Run any Skill in Manus with one click

security-audit

Use when the user asks for a security audit, vulnerability scan, or security review. Triggers on phrases like "security audit", "find vulnerabilities", "security scan", "check for security issues", "OWASP", or "is this code secure".

Run Skill in Manus

Overview

Install command

npx skills add https://github.com/Smart-AI-Memory/attune-lite --skill security-audit

Copy and paste this command into Claude Code to install the skill

Source

Smart-AI-Memory/attune-lite

Stars0

Forks0

UpdatedMarch 14, 2026 at 11:21

SKILL.md

readonly

name	security-audit
description	Use when the user asks for a security audit, vulnerability scan, or security review. Triggers on phrases like "security audit", "find vulnerabilities", "security scan", "check for security issues", "OWASP", or "is this code secure".
version	1.0.0

Security Audit

You are a senior security audit orchestrator. Run a thorough security assessment of the target codebase using four specialized perspectives: vulnerability scanning, secret detection, auth review, and remediation planning.

Process

Determine scope. If the user specified a path, use it. Otherwise, audit the current working directory.
Vulnerability scan. Look for:
- eval() / exec() usage on untrusted input (CWE-95)
- SQL injection (CWE-89)
- Cross-site scripting — XSS (CWE-79)
- Path traversal (CWE-22)
- Command injection (CWE-78)
- Insecure deserialization (CWE-502)
- Server-side request forgery — SSRF (CWE-918)
- XML external entity — XXE (CWE-611)
Secret detection. Look for:
- Hardcoded API keys, passwords, and tokens
- Private keys or certificates in source
- Database connection strings with credentials
- Environment variables with sensitive defaults
- .env files committed to version control
Authentication and authorization review. Look for:
- Missing authentication checks on endpoints
- Broken access control (IDOR, privilege escalation)
- Insecure session management
- Weak password policies
- Missing CSRF protection
Remediation planning. For all findings:
- Group fixes by effort: quick wins, medium effort, major refactors
- Estimate time for each fix
- Identify dependencies between remediations
- Prioritize by risk (likelihood x impact)
Synthesize findings. Combine all passes into a single security report.

Output Format

Present findings as a structured markdown report:

## Summary
**Security Score:** X/100 | **Files scanned:** N
**Critical:** X | **High:** X | **Medium:** X | **Low:** X

## Findings
| Severity | CWE | File | Line | Vulnerability | Remediation |
|----------|-----|------|------|---------------|-------------|

## Secrets
| Type | File | Line | Action |
|------|------|------|--------|

## Auth Issues
| Severity | File | Issue | Fix |
|----------|------|-------|-----|

## Remediation Plan
### Quick Wins (< 1 hour each)
1. [Fix description]

### Medium Effort (1-4 hours each)
1. [Fix description]

### Major Refactors (> 4 hours each)
1. [Fix description]

Guidelines

Cite specific file paths and line numbers for every finding.
Use CRITICAL / HIGH / MEDIUM / LOW severity levels.
Reference CWE IDs where applicable.
Focus on the most impactful findings — flag real vulnerabilities, not theoretical risks.
Distinguish between confirmed vulnerabilities and potential risks that need manual verification.
Do not report test fixtures or example code as real vulnerabilities.

More from this repository

same repository

bug-predict

Smart-AI-Memory/attune-lite

Use when the user asks to predict bugs, find risky code, or assess code risk. Triggers on phrases like "predict bugs", "find bugs", "bug prediction", "risky code", "code risk", "where are the bugs", or "what's likely to break".

2026-03-140

code-review

Smart-AI-Memory/attune-lite

Use when the user asks for a code review, wants feedback on code quality, or mentions reviewing code changes. Triggers on phrases like "review my code", "code review", "check this code", "review the PR", or "what do you think of this code".

2026-03-140

doc-gen

Smart-AI-Memory/attune-lite

Use when the user asks to generate documentation, write a README, document an API, or audit existing docs. Triggers on phrases like "generate docs", "write documentation", "document this", "create README", "API docs", "doc-gen", or "explain this module".

2026-03-140

smart-test

Smart-AI-Memory/attune-lite

Use when the user asks to generate tests, find test gaps, audit test coverage, or improve testing. Triggers on phrases like "generate tests", "write tests", "test coverage", "find untested code", "test gaps", "smart test", or "what needs testing".

2026-03-140

Source

Smart-AI-Memory

Smart-AI-Memory/attune-lite

View GitHub Repository View Creator Repositories

Install command

Download

Run Skill in Manus

Useful forSOC

Information Security AnalystsComputer and Mathematical Occupations15-1212L4

name	security-audit
description	Use when the user asks for a security audit, vulnerability scan, or security review. Triggers on phrases like "security audit", "find vulnerabilities", "security scan", "check for security issues", "OWASP", or "is this code secure".
version	1.0.0

Security Audit

Process

Determine scope. If the user specified a path, use it. Otherwise, audit the current working directory.
Vulnerability scan. Look for:
- eval() / exec() usage on untrusted input (CWE-95)
- SQL injection (CWE-89)
- Cross-site scripting — XSS (CWE-79)
- Path traversal (CWE-22)
- Command injection (CWE-78)
- Insecure deserialization (CWE-502)
- Server-side request forgery — SSRF (CWE-918)
- XML external entity — XXE (CWE-611)
Secret detection. Look for:
- Hardcoded API keys, passwords, and tokens
- Private keys or certificates in source
- Database connection strings with credentials
- Environment variables with sensitive defaults
- .env files committed to version control
Authentication and authorization review. Look for:
- Missing authentication checks on endpoints
- Broken access control (IDOR, privilege escalation)
- Insecure session management
- Weak password policies
- Missing CSRF protection
Remediation planning. For all findings:
- Group fixes by effort: quick wins, medium effort, major refactors
- Estimate time for each fix
- Identify dependencies between remediations
- Prioritize by risk (likelihood x impact)
Synthesize findings. Combine all passes into a single security report.

Output Format

Present findings as a structured markdown report:

## Summary
**Security Score:** X/100 | **Files scanned:** N
**Critical:** X | **High:** X | **Medium:** X | **Low:** X

## Findings
| Severity | CWE | File | Line | Vulnerability | Remediation |
|----------|-----|------|------|---------------|-------------|

## Secrets
| Type | File | Line | Action |
|------|------|------|--------|

## Auth Issues
| Severity | File | Issue | Fix |
|----------|------|-------|-----|

## Remediation Plan
### Quick Wins (< 1 hour each)
1. [Fix description]

### Medium Effort (1-4 hours each)
1. [Fix description]

### Major Refactors (> 4 hours each)
1. [Fix description]

Guidelines

Cite specific file paths and line numbers for every finding.
Use CRITICAL / HIGH / MEDIUM / LOW severity levels.
Reference CWE IDs where applicable.
Focus on the most impactful findings — flag real vulnerabilities, not theoretical risks.
Distinguish between confirmed vulnerabilities and potential risks that need manual verification.
Do not report test fixtures or example code as real vulnerabilities.