name	security
description	Rapid security assessment focused on OWASP Top 10 vulnerabilities
argument-hint	[path] [--depth quick\|full]
effort	medium
when_to_use	Use when reviewing code for security vulnerabilities or before merging sensitive changes.
disable-model-invocation	true

Security Quick Audit

Rapid security assessment focused on OWASP Top 10 vulnerabilities.

Purpose

Perform a quick security scan to identify common vulnerabilities:

Hardcoded secrets and credentials
SQL injection risks
XSS vulnerabilities
Insecure dependencies
Authentication/authorization issues

Instructions

Step 1: Secrets Scan

# Common secret patterns
grep -rn --include="*.{js,ts,py,go,java,rb,php,env}" \
  -E "(password|secret|api_key|apikey|token|auth|credential).*[=:].*['\"][^'\"]{8,}['\"]" \
  --exclude-dir={node_modules,vendor,.git,dist,build} . 2>/dev/null | head -20

# .env files that might be committed
find . -name ".env*" -not -path "*/node_modules/*" -type f 2>/dev/null

# Check if secrets are gitignored
[ -f ".gitignore" ] && grep -q "\.env" .gitignore && echo "✅ .env in .gitignore" || echo "⚠️ .env NOT in .gitignore"

Step 2: Injection Vulnerabilities

# SQL injection patterns (raw queries with string concat)
grep -rn --include="*.{js,ts,py,go,java,php}" \
  -E "(query|execute|raw|sql).*\+.*\$|f['\"].*SELECT|\.format\(.*SELECT" \
  --exclude-dir={node_modules,vendor,.git} . 2>/dev/null | head -15

# Command injection patterns
grep -rn --include="*.{js,ts,py,go,rb,php}" \
  -E "(exec|spawn|system|shell_exec|popen)\s*\(" \
  --exclude-dir={node_modules,vendor,.git} . 2>/dev/null | head -15

Step 3: XSS Patterns

# Dangerous innerHTML/dangerouslySetInnerHTML usage
grep -rn --include="*.{js,ts,jsx,tsx,vue}" \
  -E "(innerHTML|dangerouslySetInnerHTML|v-html)" \
  --exclude-dir={node_modules,.git,dist} . 2>/dev/null | head -15

# Unescaped template literals in HTML context
grep -rn --include="*.{js,ts,jsx,tsx}" \
  -E "\`.*\$\{.*\}.*<" \
  --exclude-dir={node_modules,.git,dist} . 2>/dev/null | head -10

Step 4: Dependency Check

# Check for known vulnerabilities in npm packages
[ -f "package-lock.json" ] && npm audit --json 2>/dev/null | jq '{vulnerabilities: .metadata.vulnerabilities}' 2>/dev/null

# Check for outdated packages with security issues
[ -f "package.json" ] && npm outdated --json 2>/dev/null | jq 'to_entries | map(select(.value.current != .value.latest)) | length' 2>/dev/null

Step 5: Auth & Session Issues

# Hardcoded JWT secrets
grep -rn --include="*.{js,ts,py,go}" \
  -E "(jwt|JWT).*secret.*[=:].*['\"].{8,}['\"]" \
  --exclude-dir={node_modules,vendor,.git} . 2>/dev/null

# Missing CSRF protection patterns
grep -rn --include="*.{js,ts,py}" \
  -E "(POST|PUT|DELETE|PATCH).*fetch|axios\.(post|put|delete|patch)" \
  --exclude-dir={node_modules,vendor,.git} . 2>/dev/null | head -10

Output Format

🛡️ Security Audit Report

Scan Date: [timestamp] Scope: [directory scanned]

🔴 Critical Issues

Issue	Location	Description
[type]	[file:line]	[brief description]

🟠 High Severity

Issue	Location	Recommendation
[type]	[file:line]	[fix suggestion]

🟡 Medium Severity

Issue	Location	Note
[type]	[file:line]	[context]

📊 Summary

Critical: X issues
High: X issues
Medium: X issues
Dependencies: X vulnerabilities

🔧 Quick Fixes

[Highest priority fix with command/code]
[Second priority]
[Third priority]

Severity Levels

Level	Examples	Action
🔴 Critical	Hardcoded prod secrets, SQL injection	Fix immediately
🟠 High	Missing auth, XSS vectors	Fix before deploy
🟡 Medium	Outdated deps, missing CSRF	Plan remediation
🟢 Low	Best practice violations	Track for improvement

Usage

Full audit:

/security

Focus on specific area:

/security auth
/security deps
/security injection

Specific file/directory:

/security src/api/

Notes

This is a quick heuristic scan, not a comprehensive security audit
For production systems, complement with dedicated tools (Snyk, SonarQube, OWASP ZAP)
False positives are possible - verify findings manually
See examples/hooks/security-hooks.sh for automated pre-commit security checks

$ARGUMENTS

More from this repository

same repository

eval-agents

FlorianBruniaux/claude-code-ultimate-guide

Audit Claude Code agents defined in .claude/agents/ for description specificity, model tier appropriateness, tools scoping, and system prompt quality. Detects dispatch ambiguity between agents, flags over-permissive tool grants, and checks for human-in-the-loop patterns that break programmatic orchestration. Use when onboarding to a project with existing agents, after adding new agents to a fleet, or when an orchestrator consistently selects the wrong agent.

2026-06-044.8k

eval-hooks

FlorianBruniaux/claude-code-ultimate-guide

Audit Claude Code hooks defined in settings.json files for validity, performance safety, and correctness. Resolves each command against the filesystem, checks exit-code strategy for blocking hooks, flags missing timeouts, and reviews interactive vs async patterns. Use when setting up hooks for the first time, debugging a hook that never fires or hangs the agent, or doing a periodic hooks hygiene pass.

