From predicate
Runs a phased, risk-centric security assessment of source code. Useful when auditing for SQL injection, access control flaws, or buffer overflows using taint analysis and trust models.
How this skill is triggered — by the user, by Claude, or both
Slash command
/predicate:security-audit
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
A structured, risk-centric framework for software security assessment. Designed for iterative human engagement with explicit checkpoints at each phase.
Adversarial path anchor. This lens is invoked on the Verification Dual's adversarial path (rules.md §2 Invariant 1): when no deterministic evaluator can close a security-correctness condition, context-free agents using this protocol supply the decorrelated review. See skills/refine/SKILL.md AUDIT §"Sibling Skills Consultation" for the wiring point.
Core Principle: The goal is not to maximize bug count, but to identify business risk, architectural flaws, and exploitable logic errors.
Before beginning, internalize these cognitive framings:
Risk > Findings: A bug is only a finding if it poses risk to business logic or data integrity. Context determines severity.
Adversarial Mindset: Analyze every input, endpoint, and public function assuming a capable adversary is attempting to subvert the system.
Taint Analysis Model: For every potential vulnerability, trace the path attacker-controlled data takes from where it enters the program to where it is consumed:
- Sink: the dangerous consumer of that data (eval(), HTML render, shell)
Assurance Spectrum:
Objective: Define boundaries and establish the security context before analyzing code.
Inventory the dependency manifests (package.json, Cargo.toml, go.mod, requirements.txt).
Establish the security context before analyzing code. Identify and document:
Checkpoint: Present scope and trust model. Await user approval before proceeding.
Objective: Establish security baseline through breadth-first automated analysis.
Search for high-entropy strings and credential patterns:
- Cloud credential names and prefixes (AWS_ACCESS_KEY, AZURE_, GCP_)
- Token-bearing headers (Bearer , Authorization:)
- PEM key material (-----BEGIN)
Search for risky function calls:
| Language | Dangerous Patterns |
|---|---|
| Python | eval(), exec(), subprocess.call(shell=True), os.system() |
| JavaScript | eval(), Function(), innerHTML, dangerouslySetInnerHTML |
| Go | os/exec without validation, template.HTML() |
| Rust | unsafe, .unwrap() in library paths, raw pointer manipulation |
| C/C++ | strcpy, sprintf, gets, system(), raw malloc |
| SQL | String concatenation in queries, missing parameterization |
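The credential search above, as an added example (not code from the page or from the predicate skill): regex patterns for the listed indicators plus a Shannon-entropy pass for opaque base64-alphabet strings. The regexes, the 24-character minimum token length and the 4.2 bits/char threshold are this example's own assumptions; the sample input is constructed and uses the placeholder key values from AWS documentation.

```python
import math
import re
from collections import Counter

# Credential patterns from the Phase 1 list. The regexes are this example's
# assumptions; AKIA + 16 characters is the documented AWS access key ID shape.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "env_credential": re.compile(r"\b(?:AWS_[A-Z_]*KEY[A-Z_]*|AZURE_[A-Z_]+|GCP_[A-Z_]+)\s*[=:]"),
    "bearer_token": re.compile(r"\bBearer\s+[A-Za-z0-9\-._~+/]+=*"),
    "authorization_header": re.compile(r"\bAuthorization:\s*\S+"),
    "private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}

# High-entropy search: base64-alphabet runs of at least 24 characters whose
# Shannon entropy exceeds 4.2 bits/char. Both numbers are assumed thresholds;
# a hex digest tops out at exactly 4.0 bits/char, so hashes stay below the bar.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/]{24,}")
ENTROPY_THRESHOLD = 4.2


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_line(line: str) -> list[str]:
    """Sorted, de-duplicated kinds of credential indicator found on one line."""
    kinds = {name for name, rx in PATTERNS.items() if rx.search(line)}
    if any(shannon_entropy(tok) > ENTROPY_THRESHOLD for tok in TOKEN_RE.findall(line)):
        kinds.add("high_entropy")
    return sorted(kinds)


def scan_text(text: str) -> dict[int, list[str]]:
    """Map 1-based line numbers to the kinds found there (lines with hits only)."""
    hits = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        kinds = scan_line(line)
        if kinds:
            hits[lineno] = kinds
    return hits


# Constructed sample: a fake .env / config excerpt. The AWS values are the
# placeholder examples from AWS documentation, not live credentials.
SAMPLE = """\
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyIn0.c2lnbmF0dXJl
-----BEGIN RSA PRIVATE KEY-----
GCP_PROJECT=demo-project
version = "1.2.3"
checksum = "0123456789abcdef0123456789abcdef"
"""

if __name__ == "__main__":
    for lineno, kinds in scan_text(SAMPLE).items():
        print(f"line {lineno}: {', '.join(kinds)}")
```

Line 5 (GCP_PROJECT) shows why the prefix patterns are only a baseline: a project identifier is not a secret, and the hit belongs in the report's False Positives section after triage, not in Findings. The hex checksum on line 7 is deliberately not flagged; hex has a smaller alphabet than base64, so a scanner that needs to catch hex secrets wants a separate, lower threshold for hex-only tokens.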
Check configuration hardening:
- Debug mode and development endpoints disabled (DEBUG=False, no dev endpoints)
- Network bind addresses (0.0.0.0 in production)
Checkpoint: Present baseline findings. Await acknowledgment before deep review.
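The dangerous-call search for Python in the table above, combined with the Taint Analysis Model from the framings section, as an added example (not code from the page or from the predicate skill): an intra-procedural, flow-sensitive taint check over the Python AST. It reports a sink only once, and marks it FAIL only when attacker data reaches it, which is the "Risk > Findings" distinction: eval() on a constant is a note, eval() on sys.argv is a finding. The source list (input(), request.args.get, request.form.get, sys.argv) is this example's assumption, as is the constructed sample module.

```python
import ast
from dataclasses import dataclass

# Assumed source list: calls or values that yield attacker-controlled data.
SOURCES = {"input", "request.args.get", "request.form.get", "sys.argv"}
# Sinks from the Python row of the dangerous-patterns table.
SINKS = {"eval", "exec", "os.system", "subprocess.call", "subprocess.run", "subprocess.Popen"}


@dataclass
class Finding:
    line: int
    sink: str
    tainted: bool  # True: attacker data reaches the sink (FAIL); False: sink with clean input (note)


def dotted_name(node):
    """'os.system' for Name/Attribute chains; None for anything else."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def is_tainted(expr, tainted):
    """True if expr reads a tainted variable or calls/indexes a source."""
    for sub in ast.walk(expr):
        if isinstance(sub, ast.Name) and sub.id in tainted:
            return True
        if isinstance(sub, ast.Call) and dotted_name(sub.func) in SOURCES:
            return True
        if isinstance(sub, ast.Subscript) and dotted_name(sub.value) in SOURCES:
            return True  # e.g. sys.argv[1]
    return False


def shell_true(call):
    """subprocess.* is only a shell sink when called with shell=True."""
    return any(k.arg == "shell" and isinstance(k.value, ast.Constant) and k.value.value is True
               for k in call.keywords)


def own_expressions(stmt):
    """Expressions belonging to stmt itself, excluding nested statement bodies."""
    if isinstance(stmt, (ast.Expr, ast.Assign, ast.AugAssign, ast.AnnAssign, ast.Return)):
        return [stmt.value] if stmt.value is not None else []
    if isinstance(stmt, (ast.If, ast.While)):
        return [stmt.test]
    if isinstance(stmt, ast.For):
        return [stmt.iter]
    return []


def statements_in_order(body):
    """Yield statements in source order, descending into compound-statement bodies."""
    for stmt in body:
        yield stmt
        for field in ("body", "orelse", "finalbody"):
            inner = getattr(stmt, field, None)
            if isinstance(inner, list):
                yield from statements_in_order(inner)


def audit_source(src):
    """Flow-sensitive taint check over each top-level function of a module."""
    findings = []
    for func in ast.parse(src).body:
        if not isinstance(func, ast.FunctionDef):
            continue
        tainted = set()
        for stmt in statements_in_order(func.body):
            # 1. Sink check against the taint state *before* this statement runs.
            for expr in own_expressions(stmt):
                for call in ast.walk(expr):
                    if not isinstance(call, ast.Call):
                        continue
                    name = dotted_name(call.func)
                    if name not in SINKS or (name.startswith("subprocess.") and not shell_true(call)):
                        continue
                    args = list(call.args) + [k.value for k in call.keywords]
                    findings.append(Finding(call.lineno, name, any(is_tainted(a, tainted) for a in args)))
            # 2. Propagate taint through simple assignments; a clean reassignment clears it.
            if isinstance(stmt, ast.Assign):
                names = [t.id for t in stmt.targets if isinstance(t, ast.Name)]
                if is_tainted(stmt.value, tainted):
                    tainted.update(names)
                else:
                    tainted.difference_update(names)
    return findings


# Constructed sample module under audit (a string, never executed).
SAMPLE = '''
import os, subprocess, sys

def run_report(request):
    name = request.args.get("name")      # source: query parameter
    os.system("report --user " + name)   # tainted shell sink

def show_version():
    eval("1 + 1")                        # sink, but constant input

def cli():
    target = sys.argv[1]                 # source: command line
    eval(target)                         # tainted eval sink

def safe_list(request):
    name = request.args.get("name")
    subprocess.call(["ls", name])        # argv list, no shell=True: not reported

def disk_usage(request):
    path = request.args.get("path")
    path = "/var/app/tmp"                # clean reassignment clears taint
    os.system("du -sh " + path)          # sink with clean input
'''

if __name__ == "__main__":
    for f in audit_source(SAMPLE):
        print(f"line {f.line}: {f.sink} -> {'FAIL' if f.tainted else 'note'}")
```

The check is deliberately intra-procedural and ignores sanitisers, branches that merge state, and data passed through function parameters, so a clean result from it is a baseline, not a verdict; those gaps are what the manual deep-review phase exists to close.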
Objective: Deep analysis of logic, access control, and architectural patterns that tools miss.
Coherence Strategy: Analyze ONE component at a time. Present findings. Await acknowledgment before proceeding.
IDOR Trace Pattern:
API Endpoint → Extract resource_id from request
→ Verify current_user owns/can_access resource_id
→ If not verified: VULNERABILITY
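The IDOR trace pattern above, as an added example (not code from the page or from the predicate skill): a handler that looks up resource_id without an ownership check next to its hardened form, plus a small probe that runs the pattern dynamically by calling the handler as a user who does not own the resource. The in-memory store, the User and Invoice types and the "owner or admin" rule are this example's assumptions.

```python
from dataclasses import dataclass


class AccessDenied(Exception):
    """Raised when the caller may not access the requested resource."""


@dataclass(frozen=True)
class User:
    id: int
    is_admin: bool = False


@dataclass(frozen=True)
class Invoice:
    id: int
    owner_id: int
    total: int


# Constructed in-memory store standing in for a database table.
INVOICES = {
    1: Invoice(id=1, owner_id=100, total=250),
    2: Invoice(id=2, owner_id=200, total=990),
}


def fetch_invoice_vulnerable(current_user: User, invoice_id: int) -> Invoice:
    """Before: resource_id from the request is looked up directly, so any
    authenticated user can read any invoice by changing the id."""
    return INVOICES[invoice_id]


def can_access(current_user: User, invoice: Invoice) -> bool:
    """Ownership rule (assumed): the owner, or an admin, may read the invoice."""
    return current_user.is_admin or invoice.owner_id == current_user.id


def fetch_invoice(current_user: User, invoice_id: int) -> Invoice:
    """After: the ownership check sits between lookup and response. Missing and
    forbidden raise the same error so a caller cannot enumerate which ids exist."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None or not can_access(current_user, invoice):
        raise AccessDenied(f"invoice {invoice_id}")
    return invoice


def idor_probe(handler, non_owner: User, foreign_id: int) -> str:
    """The trace pattern, executed: call the handler as a user who does not own
    foreign_id (which must exist). Getting the resource back means the
    ownership step is missing."""
    try:
        handler(non_owner, foreign_id)
    except AccessDenied:
        return "OK"
    return "VULNERABILITY"


if __name__ == "__main__":
    alice = User(id=100)
    print("vulnerable handler:", idor_probe(fetch_invoice_vulnerable, alice, 2))
    print("fixed handler:     ", idor_probe(fetch_invoice, alice, 2))
```

Keeping can_access as a single function is the architectural point: every handler that touches an invoice calls the same rule, so the audit question becomes "does each endpoint call it?" rather than "is each endpoint's inline check correct?".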
- Path traversal (../ exploitation)
- Unsafe deserialization (pickle, yaml.load() on user input)
Apply state machine analysis:
For each component, produce:
## Audit: [Component Name]
### Attack Surface
- Entry points: [list]
- Data handled: [list]
### Findings
| Category | Rating | Notes |
|:---------|:-------|:------|
| AuthN/AuthZ | PASS/WARN/FAIL | — |
| Input Validation | PASS/WARN/FAIL | — |
| Crypto | N/A/PASS/WARN/FAIL | — |
| Error Handling | PASS/WARN/FAIL | — |
### Vulnerabilities
1. **[SEVERITY]** Brief description — Location
### Questions for User
1. [Clarifying question if needed]
Checkpoint: Present findings for this component. Await acknowledgment before next component.
Trigger: Apply ONLY to crown jewels—smart contracts, cryptographic primitives, safety-critical logic.
Define mathematical properties that must always hold, for example:
- total_supply == sum(all_balances)
- user_balance >= 0
- session.expires_at > now() implies session.valid
Checkpoint: Present formal verification scope and findings.
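The first two ledger properties above, as an added example (not code from the page or from the predicate skill): the invariants written as predicates over state, a toy ledger whose transfer lacks the balance check beside the fixed one, and a seeded random-sequence check that reports the first state violating any invariant. This is a property check, an executable stand-in for the stated properties, not a proof; the Ledger class, its accounts and the operation mix are this example's assumptions.

```python
import random


class Ledger:
    """Toy token ledger. total_supply is tracked separately from balances so the
    invariant total_supply == sum(all_balances) is a genuine cross-check."""
    CHECK_BALANCE = True  # the fix: refuse transfers that exceed the sender's balance

    def __init__(self):
        self.balances = {}
        self.total_supply = 0

    def mint(self, account, amount):
        self.balances[account] = self.balances.get(account, 0) + amount
        self.total_supply += amount

    def transfer(self, src, dst, amount):
        if amount <= 0:
            raise ValueError("amount must be positive")
        if self.CHECK_BALANCE and self.balances.get(src, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[src] = self.balances.get(src, 0) - amount
        self.balances[dst] = self.balances.get(dst, 0) + amount


class VulnerableLedger(Ledger):
    """Before: no balance check, so a transfer can drive a balance negative."""
    CHECK_BALANCE = False


# The properties from the text, as predicates over ledger state.
INVARIANTS = {
    "total_supply == sum(all_balances)": lambda l: l.total_supply == sum(l.balances.values()),
    "user_balance >= 0": lambda l: all(b >= 0 for b in l.balances.values()),
}


def violated(ledger):
    """Names of the invariants that do not hold in this state."""
    return [name for name, pred in INVARIANTS.items() if not pred(ledger)]


def fuzz(ledger_cls, ops=200, seed=1):
    """Apply a seeded random transfer sequence; return (op_index, violated_names)
    at the first broken invariant, or None if every reached state satisfied all."""
    rng = random.Random(seed)
    ledger = ledger_cls()
    accounts = ["alice", "bob", "carol"]
    for a in accounts:
        ledger.mint(a, 50)
    for i in range(ops):
        src, dst = rng.sample(accounts, 2)
        try:
            ledger.transfer(src, dst, rng.randint(1, 100))
        except ValueError:
            continue  # a rejected transfer must leave state untouched
        broken = violated(ledger)
        if broken:
            return i, broken
    return None


if __name__ == "__main__":
    print("hardened ledger:  ", fuzz(Ledger))
    print("vulnerable ledger:", fuzz(VulnerableLedger))
```

Note that the supply invariant still holds in the vulnerable ledger (the negative balance is offset by the recipient's credit), which is why the property set needs both: a single aggregate check would pass a broken contract.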
Objective: Produce actionable, prioritized findings.
| Level | Definition | Example |
|---|---|---|
| Critical | Immediate exploitation possible; complete compromise | RCE, auth bypass, SQLi with admin access |
| High | Significant impact; exploitation requires minimal effort | Stored XSS, privilege escalation, IDOR on sensitive data |
| Medium | Moderate impact or requires specific conditions | CSRF, information disclosure, weak crypto |
| Low | Minor impact; defense in depth issue | Missing headers, verbose errors, weak rate limiting |
# Security Audit Report: [Project Name]
## Executive Summary
- **Overall Risk:** [Critical / High / Medium / Low]
- **Summary:** [3-4 sentences, non-technical]
- **Priority Action:** [Single most important fix]
## Threat Model
- **Attack Surface:** [Entry points]
- **Crown Jewels:** [What's at risk]
- **Trust Boundaries:** [Where validation is critical]
## Findings
### [ID-001] [Vulnerability Name]
- **Severity:** Critical/High/Medium/Low
- **Location:** `file:line`
- **Description:** [Technical explanation]
- **Impact:** [Business consequence]
- **Proof of Concept:**
> [Steps or payload to trigger]
- **Remediation:**
  - _Root Cause:_ [Why this happened]
  - _Fix:_ [Specific code change]
### [ID-002] ... (repeat)
## False Positives
- [Pattern investigated, determined safe, explanation]
## Recommendations (Systemic)
1. [Process or architectural improvement]
Cross-reference all findings against these controls:
During Phase 0 (Scope), identify the tech stack and leverage the appropriate section of the unified security-audit skill (skills/security-audit/SKILL.md). These provide specialized checklists and vulnerability patterns.
Apply Web3 section if:
Apply Embedded section if:
Apply Web section if:
Note: Multiple sections may apply. A Web3 project with a backend API might require auditing against both the Web3 and Web sections of the security-audit skill.
This protocol enforces iterative human engagement. Never skip checkpoints. If findings accumulate beyond trackable scope, pause and summarize before continuing.
The goal is not a comprehensive bug list, but accurate risk assessment that enables informed remediation decisions.
This section provides domain-specific security checklists and threat models to guide code audits across different platforms, referencing the target stack identified in Phase 0.
Web checklist:
- Database queries parameterized; no raw query escape hatches (.raw() with unvalidated user input).
- Unsafe DOM sinks (.innerHTML, dangerouslySetInnerHTML) are avoided.
- File paths canonicalized (realpath) to prevent directory traversal (../).
- Passwords hashed with argon2, bcrypt, or scrypt. Plaintext passwords never stored or logged.
- Session cookies carry the HttpOnly, Secure, and SameSite flags; sessions invalidated on logout.
- Outbound requests (SSRF): scheme restricted to http/https, internal IP ranges blocked, DNS rebinding prevented, and redirects limited.
- Wildcard (*) origin prohibited on credentialed endpoints.
Embedded checklist:
- Unsafe string functions (strcpy, sprintf, gets) replaced with safe alternatives (strncpy, snprintf, fgets); stack protection enabled.
- Pointers cleared after free(); no dangling references to stack variables.
Web3 checklist:
- External calls protected with ReentrancyGuard / nonReentrant modifiers.
- Arithmetic overflow prevented (checked arithmetic or the SafeMath library); bounds checks on user inputs.
You can run automated checks using the script located in scripts/run_audit.py. It automatically detects project files in the target path and runs the corresponding security audit tools (providing setup commands for missing tools):
- Python: bandit.
- Solidity: slither.
- Rust: cargo clippy (denying warnings) and cargo audit.
- Go: govulncheck.
- JavaScript/TypeScript: npm audit, yarn audit, or pnpm audit.
python3 skills/security-audit/scripts/run_audit.py <path-to-audit-target>
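The realpath item of the Web checklist above, as an added example (not code from the page or from the predicate skill): a safe_join that resolves the user-supplied path inside the base directory and judges it by where it actually lands, so ../ sequences, absolute paths and symlinks that point above the base are all rejected by the same check. The directory layout it builds in a temporary folder is constructed for the demonstration; the symlink case needs a POSIX filesystem.

```python
import os
import tempfile


class PathTraversal(Exception):
    """Raised when a user-supplied path would resolve outside the base directory."""


def safe_join(base_dir: str, user_path: str) -> str:
    """Resolve user_path inside base_dir, refusing anything that escapes it.
    Canonicalising both sides with realpath means '..', symlinks and absolute
    paths are judged by their real target rather than by their spelling."""
    if "\x00" in user_path:
        raise PathTraversal("NUL byte in path")
    if os.path.isabs(user_path):
        # os.path.join silently discards base_dir for an absolute second operand.
        raise PathTraversal("absolute path not allowed")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))
    # Both are absolute; commonpath equal to base means candidate is inside it.
    if os.path.commonpath([base, candidate]) != base:
        raise PathTraversal(f"{user_path!r} resolves outside {base_dir!r}")
    return candidate


def allowed(base_dir: str, user_path: str) -> bool:
    """Boolean form of safe_join for audit tables and tests."""
    try:
        safe_join(base_dir, user_path)
        return True
    except PathTraversal:
        return False


def make_fixture():
    """Constructed layout: root/uploads/reports/q1.pdf plus root/uploads/escape,
    a symlink back to root, the case a purely lexical '..' check misses."""
    root = tempfile.mkdtemp()
    base = os.path.join(root, "uploads")
    os.makedirs(os.path.join(base, "reports"))
    with open(os.path.join(base, "reports", "q1.pdf"), "w") as f:
        f.write("constructed sample file")
    os.symlink(root, os.path.join(base, "escape"))
    return root, base


if __name__ == "__main__":
    _, base = make_fixture()
    for p in ["reports/q1.pdf", "reports/../reports/q1.pdf", "../secret.txt",
              "reports/../../secret.txt", "/etc/passwd", "escape/secret.txt"]:
        print(f"{p!r:32} -> {'allowed' if allowed(base, p) else 'rejected'}")
```

Because the decision is made on the resolved path, "escape/uploads/reports/q1.pdf" is accepted: it walks out through the symlink and back into the base, which is exactly the behaviour the checklist asks for (judge the destination, not the route). Compare the rejected "reports/../../secret.txt", which a normpath-only check would also catch, with "escape/secret.txt", which only realpath catches.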
npx claudepluginhub nrdxp/predicate --plugin predicate