Paths: File paths (shared/ , references/ , ../ln-* ) are relative to skills repo root. If not found at CWD, locate this SKILL.md directory and go up one level for repo root. If shared/ is missing, fetch files via WebFetch from https://raw.githubusercontent.com/levnikolaevich/claude-code-skills/master/skills/{path} .
Security Auditor (L3 Worker)
Type: L3 Worker
Specialized worker auditing security vulnerabilities in codebase.
Purpose & Scope
-
Audit codebase for security vulnerabilities (Category 1: Critical Priority)
-
Scan for hardcoded secrets, SQL injection, XSS, insecure dependencies, missing input validation
-
Return structured findings to coordinator with severity, location, effort, recommendations
-
Calculate compliance score (X/10) for Security category
Inputs
MANDATORY READ: Load shared/references/audit_worker_core_contract.md . MANDATORY READ: Load shared/references/mcp_tool_preferences.md and shared/references/mcp_integration_patterns.md
Receives contextStore with: tech_stack , best_practices , principles , codebase_root , output_dir .
Use hex-graph first when dataflow or cross-file reference analysis materially improves confidence. Use hex-line first for local code reads when available. If MCP is unavailable, unsupported, or not indexed, continue with built-in Read/Grep/Glob/Bash and state the fallback in the report.
Workflow
MANDATORY READ: Load shared/references/two_layer_detection.md for detection methodology.
-
Parse Context: Extract tech stack, best practices, codebase root, output_dir from contextStore
-
Scan Codebase (Layer 1): Run security checks using Glob/Grep patterns (see Audit Rules below)
-
Analyze Context (Layer 2): For each candidate, read surrounding code to classify:
-
Secrets: test fixture / example / template -> FP. Production code -> confirmed
-
SQL injection: ORM parameterization nearby -> FP. Raw string concat with user input -> confirmed
-
XSS: framework auto-escapes (React JSX, Go templates) -> FP. Unsafe context (innerHTML , | safe ) -> confirmed
-
Deps: vulnerable API not called in project -> downgrade. Exploitable path -> confirmed
-
Validation: internal service-to-service endpoint -> downgrade. Public API -> confirmed
-
Collect Findings: Record confirmed violations with severity, location (file:line), effort estimate (S/M/L), recommendation
-
Calculate Score: Count violations by severity, calculate compliance score (X/10)
-
Write Report: Build full markdown report in memory per shared/templates/audit_worker_report_template.md , write to {output_dir}/ln-621--global.md in single Write call
-
Return Summary: Return minimal summary to coordinator (see Output Format)
Audit Rules (Priority: CRITICAL)
- Hardcoded Secrets
What: API keys, passwords, tokens, private keys in source code
Detection:
-
Search patterns: API_KEY = "..." , password = "..." , token = "..." , SECRET = "..."
-
File extensions: .ts , .js , .py , .go , .java , .cs
-
Exclude: .env.example , README.md , test files with mock data
Severity:
-
CRITICAL: Production credentials (AWS keys, database passwords, API tokens)
-
HIGH: Development/staging credentials
-
MEDIUM: Test credentials in non-test files
Recommendation: Move to environment variables (.env), use secret management (Vault, AWS Secrets Manager)
Effort: S (replace hardcoded value with process.env.VAR_NAME )
- SQL Injection Patterns
What: String concatenation in SQL queries instead of parameterized queries
Detection:
-
Patterns: query = "SELECT * FROM users WHERE id=" + userId , db.execute(f"SELECT * FROM {table}") ,
SELECT * FROM ${table} -
Languages: JavaScript, Python, PHP, Java
Severity:
-
CRITICAL: User input directly concatenated without sanitization
-
HIGH: Variable concatenation in production code
-
MEDIUM: Concatenation with internal variables only
Recommendation: Use parameterized queries (prepared statements), ORM query builders
Effort: M (refactor query to use placeholders)
- XSS Vulnerabilities
What: Unsanitized user input rendered in HTML/templates
Detection:
-
Patterns: innerHTML = userInput , dangerouslySetInnerHTML={{__html: data}} , echo $userInput;
-
Template engines: Check for unescaped output ({{ var | safe }} , <%- var %> )
Severity:
-
CRITICAL: User input directly inserted into DOM without sanitization
-
HIGH: User input with partial sanitization (insufficient escaping)
-
MEDIUM: Internal data with potential XSS if compromised
Recommendation: Use framework escaping (React auto-escapes, use textContent ), sanitize with DOMPurify
Effort: S-M (replace innerHTML with textContent or sanitize)
- Insecure Dependencies
What: Dependencies with known CVEs (Common Vulnerabilities and Exposures)
Detection:
-
Run npm audit (Node.js), pip-audit (Python), cargo audit (Rust), dotnet list package --vulnerable (.NET)
-
Check for outdated critical dependencies
Severity:
-
CRITICAL: CVE with exploitable vulnerability in production dependencies
-
HIGH: CVE in dev dependencies or lower severity production CVEs
-
MEDIUM: Outdated packages without known CVEs but security risk
Recommendation: Update to patched versions, replace unmaintained packages
Effort: S-M (update package.json, test), L (if breaking changes)
- Missing Input Validation
What: Missing validation at system boundaries (API endpoints, user forms, file uploads)
Detection:
-
API routes without validation middleware
-
Form handlers without input sanitization
-
File uploads without type/size checks
-
Missing CORS configuration
Severity:
-
CRITICAL: File upload without validation, authentication bypass potential
-
HIGH: Missing validation on sensitive endpoints (payment, auth, user data)
-
MEDIUM: Missing validation on read-only or internal endpoints
Recommendation: Add validation middleware (Joi, Yup, express-validator), implement input sanitization
Effort: M (add validation schema and middleware)
Scoring Algorithm
MANDATORY READ: Load shared/references/audit_worker_core_contract.md and shared/references/audit_scoring.md .
Output Format
MANDATORY READ: Load shared/references/audit_worker_core_contract.md and shared/templates/audit_worker_report_template.md .
Write JSON summary per shared/references/audit_summary_contract.md . In managed mode the caller passes both runId and summaryArtifactPath ; in standalone mode the worker generates its own run-scoped artifact path per shared contract.
Write report to {output_dir}/ln-621--global.md with category: "Security" and checks: hardcoded_secrets, sql_injection, xss_vulnerabilities, insecure_dependencies, missing_input_validation.
Return summary per shared/references/audit_summary_contract.md .
Standalone mode still writes the same JSON summary to a worker-owned run-scoped artifact path per shared contract.
Critical Rules
MANDATORY READ: Load shared/references/audit_worker_core_contract.md .
-
Do not auto-fix: Report violations only; coordinator creates task for user to fix
-
Tech stack aware: Use contextStore to apply framework-specific patterns (e.g., React XSS vs PHP XSS)
-
False positive reduction: Exclude test files, example configs, documentation
-
Effort realism: S = <1 hour, M = 1-4 hours, L = >4 hours
-
Location precision: Always include file:line for programmatic navigation
Definition of Done
MANDATORY READ: Load shared/references/audit_worker_core_contract.md .
-
contextStore parsed successfully (including output_dir)
-
All 5 security checks completed (secrets, SQL injection, XSS, deps, validation)
-
Findings collected with severity, location, effort, recommendation
-
Score calculated using penalty algorithm
-
Report written to {output_dir}/ln-621--global.md (atomic single Write call)
-
Summary written per contract
Reference Files
-
Audit output schema: shared/references/audit_output_schema.md
-
Security audit rules: references/security_rules.md
Version: 3.0.0 Last Updated: 2025-12-23