2026-06-044.8k

autoresearch

FlorianBruniaux/claude-code-ultimate-guide

Autonomous improvement loop: scan codebase metrics, scaffold experiment files, run agent-driven iterations until metric improves

2026-06-044.8k

canary

FlorianBruniaux/claude-code-ultimate-guide

Post-deploy monitoring: watch production after a deploy and alert on regressions

2026-06-044.8k

catchup

FlorianBruniaux/claude-code-ultimate-guide

Restore context after /clear by summarizing recent work and project state

2026-06-044.8k

ccboard

FlorianBruniaux/claude-code-ultimate-guide

Launch and navigate the ccboard TUI/Web dashboard for Claude Code. Use when monitoring token usage, tracking costs, browsing sessions, or checking MCP server status across projects.

2026-06-044.8k

name	security
description	Rapid security assessment focused on OWASP Top 10 vulnerabilities
argument-hint	[path] [--depth quick\|full]
effort	medium
when_to_use	Use when reviewing code for security vulnerabilities or before merging sensitive changes.
disable-model-invocation	true

Security Quick Audit

Rapid security assessment focused on OWASP Top 10 vulnerabilities.

Purpose

Perform a quick security scan to identify common vulnerabilities:

Hardcoded secrets and credentials
SQL injection risks
XSS vulnerabilities
Insecure dependencies
Authentication/authorization issues

Instructions

Step 1: Secrets Scan

# Common secret patterns
grep -rn --include="*.{js,ts,py,go,java,rb,php,env}" \
  -E "(password|secret|api_key|apikey|token|auth|credential).*[=:].*['\"][^'\"]{8,}['\"]" \
  --exclude-dir={node_modules,vendor,.git,dist,build} . 2>/dev/null | head -20

# .env files that might be committed
find . -name ".env*" -not -path "*/node_modules/*" -type f 2>/dev/null

# Check if secrets are gitignored
[ -f ".gitignore" ] && grep -q "\.env" .gitignore && echo "✅ .env in .gitignore" || echo "⚠️ .env NOT in .gitignore"

Step 2: Injection Vulnerabilities

# SQL injection patterns (raw queries with string concat)
grep -rn --include="*.{js,ts,py,go,java,php}" \
  -E "(query|execute|raw|sql).*\+.*\$|f['\"].*SELECT|\.format\(.*SELECT" \
  --exclude-dir={node_modules,vendor,.git} . 2>/dev/null | head -15

# Command injection patterns
grep -rn --include="*.{js,ts,py,go,rb,php}" \
  -E "(exec|spawn|system|shell_exec|popen)\s*\(" \
  --exclude-dir={node_modules,vendor,.git} . 2>/dev/null | head -15

Step 3: XSS Patterns

# Dangerous innerHTML/dangerouslySetInnerHTML usage
grep -rn --include="*.{js,ts,jsx,tsx,vue}" \
  -E "(innerHTML|dangerouslySetInnerHTML|v-html)" \
  --exclude-dir={node_modules,.git,dist} . 2>/dev/null | head -15

# Unescaped template literals in HTML context
grep -rn --include="*.{js,ts,jsx,tsx}" \
  -E "\`.*\$\{.*\}.*<" \
  --exclude-dir={node_modules,.git,dist} . 2>/dev/null | head -10

Step 4: Dependency Check

# Check for known vulnerabilities in npm packages
[ -f "package-lock.json" ] && npm audit --json 2>/dev/null | jq '{vulnerabilities: .metadata.vulnerabilities}' 2>/dev/null

# Check for outdated packages with security issues
[ -f "package.json" ] && npm outdated --json 2>/dev/null | jq 'to_entries | map(select(.value.current != .value.latest)) | length' 2>/dev/null

Step 5: Auth & Session Issues

# Hardcoded JWT secrets
grep -rn --include="*.{js,ts,py,go}" \
  -E "(jwt|JWT).*secret.*[=:].*['\"].{8,}['\"]" \
  --exclude-dir={node_modules,vendor,.git} . 2>/dev/null

# Missing CSRF protection patterns
grep -rn --include="*.{js,ts,py}" \
  -E "(POST|PUT|DELETE|PATCH).*fetch|axios\.(post|put|delete|patch)" \
  --exclude-dir={node_modules,vendor,.git} . 2>/dev/null | head -10

Output Format

🛡️ Security Audit Report

Scan Date: [timestamp] Scope: [directory scanned]

🔴 Critical Issues

Issue	Location	Description
[type]	[file:line]	[brief description]

🟠 High Severity

Issue	Location	Recommendation
[type]	[file:line]	[fix suggestion]

🟡 Medium Severity

Issue	Location	Note
[type]	[file:line]	[context]

📊 Summary

Critical: X issues
High: X issues
Medium: X issues
Dependencies: X vulnerabilities

🔧 Quick Fixes

[Highest priority fix with command/code]
[Second priority]
[Third priority]

Severity Levels

Level	Examples	Action
🔴 Critical	Hardcoded prod secrets, SQL injection	Fix immediately
🟠 High	Missing auth, XSS vectors	Fix before deploy
🟡 Medium	Outdated deps, missing CSRF	Plan remediation
🟢 Low	Best practice violations	Track for improvement

Usage

Full audit:

/security

Focus on specific area:

/security auth
/security deps
/security injection

Specific file/directory:

/security src/api/

Notes

This is a quick heuristic scan, not a comprehensive security audit
For production systems, complement with dedicated tools (Snyk, SonarQube, OWASP ZAP)
False positives are possible - verify findings manually
See examples/hooks/security-hooks.sh for automated pre-commit security checks

$ARGUMENTS