --include='*.js' .
grep -rn 'dangerouslySetInnerHTML' --include='*.tsx' --include='*.jsx' .
grep -rn 'innerHTML' --include='*.ts' --include='*.js' .