Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

thedecipherist/security-audit

Name: security-audit
Author: thedecipherist

skills/security-audit/SKILL.md

npx skillsauth add thedecipherist/claude-code-mastery security-audit

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

Security Audit Skill

Perform comprehensive security audits on codebases to identify vulnerabilities before they reach production.

When to Use This Skill

User mentions "security", "audit", "vulnerability", "CVE"
Before deployment commands
During PR reviews
User asks about dependencies
Periodic security checks

Audit Checklist

1. Secrets Exposure

Check for hardcoded secrets:

# Search for common secret patterns
grep -rn "API_KEY\|SECRET\|TOKEN\|PASSWORD" --include="*.{js,ts,py,go,rb,java}" .
grep -rn "sk-\|pk_\|api_\|secret_" --include="*.{js,ts,py,go,rb,java}" .

Verify .gitignore:

# Ensure sensitive files are ignored
cat .gitignore | grep -E "\.env|secret|credential|\.pem|\.key"

Check git history for leaked secrets:

# Search recent commits (requires git-secrets or truffleHog)
git log -p --all -S "API_KEY" --since="30 days ago"

✅ Pass criteria:

No hardcoded API keys, tokens, or passwords
.env files in .gitignore
No secrets in git history

2. Dependency Vulnerabilities

Node.js:

npm audit
# or
yarn audit
# or  
pnpm audit

Python:

pip-audit
# or
safety check

Go:

govulncheck ./...

Rust:

cargo audit

✅ Pass criteria:

No critical vulnerabilities
No high vulnerabilities > 30 days old
Dependencies updated within last 90 days

3. Input Validation

Check for:

User inputs sanitized before use
SQL queries use parameterized statements
File paths validated and sandboxed
HTML content escaped before rendering
Command injection prevention

Common vulnerable patterns:

// BAD: SQL injection
db.query(`SELECT * FROM users WHERE id = ${userId}`)

// GOOD: Parameterized query
db.query('SELECT * FROM users WHERE id = ?', [userId])

# BAD: Command injection
os.system(f"convert {user_file}")

# GOOD: Use subprocess with list
subprocess.run(["convert", user_file], check=True)

4. Authentication & Authorization

Check for:

Passwords hashed with bcrypt/argon2 (not MD5/SHA1)
Session tokens are cryptographically random
Sessions expire appropriately
CSRF protection on state-changing endpoints
Rate limiting on auth endpoints
Account lockout after failed attempts

Look for:

// BAD: Weak hashing
crypto.createHash('md5').update(password)

// GOOD: Bcrypt
bcrypt.hash(password, 12)

5. HTTPS & Transport Security

Check for:

HTTPS enforced (HSTS header)
Secure cookie flags (Secure, HttpOnly, SameSite)
No mixed content warnings
TLS 1.2+ required

6. Error Handling

Check for:

Stack traces not exposed in production
Generic error messages for users
Detailed errors only in logs
Sensitive data not in error messages

// BAD: Exposes internals
res.status(500).send({ error: err.stack })

// GOOD: Generic message
res.status(500).send({ error: 'An unexpected error occurred' })

7. File Upload Security

If file uploads exist:

Validate file type server-side (not just extension)
Limit file size
Scan for malware
Store outside webroot
Rename uploaded files

8. API Security

Authentication required on all sensitive endpoints
Authorization checks per resource
Rate limiting implemented
CORS configured restrictively
API versioning in place

Severity Levels

| Level | Description | Action Required | |-------|-------------|-----------------| | 🔴 Critical | Actively exploitable | Block deployment | | 🟠 High | Exploitable with effort | Fix within 7 days | | 🟡 Medium | Requires conditions | Fix within 30 days | | 🟢 Low | Minimal impact | Fix when convenient |

Output Format

## Security Audit Results

**Project:** [name]
**Date:** [date]
**Auditor:** Claude (automated)

### Summary

| Severity | Count |
|----------|-------|
| 🔴 Critical | 0 |
| 🟠 High | 1 |
| 🟡 Medium | 2 |
| 🟢 Low | 3 |

