Stats
Actions
Tags
Help us improve
Share bugs, ideas, or general feedback.
From project
This skill should be used when the user says "security audit", "check for vulnerabilities", "security review", "harden project", "dependency audit", "credential scan", "check for secrets", "scan for secrets", "OWASP review", "security checklist", "audit dependencies", "find vulnerabilities", or wants to review their project for security issues, exposed credentials, or vulnerable dependencies.
npx claudepluginhub neuromechanist/research-skills --plugin projectHow this skill is triggered — by the user, by Claude, or both
Slash command
/project:security-auditThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Systematic security review of a project covering dependency vulnerabilities, credential exposure, common code vulnerabilities, and configuration hardening.
Security audit workflow with dependency scanning, code review checklist, and vulnerability remediation. Covers injection, auth, data protection, and dependency checks.
Runs security audits: dependency vulnerabilities (npm/pnpm/yarn/Ruby/Python), secret scanning, OWASP patterns (eval/innerHTML/SQL inj), auth reviews (CORS/rate limiting/JWT). Harden projects.
Orchestrates parallel agents for security code audits (OWASP/CWE), secrets scanning, and dependency CVE checks on codebases, staged changes, or PRs.
Share bugs, ideas, or general feedback.
Systematic security review of a project covering dependency vulnerabilities, credential exposure, common code vulnerabilities, and configuration hardening.
Check for exposed secrets in the codebase:
# Check for common secret patterns in tracked files
git grep -n -i -E '(api_key|apikey|secret|password|token|credential|private_key)\s*[:=]' -- ':!*.md' ':!*.lock'
# Check for .env files tracked in git
git ls-files | grep -i '\.env'
# Check .gitignore covers sensitive files
for f in .env .env.local credentials.json secrets.yaml; do
git check-ignore "$f" 2>/dev/null || echo "WARNING: $f not in .gitignore"
done
Files that must never be committed:
.env, .env.* (environment variables)credentials.json, service-account.json (cloud credentials)*.pem, *.key (private keys)*.p12, *.pfx (certificates with private keys)Python:
uv run pip-audit
JavaScript/TypeScript:
bun pm audit
# or check with npm for broader database
npm audit --omit=dev
Go:
govulncheck ./...
Review results for:
Scan for common vulnerability patterns:
SQL Injection:
# Look for string interpolation in SQL
grep -rn 'f".*SELECT\|f".*INSERT\|f".*UPDATE\|f".*DELETE' --include='*.py'
grep -rn "format.*SELECT\|format.*INSERT" --include='*.py'
Command Injection:
# Look for shell=True or unsanitized subprocess calls
grep -rn 'shell=True\|os\.system\|subprocess\.call.*shell' --include='*.py'
grep -rn 'exec(\|eval(' --include='*.py' --include='*.js' --include='*.ts'
XSS (Cross-Site Scripting):
# Look for dangerouslySetInnerHTML or unescaped output
grep -rn 'dangerouslySetInnerHTML\|innerHTML\s*=' --include='*.tsx' --include='*.jsx' --include='*.ts' --include='*.js'
Path Traversal:
grep -rn 'open(.*\+\|os\.path\.join.*input\|req\.\(params\|query\|body\)' --include='*.py' --include='*.js'
Review:
* in production)latest)permissions: blockpull_request_target with actions/checkout of PR headPresent findings as a prioritized list:
## Security Audit Results
### Critical (must fix)
1. [CRED] API key found in src/config.py:42 - move to environment variable
2. [DEP] lodash 4.17.20 has prototype pollution (CVE-2021-23337)
### High (fix before release)
3. [CODE] SQL injection risk in src/db.py:88 - use parameterized queries
### Medium (fix within sprint)
4. [CONFIG] CORS allows * origin in production config
### Low (backlog)
5. [STYLE] Error responses include stack traces in non-debug mode
### Passed
- [x] No .env files in git
- [x] Docker runs as non-root
- [x] Dependencies up to date