kcenon/security-audit
plugin/skills/security-audit/SKILL.md
Comprehensive security audit covering OWASP Top 10, input validation, authentication, authorization, secret management, dependency vulnerabilities, and injection attack prevention. Use when reviewing security posture, implementing auth flows, handling user input, auditing dependencies, conducting penetration test prep, or before production deployment.
$ install --global
skillsauthnpx skillsauth add kcenon/claude-config security-auditInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Jun 9, 2026, 8:20 AM179.4s4 files scanned
SKILL.md
- name:
- security-audit
- description:
- Comprehensive security audit covering OWASP Top 10, input validation, authentication, authorization, secret management, dependency vulnerabilities, and injection attack prevention. Use when reviewing security posture, implementing auth flows, handling user input, auditing dependencies, conducting penetration test prep, or before production deployment.
- allowed-tools:
- Read, Grep, Glob
- model:
- sonnet
- context:
- fork
- agent:
- Explore
- argument-hint:
- <file-or-directory>
- finding_levels:
- [S1, S2, S3]
- iso_class:
- none
Security Audit Skill
When to Use
- Implementing authentication/authorization
- Handling user input
- Working with sensitive data (passwords, tokens, keys)
- Security review requests
- Designing API endpoints
Security Checklist
Input Validation
- [ ] Validate all user input
- [ ] Prevent SQL Injection
- [ ] Prevent XSS
- [ ] Prevent Command Injection
Authentication
- [ ] Secure password hashing
- [ ] Session management
- [ ] JWT security settings
Authorization
- [ ] Permission verification
- [ ] Resource access control
Reference Documents (Import Syntax)
@./reference/security.md @./reference/error-handling.md @./reference/api-design.md
OWASP Top 10 Reference
- Injection
- Broken Authentication
- Sensitive Data Exposure
- XML External Entities (XXE)
- Broken Access Control
- Security Misconfiguration
- Cross-Site Scripting (XSS)
- Insecure Deserialization
- Using Components with Known Vulnerabilities
- Insufficient Logging & Monitoring
Output
This skill runs in a forked context (context: fork) using the read-only Explore agent. It does not have access to the calling conversation's history — operate entirely from the supplied <file-or-directory> argument.
Return a structured report at the end of analysis:
## Security Audit Report
| Severity | Findings |
|----------|----------|
| S1 (block-merge) | N items |
| S2 (review-required) | N items |
| S3 (advisory) | N items |
### S1 Findings
1. `file.ext:line` — severity: S1 — finding + recommended fix
2. ...
### S2 Findings
1. `file.ext:line` — severity: S2 — finding + recommended fix
### Coverage
- Files inspected: N
- OWASP categories evaluated: 1, 2, 3, ...
- Categories not applicable: ...
Each finding MUST include a severity: field (S1, S2, or S3). When a finding's severity is ambiguous, default to S3 (advisory) per the false-positive playbook.
Related Skills
kcenon/traceability
development
VerifiedTrustedCommunity
Generate and validate the bidirectional traceability matrix linking requirements, design, code, tests, risk records, and standard clauses. Consumes docs/.index/{manifest,bundles,graph,router}.yaml plus an optional compliance/ directory and produces docs/.index/traceability.yaml (machine-readable) and docs/.index/traceability.md (human-readable). Read-mostly: writes only the two trace artifacts and never mutates source documents. Opt-in — no-op when docs/.index/graph.yaml is absent so non-regulated repos are unaffected.
2SKILL.mdUpdated Jun 9, 2026
kcenon/soup-inventory
development
VerifiedTrustedCommunity
Maintain a SOUP (Software Of Unknown Provenance) register for every third-party software item the project depends on. Discovers candidates from lockfiles (package-lock.json, go.sum, Cargo.lock, requirements.txt, pyproject.toml, pom.xml, packages.lock.json), enriches with human-supplied risk class and verification refs, validates against a license allow-list and the requirements catalogue, and emits a per-supplier report. Outputs docs/.index/soup.yaml plus docs/.index/soup.md. Subcommands: discover | enrich | validate | list | report. Bidirectional linking with traceability via the soup_ids[] field on requirement rows. Opt-in: no-op when no lockfile is detected and docs/.index/soup.yaml is absent. Atomic writes (*.tmp + rename); idempotent (records sorted by id). Implements IEC 62304 sections 5.3.3 (SOUP requirements) and 8.1.1 (configuration items).
2SKILL.mdUpdated Jun 9, 2026
kcenon/sonar-fix
devops
VerifiedTrustedCommunity
Parse sonarcloud[bot] PR comments, classify findings, codify whitelisted auto-fixes, escalate the rest.
2SKILL.mdUpdated Jun 9, 2026
kcenon/risk-control
testing
VerifiedTrustedCommunity
Manage Hazard and Risk records for projects on the regulated-industry track. Maintains a single normalized risk file (docs/.index/risk-file.yaml) holding hazard identification, initial and residual risk estimates, control measures with verification links, and bidirectional Risk<->Requirement linking via the requirements[] field. Subcommands: add | edit | evaluate | validate | list. Output is consumed by the traceability skill (matrix risk_ids[] field) and the evidence-pack skill (risk_file kind). Opt-in: no-op when docs/.index/manifest.yaml is absent so non-regulated repos are unaffected. Atomic writes via *.tmp + rename; idempotent for diffability. Implements ISO 14971 sections 5-9 operationally.
2SKILL.mdUpdated Jun 9, 2026