social-engineering-audit

Assess social engineering attack surface in applications and organizations. Identifies pretexting vectors, OSINT exposure, phishing susceptibility in authentication flows, and human-factor vulnerabilities in security architecture. Use when auditing auth flows, help desk procedures, password reset mechanisms, or organizational security posture.

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Copy this and send it to your AI assistant to learn

Install skill "social-engineering-audit" with this command: npx skills add plurigrid/asi/plurigrid-asi-social-engineering-audit

Social Engineering Audit

When to Use

Invoke this skill when assessing:

  • Authentication and authorization flows (login, MFA, password reset, account recovery)
  • Help desk and customer support procedures
  • Identity verification and onboarding processes
  • Organizational security posture against targeted attacks
  • Account takeover risk via non-technical channels
  • Physical access control and personnel security

This is not a penetration test. This is a structured assessment of the human-factor attack surface -- the seams where process, trust, and technology meet.

Attack Surface Taxonomy

1. Pretexting Vectors

  • Support channels: phone, email, chat, social media DMs. Each is an identity verification boundary. Map them all. Determine what each channel can do (password reset, account unlock, PII disclosure, plan changes).
  • Internal help desk: IT support desks are high-value targets. Assess what credentials or verification they require before acting on requests.
  • Vendor/contractor impersonation: third-party relationships create implicit trust. Identify which vendors have elevated access or bypass normal auth.
  • Authority exploitation: executive impersonation, "urgent" escalation paths, out-of-band requests that skip normal verification.

2. Authentication Bypass via Social Channels

  • Password reset: Does the reset flow rely on email alone? Is there a fallback path through support? Can support override MFA?
  • Account recovery: What happens when a user "loses everything"? The recovery path is the weakest authentication path.
  • SIM swap / number porting: If SMS is used for 2FA or recovery, the phone carrier is part of your authentication chain.
  • Session hijacking via support: Can support generate magic links, session tokens, or bypass codes? Under what verification?

3. OSINT Exposure

  • Breached credentials: Check paste sites, breach databases. Credential reuse is the simplest attack.
  • Social media: Employee roles, org charts, technology stack, office photos (badges, screens, whiteboards).
  • Public records: Domain registrations, DNS records, job postings (reveal internal tooling), SEC filings, patent applications.
  • Code repositories: Leaked secrets, internal URLs, employee emails in commit history, CI/CD configurations.
  • Metadata: Document metadata (author names, software versions, internal paths) in public PDFs, images, office documents.

4. Phishing Surface

  • Email authentication: Check SPF, DKIM, DMARC records. A missing or permissive DMARC policy (p=none) means anyone can spoof the domain.
  • Lookalike domains: Check for registered typosquats and homoglyph domains. Use dnstwist or similar.
  • Link handling: How does the application handle links in emails, chat, notifications? Are URLs previewed, sandboxed, or blindly followed?
  • OAuth consent phishing: Can an attacker register an OAuth app with a deceptive name and request broad scopes?

5. Physical Social Engineering

  • Tailgating: Badge-controlled entrances without mantraps or visual verification.
  • Badge cloning: Proximity card technology (125kHz HID is trivially cloned).
  • Impersonation: Delivery, maintenance, IT support pretexts for physical access.
  • Dumpster diving: Document disposal procedures, shredding policy.

Audit Methodology

Execute in order. Each step informs the next.

Step 1: Map human-mediated authentication paths. Enumerate every path where a human (support agent, IT admin, manager) can override, bypass, or supplement automated authentication. Document what each path can do and what verification it requires.

Step 2: Identify identity verification procedures. For each human-mediated path: what questions are asked? What constitutes "sufficient" proof of identity? Is it documented or ad hoc? Can the answers be obtained via OSINT?

Step 3: Assess OSINT exposure. Gather publicly available information that could be used to answer verification questions or craft targeted pretexts. Focus on: employee names and roles, email formats, technology stack, org structure, breached credentials.

Step 4: Evaluate phishing controls. Check email authentication records (SPF/DKIM/DMARC). Enumerate registered lookalike domains. Review whether the organization has phishing-resistant MFA (WebAuthn/FIDO2) or phishable MFA (TOTP/SMS).

Step 5: Review account recovery flows. Walk through every account recovery path as an attacker who controls only public information. Identify which paths leak user existence, accept guessable answers, or defer to a human who can be pretexted.

Step 6: Test help desk resistance. Design pretext scenarios based on Steps 2-3. Assess (or recommend testing) whether support staff follow verification procedures under pressure, urgency, or authority cues.

Code Review Patterns

When reviewing application source, flag these patterns:

User Enumeration

# BAD: Different responses for valid vs invalid users
if not user_exists(email):
    return "No account found"     # Leaks existence
return "Reset link sent"

Fix: Return the same response regardless. Send email only if account exists.

Security Questions for Recovery

Any use of security questions (mother's maiden name, first pet, etc.) is a finding. These are OSINT-retrievable and not secrets.

Support Tooling Without Verification Audit Trail

# BAD: Support action with no identity verification logged
@admin_required
def reset_user_password(user_id):
    user.set_random_password()    # No record of what verification was performed

Fix: Require and log the verification method used before any support action.

OAuth/SSO Misconfigurations

  • Open redirect in OAuth callback URLs (enables token theft)
  • Wildcard or overly broad redirect URI matching
  • Missing state parameter validation (CSRF in OAuth flow)
  • Auto-approval of OAuth consent for internal apps (can be abused if app registration is open)

Rate Limiting Gaps

# BAD: No rate limit on verification code endpoint
@app.route("/verify-code", methods=["POST"])
def verify_code():
    if request.form["code"] == stored_code:
        grant_access()

Fix: Rate limit by IP and account. Lock after N failures. Use longer codes.

MFA Bypass in Recovery

Look for code paths where MFA is enforced at login but skipped during account recovery, password reset, or support-initiated access.

Output Format

Structure findings as:

### [SE-001] Finding Title

Severity: Critical / High / Medium / Low / Informational
Category: Pretexting | Auth Bypass | OSINT Exposure | Phishing | Physical
Attack Scenario: Concrete, step-by-step description of how an attacker
  exploits this. Name the pretext. Name the channel. Name what they obtain.
Evidence: What was observed (code path, policy gap, DNS record, etc.)
Remediation: Specific, actionable fix. Not "improve training."
References: Relevant standards (NIST 800-63B, OWASP, etc.)

Severity calibration:

  • Critical: Direct account takeover via social channel, no technical skill required.
  • High: Account takeover possible with moderate OSINT gathering.
  • Medium: Information disclosure that enables targeted attacks.
  • Low: Weak controls that increase attack surface but require chaining.
  • Informational: Observations that inform security posture but lack direct exploit path.

Related Skills

  • entry-point-analyzer -- map technical entry points before assessing human ones
  • webapp-testing -- complement social engineering audit with technical testing
  • audit-context-building -- establish organizational context and threat model

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.

Open in GitHubOpen in ClawHub

Related Skills

Related by shared tags or category signals.

Security

tizen-security-compliance

No summary provided by upstream source.

Repository SourceNeeds Review
7-plurigrid
Security

audit-context-building

No summary provided by upstream source.

Repository SourceNeeds Review
7-plurigrid
Security

audit-prep-assistant

No summary provided by upstream source.

Repository SourceNeeds Review
7-plurigrid
Security

solana-vulnerability-scanner

No summary provided by upstream source.

Repository SourceNeeds Review
6-plurigrid