dirien/security-audit
.claude/skills/security-audit/SKILL.md
Comprehensive security audit covering OWASP Top 10, secrets detection, supply chain security, threat modeling, and language-specific vulnerability patterns. Investigates actual code paths rather than grep-matching keywords. Generates a scored SECURITY_AUDIT.md with prioritized remediation. Use when assessing application security, preparing for a security review, or onboarding to a codebase with security concerns.
$ install --global
skillsauthnpx skillsauth add dirien/yet-another-agent-harness security-auditInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 17, 2026, 2:52 AM28.2s6 files scanned
SKILL.md
- name:
- security-audit
- description:
- >
- compatibility:
- >
- scanning tools:
- gitleaks, semgrep, trivy, govulncheck, npm audit.
<!-- Copyright 2025-2026 Richard Shade. Licensed under Apache-2.0. -->
<!-- SPDX-License-Identifier: Apache-2.0 -->
Security Audit
Investigate the codebase for security vulnerabilities across OWASP Top 10 categories, secrets exposure, supply chain risks, and language-specific patterns. Produces a scored SECURITY_AUDIT.md with prioritized remediation actions.
Core principle: Investigate, do not just grep. Read surrounding code to determine if a match is a genuine vulnerability, a false positive, or already mitigated. Only flag findings with specific file:line evidence and confirmed risk.
Prerequisite check
git --version 2>/dev/null && git rev-parse --is-inside-work-tree 2>/dev/null
Check for available security tools (optional but enhance analysis):
command -v gitleaks 2>/dev/null && echo "gitleaks: available"
command -v semgrep 2>/dev/null && echo "semgrep: available"
command -v trivy 2>/dev/null && echo "trivy: available"
command -v govulncheck 2>/dev/null && echo "govulncheck: available"
Proceed without tools — manual investigation still works. Note which tools are missing in the report.
Step 1: Scope and context
Determine what to audit and understand the application:
- Detect tech stack — scan for go.mod, package.json, pyproject.toml, Cargo.toml, *.csproj to identify languages
- Identify security-sensitive areas — search for files related to authentication, authorization, database access, API endpoints, cryptography, file handling
- Determine scope — full codebase audit, specific module, or recent changes only (based on user input)
- Read project docs — CLAUDE.md, README.md, CONTEXT.md for architectural context and known boundaries
Step 2: Automated scanning
Run available security tools before manual investigation. Tool findings guide where to focus manual review.
# Secrets in current code and git history
gitleaks detect -v 2>&1
# Static analysis (language-aware rule sets)
semgrep --config=auto --severity=ERROR . 2>&1
# Dependency vulnerabilities
trivy fs --severity HIGH,CRITICAL . 2>&1
# or: govulncheck ./... / npm audit / pip-audit / cargo audit
If tools find issues, verify each one — automated scanners produce false positives. Read the flagged code in context before including in the report.
Step 3: OWASP Top 10 analysis
Systematically investigate each OWASP category relevant to the project. Not all categories apply to all projects — a CLI tool does not need XSS checks; a library does not need CSRF protection.
For each applicable category:
- Identify the code paths where this vulnerability could exist
- Read the actual implementation (not just grep for keywords)
- Check if mitigations are in place
- Flag only confirmed or strongly suspected vulnerabilities
For detailed investigation patterns per OWASP category, see
references/owasp-patterns.md.
Step 4: Secrets and supply chain
Secrets: Scan current code AND git history for hardcoded credentials, API keys, tokens, and connection strings. A secret removed from current code but present in git history is still compromised — flag as CRITICAL.
Supply chain: Check lockfile integrity, dependency vulnerabilities, dependency confusion risk, and maintenance signals for critical dependencies.
For detailed scanning commands and analysis patterns, see
references/secrets-and-supply-chain.md.
Step 5: Threat modeling
Apply STRIDE to the actual codebase:
- Map entry points — every way data enters the application
- Identify trust boundaries — where untrusted data crosses into trusted zones
- Apply STRIDE categories — Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege
- Score threats using DREAD (Damage, Reproducibility, Exploitability, Affected users, Discoverability)
For detailed threat modeling steps and DREAD scoring, see
references/threat-model.md.
Step 6: Language-specific review
Check for vulnerability patterns specific to the detected languages. Load only the relevant language sections.
For Go, JavaScript/TypeScript, Python, Rust, and .NET patterns, see
references/language-security.md.
Step 7: Score and classify findings
For each finding, assign:
- Severity: CRITICAL / HIGH / MEDIUM / LOW
- CRITICAL: exploitable now, data breach or RCE risk
- HIGH: exploitable with moderate effort, significant impact
- MEDIUM: requires specific conditions, moderate impact
- LOW: theoretical risk, minimal impact
- Effort to fix: S (< 1 day) / M (1-5 days) / L (1-2 weeks)
- Evidence: specific file:line reference and explanation
Step 8: Generate SECURITY_AUDIT.md
Write the report using the template in
references/report-template.md. Include executive summary, detailed
findings with evidence, threat model summary, and prioritized
remediation actions.
Run markdownlint on the generated file.
Step 9: Present summary
Show the user:
- Finding counts by severity
- Top 3 most critical items with evidence
- Tools that were available vs missing
- Remediation priority list
- Ask which findings to address first
Related Skills
dirien/typescript-pro
tools
VerifiedTrustedCommunity
Implements advanced TypeScript type systems, creates custom type guards, utility types, and branded types, and configures tRPC for end-to-end type safety. Use when building TypeScript applications requiring advanced generics, conditional or mapped types, discriminated unions, monorepo setup, or full-stack type safety with tRPC.
13SKILL.mdUpdated Apr 17, 2026
dirien/the-fool
development
VerifiedTrustedCommunity
Use when challenging ideas, plans, decisions, or proposals using structured critical reasoning. Invoke to play devil's advocate, run a pre-mortem, red team, or audit evidence and assumptions.
13SKILL.mdUpdated Apr 17, 2026
dirien/tech-debt
development
VerifiedTrustedCommunity
Systematic technical debt analysis across architecture, testing, documentation, and infrastructure. Investigates the codebase, scores findings by impact and effort, and generates a prioritized TECH_DEBT.md remediation plan. Delegates to specialized skills for code quality (scout) and linting (lint-fix). Use when assessing overall project health, planning cleanup sprints, or onboarding to an unfamiliar codebase.
13SKILL.mdUpdated Apr 17, 2026
dirien/tailscale-install
testing
VerifiedTrustedCommunity
Install and configure Tailscale across platforms. Detects OS, distro, and environment (including WSL2 and containers). Verifies existing installations, performs platform-appropriate install, and guides initial connection. Use when setting up Tailscale on a new machine, onboarding a server to a tailnet, or verifying an existing install.
13SKILL.mdUpdated Apr 17, 2026