security

/security - Security Audit Workflow

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Copy this and send it to your AI assistant to learn

Install skill "security" with this command: npx skills add aleister1102/skills/aleister1102-skills-security

/security - Security Audit Workflow

Use this skill to run a security audit workflow on sensitive code, prioritizing findings that can realistically become CRITICAL or HIGH impact.

When to Use

  • The user asks for a security audit / vulnerability review ("is this secure?", "check for vulns").

  • The code touches authn/authz, payments, secrets, PII, file upload/download, webhooks, admin actions, deserialization, or command execution.

  • The user wants a scan + verification loop (audit findings → fixes → re-check).

When NOT to Use

  • The user wants a general code review, debugging, refactor, or style improvements.

  • The code is clearly non-sensitive (toy scripts, local-only utilities) and the user isn’t asking about security.

Defaults / Guardrails

  • Report CRITICAL/HIGH only. If none exist, explicitly report none.

  • Treat "possession implies compromise" as non-finding unless you show a feasible token/secret acquisition path.

  • Prefer exploit-chain depth over breadth. Drop noise that can’t reach material impact.

For deeper triage/prerequisite rules and consistent output formats, read:

  • references/triage-and-prereqs.md

  • references/report-templates.md

Workflow

  1. Confirm Scope

Determine one of:

  • Full codebase: /security

  • Area: /security auth (or similar)

  • Single file: /security path/to/file

  • Dependencies only: /security --deps

  1. Static Audit (Phase 1)

Goal: find and explain only CRITICAL/HIGH issues with clear attacker prerequisites.

Prioritize:

  • Injection: SQL/NoSQL, command/OS, template injection, SSRF, XSS.

  • Authz failures: IDOR, missing checks, privilege escalation.

  • Authn/session: token validation mistakes that increase attacker capability.

  • Secrets: hardcoded credentials, leaked tokens/keys, unsafe secret handling.

  • Insecure deserialization, unsafe file handling (path traversal), dangerous eval.

  • Supply chain: obviously vulnerable deps or unsafe install/build hooks.

Evidence required per finding:

  • Attacker-controlled source → security-sensitive sink (show the path).

  • Concrete exploit narrative and prerequisites.

  • Containment + long-term remediation steps.

  1. Runtime Verification (When Runnable)

If there is a runnable target, verify with minimal, safe steps.

Rules:

  • Only test instances you control / are authorized to test (prefer localhost ).

  • Avoid DoS-like loops, mass writes, or destructive behavior.

  • Prefer repo-native commands (README, Makefile, Docker, package scripts).

Verification checklist:

  • Find how to run: README, Dockerfile, docker-compose, Makefile, package scripts.

  • Start the service in minimal config.

  • Prove impact with 1–3 deterministic requests/steps.

  1. Fix Guidance

Recommend changes that eliminate the root cause:

  • Parameterize queries; avoid shell; escape/encode; strong allowlists for URLs/paths.

  • Enforce deny-by-default authorization.

  • Remove secrets from repo; use env/secret store; rotate compromised keys.

  1. Re-Verify (Phase 2)

After fixes, re-run minimal repros and any relevant security checks.

Triage Rules (Noise to Skip Unless Chained)

Skip by default unless you can chain to data loss/auth bypass/priv-esc with evidence:

  • CORS/OPTIONS “bypass” without protected response body or state change.

  • Missing rate limiting/lockout by itself.

  • Account enumeration without a takeover/privileged action path.

  • Timing side-channels without a feasible remote measurement model.

  • Swagger/UI exposure gated to non-prod.

  • Token-type confusion unless it meaningfully increases capability beyond intended flows.

If a borderline issue is showing up repeatedly, apply the stricter escalation criteria in references/triage-and-prereqs.md .

Subagent Prompts

Phase 1: aegis (Audit)

Security audit: [SCOPE]

Find CRITICAL/HIGH only. For each finding include:

  • severity (CRITICAL/HIGH)
  • attacker prerequisites
  • source → sink evidence (file/function references)
  • minimal repro steps (safe)
  • remediation (containment first, then long-term)

If no CRITICAL/HIGH exist, explicitly output: NONE.

Deprioritize noise categories unless chained to material impact.

Phase 2: arbiter (Verify)

Verify security fixes: [SCOPE]

  • Re-run minimal repro steps for each previously reported CRITICAL/HIGH
  • Run the repo’s test/build checks relevant to the changed area
  • Run dependency audit appropriate to stack (e.g., npm/pip/go)

Output: verification report (fixed/not fixed) and any regressions.

Flags

  • --deps : dependencies-only audit

  • --verify : post-fix verification run

  • --secrets : prioritize secret detection and leakage paths

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.

Open in GitHubOpen in ClawHub

Related Skills

Related by shared tags or category signals.

Security

security

No summary provided by upstream source.

Repository SourceNeeds Review
66-tartinerlabs
Security

security

No summary provided by upstream source.

Repository SourceNeeds Review
35-openhands
Security

security

No summary provided by upstream source.

Repository SourceNeeds Review
29-scientiacapital
Security

security-audit

No summary provided by upstream source.

Repository SourceNeeds Review
7-aleister1102