菜单
Run a comprehensive security audit against a codebase. Covers OWASP Top 10, secrets exposure, dependency vulnerabilities, misconfigurations, and insecure patterns. Language-agnostic.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
基于 SOC 职业分类
| name | security-audit |
| description | Run a comprehensive security audit against a codebase. Covers OWASP Top 10, secrets exposure, dependency vulnerabilities, misconfigurations, and insecure patterns. Language-agnostic. |
| license | MIT |
| allowed-tools | ["Read","Glob","Grep","Bash","AskUserQuestion"] |
When asked to run a security audit, follow this systematic process. Adapt checks to the languages and frameworks detected in the project.
Identify the tech stack before diving in.
package.json, yarn.lock (Node.js)requirements.txt, Pipfile, pyproject.toml (Python)go.mod (Go)Cargo.toml (Rust)Gemfile (Ruby)pom.xml, build.gradle (Java/Kotlin)*.csproj (C#/.NET)composer.json (PHP)Search for hardcoded secrets. These are critical findings.
# Patterns to grep for (case-insensitive):
- API_KEY, APIKEY, api_key
- SECRET, SECRET_KEY, CLIENT_SECRET
- PASSWORD, PASSWD, DB_PASS
- TOKEN, ACCESS_TOKEN, AUTH_TOKEN, BEARER
- PRIVATE_KEY, private_key, -----BEGIN
- AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY
- JDBC connection strings with credentials
- mongodb://, postgres://, mysql:// with embedded passwords
- Base64-encoded strings that are suspiciously long (>40 chars)
Check:
.env files that are NOT gitignored, config.yaml, etc.).gitignore — verify it excludes .env, *.pem, *.keygit log --diff-filter=D -- "*.env" "*.key" "*.pem" (deleted but in history)ARG or ENV with secret valuesSearch for string concatenation or interpolation in database queries:
+ near SQL keywords (SELECT, INSERT, UPDATE, DELETE, WHERE)Search for:
system(), exec(), popen(), spawn(), os.system() with variable argumentsshell=True (Python), backtick execution (Ruby), child_process.exec (Node.js)eval(), Function(), exec() with user-derived dataSearch for:
innerHTML, outerHTML, document.write(), insertAdjacentHTML()dangerouslySetInnerHTML (React), v-html (Vue), [innerHTML] (Angular)| safe (Jinja2), <%== %> (ERB), {{{ }}} (Handlebars)Search for:
../ not being filtered in file path logicos.path.join() or path.join() with user-controlled segments without containment checkCheck:
Check:
Check:
Run the appropriate vulnerability scanner:
# Node.js
npm audit --json 2>/dev/null || true
# Python
pip audit 2>/dev/null || true
# Ruby
bundle audit check 2>/dev/null || true
# Go
govulncheck ./... 2>/dev/null || true
# Rust
cargo audit 2>/dev/null || true
Also check:
Check:
Check:
Structure your audit report as:
## Security Audit Report
### Summary
- **Risk Level:** Critical / High / Medium / Low
- **Tech Stack:** [detected languages, frameworks, databases]
- **Findings:** X critical, Y high, Z medium, W low
### Critical Findings
#### [CRIT-1] Finding title
- **Category:** Injection / Auth / Crypto / Config / etc.
- **Location:** file:line
- **Description:** What the vulnerability is
- **Impact:** What an attacker could do
- **Remediation:** How to fix it
- **Reference:** OWASP/CWE link if applicable
### High Findings
...
### Medium Findings
...
### Low Findings / Informational
...
### Positive Observations
- Things the project does well
Remove signs of AI-generated writing from text. Use when editing or reviewing text to make it sound more natural and human-written. Based on Wikipedia's comprehensive "Signs of AI writing" guide. Detects and fixes patterns including: inflated symbolism, promotional language, superficial -ing analyses, vague attributions, em dash overuse, rule of three, AI vocabulary words, negative parallelisms, and excessive conjunctive phrases.
Scaffolds REST API endpoints with route handler, validation, error handling, and tests. Use when asked to create a new API endpoint or route.
Reviews staged git changes and provides feedback on code quality, potential bugs, and security issues before committing. Use when asked to review changes or before creating a commit.
Generates production-ready React components with TypeScript, Tailwind CSS, proper accessibility, and test scaffolding. Use when asked to create a new React component.
Create, edit, improve, or audit AgentSkills. Use when creating a new skill from scratch or when asked to improve, review, audit, tidy up, or clean up an existing skill or SKILL.md file. Also use when editing or restructuring a skill directory (moving files to references/ or scripts/, removing stale content, validating against the AgentSkills spec). Triggers on phrases like "create a skill", "author a skill", "tidy up a skill", "improve this skill", "review the skill", "clean up the skill", "audit the skill".
Security-focused code review for staged changes or specified files. Checks for injection, auth flaws, crypto misuse, data exposure, and insecure patterns. Works with any language.