skill-security-auditor
- Repo stars 14,101
- License Complete terms in LICENSE.txt
- Author updated Live
- Author repo eigent
- Domain
- Security
- Compatible agents
-
- Claude Code
- Cursor
- Cline
- Codex
- Windsurf
- Gemini CLI
- +20
- Trust score
- 94 / 100 · audit passed
- Author / version / license
- @eigent-ai · Complete terms in LICENSE.txt
- Token usage
- Lean
- Setup complexity
- Manual integration
- External API key
- Required · Vendor-specific
- Operating systems
- macOS · Linux · Windows
- Runtime requirements
- Node.js · Python
- Permissions
-
- Read-only
- Shell exec
- Env read
- Write / modify
- Network behavior
- External requests
- Install commands
- 26 variants
Profile is derived at build time from SKILL.md and install vectors. Subject to drift from author intent.
Heads up: 未限定 allowed-tools,默认拥有全部工具权限。
---
name: skill-security-auditor
description: Security auditing for code, configs, and infrastructure. Use when the user wants to audit or imp…
category: security
runtime: Node.js / Python
---
# skill-security-auditor output preview
## PART A: Task fit
- Use case: Security auditing for code, configs, and infrastructure. Use when the user wants to audit or improve security: scan for vulnerabilities (SQL injection, XSS, command injection, path traversal), detect hardcoded secrets and credentials, review auth and authorization, check dependencies for known CVEs, audit config files for insecure defaults, or generate security reports. Trigger on \"security audit\", \"vulnerability scan\", \"code review for security\", \"find secrets\", \"check for vulnerabilities\", \"OWASP\", \"CVE\", or questions about code security..
- Inputs: target material, constraints, expected output, and acceptance criteria.
- Evidence boundary: follow “Overview / Quick Start / Testing the scripts” and do not present inference as author intent.
## PART B: Execution result
- **01** The card summarizes the use case; runtime output centers on “Security auditing for code, configs, and infrastructure. Use when the user wants to audit or improve security: scan for vulnerabilities (SQL injection, XSS, command injection, path traversal), detect hardcoded secrets and credentials, review auth and authorization, check dependencies for known CVEs, audit config files for insecure defaults, or generate security reports. Trigger on \"security audit\", \"vulnerability scan\", \"code review for security\", \"find secrets\", \"check for vulnerabilities\", \"OWASP\", \"CVE\", or questions about code security.”.
- **02** When the source has headings, the agent prioritizes “Overview / Quick Start / Testing the scripts” so the result follows the author’s structure.
- **03** Typical output includes task judgment, concrete steps, required commands or file edits, validation, and follow-up options.
- **04** Risk context follows the fingerprint: read files, run shell commands, read environment variables, write/modify files; may access external network resources; requires Vendor-specific API keys.
## Running Rules
- read files, run shell commands, read environment variables, write/modify files; may access external network resources; requires Vendor-specific API keys.
- Validate with a small sample before expanding scope.
- Return the result, validation criteria, and next iteration options. The source mentions slash commands such as `/path`; use them first when your agent supports command triggers.
Name target files or source material, expected output, forbidden changes, and whether network or shell access is allowed. Permission fingerprint: read files, run shell commands, read environment variables, write/modify files.
Start with a small task and check whether the result follows “Overview / Quick Start / Testing the scripts”. Inspect diffs, logs, previews, or tests before expanding scope.
Confirm the final output includes a concrete result, evidence, and next action. If it stays generic, tighten inputs, boundaries, and acceptance criteria.
---
name: skill-security-auditor
description: Security auditing for code, configs, and infrastructure. Use when the user wants to audit or imp…
category: security
source: eigent-ai/eigent
---
# skill-security-auditor
## When to use
- Security auditing for code, configs, and infrastructure. Use when the user wants to audit or improve security: scan fo…
- Use it when the task has clear inputs, repeatable steps, and validation criteria.
## What to provide
- Target material, scope, expected result, and forbidden changes.
- Whether network, commands, file writes, or external services are allowed.
## Execution rules
- Organize steps around “Overview / Quick Start / Testing the scripts” and keep inference separate from source facts.
- read files, run shell commands, read environment variables, write/modify files; may access external network resources; requires Vendor-specific API keys.
- Validate with a small sample before expanding the task.
## Output requirements
- Return the deliverable, key evidence, validation method, and next action.
- Mark missing information as unknown; do not invent commands, platforms, or dependencies. The author source anchors workflow facts; repository files anchor sources and commands; Fluxly only adds fit, limitations, and quality judgment.
skill "skill-security-auditor" {
input -> user goal + target files + boundaries + acceptance criteria
context -> Overview / Quick Start / Testing the scripts
rules -> SKILL.md triggers / order / output contract
runtime -> Node.js / Python | read files, run shell commands, read environment variables, write/modify files | may access external network resources
guardrails -> requires Vendor-specific API keys + small-sample validation + diff/log review
output -> copyable result + checklist + next iteration
} Security Auditor Guide
Overview
This guide covers security auditing workflows for source code, dependencies, and configurations. For detailed vulnerability patterns and detection rules, see references/vulnerability-patterns.md. For secrets detection patterns, see references/secrets-patterns.md.
Quick Start
Run the bundled scan script against a project directory:
python scripts/scan_project.py /path/to/project
This performs a lightweight scan for common issues: hardcoded secrets, dangerous function calls, and insecure patterns. For deeper analysis, follow the workflows below.
