// Continuous security vulnerability scanning for OWASP Top 10, common vulnerabilities, and insecure patterns. Use when reviewing code, before deployments, or on file changes. Scans for SQL injection, XSS, secrets exposure, auth issues. Triggers on file changes, security mentions, deployment prep.
Automatic code quality and best practices analysis. Use proactively when files are modified, saved, or committed. Analyzes code style, patterns, potential bugs, and security basics. Triggers on file changes, git diff, code edits, quality mentions.
Generate conventional commit messages automatically. Use when user runs git commit, stages changes, or asks for commit message help. Analyzes git diff to create clear, descriptive conventional commit messages. Triggers on git commit, staged changes, commit message requests.
Automatically suggest tests for new functions and components. Use when new code is written, functions added, or user mentions testing. Creates test scaffolding with Jest, Vitest, Pytest patterns. Triggers on new functions, components, test requests, testing mentions.
Auto-generate API documentation from code and comments. Use when API endpoints change, or user mentions API docs. Creates OpenAPI/Swagger specs from code. Triggers on API file changes, documentation requests, endpoint additions.
Keep README files current with project changes. Use when project structure changes, features added, or setup instructions modified. Suggests README updates based on code changes. Triggers on significant project changes, new features, dependency changes.
Check dependencies for known vulnerabilities using npm audit, pip-audit, etc. Use when package.json or requirements.txt changes, or before deployments. Alerts on vulnerable dependencies. Triggers on dependency file changes, deployment prep, security mentions.
| name | security-auditor |
| description | Continuous security vulnerability scanning for OWASP Top 10, common vulnerabilities, and insecure patterns. Use when reviewing code, before deployments, or on file changes. Scans for SQL injection, XSS, secrets exposure, auth issues. Triggers on file changes, security mentions, deployment prep. |
| allowed-tools | Read, Grep, Bash |
Automatic security vulnerability detection.
1. SQL Injection
// CRITICAL: SQL injection
const query = `SELECT * FROM users WHERE id = ${userId}`;
// SECURE: Parameterized query
const query = 'SELECT * FROM users WHERE id = ?';
db.query(query, [userId]);
2. XSS (Cross-Site Scripting)
// CRITICAL: XSS vulnerability
element.innerHTML = userInput;
// SECURE: Use textContent or sanitize
element.textContent = userInput;
// or
element.innerHTML = DOMPurify.sanitize(userInput);
3. Authentication Issues
// CRITICAL: Weak JWT secret
const token = jwt.sign(payload, 'secret123');
// SECURE: Strong secret from environment
const token = jwt.sign(payload, process.env.JWT_SECRET);
4. Sensitive Data Exposure
# CRITICAL: Exposed password
password = "admin123"
# SECURE: Environment variable
password = os.getenv("DB_PASSWORD")
5. Broken Access Control
// CRITICAL: No authorization check
app.delete('/api/users/:id', (req, res) => {
User.delete(req.params.id);
});
// SECURE: Authorization check
app.delete('/api/users/:id', auth, checkOwnership, (req, res) => {
User.delete(req.params.id);
});
🚨 CRITICAL: [Vulnerability type]
📍 Location: file.js:42
🔧 Fix: [Specific remediation]
📖 Reference: [OWASP/CWE link]
// You write:
app.get('/users', (req, res) => {
const sql = `SELECT * FROM users WHERE name = '${req.query.name}'`;
db.query(sql, (err, results) => res.json(results));
});
// I alert:
🚨 CRITICAL: SQL injection vulnerability (line 2)
📍 File: routes/users.js, Line 2
🔧 Fix: Use parameterized queries
const sql = 'SELECT * FROM users WHERE name = ?';
db.query(sql, [req.query.name], ...);
📖 https://owasp.org/www-community/attacks/SQL_Injection
# You write:
def create_user(username, password):
user = User(username=username, password=password)
user.save()
# I alert:
🚨 CRITICAL: Storing plain text password (line 2)
📍 File: models.py, Line 2
🔧 Fix: Hash passwords before storing
from bcrypt import hashpw, gensalt
hashed = hashpw(password.encode(), gensalt())
user = User(username=username, password=hashed)
📖 Use bcrypt, scrypt, or argon2 for password hashing
// You write:
const stripe = require('stripe')('sk_live_abc123...');
// I alert:
🚨 CRITICAL: Hardcoded API key detected (line 1)
📍 File: payment.js, Line 1
🔧 Fix: Use environment variables
const stripe = require('stripe')(process.env.STRIPE_SECRET_KEY);
📖 Never commit API keys to version control
I can run security audits on dependencies:
# Node.js
npm audit
# Python
pip-audit
# Results flagged with severity
Me (Skill): Quick vulnerability pattern detection @code-reviewer (Sub-Agent): Deep security audit with threat modeling
Works without sandboxing: ✅ Yes Works with sandboxing: ✅ Yes
Optional: For dependency scanning
{
"network": {
"allowedDomains": [
"registry.npmjs.org",
"pypi.org",
"api.github.com"
]
}
}
security-auditor: Checks code patterns
secret-scanner: Checks for exposed secrets
Together: Comprehensive security coverage
/review --scope staged --checks security
# Workflow:
# 1. My automatic security findings
# 2. @code-reviewer sub-agent deep audit
# 3. Comprehensive security report
Add company-specific security patterns:
cp -r ~/.claude/skills/security/security-auditor \
~/.claude/skills/security/company-security-auditor
# Edit SKILL.md to add:
# - Internal API patterns
# - Company security policies
# - Custom vulnerability checks