一键导入
do-security-audit
Run a security audit on one or more projects using parallel agents.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
菜单
Run a security audit on one or more projects using parallel agents.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
基于 SOC 职业分类
Capture session learnings and save to skills, guidelines, or reference docs under ~/.claude/.
Orchestrate parallel claude -p sessions — bootstrap, launch, monitor, and converge. Works with any skill that produces manifest.json, item directories, and a runner script.
Create a request (pull request or merge request) or update an existing one following project conventions.
Resolve merge or rebase conflicts between branches.
Assess open PRs with unaddressed review comments and generate a parallel addressing script — produces manifest.json and let-it-rip.sh for address-request-comments execution.
Assess open work items and generate a parallel execution script — produces manifest.json and let-it-rip.sh for implement/clarify execution.
| name | do-security-audit |
| description | Run a security audit on one or more projects using parallel agents. |
| disable-model-invocation | true |
| allowed-tools | ["Read","Glob","Grep","Task","WebFetch"] |
Run a structured security audit on one or more projects. Uses parallel agents to check a standard security checklist, flags dead security code, and assesses the deployment risk profile.
~/.claude/skill-references/subagent-patterns.md — Universal patterns for launching and orchestrating subagents/do-security-audit - Audit the current project/do-security-audit <path> - Audit a specific project/do-security-audit <path1> <path2> - Compare two projects side-by-sideSingle project (default): Use the current working directory or provided path.
Multiple projects: Parse space-separated paths. Enable comparison mode.
Launch parallel Explore subagents — one per project — with this checklist:
WebFetch to check CVE databases or advisory pages when specific versions are identifiedEach agent should report findings per checklist item with severity (Critical / High / Medium / Low / Info).
Flag code that exists but is never called. An implemented-but-unwired rate limiter is worse than no rate limiter — it creates false confidence.
Look for:
Evaluate the deployment context to calibrate severity:
Security choices acceptable in one context (e.g., plaintext tokens in dev) become critical in another (e.g., production with real user data).
When auditing multiple projects, compare findings side-by-side:
Present findings in a structured report:
## Security Audit: <project name(s)>
### Summary
- Critical: N | High: N | Medium: N | Low: N
### Findings
#### [Critical] <title>
- **Location**: <file:line>
- **Description**: ...
- **Recommendation**: ...
...
### Dead Security Code
- <file:line> — <description>
### Risk Profile
- Deployment context: ...
- Sensitive data: ...
- Calibration notes: ...