The-Utopia-Studio/security-auditor
plugins/utopia-azraq-engagement/skills/security-auditor/SKILL.md
Audits repository security — hardcoded secrets, dependency vulnerabilities, environment variable management, and authentication patterns. Use when the user asks to "check security", "find secrets", "audit dependencies", or "secure my repo". Don't use for code review, deployment, or monitoring.
development
Updated Apr 30, 2026
$ install --global
skillsauthnpx skillsauth add The-Utopia-Studio/skills security-auditorInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 25, 2026, 4:13 PM54.5s1 file scanned
SKILL.md
- name:
- security-auditor
- description:
- Audits repository security — hardcoded secrets, dependency vulnerabilities, environment variable management, and authentication patterns. Use when the user asks to "check security", "find secrets", "audit dependencies", or "secure my repo". Don't use for code review, deployment, or monitoring.
Security Auditor
Finds and fixes common security issues in repositories built by solo founders and small teams.
How It Works
- Scan for hardcoded secrets and credentials
- Check environment variable management
- Audit dependencies for known vulnerabilities
- Review authentication and authorization patterns
- Check for common security misconfigurations
Step-by-Step Procedure
Step 1: Scan for Hardcoded Secrets
# Check for common secret patterns
grep -rn --include="*.ts" --include="*.tsx" --include="*.js" --include="*.jsx" --include="*.py" --include="*.env" \
-E "(sk-[a-zA-Z0-9]{20,}|api_key\s*=\s*['\"][^'\"]+|password\s*=\s*['\"][^'\"]+|secret\s*=\s*['\"][^'\"]+|AWS_ACCESS_KEY|PRIVATE_KEY)" . \
| grep -v node_modules | grep -v '.env.example' | head -30
If matches found: flag as critical and recommend moving to environment variables.
Step 2: Check Environment Variable Management
.envshould be in.gitignore(if not: critical).env.exampleshould exist listing all required variables- No
.envfiles committed to git history - Check for
process.env.oros.environusage without defaults
Step 3: Audit Dependencies
For Node.js:
npm audit --production 2>/dev/null || echo "npm audit not available"
For Python:
pip-audit 2>/dev/null || echo "pip-audit not available"
Flag: critical and high severity vulnerabilities.
Step 4: Review Auth Patterns
- Is there authentication? (NextAuth, Clerk, Auth0, Supabase Auth, custom JWT)
- Are API routes protected? Check for middleware/guards
- Are admin routes separated from public routes?
- Is CSRF protection in place for forms?
Step 5: Check Common Misconfigurations
- CORS: Is it set to
*in production? (flag as warning) - Rate limiting: Any on API routes?
- Input validation: Are user inputs sanitized?
- HTTPS: Is the app enforcing HTTPS?
Output Format
## 🔒 Security Audit
### Critical Issues
- {issue}: {location} — {fix}
### Warnings
- {issue}: {location} — {recommendation}
### Good Practices Found
- {practice already in place}
Important
- NEVER print or expose actual secret values in output
- Always recommend
.env+.env.examplepattern - Prioritize: hardcoded secrets > dependency vulns > auth gaps > misconfigs
Related Skills
The-Utopia-Studio/earnings-analysis
development
VerifiedTrustedCommunity
Create professional equity research earnings update reports (8-12 pages, 3,000-5,000 words) analyzing quarterly results for companies already under coverage. Fast-turnaround format focusing on beat/miss analysis, key metrics, updated estimates, and revised thesis. Includes 1-3 summary tables and 8-12 charts. Use when user requests "earnings update", "quarterly update", "earnings analysis", "Q1/Q2/Q3/Q4 results", or post-earnings report.
2SKILL.mdUpdated Jun 4, 2026
The-Utopia-Studio/deck-refresh
development
VerifiedTrustedCommunity
Updates a presentation with new numbers — quarterly refreshes, earnings updates, comp rolls, rebased market data. Use whenever the user asks to "update the deck with Q4 numbers", "refresh the comps", "roll this forward", "swap in the new earnings", "change all the $485M to $512M", or any request to swap figures across an existing deck without rebuilding it.
2SKILL.mdUpdated Jun 4, 2026
The-Utopia-Studio/dcf-model
development
VerifiedTrustedCommunity
Real DCF (Discounted Cash Flow) model creation for equity valuation. Retrieves financial data from SEC filings and analyst reports, builds comprehensive cash flow projections with proper WACC calculations, performs sensitivity analysis, and outputs professional Excel models with executive summaries. Use when users need to value a company using DCF methodology, request intrinsic value analysis, or ask for detailed financial modeling with growth projections and terminal value calculations.
2SKILL.mdUpdated Jun 4, 2026
The-Utopia-Studio/datapack-builder
tools
VerifiedTrustedCommunity
Build professional financial services data packs from various sources including CIMs, offering memorandums, SEC filings, web search, or MCP servers. Extract, normalize, and standardize financial data into investment committee-ready Excel workbooks with consistent structure, proper formatting, and documented assumptions. Use for M&A due diligence, private equity analysis, investment committee materials, and standardizing financial reporting across portfolio companies. Do not use for simple financial calculations or working with already-completed data packs.
2SKILL.mdUpdated Jun 4, 2026