hoangnguyen0403/common-security-audit
agents/skills/common/common-security-audit/SKILL.md
Probe for hardcoded secrets, injection surfaces, unguarded routes, and infrastructure weaknesses across Node, Go, Dart, Java, Python, and Rust codebases. Use when performing security audits, vulnerability scans, secrets detection, or penetration testing.
$ install --global
skillsauthnpx skillsauth add hoangnguyen0403/agent-skills-standard common-security-auditInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 24, 2026, 7:59 AM55.9s4 files scanned
SKILL.md
- name:
- common-security-audit
- description:
- Probe for hardcoded secrets, injection surfaces, unguarded routes, and infrastructure weaknesses across Node, Go, Dart, Java, Python, and Rust codebases. Use when performing security audits, vulnerability scans, secrets detection, or penetration testing.
Security Audit
Priority: P0 (CRITICAL)
1. Scan for Hardcoded Secrets
See implementation examples for secrets scanning commands.
2. Detect Data Leakage in Logs
Identify sensitive info printed to logs or stdout.
- Node/TS:
grep -rE "console\.(log|error|warn)" . --include="*.ts" --include="*.js" | grep -iE "password|token|secret" - Go:
grep -rE "log\.(Print|Printf|Println|Fatal)" . --include="*.go" | grep -iE "password|token|secret" - Dart/Flutter:
grep -rE "print\(|debugPrint\(" . --include="*.dart" | grep -iE "password|token|secret" - Java/Spring:
grep -rE "log(ger)?\.(info|debug|warn|error)" . --include="*.java" | grep -iE "password|token|secret"
3. Map Injection Surfaces
Detect raw string concatenation in queries or system commands.
See implementation examples for injection surface detection.
4. Measure Auth Coverage vs Exposure
Compare total routes against protected endpoints.
- NestJS:
total=$(grep -r "@(Get|Post|Put|Delete|Patch)" . | wc -l); guarded=$(grep -r "@(UseGuards|Auth)" . | wc -l) - Spring:
total=$(grep -r "@(GetMapping|PostMapping|PutMapping)" . | wc -l); guarded=$(grep -r "@(PreAuthorize|Secured)" . | wc -l) - Go:
total=$(grep -rE "(GET|POST|PUT|DELETE)" . | wc -l); guarded=$(grep -rE "(middleware|auth|jwt|guard)" . | wc -l)
5. Run Dependency CVE Scans
- Node:
npm audit --audit-level=high - Dart/Flutter:
dart pub outdated --json - Go:
go list -m -u all | grep "\[" - Java:
mvn dependency:listor./gradlew dependencies - Python:
pip-audit - Rust:
cargo audit
6. Audit Infrastructure Hardening
See implementation examples for infrastructure hardening checks.
7. Detect Adversarial Entry Points (RCE/SSRF/Path Traversal)
Identify where user input reaches dangerous sinks without sanitization.
- Path Traversal:
grep -rE "path\.join\(|os\.path\.join\(" . | grep -vE "path\.resolve|path\.normalize" - SSRF:
grep -rE "axios\.get\(|http\.Get\(|fetch\(" . | grep -vE "['\"]https?://" - BOLA/IDOR:
grep -rE "findById\(|findOne\(" . | grep -viE "tenant|owner|user_id"
Scoring Impact
| Finding | Threshold | Severity | Deduction | | ------------------------ | --------- | -------- | --------- | | Hardcoded Secrets | Any match | P0 | -25 | | Plain-text PII in Logs | Any match | P0 | -20 | | Unguarded Routes > 20% | > 0.2 | P0 | -15 | | Raw SQL Concatenation | Any match | P1 | -10 | | Response Leakage (Stack) | > 0 | P1 | -10 |
CAUTION: P0 finding immediately caps Security score at 40/100.
Anti-Patterns
- No applying generic patterns over project-specific rules: Respect existing security constraints.
- No ignoring error handling or edge cases: Audit must cover boundary conditions.
References
- Vulnerability Remediation Protocols
Related Skills
hoangnguyen0403/common-software-requirements
development
VerifiedTrustedCommunity
Standardize SRS and FRS specifications for technical behavior, interfaces, data contracts, quality constraints, and verification mapping. Use when writing SRS, functional specification, system behavior requirements, API/data contracts, or non-functional thresholds.
503SKILL.mdUpdated May 23, 2026
hoangnguyen0403/common-business-requirements
development
VerifiedTrustedCommunity
Standardize BRD and BRD-lite discovery for business goals, stakeholder impact, current-to-future state, and measurable value outcomes. Use when creating BRD, business case, project justification, ROI narrative, or AS-IS to TO-BE scope.
503SKILL.mdUpdated May 23, 2026
hoangnguyen0403/common-tdd
development
VerifiedTrustedCommunity
Implements a strict Red-Green-Refactor loop to ensure zero production code is written without a prior failing test. Use when: creating new features, fixing bugs, or expanding test coverage.
503SKILL.mdUpdated May 10, 2026
hoangnguyen0403/common-product-requirements
testing
VerifiedTrustedCommunity
Standardize PRD discovery and drafting for product scope, user outcomes, requirement IDs, and acceptance criteria. Use when creating PRD, product requirements, feature specification, or acceptance criteria plan.
503SKILL.mdUpdated May 10, 2026