security-audit

📁 elliottrjacobs/bench-skills 📅 1 day ago
Total installs: 0
Weekly installs: 1
Install command:
npx skills add https://github.com/elliottrjacobs/bench-skills --skill security-audit

Agent install distribution

mcpjam 1
claude-code 1
junie 1
windsurf 1
zencoder 1
crush 1

Skill documentation

/security-audit — Deep Security Audit

Thorough security audit using 3-4 parallel agents, each focused on a specific security domain. More comprehensive than the security reviewer in /engineer-review — use this for pre-launch audits or when security is the primary concern.

When to Use

  • Pre-launch security review
  • User says “security audit”, “check for vulnerabilities”
  • After significant auth/data changes
  • Periodic codebase security check

Process

Step 1: Scope the Audit

Determine what to audit:

  • If $ARGUMENTS specifies files or features: scope to those
  • If no arguments: audit the entire codebase

Read package.json, config files, and directory structure to understand the tech stack. This determines which agents to launch and what they focus on.

Step 2: Detect Tech Stack

Check for:

  • next.config.* → server actions, middleware, API routes, CSRF
  • app.json or expo in package.json → deep linking, secure storage, certificate pinning
  • supabase/ directory → RLS, auth config, storage policies (suggest /security-supabase for deep Supabase audit)
  • tsconfig.json → type safety as security boundary
  • .env* files → environment variable handling
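
The marker checks above, written as a pure function over a repository file listing. This is an added example, not code from the skill or its repository; `detectStack`, `RULES`, the ignore list and the return shape are assumptions. It matches markers by basename so monorepo packages are detected, and skips vendored directories so a `tsconfig.json` inside `node_modules` does not count.

```javascript
// Added example: Step 2 marker checks as a pure function over a file listing.
// detectStack, RULES and the returned shape are assumptions, not the skill's code.
const RULES = [
  { stack: "next", file: /^next\.config\.[^/]+$/,
    focus: ["server actions", "middleware", "API routes", "CSRF"] },
  { stack: "expo", file: /^app\.json$/, dep: "expo",
    focus: ["deep linking", "secure storage", "certificate pinning"] },
  { stack: "supabase", dir: "supabase",
    focus: ["RLS", "auth config", "storage policies"] },
  { stack: "typescript", file: /^tsconfig\.json$/,
    focus: ["type safety as security boundary"] },
  { stack: "env", file: /^\.env.*$/,
    focus: ["environment variable handling"] },
];

// Vendored and build output would produce false positives (assumed ignore list).
const IGNORED = new Set(["node_modules", ".git", "dist", ".next"]);

function detectStack(paths, pkg = {}) {
  const deps = { ...pkg.dependencies, ...pkg.devDependencies };
  const kept = paths
    .map((p) => p.split("/"))
    .filter((parts) => !parts.some((seg) => IGNORED.has(seg)));
  const hits = RULES.filter((rule) =>
    (rule.dep && rule.dep in deps) ||
    kept.some((parts) => {
      const base = parts[parts.length - 1];
      // Match by basename so markers inside monorepo packages still count.
      if (rule.file && rule.file.test(base)) return true;
      return Boolean(rule.dir) && parts.slice(0, -1).includes(rule.dir);
    })
  );
  return {
    stacks: hits.map((r) => r.stack),
    focus: [...new Set(hits.flatMap((r) => r.focus))],
  };
}

// Constructed sample listing (not from a real repository).
const samplePaths = [
  "package.json",
  "apps/web/next.config.mjs",
  "apps/web/.env.local",
  "supabase/migrations/0001_init.sql",
  "node_modules/some-lib/tsconfig.json",
];
const samplePkg = { dependencies: { next: "14.0.0" }, devDependencies: {} };
console.log(detectStack(samplePaths, samplePkg));
```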

Step 3: Launch Parallel Security Agents

Spawn ALL agents IN PARALLEL using the Task tool. Send all Task calls in a single message.

Agent 1: Auth & Access Control

prompt: Perform a security audit focused on authentication and authorization.
  Examine: authentication flows, session management, token handling, password
  policies, OAuth configuration, middleware/route guards, privilege escalation
  paths, RBAC/permission checks, protected route coverage.
  For each finding: file, line, severity (P1-P4), vulnerability description,
  remediation steps.

Agent 2: Input Validation & Injection

prompt: Perform a security audit focused on injection vulnerabilities.
  Examine: SQL injection (especially raw queries), XSS (user content rendering,
  dangerouslySetInnerHTML), command injection, path traversal, SSRF, template
  injection, header injection, open redirects.
  Check all system boundaries: API routes, server actions, form handlers, URL
  parameters, file uploads.
  For each finding: file, line, severity (P1-P4), vulnerability description,
  proof of concept, remediation steps.

Agent 3: Data Protection & Secrets

prompt: Perform a security audit focused on data handling and secrets.
  Examine: hardcoded secrets/API keys, exposed environment variables,
  sensitive data in logs, PII exposure in API responses, insecure data storage,
  missing encryption, overly permissive CORS, data leak through error messages,
  client-side exposure of server-only data.
  Check: .env files, git history for leaked secrets, client bundles for
  server-only values, API response payloads for over-fetching.
  For each finding: file, line, severity (P1-P4), vulnerability description,
  remediation steps.

Agent 4: Infrastructure & Configuration (conditional)

Launch this agent if the project has API routes, middleware, or deployment configuration:

prompt: Perform a security audit focused on infrastructure and configuration.
  Examine: CORS configuration, CSP headers, API rate limiting, dependency
  vulnerabilities (check package.json for known vulnerable packages),
  security headers (X-Frame-Options, HSTS, etc.), file upload size limits,
  error handling that leaks stack traces.
  For each finding: file, line, severity (P1-P4), vulnerability description,
  remediation steps.

Step 4: Synthesize Security Report

Collect all agent findings and produce a prioritized report:

## Security Audit Report

**Scope:** [what was audited]
**Tech Stack:** [detected frameworks]
**Date:** [current date]

### Executive Summary
[1-2 sentence overall assessment]

### P1 — Critical (fix immediately)
| # | Category | File | Line | Vulnerability | Remediation |
|---|----------|------|------|---------------|-------------|

### P2 — Important (fix before merge/launch)
| # | Category | File | Line | Vulnerability | Remediation |
|---|----------|------|------|---------------|-------------|

### P3 — Moderate (fix soon)
| # | Category | File | Line | Vulnerability | Remediation |
|---|----------|------|------|---------------|-------------|

### P4 — Low (consider fixing)
| # | Category | File | Line | Vulnerability | Remediation |
|---|----------|------|------|---------------|-------------|

### Positive Security Patterns
[Good security practices found in the codebase]

### Recommendations
[General security improvements not tied to specific findings]

### Auditors Run
[List which agents were launched]

Deduplicate findings across agents. Escalate any finding involving user data or authentication to at minimum P2.
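
One way to apply the deduplication and escalation rules before filling in the report tables. This is an added example, not the skill's own code; the finding schema (`kind`, `tags`, `agent`, numeric `severity`) is an assumption, since the skill does not define one. Escalation runs after merging so that an auth or user-data tag from any agent raises the merged finding to at least P2.

```javascript
// Added example: Step 4 merge rules. The finding fields (kind, tags, agent) are
// an assumed schema; the skill itself does not define one.
const SENSITIVE = new Set(["auth", "user-data"]);

function synthesize(findings) {
  const merged = new Map();
  for (const f of findings) {
    // Same file, line and issue kind from two agents is one finding.
    const key = `${f.file}:${f.line}:${f.kind}`;
    const prev = merged.get(key);
    if (!prev) {
      merged.set(key, { ...f, tags: [...f.tags], agents: [f.agent] });
      continue;
    }
    prev.severity = Math.min(prev.severity, f.severity); // 1 = P1 = most severe
    prev.tags = [...new Set([...prev.tags, ...f.tags])];
    if (!prev.agents.includes(f.agent)) prev.agents.push(f.agent);
  }
  const report = { P1: [], P2: [], P3: [], P4: [] };
  for (const f of merged.values()) {
    // Escalate after merging, so a tag supplied by any agent triggers the floor.
    if (f.tags.some((t) => SENSITIVE.has(t))) f.severity = Math.min(f.severity, 2);
    report[`P${f.severity}`].push(f);
  }
  for (const rows of Object.values(report)) {
    rows.sort((a, b) => a.file.localeCompare(b.file) || a.line - b.line);
  }
  return report;
}

// Constructed findings (file names and issues are illustrative only).
const sampleFindings = [
  { agent: "auth", file: "app/api/users/route.ts", line: 12, kind: "missing-authz",
    severity: 3, tags: ["auth"] },
  { agent: "data", file: "app/api/users/route.ts", line: 12, kind: "missing-authz",
    severity: 4, tags: ["user-data"] },
  { agent: "infra", file: "next.config.js", line: 5, kind: "missing-csp",
    severity: 3, tags: [] },
  { agent: "injection", file: "lib/db.ts", line: 40, kind: "raw-sql",
    severity: 1, tags: ["user-data"] },
];
const sampleReport = synthesize(sampleFindings);
console.log(Object.fromEntries(
  Object.entries(sampleReport).map(([p, rows]) => [p, rows.length])));
```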

Output

Security report presented inline. Save to docs/audits/ if requested.

Next Steps

  • P1 findings? Fix immediately
  • Supabase project? Run /security-supabase for deep Supabase audit
  • Want to track fixes? Create a plan with /engineer-plan
  • Fixed issues? Re-run /security-audit to verify