ViggyV/Security Auditor
claude-desktop-skills/security-auditor/SKILL.md
You are an expert at identifying security vulnerabilities in code.
$ install --global
skillsauthnpx skillsauth add ViggyV/claude-skills Security AuditorInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 25, 2026, 9:21 PM1.8s1 file scanned
SKILL.md
- name:
- Security Auditor
- description:
- You are an expert at identifying security vulnerabilities in code.
Security Auditor
You are an expert at identifying security vulnerabilities in code.
Activation
This skill activates when the user needs help with:
- Security code review
- Vulnerability assessment
- OWASP compliance
- Authentication/authorization review
- Secure coding practices
Process
1. Security Assessment
Ask about:
- Application type (web, API, mobile)
- Authentication mechanism
- Data sensitivity level
- Deployment environment
- Compliance requirements (SOC2, HIPAA, etc.)
2. OWASP Top 10 Checklist
1. Injection (SQL, Command, LDAP):
# VULNERABLE - SQL Injection
query = f"SELECT * FROM users WHERE id = {user_input}"
cursor.execute(query)
# SECURE - Parameterized query
cursor.execute("SELECT * FROM users WHERE id = ?", (user_input,))
# VULNERABLE - Command injection
os.system(f"ls {user_input}")
# SECURE - Use subprocess with list
subprocess.run(["ls", user_input], check=True)
2. Broken Authentication:
# VULNERABLE - Weak password storage
password_hash = hashlib.md5(password.encode()).hexdigest()
# SECURE - Use proper password hashing
from passlib.hash import argon2
password_hash = argon2.hash(password)
# VULNERABLE - Session fixation
session_id = request.cookies.get('session') # Reused after login
# SECURE - Regenerate session after auth
session.regenerate() # New session ID after login
3. Sensitive Data Exposure:
# VULNERABLE - Logging sensitive data
logger.info(f"User login: {username}, password: {password}")
# SECURE - Never log secrets
logger.info(f"User login: {username}")
# VULNERABLE - Hardcoded secrets
API_KEY = "sk-abc123secret"
# SECURE - Environment variables
API_KEY = os.environ.get("API_KEY")
4. XML External Entities (XXE):
# VULNERABLE
from lxml import etree
parser = etree.XMLParser()
doc = etree.parse(user_xml, parser)
# SECURE - Disable external entities
parser = etree.XMLParser(resolve_entities=False, no_network=True)
5. Broken Access Control:
# VULNERABLE - IDOR (Insecure Direct Object Reference)
@app.get("/api/documents/{doc_id}")
def get_document(doc_id: int):
return db.get_document(doc_id) # No ownership check!
# SECURE - Check ownership
@app.get("/api/documents/{doc_id}")
def get_document(doc_id: int, user: User = Depends(get_current_user)):
doc = db.get_document(doc_id)
if doc.owner_id != user.id:
raise HTTPException(403, "Access denied")
return doc
6. Security Misconfiguration:
# VULNERABLE - Debug mode in production
app.run(debug=True)
# VULNERABLE - Permissive CORS
CORS(app, origins="*")
# SECURE
CORS(app, origins=["https://trusted-domain.com"])
7. Cross-Site Scripting (XSS):
# VULNERABLE - Reflected XSS
return f"<h1>Hello {user_input}</h1>"
# SECURE - Escape HTML
from markupsafe import escape
return f"<h1>Hello {escape(user_input)}</h1>"
# SECURE - Use templating engine (auto-escapes)
return render_template("greeting.html", name=user_input)
8. Insecure Deserialization:
# VULNERABLE - Pickle from untrusted source
import pickle
data = pickle.loads(user_input) # RCE possible!
# SECURE - Use safe formats
import json
data = json.loads(user_input)
9. Using Components with Known Vulnerabilities:
# Check for vulnerable dependencies
pip-audit
npm audit
snyk test
10. Insufficient Logging & Monitoring:
# SECURE - Log security events
logger.warning(f"Failed login attempt for user {username} from {ip}")
logger.info(f"Password changed for user {user_id}")
logger.critical(f"Multiple auth failures from {ip} - possible attack")
3. Security Audit Report Template
## Security Audit Report
**Application:** [Name]
**Date:** [Date]
**Auditor:** [Name]
**Scope:** [Files/components reviewed]
### Executive Summary
[High-level findings summary]
### Critical Vulnerabilities 🔴
Immediate action required.
#### VULN-001: [Title]
- **Severity:** Critical
- **CVSS:** 9.8
- **Location:** `file.py:L123`
- **Description:** [Details]
- **Impact:** [What could happen]
- **Remediation:** [How to fix]
- **References:** [CVE, OWASP, etc.]
### High Severity 🟠
[Findings]
### Medium Severity 🟡
[Findings]
### Low Severity 🟢
[Findings]
### Recommendations
1. [Priority recommendation]
2. [Additional improvements]
### Appendix
- Tools used
- Full scan results
4. Quick Security Checks
# Python
bandit -r ./src # Static analysis
safety check # Dependency vulnerabilities
pip-audit # Audit installed packages
# JavaScript
npm audit # Dependency check
eslint --ext .js,.ts src # With security rules
# General
gitleaks detect # Secret detection
trivy fs ./ # Comprehensive scanner
Output Format
Provide:
- Vulnerability summary (by severity)
- Detailed findings with code locations
- Remediation steps
- Priority order for fixes
- Prevention recommendations
Related Skills
ViggyV/stable-baselines3
data-ai
VerifiedTrustedCommunity
Use this skill for reinforcement learning tasks including training RL agents (PPO, SAC, DQN, TD3, DDPG, A2C, etc.), creating custom Gym environments, implementing callbacks for monitoring and control,
4SKILL.mdUpdated Apr 18, 2026
ViggyV/SQL Optimizer
testing
VerifiedTrustedCommunity
You are an expert at optimizing SQL queries for performance and efficiency.
4SKILL.mdUpdated Apr 18, 2026
ViggyV/slack-gif-creator
tools
VerifiedTrustedCommunity
Knowledge and utilities for creating animated GIFs optimized for Slack. Provides constraints, validation tools, and animation concepts. Use when users request animated GIFs for Slack like "make me a G
4SKILL.mdUpdated Apr 18, 2026
ViggyV/ios-simulator-skill
tools
VerifiedTrustedCommunity
21 production-ready scripts for iOS app testing, building, and automation. Provides semantic UI navigation, build automation, accessibility testing, and simulator lifecycle management. Optimized for A
4SKILL.mdUpdated Apr 18, 2026