playbooks

home / skills / charon-fan / agent-playbook / security-auditor

security-auditor skill

/skills/security-auditor

npx playbooks add skill charon-fan/agent-playbook --skill security-auditor

Review the files below or copy the command above to add this skill to your agents.

Files (7)
SKILL.md
5.4 KB
---
name: security-auditor
description: Security vulnerability expert covering OWASP Top 10 and common security issues. Use when conducting security audits or reviewing code for vulnerabilities.
allowed-tools: Read, Grep, Glob, Bash, WebSearch
metadata:
  hooks:
    after_complete:
      - trigger: self-improving-agent
        mode: background
        reason: "Learn from security patterns"
      - trigger: session-logger
        mode: auto
        reason: "Log security audit"
---

# Security Auditor

Expert in identifying security vulnerabilities following OWASP Top 10 and security best practices.

## When This Skill Activates

Activates when you:
- Request a security audit
- Mention "security" or "vulnerability"
- Need security review
- Ask about OWASP

## OWASP Top 10 Coverage

### A01: Broken Access Control

**Checks:**
```bash
# Check for missing auth on protected routes
grep -r "@RequireAuth\|@Protected" src/

# Check for IDOR vulnerabilities
grep -r "req.params.id\|req.query.id" src/

# Check for role-based access
grep -r "if.*role.*===" src/
```

**Common Issues:**
- Missing authentication on sensitive endpoints
- IDOR: Users can access other users' data
- Missing authorization checks
- API keys in URL

### A02: Cryptographic Failures

**Checks:**
```bash
# Check for hardcoded secrets
grep -ri "password.*=.*['\"]" src/
grep -ri "api_key.*=.*['\"]" src/
grep -ri "secret.*=.*['\"]" src/

# Check for weak hashing
grep -r "md5\|sha1" src/

# Check for http URLs
grep -r "http:\/\/" src/
```

**Common Issues:**
- Hardcoded credentials
- Weak hashing algorithms (MD5, SHA1)
- Unencrypted sensitive data
- HTTP instead of HTTPS

### A03: Injection

**Checks:**
```bash
# SQL injection patterns
grep -r "\".*SELECT.*+.*\"" src/
grep -r "\".*UPDATE.*SET.*+.*\"" src/

# Command injection
grep -r "exec(\|system(\|spawn(" src/
grep -r "child_process.exec" src/

# Template injection
grep -r "render.*req\." src/
```

**Common Issues:**
- SQL injection
- NoSQL injection
- Command injection
- XSS (Cross-Site Scripting)
- Template injection

### A04: Insecure Design

**Checks:**
```bash
# Check for rate limiting
grep -r "rateLimit\|rate-limit\|throttle" src/

# Check for 2FA
grep -r "twoFactor\|2fa\|mfa" src/

# Check for session timeout
grep -r "maxAge\|expires\|timeout" src/
```

**Common Issues:**
- No rate limiting on auth endpoints
- Missing 2FA for sensitive operations
- Session timeout too long
- No account lockout after failed attempts

### A05: Security Misconfiguration

**Checks:**
```bash
# Check for debug mode
grep -r "DEBUG.*=.*True\|debug.*=.*true" src/

# Check for CORS configuration
grep -r "origin.*\*" src/

# Check for error messages
grep -r "console\.log.*error\|console\.error" src/
```

**Common Issues:**
- Debug mode enabled in production
- Overly permissive CORS
- Verbose error messages
- Default credentials not changed

### A06: Vulnerable Components

**Checks:**
```bash
# Check package files
cat package.json | grep -E "\"dependencies\"|\"devDependencies\""
cat requirements.txt
cat go.mod

# Run vulnerability scanner
npm audit
pip-audit
```

**Common Issues:**
- Outdated dependencies
- Known vulnerabilities in dependencies
- Unused dependencies
- Unmaintained packages

### A07: Authentication Failures

**Checks:**
```bash
# Check password hashing
grep -r "bcrypt\|argon2\|scrypt" src/

# Check password requirements
grep -r "password.*length\|password.*complex" src/

# Check for password in URL
grep -r "password.*req\." src/
```

**Common Issues:**
- Weak password hashing
- No password complexity requirements
- Password in URL
- Session fixation

### A08: Software/Data Integrity

**Checks:**
```bash
# Check for subresource integrity
grep -r "integrity\|crossorigin" src/

# Check for signature verification
grep -r "verify.*signature\|validate.*token" src/
```

**Common Issues:**
- No integrity checks
- Unsigned updates
- Unverified dependencies

### A09: Logging Failures

**Checks:**
```bash
# Check for sensitive data in logs
grep -r "log.*password\|log.*token\|log.*secret" src/

# Check for audit trail
grep -r "audit\|activity.*log" src/
```

**Common Issues:**
- Sensitive data in logs
- No audit trail for critical operations
- Logs not protected
- No log tampering detection

### A10: SSRF (Server-Side Request Forgery)

**Checks:**
```bash
# Check for arbitrary URL fetching
grep -r "fetch(\|axios(\|request(\|http\\.get" src/

# Check for webhook URLs
grep -r "webhook.*url\|callback.*url" src/
```

**Common Issues:**
- No URL validation
- Fetching user-supplied URLs
- No allowlist for external calls

## Security Audit Checklist

### Code Review
- [ ] No hardcoded secrets
- [ ] Input validation on all inputs
- [ ] Output encoding for XSS prevention
- [ ] Parameterized queries for SQL
- [ ] Proper error handling
- [ ] Authentication on protected routes
- [ ] Authorization checks
- [ ] Rate limiting on public APIs

### Configuration
- [ ] Debug mode off
- [ ) HTTPS enforced
- [ ] CORS configured correctly
- [ ] Security headers set
- [ ] Environment variables for secrets
- [ ] Database not exposed

### Dependencies
- [ ] No known vulnerabilities
- [ ] Dependencies up to date
- [ ] Unused dependencies removed

## Scripts

Run security audit:
```bash
python scripts/security_audit.py
```

Check for secrets:
```bash
python scripts/find_secrets.py
```

## References

- `references/owasp.md` - OWASP Top 10 details
- `references/checklist.md` - Security audit checklist
- `references/remediation.md` - Vulnerability remediation guide