charon-fan/security-auditor
skills/security-auditor/SKILL.md
Security vulnerability expert covering OWASP Top 10 and common security issues. Use when conducting security audits or reviewing code for vulnerabilities.
$ install --global
skillsauthnpx skillsauth add charon-fan/agent-playbook security-auditorInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 17, 2026, 2:18 PM11.7s7 files scanned
SKILL.md
- name:
- security-auditor
- description:
- Security vulnerability expert covering OWASP Top 10 and common security issues. Use when conducting security audits or reviewing code for vulnerabilities.
- allowed-tools:
- Read, Grep, Glob, Bash, WebSearch
- - trigger:
- session-logger
- mode:
- auto
- reason:
- Log security audit
Security Auditor
Expert in identifying security vulnerabilities following OWASP Top 10 and security best practices.
When This Skill Activates
Activates when you:
- Request a security audit
- Mention "security" or "vulnerability"
- Need security review
- Ask about OWASP
OWASP Top 10 Coverage
A01: Broken Access Control
Checks:
# Check for missing auth on protected routes
grep -r "@RequireAuth\|@Protected" src/
# Check for IDOR vulnerabilities
grep -r "req.params.id\|req.query.id" src/
# Check for role-based access
grep -r "if.*role.*===" src/
Common Issues:
- Missing authentication on sensitive endpoints
- IDOR: Users can access other users' data
- Missing authorization checks
- API keys in URL
A02: Cryptographic Failures
Checks:
# Check for hardcoded secrets
grep -ri "password.*=.*['\"]" src/
grep -ri "api_key.*=.*['\"]" src/
grep -ri "secret.*=.*['\"]" src/
# Check for weak hashing
grep -r "md5\|sha1" src/
# Check for http URLs
grep -r "http:\/\/" src/
Common Issues:
- Hardcoded credentials
- Weak hashing algorithms (MD5, SHA1)
- Unencrypted sensitive data
- HTTP instead of HTTPS
A03: Injection
Checks:
# SQL injection patterns
grep -r "\".*SELECT.*+.*\"" src/
grep -r "\".*UPDATE.*SET.*+.*\"" src/
# Command injection
grep -r "exec(\|system(\|spawn(" src/
grep -r "child_process.exec" src/
# Template injection
grep -r "render.*req\." src/
Common Issues:
- SQL injection
- NoSQL injection
- Command injection
- XSS (Cross-Site Scripting)
- Template injection
A04: Insecure Design
Checks:
# Check for rate limiting
grep -r "rateLimit\|rate-limit\|throttle" src/
# Check for 2FA
grep -r "twoFactor\|2fa\|mfa" src/
# Check for session timeout
grep -r "maxAge\|expires\|timeout" src/
Common Issues:
- No rate limiting on auth endpoints
- Missing 2FA for sensitive operations
- Session timeout too long
- No account lockout after failed attempts
A05: Security Misconfiguration
Checks:
# Check for debug mode
grep -r "DEBUG.*=.*True\|debug.*=.*true" src/
# Check for CORS configuration
grep -r "origin.*\*" src/
# Check for error messages
grep -r "console\.log.*error\|console\.error" src/
Common Issues:
- Debug mode enabled in production
- Overly permissive CORS
- Verbose error messages
- Default credentials not changed
A06: Vulnerable Components
Checks:
# Check package files
cat package.json | grep -E "\"dependencies\"|\"devDependencies\""
cat requirements.txt
cat go.mod
# Run vulnerability scanner
npm audit
pip-audit
Common Issues:
- Outdated dependencies
- Known vulnerabilities in dependencies
- Unused dependencies
- Unmaintained packages
A07: Authentication Failures
Checks:
# Check password hashing
grep -r "bcrypt\|argon2\|scrypt" src/
# Check password requirements
grep -r "password.*length\|password.*complex" src/
# Check for password in URL
grep -r "password.*req\." src/
Common Issues:
- Weak password hashing
- No password complexity requirements
- Password in URL
- Session fixation
A08: Software/Data Integrity
Checks:
# Check for subresource integrity
grep -r "integrity\|crossorigin" src/
# Check for signature verification
grep -r "verify.*signature\|validate.*token" src/
Common Issues:
- No integrity checks
- Unsigned updates
- Unverified dependencies
A09: Logging Failures
Checks:
# Check for sensitive data in logs
grep -r "log.*password\|log.*token\|log.*secret" src/
# Check for audit trail
grep -r "audit\|activity.*log" src/
Common Issues:
- Sensitive data in logs
- No audit trail for critical operations
- Logs not protected
- No log tampering detection
A10: SSRF (Server-Side Request Forgery)
Checks:
# Check for arbitrary URL fetching
grep -r "fetch(\|axios(\|request(\|http\\.get" src/
# Check for webhook URLs
grep -r "webhook.*url\|callback.*url" src/
Common Issues:
- No URL validation
- Fetching user-supplied URLs
- No allowlist for external calls
Security Audit Checklist
Code Review
- [ ] No hardcoded secrets
- [ ] Input validation on all inputs
- [ ] Output encoding for XSS prevention
- [ ] Parameterized queries for SQL
- [ ] Proper error handling
- [ ] Authentication on protected routes
- [ ] Authorization checks
- [ ] Rate limiting on public APIs
Configuration
- [ ] Debug mode off
- [ ) HTTPS enforced
- [ ] CORS configured correctly
- [ ] Security headers set
- [ ] Environment variables for secrets
- [ ] Database not exposed
Dependencies
- [ ] No known vulnerabilities
- [ ] Dependencies up to date
- [ ] Unused dependencies removed
Scripts
Run security audit:
python scripts/security_audit.py
Check for secrets:
python scripts/find_secrets.py
References
references/owasp.md- OWASP Top 10 detailsreferences/checklist.md- Security audit checklistreferences/remediation.md- Vulnerability remediation guide
Related Skills
charon-fan/workflow-orchestrator
data-ai
VerifiedTrustedCommunity
Automatically coordinates multi-skill workflows and triggers follow-up actions. Use when completing PRD creation, implementation, or any milestone that should trigger additional skills. This skill reads the auto-trigger configuration and executes the workflow chain.
57SKILL.mdUpdated Apr 17, 2026
charon-fan/skill-router
development
VerifiedTrustedCommunity
Intelligently routes user requests to the most appropriate Claude Code skill. ALWAYS use this skill FIRST when user asks for help, mentions "skill", "which", "how to", or seems unsure about which approach to take. This is the default entry point for all skill-related requests.
57SKILL.mdUpdated Apr 17, 2026
charon-fan/session-logger
tools
VerifiedTrustedCommunity
Saves conversation history to session log files. Use when user says "保存对话", "保存对话信息", "记录会话", "save session", or "save conversation". Automatically creates timestamped session log in sessions/ directory.
57SKILL.mdUpdated Apr 17, 2026
charon-fan/self-improving-agent
development
VerifiedTrustedCommunity
A universal self-improving agent that learns from ALL skill experiences. Uses multi-memory architecture (semantic + episodic + working) to continuously evolve the codebase. Auto-triggers on skill completion/error with hooks-based self-correction.
57SKILL.mdUpdated Apr 17, 2026