srstomp/security-audit
plugins/pokayokay/skills/security-audit/SKILL.md
Use when reviewing code security, auditing dependencies for CVEs, checking configuration or secret security, assessing authentication and authorization patterns, identifying OWASP vulnerabilities (injection, XSS, CSRF), or addressing security concerns about implementations.
$ install --global
skillsauthnpx skillsauth add srstomp/pokayokay security-auditInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 27, 2026, 7:05 AM61.6s6 files scanned
SKILL.md
- name:
- security-audit
- agents:
- [yokay-security-scanner]
- description:
- Use when reviewing code security, auditing dependencies for CVEs, checking configuration or secret security, assessing authentication and authorization patterns, identifying OWASP vulnerabilities (injection, XSS, CSRF), or addressing security concerns about implementations.
Security Audit
Systematic security review for application code, dependencies, and configuration.
Not a replacement for professional penetration testing. Identifies common vulnerabilities within scope of code review.
Audit Types
| Type | Focus | When to Use | |------|-------|-------------| | Code Review | OWASP Top 10, injection, auth | New features, PRs, suspicious code | | Dependency | CVEs, outdated packages | Before deploy, periodic, CI/CD | | Configuration | Secrets, permissions, hardening | Infrastructure changes, new envs | | Architecture | Attack surface, data flow | Design phase, major refactors | | API Security | Auth, authz, rate limiting | New endpoints, public APIs |
When NOT to Use
- Designing new auth flows — Use
api-designfor designing OAuth2/JWT endpoints from scratch - Performance issues — Use
performance-optimizationeven if caused by auth overhead - CI/CD pipeline security — Use
ci-cdfor pipeline hardening (secret management, permissions)
Key Principles
- Scope first — Define audit area, depth, and constraints before scanning
- Classify severity — Critical (24-48h), High (1 week), Medium (2-4 weeks), Low (backlog)
- Remediate or track — Fix critical issues immediately, create ohno tasks for the rest
- No secrets in code — Scan for hardcoded credentials, API keys, connection strings
Quick Start Checklist
- Define audit scope and type (code, dependency, config, architecture, API)
- Run automated scans (npm audit, grep patterns, secret detection)
- Review findings and classify severity using decision tree in references
- Remediate critical/high findings immediately
- Create ohno tasks for medium/low findings with appropriate priority
- Document findings in audit report
References
| Reference | Description | |-----------|-------------| | owasp-top-10.md | OWASP vulnerabilities with detection and fixes | | dependency-security.md | npm audit, pip-audit, Snyk, CI/CD integration | | auth-patterns.md | Secure authentication and authorization patterns | | api-security.md | API-specific security concerns | | secrets-management.md | Handling sensitive configuration |
Related Skills
srstomp/worktrees
development
VerifiedTrustedCommunity
Git worktree management for isolated task development
6SKILL.mdUpdated Apr 27, 2026
srstomp/work-session
development
VerifiedTrustedCommunity
Use when starting AI development sessions, resuming interrupted work, managing multi-session projects, or orchestrating work with human checkpoint control (supervised, semi-auto, auto, or unattended modes).
6SKILL.mdUpdated Apr 27, 2026
srstomp/verification-before-completion
testing
VerifiedTrustedCommunity
Use before claiming work is done, fixed, passing, ready to commit, ready to PR, or ready to mark complete. Requires fresh verification evidence and explicit command output before success claims.
6SKILL.mdUpdated Apr 27, 2026
srstomp/testing-strategy
development
VerifiedTrustedCommunity
Use when designing test architecture, building API test suites, validating API contracts, setting up component or E2E testing, managing test data, debugging flaky tests, reviewing coverage strategy, or organizing test files. Covers test pyramid, mocking (MSW), frontend (React Testing Library, Playwright), and CI integration.
6SKILL.mdUpdated Apr 27, 2026