一键导入
security-audit
Run a comprehensive security audit — OWASP Top 10, secrets detection, dependency vulnerabilities, injection vectors, auth checks
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
菜单
Run a comprehensive security audit — OWASP Top 10, secrets detection, dependency vulnerabilities, injection vectors, auth checks
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
基于 SOC 职业分类
Thin slash-command wrapper around the i18n-nfc-auditor agent — audits Korean/CJK string handling for NFC/NFD Unicode normalization mismatches across filenames, URLs, attachments, and DB paths. Use when "한글 파일 깨짐", "Supabase 첨부 안 됨", "한글 파일명 문제", or after Supabase/Vercel deploy.
Thin slash-command wrapper around the migration-reviewer agent — audits SQL/Prisma/Supabase/sqlx/Drizzle migration files for data loss, lock contention, missing indexes, and rollback safety. Use before db push, before Supabase deploy, or "마이그레이션 리뷰", "DB 스키마 검토".
Audit and curate the per-project memory system at ~/.claude/projects/<encoded-cwd>/memory/ — finds duplicates, stale entries, missing-pointer files, oversized MEMORY.md, and entries that violate the user/feedback/project/reference taxonomy. Use when memory feels noisy, before /clear of a long-running project, or when memories stop influencing behavior.
Traces all references to a feature flag/gate across the codebase and produces a removal PR draft. Use when ramping up a flag, removing a kill switch, or "feature flag 정리", "플래그 제거", "킬스위치 제거". Auto-detects flag system (GrowthBook, LaunchDarkly, env vars, custom dictionary). Read-only — produces a draft markdown file, never runs gh pr create.
Performance triage entry point — bundle analysis, build profiling, Lighthouse CI, Next.js Cache Components inspection. Use when asked "why is X slow", "perf 분석", "번들 사이즈 확인", "Lighthouse 점수", "빌드 시간 측정". Delegates deep root-cause analysis to perf-researcher agent.
Scaffolds a Claude Code plugin with .claude-plugin/marketplace.json + plugin.json + a starter skill/agent/hook + GitHub Actions validator — codifies the vibesubin maintenance pattern. Use when creating a new plugin, publishing to a marketplace, or "플러그인 만들어줘", "claude code plugin scaffold", "마켓플레이스 플러그인".
| name | security-audit |
| description | Run a comprehensive security audit — OWASP Top 10, secrets detection, dependency vulnerabilities, injection vectors, auth checks |
| author | subinium |
| user-invocable | true |
| disable-model-invocation | true |
Run a security audit on the current codebase or changes.
/security-audit # Quick mode (default): <60 seconds, changed files only
/security-audit --full # Full mode: 5-10 minutes, entire codebase
git diff)--full)git diff --staged (or git diff, or git diff HEAD~1) to scopequick-scan.sh on changed files.env files in .gitignoregit log -p --all -S 'password\|secret\|api_key\|private_key'grep -rn 'AKIA\|sk-\|ghp_' . for common key patternsdangerouslySetInnerHTML auditedexec(), eval(), child_process.exec() with user input../ in file paths from user input, use path.resolve() + validation* in production)Secure, HttpOnly, SameSitenpm audit / pip audit / cargo auditpackage-lock.json, poetry.lock)Run the bundled automated scanner for common vulnerabilities:
bash ~/.claude/skills/security-audit/scripts/quick-scan.sh .
This checks: hardcoded secrets (AWS, OpenAI, GitHub, Slack patterns), dangerous functions (eval, exec, innerHTML), .env in git, and dependency audit.
# JavaScript/TypeScript
npm audit --production
npx eslint --no-eslintrc -c '{"rules":{"no-eval":"error","no-implied-eval":"error"}}' .
# Python
pip audit
ruff check --select S . # security rules
# Git history
git log --all --oneline -S 'password' --diff-filter=A
git log --all --oneline -S 'secret' --diff-filter=A
# Common patterns
grep -rn 'eval(' --include='*.ts' --include='*.tsx' --include='*.js' .
grep -rn 'dangerouslySetInnerHTML' --include='*.tsx' --include='*.jsx' .
grep -rn 'innerHTML' --include='*.ts' --include='*.js' .