Skill

security-audit

Invoke when the user wants a security review — OWASP Top 10, STRIDE threat modeling, credential handling, injection, secrets, sensitive data handling. Triggers on "security", "auth", "authentication", "credential", "password", "secret", "API key", "token", "OWASP", "STRIDE", "CVE", "vulnerability", "injection", "XSS", "CSRF", "SSRF", "SQL injection", "hardcoded secret", "sensitive data", "leak", "will my API key leak", "is this safe".

Install

npx claudepluginhub curdx/curdx-flow --plugin curdx-flow

Tool Access

This skill is limited to using the following tools:

ReadGrepGlobBashWebSearch

Preview

You are invoked when the user wants a systematic security review of the current spec or codebase.

SKILL.md

Similar Skills

design-system

Generates design tokens/docs from CSS/Tailwind/styled-components codebases, audits visual consistency across 10 dimensions, detects AI slop in UI.

team-skills-platform

163.7k

ui-demo

Records polished WebM UI demo videos of web apps using Playwright with cursor overlay, natural pacing, and three-phase scripting. Activates for demo, walkthrough, screen recording, or tutorial requests.

team-skills-platform

163.7k

kotlin-patterns

Delivers idiomatic Kotlin patterns for null safety, immutability, sealed classes, coroutines, Flows, extensions, DSL builders, and Gradle DSL. Use when writing, reviewing, refactoring, or designing Kotlin code.

team-skills-platform

163.7k

Stats

Stars0

Forks0

Last CommitApr 22, 2026

Actions

View Source View Plugin View on GitHub View README

Security Audit

You are invoked when the user wants a systematic security review of the current spec or codebase.

Preconditions

The code or spec under review is reachable from the current working directory.
The user has identified the scope (current spec, specific module, or whole repo).

Workflow

Step 1: Clarify audit scope

Confirm:

Scope (current spec / specific paths / whole repo)
Depth (OWASP-only / OWASP + STRIDE / + dependency CVE scan)
Risk tolerance (block on any SR / only block on SR with POC / advisory only)

Step 2: Dispatch `flow-security-auditor`

Delegate to the flow-security-auditor agent. It will:

Scan for hardcoded secrets, weak crypto, unsanitized inputs
Apply OWASP Top 10 (A01 Broken Access Control → A10 SSRF)
Apply STRIDE threat modeling (Spoofing, Tampering, Repudiation, Information disclosure, DoS, Elevation)
Run dependency CVE scan (npm audit / equivalent)
Produce a findings report with severity labels (SR = Blocking Red line, SW = Warning, SM = Mandatory-to-address)

Step 3: Write security report

Output .flow/specs/<active>/security-audit.md containing:

SR (blocking) — must fix before ship
SW (warning) — should fix, won't block
SM (mandatory) — baseline items that must be present
CVE hits — direct / transitive dependencies with known vulns
Recommended fixes — concrete patches, not generic advice

Step 4: Enforce gate

Apply the security-gate (@${CLAUDE_PLUGIN_ROOT}/gates/security-gate.md) — if any SR findings exist, block completion until remediated or explicitly waived with a D-NN decision in STATE.md.

References

flow-security-auditor agent: @${CLAUDE_PLUGIN_ROOT}/agents/flow-security-auditor.md
security-gate: @${CLAUDE_PLUGIN_ROOT}/gates/security-gate.md

security-audit

Install

Tool Access

Preview

SKILL.md

Similar Skills

security-audit

Install

Tool Access

Preview

SKILL.md

Security Audit

Preconditions

Workflow

Step 1: Clarify audit scope

Step 2: Dispatch flow-security-auditor

Step 3: Write security report

Step 4: Enforce gate

References

Similar Skills

Security Audit

Preconditions

Workflow

Step 1: Clarify audit scope

Step 2: Dispatch flow-security-auditor

Step 3: Write security report

Step 4: Enforce gate

References

Step 2: Dispatch `flow-security-auditor`

Step 2: Dispatch `flow-security-auditor`