### Findings

#### 1. [🟠 High] Hardcoded API Key

**Location:** `src/config.js:15`
**Description:** API key for payment provider is hardcoded
**Risk:** If source code is leaked, attackers gain API access
**Recommendation:** Move to environment variable

```diff
- const STRIPE_KEY = 'sk_live_abc123...'
+ const STRIPE_KEY = process.env.STRIPE_SECRET_KEY

2. [🟡 Medium] Missing Rate Limiting

Location: src/routes/auth.js Description: Login endpoint has no rate limiting Risk: Enables brute force attacks Recommendation: Add rate limiting middleware

Recommendations

[ ] Fix critical and high issues before next deployment
[ ] Schedule medium issues for next sprint
[ ] Add low issues to backlog
[ ] Re-run audit after fixes


## Commands to Run

After completing the audit, provide the user with:

1. Summary of findings
2. Prioritized fix list
3. Commands to address each issue
4. Timeline recommendation

thedecipherist/security-audit

skills/security-audit/SKILL.md

Audit code and dependencies for security vulnerabilities. Use when reviewing PRs, checking dependencies, preparing for deployment, or when user mentions security, vulnerabilities, or audit.

499 stars

development

Updated Apr 16, 2026

$ install --global

skillsauth

npx skillsauth add thedecipherist/claude-code-mastery security-audit

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: Apr 16, 2026, 3:26 AM8.2s1 file scanned

SKILL.md

name:: security-audit
description:: Audit code and dependencies for security vulnerabilities. Use when reviewing PRs, checking dependencies, preparing for deployment, or when user mentions security, vulnerabilities, or audit.

Security Audit Skill

Perform comprehensive security audits on codebases to identify vulnerabilities before they reach production.

When to Use This Skill

User mentions "security", "audit", "vulnerability", "CVE"
Before deployment commands
During PR reviews
User asks about dependencies
Periodic security checks

Audit Checklist

1. Secrets Exposure

Check for hardcoded secrets:

# Search for common secret patterns
grep -rn "API_KEY\|SECRET\|TOKEN\|PASSWORD" --include="*.{js,ts,py,go,rb,java}" .
grep -rn "sk-\|pk_\|api_\|secret_" --include="*.{js,ts,py,go,rb,java}" .

Verify .gitignore:

# Ensure sensitive files are ignored
cat .gitignore | grep -E "\.env|secret|credential|\.pem|\.key"

Check git history for leaked secrets:

# Search recent commits (requires git-secrets or truffleHog)
git log -p --all -S "API_KEY" --since="30 days ago"

✅ Pass criteria:

No hardcoded API keys, tokens, or passwords
.env files in .gitignore
No secrets in git history

2. Dependency Vulnerabilities

Node.js:

npm audit
# or
yarn audit
# or  
pnpm audit

Python:

pip-audit
# or
safety check

Go:

govulncheck ./...

Rust:

cargo audit

✅ Pass criteria:

No critical vulnerabilities
No high vulnerabilities > 30 days old
Dependencies updated within last 90 days

3. Input Validation

Check for:

User inputs sanitized before use
SQL queries use parameterized statements
File paths validated and sandboxed
HTML content escaped before rendering
Command injection prevention

Common vulnerable patterns:

// BAD: SQL injection
db.query(`SELECT * FROM users WHERE id = ${userId}`)

// GOOD: Parameterized query
db.query('SELECT * FROM users WHERE id = ?', [userId])

# BAD: Command injection
os.system(f"convert {user_file}")

# GOOD: Use subprocess with list
subprocess.run(["convert", user_file], check=True)

4. Authentication & Authorization

Check for:

Passwords hashed with bcrypt/argon2 (not MD5/SHA1)
Session tokens are cryptographically random
Sessions expire appropriately
CSRF protection on state-changing endpoints
Rate limiting on auth endpoints
Account lockout after failed attempts

Look for:

// BAD: Weak hashing
crypto.createHash('md5').update(password)

// GOOD: Bcrypt
bcrypt.hash(password, 12)

5. HTTPS & Transport Security

Check for:

HTTPS enforced (HSTS header)
Secure cookie flags (Secure, HttpOnly, SameSite)
No mixed content warnings
TLS 1.2+ required

6. Error Handling

Check for:

Stack traces not exposed in production
Generic error messages for users
Detailed errors only in logs
Sensitive data not in error messages

// BAD: Exposes internals
res.status(500).send({ error: err.stack })

// GOOD: Generic message
res.status(500).send({ error: 'An unexpected error occurred' })

7. File Upload Security

If file uploads exist:

Validate file type server-side (not just extension)
Limit file size
Scan for malware
Store outside webroot
Rename uploaded files

8. API Security

Authentication required on all sensitive endpoints
Authorization checks per resource
Rate limiting implemented
CORS configured restrictively
API versioning in place

Severity Levels

Output Format

## Security Audit Results

**Project:** [name]
**Date:** [date]
**Auditor:** Claude (automated)

### Summary

| Severity | Count |
|----------|-------|
| 🔴 Critical | 0 |
| 🟠 High | 1 |
| 🟡 Medium | 2 |
| 🟢 Low | 3 |

### Findings

#### 1. [🟠 High] Hardcoded API Key

**Location:** `src/config.js:15`
**Description:** API key for payment provider is hardcoded
**Risk:** If source code is leaked, attackers gain API access
**Recommendation:** Move to environment variable

