eng-security-audit
Installation
SKILL.md
Security Audit Skill
Core Principle
Never trust anything from outside your control. Every external input is a potential attack vector.
Phase 1: Threat Surface Mapping
Before auditing, identify what you're protecting and where attacks can come from.
Questions to Answer
- What sensitive data does this app handle? (PII, payments, auth tokens, health data)
- What are all the entry points? (APIs, forms, file uploads, webhooks, URL params)
- What external services does it connect to? (databases, third-party APIs, cloud services)
- Who are the user types and what should each access?
- What's the deployment environment? (cloud provider, containers, serverless)