auditing-security
Installation
SKILL.md
Security Audit
Use this skill when the user asks to audit security, check for vulnerabilities, review code for security issues, or harden an application.
Steps
-
Scan for hardcoded secrets — search for API keys, tokens, passwords, and connection strings in source files. Check for patterns like:
password=,secret=,token=,api_key=- Base64-encoded credentials
- AWS keys (
AKIA...), Stripe keys (sk_live_...), GitHub tokens (ghp_...) - Files:
.envcommitted to git,config.jsonwith credentials
-
Check authentication & authorization
- Verify all API routes check authentication before processing.
- Ensure role-based access control is enforced server-side, not just in the UI.
- Check that password hashing uses bcrypt/argon2 (not MD5/SHA1).
- Verify session tokens are HTTP-only, secure, and have reasonable expiry.