```diff
- const STRIPE_KEY = 'sk_live_abc123...'
+ const STRIPE_KEY = process.env.STRIPE_SECRET_KEY

2. [🟡 Medium] Missing Rate Limiting

Location: src/routes/auth.js Description: Login endpoint has no rate limiting Risk: Enables brute force attacks Recommendation: Add rate limiting middleware

Recommendations

[ ] Fix critical and high issues before next deployment
[ ] Schedule medium issues for next sprint
[ ] Add low issues to backlog
[ ] Re-run audit after fixes


## Commands to Run

After completing the audit, provide the user with:

1. Summary of findings
2. Prioritized fix list
3. Commands to address each issue
4. Timeline recommendation

Related Skills

thedecipherist/commit-messages

tools

VerifiedTrustedCommunity

Generate clear, conventional commit messages from git diffs. Use when writing commit messages, reviewing staged changes, or preparing releases.

499SKILL.mdUpdated Apr 16, 2026

thedecipherist/commit-messages

openclaw/openclaw-secret-scanning-maintainer

development

VerifiedTrustedCommunity

Maintainer-only workflow for handling GitHub Secret Scanning alerts on OpenClaw. Use when Codex needs to triage, redact, clean up, and resolve secret leakage found in issue comments, issue bodies, PR comments, or other GitHub content.

357,764SKILL.mdUpdated Apr 15, 2026

openclaw/openclaw-secret-scanning-maintainer

openclaw/openclaw-release-maintainer

development

VerifiedTrustedCommunity

Maintainer workflow for OpenClaw releases, prereleases, changelog release notes, and publish validation. Use when Codex needs to prepare or verify stable or beta release steps, align version naming, assemble release notes, check release auth requirements, or validate publish-time commands and artifacts.

357,764SKILL.mdUpdated Apr 10, 2026

openclaw/openclaw-release-maintainer

openclaw/openclaw-qa-testing

development

VerifiedTrustedCommunity

Run, watch, debug, and extend OpenClaw QA testing with qa-lab and qa-channel. Use when Codex needs to execute the repo-backed QA suite, inspect live QA artifacts, debug failing scenarios, add new QA scenarios, or explain the OpenClaw QA workflow. Prefer the live OpenAI lane with regular openai/gpt-5.4 in fast mode; do not use gpt-5.4-pro or gpt-5.4-mini unless the user explicitly overrides that policy.

357,764SKILL.mdUpdated Apr 10, 2026

openclaw/openclaw-qa-testing

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/thedecipherist/claude-code-mastery.git

# Copy into Claude Code skills folder (global)
cp -r claude-code-mastery/skills/security-audit ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

thedecipherist/claude-code-mastery

499 stars

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT