How do I install security-auditor?

Run `npx skills add https://github.com/charon-fan/agent-playbook --skill security-auditor` in your terminal. You need to have run `npx skills init` once in your project first.

Which agent frameworks does security-auditor support?

security-auditor works with any agent framework supported by the Skills registry, including Claude Code, Cursor, GitHub Copilot, Cline, Codex, and Gemini CLI.

Is security-auditor free to use?

Yes. security-auditor is free to install and use. It is available from the open explainx.ai skill registry published by charon-fan.

Where can I read ratings and reviews for security-auditor?

Community ratings and review text appear on this explainx.ai skill page below the description. Reviews use a 1–5 scale and may include short written feedback from signed-in members.

Productivity

security-auditor▌

charon-fan/agent-playbook · updated Apr 8, 2026

$npx skills add https://github.com/charon-fan/agent-playbook --skill security-auditor

0 commentsdiscussion

summary

Expert in identifying security vulnerabilities following OWASP Top 10 and security best practices.

skill.md

Security Auditor

Expert in identifying security vulnerabilities following OWASP Top 10 and security best practices.

When This Skill Activates

Activates when you:

Request a security audit
Mention "security" or "vulnerability"
Need security review
Ask about OWASP

OWASP Top 10 Coverage

A01: Broken Access Control

Checks:

# Check for missing auth on protected routes
grep -r "@RequireAuth\|@Protected" src/

# Check for IDOR vulnerabilities
grep -r "req.params.id\|req.query.id" src/

# Check for role-based access
grep -r "if.*role.*===" src/

Common Issues:

Missing authentication on sensitive endpoints
IDOR: Users can access other users' data
Missing authorization checks
API keys in URL

A02: Cryptographic Failures

Checks:

# Check for hardcoded secrets
grep -ri "password.*=.*['\"]" src/
grep -ri "api_key.*=.*['\"]" src/
grep -ri "secret.*=.*['\"]" src/

# Check for weak hashing
grep -r "md5\|sha1" src/

# Check for http URLs
grep -r "http:\/\/" src/

Common Issues:

Hardcoded credentials
Weak hashing algorithms (MD5, SHA1)
Unencrypted sensitive data
HTTP instead of HTTPS

A03: Injection

Checks:

# SQL injection patterns
grep -r "\".*SELECT.*+.*\"" src/
grep -r "\".*UPDATE.*SET.*+.*\"" src/

# Command injection
grep -r "exec(\|system(\|spawn(" src/
grep -r "child_process.exec" src/

# Template injection
grep -r "render.*req\." src/

Common Issues:

SQL injection
NoSQL injection
Command injection
XSS (Cross-Site Scripting)
Template injection

A04: Insecure Design

Checks:

# Check for rate limiting
grep -r "rateLimit\|rate-limit\|throttle" src/

# Check for 2FA
grep -r "twoFactor\|2fa\|mfa" src/

# Check for session timeout
grep -r "maxAge\|expires\|timeout" src/

Common Issues:

No rate limiting on auth endpoints
Missing 2FA for sensitive operations
Session timeout too long
No account lockout after failed attempts

A05: Security Misconfiguration

Checks:

# Check for debug mode
grep -r "DEBUG.*=.*True\|debug.*=.*true" src/

# Check for CORS configuration
grep -r "origin.*\*" src/

# Check for error messages
grep -r "console\.log.*error\|console\.error" src/

Common Issues:

Debug mode enabled in production
Overly permissive CORS
Verbose error messages
Default credentials not changed

A06: Vulnerable Components

Checks:

# Check package files
cat package.json | grep -E "\"dependencies\"|\"devDependencies\""
cat requirements.txt
cat go.mod

# Run vulnerability scanner
npm audit
pip-audit

Common Issues:

Outdated dependencies
Known vulnerabilities in dependencies
Unused dependencies
Unmaintained packages

A07: Authentication Failures

Checks:

# Check password hashing
grep -r "bcrypt\|argon2\|scrypt" src/

# Check password requirements
grep -r "password.*length\|password.*complex" src/

# Check for password in URL
grep -r "password.*req\." src/

Common Issues:

Weak password hashing
No password complexity requirements
Password in URL
Session fixation

A08: Software/Data Integrity

Checks:

# Check for subresource integrity
grep -r "integrity\|crossorigin" src/

# Check for signature verification
grep -r "verify.*signature\|validate.*token" src/

Common Issues:

No integrity checks
Unsigned updates
Unverified dependencies

A09: Logging Failures

Checks:

# Check for sensitive data in logs
grep -r "log.*password\|log.*token\|log.*secret" src/

# Check for audit trail
grep -r "audit\|activity.*log" src/

Common Issues:

Sensitive data in logs
No audit trail for critical operations
Logs not protected
No log tampering detection

A10: SSRF (Server-Side Request Forgery)

Checks:

# Check for arbitrary URL fetching
grep -r "fetch(\|axios(\|request(\|http\\.get" src/

# Check for webhook URLs
grep -r "webhook.*url\|callback.*url" src/

Common Issues:

No URL validation
Fetching user-supplied URLs
No allowlist for external calls

Security Audit Checklist

Code Review

Configuration

Dependencies

No known vulnerabilities
Dependencies up to date
Unused dependencies removed

Scripts

Run security audit:

python scripts/security_audit.py

Check for secrets:

python scripts/find_secrets.py

References

references/owasp.md - OWASP Top 10 details
references/checklist.md - Security audit checklist
references/remediation.md - Vulnerability remediation guide

Discussion

Product Hunt–style comments (not star reviews)

No comments yet — start the thread.

general reviews

Ratings

4.5★★★★★75 reviews

★★★★★Chaitanya Patil· Dec 28, 2024
We added security-auditor from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
★★★★★Chen Jain· Dec 16, 2024
Solid pick for teams standardizing on skills: security-auditor is focused, and the summary matches what you get after install.
★★★★★Isabella Iyer· Dec 16, 2024
security-auditor reduced setup friction for our internal harness; good balance of opinion and flexibility.
★★★★★Isabella Liu· Dec 12, 2024
Registry listing for security-auditor matched our evaluation — installs cleanly and behaves as described in the markdown.
★★★★★Arya Ghosh· Dec 12, 2024
security-auditor has been reliable in day-to-day use. Documentation quality is above average for community skills.
★★★★★Piyush G· Nov 19, 2024
Useful defaults in security-auditor — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.
★★★★★Daniel Flores· Nov 7, 2024
security-auditor has been reliable in day-to-day use. Documentation quality is above average for community skills.
★★★★★Isabella Li· Nov 7, 2024
Registry listing for security-auditor matched our evaluation — installs cleanly and behaves as described in the markdown.
★★★★★Isabella Malhotra· Nov 3, 2024
security-auditor reduced setup friction for our internal harness; good balance of opinion and flexibility.
★★★★★Amelia Ndlovu· Nov 3, 2024
Solid pick for teams standardizing on skills: security-auditor is focused, and the summary matches what you get after install.

showing 1-10 of 75

1 / 8