Confirm successful installation by checking the skill directory location:
.cursor/skills/security-auditor
Restart Cursor to activate security-auditor. Access via /security-auditor in your agent's command palette.
β
Security Notice
We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.
Skills execute code in your environment. Always review source, verify the publisher, and test in isolation before production.
// CRITICAL: SQL injectionconst query =`SELECT * FROM users WHERE id = ${userId}`;// SECURE: Parameterized queryconst query ='SELECT * FROM users WHERE id = ?';db.query(query,[userId]);
2. XSS (Cross-Site Scripting)
// CRITICAL: XSS vulnerabilityelement.innerHTML= userInput;// SECURE: Use textContent or sanitizeelement.textContent= userInput;// orelement.innerHTML=DOMPurify.sanitize(userInput);
π¨ CRITICAL: Must fix immediately (exploitable vulnerabilities)
β οΈ HIGH: Should fix soon (security weaknesses)
π MEDIUM: Consider fixing (potential issues)
π‘ LOW: Best practice improvements
Real-World Examples
SQL Injection Detection
// You write:app.get('/users',(req, res)=>{const sql =`SELECT * FROM users WHERE name = '${req.query.name}'`; db.query(sql,(err, results)=> res.json(results));});// I alert:π¨ CRITICAL:SQL injection vulnerability(line 2)π File: routes/users.js,Line2π§ Fix:Use parameterized queries
const sql ='SELECT * FROM users WHERE name = ?'; db.query(sql,[req.query.name],...);π https://owasp.org/www-community/attacks/SQL_Injection
Password Storage
# You write:defcreate_user(username, password): user = User(username=username, password=password) user.save()# I alert:π¨ CRITICAL: Storing plain text password (line 2)π File: models.py, Line 2π§ Fix: Hash passwords before storing
from bcrypt import hashpw, gensalt
hashed = hashpw(password.encode(), gensalt()) user = User(username=username, password=hashed)π Use bcrypt, scrypt,or argon2 for password hashing
API Key Exposure
// You write:const stripe =require('stripe')('sk_live_abc123...');// I alert:π¨ CRITICAL:HardcodedAPI key detected(line 1)π File: payment.js,Line1π§ Fix:Use environment variables
const stripe =require('stripe')(process.env.STRIPE_SECRET_KEY);π Never commit API keys to version control
Dependency Scanning
I can run security audits on dependencies:
# Node.jsnpm audit
# Pythonpip-audit
# Results flagged with severity
Relationship with @code-reviewer Sub-Agent
Me (Skill): Quick vulnerability pattern detection
@code-reviewer (Sub-Agent): Deep security audit with threat modeling
Workflow
I detect vulnerability pattern
I flag: "π¨ SQL injection detected"
You want full analysis β Invoke @code-reviewer sub-agent
Sub-agent provides comprehensive security audit
Common Vulnerability Patterns
Authentication
Weak password policies
Missing MFA
Session fixation
Insecure password storage
Authorization
Missing access control
Privilege escalation
IDOR (Insecure Direct Object Reference)
Data Protection
Unencrypted sensitive data
Weak encryption algorithms
Missing HTTPS
Insecure cookies
Input Validation
SQL injection
Command injection
XSS
Path traversal
Sandboxing Compatibility
Works without sandboxing: β Yes
Works with sandboxing: β Yes
