Skill

security-audit

Use when reviewing code security, auditing dependencies for CVEs, checking configuration or secret security, assessing authentication and authorization patterns, identifying OWASP vulnerabilities (injection, XSS, CSRF), or addressing security concerns about implementations.

Install

npx claudepluginhub srstomp/pokayokay --plugin pokayokay

Tool Access

This skill uses the workspace's default tool permissions.

Preview

Systematic security review for application code, dependencies, and configuration.

Supporting Assets

references/api-security.mdreferences/auth-patterns.mdreferences/dependency-security.mdreferences/owasp-top-10.mdreferences/secrets-management.md

SKILL.md

Similar Skills

kotlin-ktor-patterns

Provides Ktor server patterns for routing DSL, plugins (auth, CORS, serialization), Koin DI, WebSockets, services, and testApplication testing.

everything-claude-code

163.2k

deep-research

Conducts multi-source web research with firecrawl and exa MCPs: searches, scrapes pages, synthesizes cited reports. For deep dives, competitive analysis, tech evaluations, or due diligence.

everything-claude-code

163.2k

inventory-demand-planning

Provides demand forecasting, safety stock optimization, replenishment planning, and promotional lift estimation for multi-location retailers managing 300-800 SKUs.

everything-claude-code

163.2k

Stats

Parent Repo Stars4

Parent Repo Forks0

Last CommitFeb 8, 2026

Actions

View Source View Plugin View on GitHub View README

Security Audit

Systematic security review for application code, dependencies, and configuration.

Not a replacement for professional penetration testing. Identifies common vulnerabilities within scope of code review.

Audit Types

Type

Focus

When to Use

Code Review

OWASP Top 10, injection, auth

New features, PRs, suspicious code

Dependency

CVEs, outdated packages

Before deploy, periodic, CI/CD

Configuration

Secrets, permissions, hardening

Infrastructure changes, new envs

Architecture

Attack surface, data flow

Design phase, major refactors

API Security

Auth, authz, rate limiting

New endpoints, public APIs

When NOT to Use

Designing new auth flows — Use api-design for designing OAuth2/JWT endpoints from scratch

Performance issues — Use performance-optimization even if caused by auth overhead

CI/CD pipeline security — Use ci-cd for pipeline hardening (secret management, permissions)

Key Principles

Scope first — Define audit area, depth, and constraints before scanning

Classify severity — Critical (24-48h), High (1 week), Medium (2-4 weeks), Low (backlog)

Remediate or track — Fix critical issues immediately, create ohno tasks for the rest

No secrets in code — Scan for hardcoded credentials, API keys, connection strings

Quick Start Checklist

Define audit scope and type (code, dependency, config, architecture, API)

Run automated scans (npm audit, grep patterns, secret detection)

Review findings and classify severity using decision tree in references

Remediate critical/high findings immediately

Create ohno tasks for medium/low findings with appropriate priority

Document findings in audit report

References

Reference

Description

owasp-top-10.md

OWASP vulnerabilities with detection and fixes

dependency-security.md

npm audit, pip-audit, Snyk, CI/CD integration

auth-patterns.md

Secure authentication and authorization patterns

api-security.md

API-specific security concerns

secrets-management.md

Handling sensitive configuration

Security Audit

Systematic security review for application code, dependencies, and configuration.

Not a replacement for professional penetration testing. Identifies common vulnerabilities within scope of code review.

Audit Types

Type	Focus	When to Use
Code Review	OWASP Top 10, injection, auth	New features, PRs, suspicious code
Dependency	CVEs, outdated packages	Before deploy, periodic, CI/CD
Configuration	Secrets, permissions, hardening	Infrastructure changes, new envs
Architecture	Attack surface, data flow	Design phase, major refactors
API Security	Auth, authz, rate limiting	New endpoints, public APIs

When NOT to Use

Designing new auth flows — Use api-design for designing OAuth2/JWT endpoints from scratch
Performance issues — Use performance-optimization even if caused by auth overhead
CI/CD pipeline security — Use ci-cd for pipeline hardening (secret management, permissions)

Key Principles

Scope first — Define audit area, depth, and constraints before scanning
Classify severity — Critical (24-48h), High (1 week), Medium (2-4 weeks), Low (backlog)
Remediate or track — Fix critical issues immediately, create ohno tasks for the rest
No secrets in code — Scan for hardcoded credentials, API keys, connection strings

Quick Start Checklist

Define audit scope and type (code, dependency, config, architecture, API)
Run automated scans (npm audit, grep patterns, secret detection)
Review findings and classify severity using decision tree in references
Remediate critical/high findings immediately
Create ohno tasks for medium/low findings with appropriate priority
Document findings in audit report

References

Reference	Description
owasp-top-10.md	OWASP vulnerabilities with detection and fixes
dependency-security.md	npm audit, pip-audit, Snyk, CI/CD integration
auth-patterns.md	Secure authentication and authorization patterns
api-security.md	API-specific security concerns
secrets-management.md	Handling sensitive configuration