Slash Command

/audit-security

Audit page for security vulnerabilities and best practices

Install

Run in your terminal

npx claudepluginhub standardbeagle/agnt --plugin agnt

Allowed Tools

mcp__agnt__proxymcp__agnt__proxylog

Command Content

Audit the current page for security vulnerabilities using agnt's diagnostic tools.

Steps

Run the security audit:

proxy {action: "exec", id: "dev", code: "__devtool.auditSecurity()"}

Check for JavaScript errors (may indicate security issues):
```
proxylog {proxy_id: "dev", types: ["error"], limit: 20}
```

Capture the page state to review cookies and storage:

proxy {action: "exec", id: "dev", code: "__devtool.captureState()"}

Take a screenshot for documentation:

proxy {action: "exec", id: "dev", code: "__devtool.screenshot('security-audit')"}

What the Audit Checks

Critical Security Issues (Errors)

Issue	Description
`mixed-content`	HTTP resources loaded on HTTPS page (blocks secure content)
`insecure-form`	Form submitting to HTTP URL (credentials exposed)

Security Warnings

Issue	Description
`missing-noopener`	`target="_blank"` links without `rel="noopener"` (tabnabbing risk)
`password-autocomplete`	Password fields with autocomplete enabled

Interpreting Results

The audit returns:

issues: Array of security vulnerabilities found
count: Total number of issues
errors: Critical security issues
warnings: Non-critical security concerns

For mixed content issues, the resources array shows:

type: Resource type (script, stylesheet, image)
url: The insecure HTTP URL

State Capture Review

The captureState() function reveals:

Cookies

Check for HttpOnly flag on sensitive cookies
Verify Secure flag on HTTPS sites
Look for session tokens or sensitive data

Local/Session Storage

Identify what data is stored client-side
Look for tokens, credentials, or PII
Check for sensitive data that should be server-side

Additional Security Checks

// Check Content Security Policy
proxy {action: "exec", id: "dev", code: "document.querySelector('meta[http-equiv=\"Content-Security-Policy\"]')?.content"}

// Find all forms and their actions
proxy {action: "exec", id: "dev", code: "Array.from(document.forms).map(f => ({action: f.action, method: f.method}))"}

// Find all scripts (check for untrusted sources)
proxy {action: "exec", id: "dev", code: "Array.from(document.scripts).map(s => s.src).filter(s => s)"}

// Check for inline event handlers (XSS risk)
proxy {action: "exec", id: "dev", code: "document.querySelectorAll('[onclick], [onerror], [onload]').length"}

Security Best Practices Checklist

Other plugins with /audit-security

/audit-security

Audits PHP projects for OWASP Top 10 and PHP-specific vulnerabilities including injection, XSS, CSRF, auth issues; reports severity, CWE IDs, attack vectors.

opusReadGrepGlob+1

acc

/audit-security

Perform comprehensive security audit of the current project.

larouex-fullstack-builder

/audit-security

Comprehensive security vulnerability scanning and compliance reporting using security specialist

TaskBash(git:*)

cms-cultivator

/audit-security

Audit page for security vulnerabilities and best practices

mcp__agnt__proxymcp__agnt__proxylog

tools

/audit-security

Perform security audit of codebase

dobeutech-claude-code-custom

/audit-security

Security audit (OWASP)

jm-adk

Stats

Parent Repo Stars3

Parent Repo Forks0

Last CommitDec 19, 2025

Actions

View Source View Plugin View on GitHub View README

Audit the current page for security vulnerabilities using agnt's diagnostic tools.

Steps

Run the security audit:

proxy {action: "exec", id: "dev", code: "__devtool.auditSecurity()"}

Check for JavaScript errors (may indicate security issues):
```
proxylog {proxy_id: "dev", types: ["error"], limit: 20}
```

Capture the page state to review cookies and storage:

proxy {action: "exec", id: "dev", code: "__devtool.captureState()"}

Take a screenshot for documentation:

proxy {action: "exec", id: "dev", code: "__devtool.screenshot('security-audit')"}

What the Audit Checks

Critical Security Issues (Errors)

Issue	Description
`mixed-content`	HTTP resources loaded on HTTPS page (blocks secure content)
`insecure-form`	Form submitting to HTTP URL (credentials exposed)

Security Warnings

Issue	Description
`missing-noopener`	`target="_blank"` links without `rel="noopener"` (tabnabbing risk)
`password-autocomplete`	Password fields with autocomplete enabled

Interpreting Results

The audit returns:

issues: Array of security vulnerabilities found
count: Total number of issues
errors: Critical security issues
warnings: Non-critical security concerns

For mixed content issues, the resources array shows:

type: Resource type (script, stylesheet, image)
url: The insecure HTTP URL

State Capture Review

The captureState() function reveals:

Cookies

Check for HttpOnly flag on sensitive cookies
Verify Secure flag on HTTPS sites
Look for session tokens or sensitive data

Local/Session Storage

Identify what data is stored client-side
Look for tokens, credentials, or PII
Check for sensitive data that should be server-side

Additional Security Checks

// Check Content Security Policy
proxy {action: "exec", id: "dev", code: "document.querySelector('meta[http-equiv=\"Content-Security-Policy\"]')?.content"}

// Find all forms and their actions
proxy {action: "exec", id: "dev", code: "Array.from(document.forms).map(f => ({action: f.action, method: f.method}))"}

// Find all scripts (check for untrusted sources)
proxy {action: "exec", id: "dev", code: "Array.from(document.scripts).map(s => s.src).filter(s => s)"}

// Check for inline event handlers (XSS risk)
proxy {action: "exec", id: "dev", code: "document.querySelectorAll('[onclick], [onerror], [onload]').length"}