Skip to content
/security-auditStable

Scans code for OWASP Top 10 vulnerabilities, hardcoded secrets, insecure dependencies, and auth bypass risks.

SecurityQualityΒ· 3 min read

Quick import: Download the .md file and save it to .claude/commands/ (Claude Code), .cursorrules (Cursor), or paste as a system prompt in ChatGPT, Gemini, or any LLM API.

#What it does

The /security-audit skill performs a thorough security review of your codebase, checking for the OWASP Top 10 vulnerabilities, hardcoded secrets, insecure dependency patterns, authentication bypasses, and data exposure risks. It scans source code, configuration files, environment handling, and API endpoints to produce an actionable security report with severity ratings.

#How to use

bash
/security-audit
bash
/security-audit src/api/
bash
/security-audit --focus auth

#What it checks

#Injection (OWASP A03)

  • SQL queries built with string concatenation instead of parameterized statements
  • Command injection through unsanitized exec() or spawn() calls
  • Template injection in server-rendered HTML
  • NoSQL injection in MongoDB queries using $where or unvalidated operators

#Authentication & Authorization (OWASP A01, A07)

  • Endpoints missing authentication middleware
  • Broken access control (users accessing other users' resources)
  • Weak password policies, missing rate limiting on login
  • JWT secrets hardcoded or using weak algorithms (HS256 with short keys)

#Sensitive Data Exposure (OWASP A02)

  • Hardcoded API keys, tokens, passwords, and connection strings
  • Secrets logged to console or included in error responses
  • Missing HTTPS enforcement, insecure cookie flags
  • Sensitive fields returned in API responses (password hashes, internal IDs)

#Configuration & Dependencies (OWASP A05, A06)

  • Debug mode enabled in production configuration
  • Overly permissive CORS policies (Access-Control-Allow-Origin: *)
  • Dependencies with known CVEs (cross-references npm audit / pip audit)
  • Missing security headers (CSP, HSTS, X-Frame-Options)

#Example

bash
> /security-audit src/api/
 
## Security Audit: 5 findings
 
### [CRITICAL] SQL Injection β€” src/api/users.ts:42
Query built with template literal: `SELECT * FROM users WHERE id = '${userId}'`
Fix: Use parameterized query: db.query('SELECT * FROM users WHERE id = $1', [userId])
 
### [CRITICAL] Hardcoded Secret β€” src/api/auth.ts:8
JWT_SECRET = "super-secret-key-123" is hardcoded in source.
Fix: Move to environment variable: process.env.JWT_SECRET
 
### [HIGH] Missing Auth Check β€” src/api/admin/reports.ts:15
GET /api/admin/reports has no authentication middleware.
Fix: Add requireAuth("admin") middleware to the route.
 
### [MEDIUM] Overly Permissive CORS β€” src/middleware/cors.ts:3
origin: "*" allows any domain to make authenticated requests.
Fix: Restrict to known origins: ["https://app.example.com"]
 
### [LOW] Missing Rate Limiting β€” src/api/auth.ts:25
POST /api/login has no rate limiting. Vulnerable to brute force.
Fix: Add rate limiter: max 5 attempts per IP per 15 minutes.

#Severity levels

  • CRITICAL -- Exploitable vulnerability, fix immediately before shipping
  • HIGH -- Serious risk, fix before next deploy
  • MEDIUM -- Defense-in-depth issue, schedule fix this sprint
  • LOW -- Best practice recommendation, add to backlog
Orel OhayonΒ·
View all skills