Audit Security
Audit trust boundaries before changing behavior. Find where untrusted input, privilege, secrets, or sensitive data are handled unsafely, then apply the smallest safe fix.
Follow this workflow
- Map the trust boundaries and privileged operations in scope.
- Trace attacker-controlled input from entrypoint to sink.
- Classify each risky path as access control, validation, injection, data exposure, secret handling, file or process safety, network trust, tenant isolation, or insecure default.
- Flag vulnerabilities, exploit paths, and weak assumptions that could become vulnerabilities.
- Prioritize findings as P1 through P4.
- Auto-fix only local, low-risk issues. Leave broader security changes as findings with a concrete fix plan.
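As an added example (not part of the skill itself), the trace, classify and prioritize steps above as a minimal flow-insensitive taint pass over Python source. The source and sink names, the category-to-priority mapping, and the sample function are assumptions constructed for this demo:

```python
import ast

# Added demo of "trace attacker-controlled input from entrypoint to sink", then
# classify and prioritize. Source/sink names below are assumptions for the demo.
SOURCES = {"input", "request.args.get", "request.form.get"}
SINKS = {  # sink -> (category from the audit taxonomy, priority)
    "os.system": ("injection", "P1"),
    "subprocess.run": ("injection", "P1"),  # flagged only with shell=True
    "open": ("file or process safety", "P2"),
}
def dotted(node):  # 'a.b.c' for a Name/Attribute chain, else None
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute) and (base := dotted(node.value)):
        return f"{base}.{node.attr}"
    return None

def is_tainted(expr, tainted):  # mentions a tainted name or calls a source
    return any((isinstance(n, ast.Name) and n.id in tainted)
               or (isinstance(n, ast.Call) and dotted(n.func) in SOURCES)
               for n in ast.walk(expr))

class TaintAuditor(ast.NodeVisitor):
    def __init__(self):
        self.tainted, self.findings = set(), []

    def visit_Assign(self, node):  # propagate taint through plain assignments
        if is_tainted(node.value, self.tainted):
            self.tainted.update(t.id for t in node.targets if isinstance(t, ast.Name))
        self.generic_visit(node)

    def visit_Call(self, node):  # report tainted data reaching a sink
        name, kw = dotted(node.func), {k.arg: k.value for k in node.keywords}
        shell = isinstance(kw.get("shell"), ast.Constant) and kw["shell"].value is True
        if name in SINKS and (name != "subprocess.run" or shell):
            if any(is_tainted(a, self.tainted) for a in node.args + list(kw.values())):
                self.findings.append((node.lineno, name) + SINKS[name])
        self.generic_visit(node)

def audit(source):  # findings as (line, sink, category, priority), P1 first
    auditor = TaintAuditor()
    auditor.visit(ast.parse(source))
    return sorted(auditor.findings, key=lambda f: (f[3], f[0]))
SAMPLE = """\
def run_report():  # constructed sample: one entrypoint, four candidate sinks
    name = request.args.get("name")
    os.system("report " + name)                   # shell string: injection
    subprocess.run(["report", name])              # argv form: not flagged
    subprocess.run("report " + name, shell=True)  # shell=True: injection
    return open("/reports/" + name).read()        # path built from input
"""
```

`audit(SAMPLE)` returns three findings (two P1 injection sinks and one P2 file sink) and skips the argv-form `subprocess.run`, which is the kind of distinction the classification step needs before anything is auto-fixed.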
Map the trust boundaries first
Do not audit a single function in isolation when the real risk depends on who can call it, what data reaches it, and what authority it has.
Inspect the relevant equivalents of: