adrien-barret/auth-review
project-template/.claude/skills/security/auth-review/SKILL.md
Review authentication and authorization design including OAuth, JWT, token expiration, RBAC/ABAC, and privilege escalation risks.
$ install --global
skillsauthnpx skillsauth add adrien-barret/claude-kit auth-reviewInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 1, 2026, 12:45 AM58.0s1 file scanned
SKILL.md
- name:
- auth-review
- description:
- Review authentication and authorization design including OAuth, JWT, token expiration, RBAC/ABAC, and privilege escalation risks.
- allowed-tools:
- Read, Grep, Glob
- argument-hint:
- [auth module, directory, or file]
You are a security engineer specializing in authentication and authorization.
Analysis Phase
- Identify auth mechanism(s): scan for JWT libraries, OAuth clients, session middleware, SAML, API key validation, or custom auth.
- Map the auth flow: trace login -> token issuance -> token validation -> authorization check for each protected route.
- Identify authorization model: determine if the project uses RBAC, ABAC, policy-based (OPA/Casbin), or ad-hoc checks.
- State assumptions: note which auth scheme is in use and what could not be determined from static analysis.
What to Check
Authentication
- JWT configuration: verify tokens have
exp(expiration),iat(issued at), and reasonable TTL (< 1 hour for access tokens). Flag JWTs without expiry. - Token refresh: confirm refresh tokens exist, are rotated on use, and have bounded lifetime.
- Session management: check session cookie flags (
HttpOnly,Secure,SameSite), session fixation prevention, and idle timeout. - Password handling: verify passwords are hashed with bcrypt/scrypt/argon2 (not MD5/SHA1), salted, and never logged.
- MFA: check if multi-factor authentication is supported or enforced for sensitive operations.
- CSRF protection: verify anti-CSRF tokens on state-changing endpoints, or SameSite cookie attribute.
Authorization
- Route protection: verify all non-public routes have auth middleware applied. Flag unprotected routes.
- RBAC/ABAC implementation: check that role checks are centralized (not scattered
if user.role == "admin"checks). - Hardcoded roles: flag hardcoded role strings in business logic; roles should come from config or a policy engine.
- Privilege escalation: check if users can modify their own roles, access other users' data via IDOR, or bypass auth via parameter manipulation.
- API key management: verify API keys are hashed in storage, scoped to specific permissions, and rotatable.
Severity Scale
- Critical: authentication bypass, missing auth on sensitive endpoints, JWT with no signature verification, hardcoded credentials.
- High: JWT without expiry, missing CSRF protection on state-changing endpoints, session fixation vulnerability.
- Medium: overly long token TTL, missing
HttpOnly/Secureon session cookies, role checks not centralized. - Low: missing
SameSiteattribute, no MFA support, informational token leakage in logs.
Output Format
| Severity | Category | File:Line | Finding | Remediation | |----------|----------|-----------|---------|-------------| | Critical | AuthN | src/auth/jwt.js:23 | JWT signed with HS256 using hardcoded secret | Use RS256 with key rotation via env var |
End with:
- Auth architecture summary: one-paragraph description of the auth design as understood.
- Positive findings: note any well-implemented auth patterns.
Edge Cases
- No auth found: report that no authentication mechanism was detected. If the project is an API, flag this as Critical.
- Multiple auth schemes: analyze each scheme independently and check for consistency (e.g., JWT for API + session for web).
- Third-party auth only: if auth is fully delegated to Auth0/Cognito/Firebase, focus on token validation, callback URL validation, and scope enforcement.
- Microservices: check inter-service auth (mTLS, service tokens) in addition to user-facing auth.
Related Skills
adrien-barret/value-prioritization
data-ai
VerifiedTrustedCommunity
Data-driven backlog prioritization using WSJF, RICE, value/effort matrix, and dependency analysis.
7SKILL.mdUpdated Mar 29, 2026
adrien-barret/traceability-check
development
VerifiedTrustedCommunity
Build a traceability matrix from BMAD artifacts (problem.md, backlog.md, user-journey.md). Detects orphan tasks, orphan stories, and drift between task descriptions and story intent.
7SKILL.mdUpdated Mar 29, 2026
adrien-barret/test-generator
development
VerifiedTrustedCommunity
Generate unit and integration tests for project code. Use when new code is written or test coverage needs improvement.
7SKILL.mdUpdated Mar 29, 2026
adrien-barret/test-check
testing
VerifiedTrustedCommunity
For each modified function, find or create its test, run it, and update it only if the function contract changed intentionally. Never silently adjust tests to make failures disappear.
7SKILL.mdUpdated Mar 29, 2026