Audit access control implementations for security vulnerabilities and misconfigurations. Use when reviewing authentication and authorization. Trigger with 'audit access control', 'check permissions', or 'validate authorization'.
```shell
npx claudepluginhub flight505/skill-forge --plugin access-control-auditor
```

This skill is limited to using the following tools:
Audit access control implementations across codebases, cloud configurations, and application layers for security vulnerabilities and policy violations. This skill targets IAM policies, ACLs, RBAC configurations, file permissions, and API authorization logic to identify privilege escalation paths, overly permissive grants, and violations of the principle of least privilege.
- grep, find, and standard shell utilities available via Bash
- aws iam, gcloud, or az role installed and authenticated
- ${CLAUDE_SKILL_DIR}/references/README.md for IAM best practices, ACL vulnerability patterns, and NIST/GDPR access control standards
- .htaccess or equivalent files using Glob and Grep
- ... \*), overly broad resource scopes, or administrative access granted to non-admin roles.

| Error | Cause | Solution |
|---|---|---|
| Permission denied reading config files | Insufficient filesystem access | Run with elevated permissions or request read access to the target directory |
| IAM CLI command not found | Cloud CLI tools not installed | Install aws-cli, gcloud, or az and authenticate before running cloud audits |
| Empty role/permission scan results | Incorrect glob patterns for the framework | Adjust search patterns to match the target framework (e.g., @Roles() for NestJS, [Authorize] for .NET) |
| Timeout scanning large codebases | Too many files in scope | Narrow the scan scope with --exclude patterns for node_modules, vendor, or dist directories |
| Inconsistent policy format | Mixed IAM policy versions or formats | Normalize policies to a single format before analysis; flag format inconsistencies in the report |
Scan route definitions in ${CLAUDE_SKILL_DIR}/src/routes/ for missing authorization middleware. Grep for router.post, router.put, router.delete and verify each has a corresponding authMiddleware or requireRole() call. Flag any state-changing endpoint lacking authorization as CWE-862 (Missing Authorization), severity high.
Parse all JSON policy files in ${CLAUDE_SKILL_DIR}/infra/iam/. Flag policies containing "Effect": "Allow" with "Resource": "*" or "Action": "*" as CWE-269 (Improper Privilege Management), severity critical. Recommend scoping to specific ARNs and actions per the principle of least privilege.
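As an added example that is not part of this skill or its repository, a Python check implementing the IAM policy rule above: it walks a directory of JSON policy files, normalizes the string-or-list fields IAM permits, and flags Allow statements with a bare `*` Action or Resource as CWE-269. It also treats Allow combined with NotAction/NotResource as a wildcard grant (an assumption that goes beyond the rule stated here) and reports unparseable files as findings rather than crashing; the SAMPLES policies are constructed for the demo.

```python
import json
from pathlib import Path

def _as_list(value):
    # IAM lets Statement, Action and Resource be a string or a list; normalize to a list
    return [] if value is None else value if isinstance(value, list) else [value]

def audit_policy(policy, source="<inline>"):
    """One finding per Allow statement whose Action or Resource is the bare wildcard "*"."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if not isinstance(stmt, dict) or stmt.get("Effect") != "Allow":
            continue  # Deny statements narrow access; only Allow grants are in scope
        reasons = []
        if "*" in _as_list(stmt.get("Action")):
            reasons.append('"Action": "*"')
        if "*" in _as_list(stmt.get("Resource")):
            reasons.append('"Resource": "*"')
        # Assumption: Allow with NotAction/NotResource grants everything not listed, so flag it as well
        reasons += [f'Allow with "{k}"' for k in ("NotAction", "NotResource") if k in stmt]
        if reasons:
            findings.append({"source": source, "statement": idx, "sid": stmt.get("Sid"), "cwe": "CWE-269",
                             "severity": "critical", "reason": "; ".join(reasons),
                             "fix": "Scope Action to the needed operations and Resource to specific ARNs"})
    return findings

def audit_policy_text(text, source="<inline>"):
    """Parse one policy document; unparseable input becomes an 'info' finding instead of a crash."""
    try:
        return audit_policy(json.loads(text), source)
    except (json.JSONDecodeError, AttributeError) as exc:
        return [{"source": source, "severity": "info", "reason": f"unparseable policy: {exc}"}]

def audit_directory(path):
    """Audit every *.json policy file under path (for example infra/iam/)."""
    findings = []
    for file in sorted(Path(path).rglob("*.json")):
        findings.extend(audit_policy_text(file.read_text(), str(file)))
    return findings

# Constructed sample policies (not from any real account) covering string vs list fields and a Deny
SAMPLES = {
    "admin.json": '{"Version":"2012-10-17","Statement":[{"Sid":"AllowAll","Effect":"Allow","Action":"*","Resource":"*"}]}',
    "reader.json": '{"Version":"2012-10-17","Statement":{"Effect":"Allow","Action":["s3:GetObject"],"Resource":"arn:aws:s3:::example-bucket/*"}}',
    "reader-any.json": '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["s3:GetObject"],"Resource":["*"]},{"Effect":"Deny","Action":"*","Resource":"*"}]}',
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        for f in audit_policy_text(text, name):
            print(f"{f['severity'].upper()} {f['source']} statement {f.get('statement')}: {f['reason']}")
```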
Analyze role definitions in ${CLAUDE_SKILL_DIR}/config/roles.yaml. Build a permission matrix, identify roles with overlapping admin-level privileges, and flag any role that can both create and approve its own resources as a separation-of-duties violation (NIST AC-5), severity medium.