How do I install security-auditor?

Run `npx skills add https://github.com/charon-fan/agent-playbook --skill security-auditor` in your terminal. You need to have run `npx skills init` once in your project first.

Which agent frameworks does security-auditor support?

security-auditor works with any agent framework supported by the Skills registry, including Claude Code, Cursor, GitHub Copilot, Cline, Codex, and Gemini CLI.

Is security-auditor free to use?

Yes. security-auditor is free to install and use. It is available from the open Skills registry published by charon-fan.

Productivity

security-auditor▌

Name: security-auditor
Availability: InStock
Author: charon-fan

charon-fan/agent-playbook · updated Apr 8, 2026

$npx skills add https://github.com/charon-fan/agent-playbook --skill security-auditor

summary

Expert in identifying security vulnerabilities following OWASP Top 10 and security best practices.

skill.md

Security Auditor

Expert in identifying security vulnerabilities following OWASP Top 10 and security best practices.

When This Skill Activates

Activates when you:

Request a security audit
Mention "security" or "vulnerability"
Need security review
Ask about OWASP

OWASP Top 10 Coverage

A01: Broken Access Control

Checks:

# Check for missing auth on protected routes
grep -r "@RequireAuth\|@Protected" src/

# Check for IDOR vulnerabilities
grep -r "req.params.id\|req.query.id" src/

# Check for role-based access
grep -r "if.*role.*===" src/

Common Issues:

Missing authentication on sensitive endpoints
IDOR: Users can access other users' data
Missing authorization checks
API keys in URL

A02: Cryptographic Failures

Checks:

# Check for hardcoded secrets
grep -ri "password.*=.*['\"]" src/
grep -ri "api_key.*=.*['\"]" src/
grep -ri "secret.*=.*['\"]" src/

# Check for weak hashing
grep -r "md5\|sha1" src/

# Check for http URLs
grep -r "http:\/\/" src/

Common Issues:

Hardcoded credentials
Weak hashing algorithms (MD5, SHA1)
Unencrypted sensitive data
HTTP instead of HTTPS

A03: Injection

Checks:

# SQL injection patterns
grep -r "\".*SELECT.*+.*\"" src/
grep -r "\".*UPDATE.*SET.*+.*\"" src/

# Command injection
grep -r "exec(\|system(\|spawn(" src/
grep -r "child_process.exec" src/

# Template injection
grep -r "render.*req\." src/

Common Issues:

SQL injection
NoSQL injection
Command injection
XSS (Cross-Site Scripting)
Template injection

A04: Insecure Design

Checks:

# Check for rate limiting
grep -r "rateLimit\|rate-limit\|throttle" src/

# Check for 2FA
grep -r "twoFactor\|2fa\|mfa" src/

# Check for session timeout
grep -r "maxAge\|expires\|timeout" src/

Common Issues:

No rate limiting on auth endpoints
Missing 2FA for sensitive operations
Session timeout too long
No account lockout after failed attempts

A05: Security Misconfiguration

Checks:

# Check for debug mode
grep -r "DEBUG.*=.*True\|debug.*=.*true" src/

# Check for CORS configuration
grep -r "origin.*\*" src/

# Check for error messages
grep -r "console\.log.*error\|console\.error" src/

Common Issues:

Debug mode enabled in production
Overly permissive CORS
Verbose error messages
Default credentials not changed

A06: Vulnerable Components

Checks:

# Check package files
cat package.json | grep -E "\"dependencies\"|\"devDependencies\""
cat requirements.txt
cat go.mod

# Run vulnerability scanner
npm audit
pip-audit

Common Issues:

Outdated dependencies
Known vulnerabilities in dependencies
Unused dependencies
Unmaintained packages

A07: Authentication Failures

Checks:

# Check password hashing
grep -r "bcrypt\|argon2\|scrypt" src/

# Check password requirements
grep -r "password.*length\|password.*complex" src/

# Check for password in URL
grep -r "password.*req\." src/

Common Issues:

Weak password hashing
No password complexity requirements
Password in URL
Session fixation

A08: Software/Data Integrity

Checks:

# Check for subresource integrity
grep -r "integrity\|crossorigin" src/

# Check for signature verification
grep -r "verify.*signature\|validate.*token" src/

Common Issues:

No integrity checks
Unsigned updates
Unverified dependencies

A09: Logging Failures

Checks:

# Check for sensitive data in logs
grep -r "log.*password\|log.*token\|log.*secret" src/

# Check for audit trail
grep -r "audit\|activity.*log" src/

Common Issues:

Sensitive data in logs
No audit trail for critical operations
Logs not protected
No log tampering detection

A10: SSRF (Server-Side Request Forgery)

Checks:

# Check for arbitrary URL fetching
grep -r "fetch(\|axios(\|request(\|http\\.get" src/

# Check for webhook URLs
grep -r "webhook.*url\|callback.*url" src/

Common Issues:

No URL validation
Fetching user-supplied URLs
No allowlist for external calls

Security Audit Checklist

Code Review

Configuration

Dependencies

No known vulnerabilities
Dependencies up to date
Unused dependencies removed

Scripts

Run security audit:

python scripts/security_audit.py

Check for secrets:

python scripts/find_secrets.py

References

references/owasp.md - OWASP Top 10 details
references/checklist.md - Security audit checklist
references/remediation.md - Vulnerability remediation guide