Testing the scripts
python scripts/scan_project.py /path/to/some/project --format text
python scripts/scan_secrets.py /path/to/some/project --format text
Audit Workflow
1. Reconnaissance
Before auditing, understand the project:
# Identify languages, frameworks, and entry points
find . -type f -name "*.py" -o -name "*.js" -o -name "*.ts" -o -name "*.go" -o -name "*.java" | head -20
cat package.json pyproject.toml requirements.txt go.mod pom.xml 2>/dev/null
Key questions:
- What frameworks are used? (Express, Django, Flask, Spring, etc.)
- Where are the entry points? (routes, controllers, API handlers)
- How is authentication handled?
- What external services are called?
- Is user input accepted? Where?
2. Secrets Detection
Scan for hardcoded credentials, API keys, and tokens. See references/secrets-patterns.md for the full pattern list.
python scripts/scan_secrets.py /path/to/project
Common patterns to check:
- API keys and tokens in source files
- Database connection strings with embedded passwords
- Private keys or certificates committed to the repo
.envfiles or config files with plaintext secrets- Secrets in CI/CD configuration files
3. Vulnerability Scanning
OWASP Top 10 Checklist
| # | Category | What to Look For |
|---|---|---|
| A01 | Broken Access Control | Missing auth checks, IDOR, privilege escalation |
| A02 | Cryptographic Failures | Weak algorithms, plaintext storage, missing TLS |
| A03 | Injection | SQL, NoSQL, OS command, LDAP, XSS |
| A04 | Insecure Design | Missing rate limits, business logic flaws |
| A05 | Security Misconfiguration | Debug mode, default credentials, verbose errors |
| A06 | Vulnerable Components | Outdated dependencies with known CVEs |
| A07 | Auth Failures | Weak passwords, missing MFA, session issues |
| A08 | Data Integrity Failures | Insecure deserialization, unsigned updates |
| A09 | Logging Failures | Missing audit logs, sensitive data in logs |
| A10 | SSRF | Unvalidated URLs in server-side requests |
Language-Specific Checks
Python
# Dangerous: SQL injection
cursor.execute(f"SELECT * FROM users WHERE id = {user_id}")
# Safe: Parameterized query
cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))
# Dangerous: Command injection
os.system(f"ping {hostname}")
# Safe: Use subprocess with list args
subprocess.run(["ping", hostname], capture_output=True)
# Dangerous: Path traversal
open(f"/data/{user_input}")
# Safe: Validate and resolve path
path = pathlib.Path("/data") / user_input
path.resolve().relative_to(pathlib.Path("/data").resolve())
JavaScript/TypeScript
// Dangerous: XSS via innerHTML
element.innerHTML = userInput;
// Safe: Use textContent or sanitize
element.textContent = userInput;
// Dangerous: Prototype pollution
Object.assign(target, JSON.parse(userInput));
// Safe: Validate input structure
const parsed = JSON.parse(userInput);
if (typeof parsed !== 'object' || Array.isArray(parsed)) throw new Error();
const sanitized = Object.fromEntries(
Object.entries(parsed).filter(([k]) => !k.startsWith('__'))
);
// Dangerous: eval or Function constructor
eval(userInput);
// Safe: Never use eval with user input
Go
// Dangerous: SQL injection
db.Query("SELECT * FROM users WHERE id = " + id)
// Safe: Parameterized query
db.Query("SELECT * FROM users WHERE id = $1", id)
// Dangerous: Path traversal
http.ServeFile(w, r, filepath.Join(baseDir, r.URL.Path))
// Safe: Clean and validate path
cleaned := filepath.Clean(r.URL.Path)
full := filepath.Join(baseDir, cleaned)
if !strings.HasPrefix(full, baseDir) { http.Error(...) }
4. Dependency Audit
Check for known vulnerabilities in project dependencies:
# Python
pip audit
safety check -r requirements.txt
# Node.js
npm audit
npx auditjs ossi
# Go
govulncheck ./...
# General (if Trivy is available)
trivy fs --scanners vuln /path/to/project
Review the output and categorize by severity (critical, high, medium, low). Critical and high severity findings should be addressed before deployment.
5. Configuration Review
Check for insecure defaults in configuration files:
# Common misconfigurations to flag:
DEBUG: true # Debug mode in production
ALLOWED_HOSTS: ["*"] # Unrestricted host access
CORS_ALLOW_ALL_ORIGINS: true # Open CORS policy
SECRET_KEY: "default" # Default or weak secret key
SSL_VERIFY: false # Disabled TLS verification
Check infrastructure configs:
- Dockerfiles: Running as root, exposing unnecessary ports
- CI/CD: Secrets in plaintext, overly permissive permissions
- Cloud configs: Public S3 buckets, open security groups
6. Authentication and Authorization Review
Key areas to verify:
- Password hashing uses strong algorithms (bcrypt, argon2, scrypt)
- Sessions have appropriate timeouts and rotation
- JWT tokens are validated properly (algorithm, expiry, signature)
- API endpoints enforce authorization checks
- Role-based access control is consistently applied
- Rate limiting is in place for login and sensitive endpoints
Report Format
When generating a security audit report, use this structure:
# Security Audit Report
## Summary
- **Project**: [name]
- **Date**: [date]
- **Scope**: [what was audited]
- **Risk Level**: [Critical/High/Medium/Low]
## Findings
### [SEVERITY] Finding Title
- **Category**: [OWASP category]
- **Location**: [file:line]
- **Description**: [what the issue is]
- **Impact**: [what could happen if exploited]
- **Recommendation**: [how to fix]
## Statistics
- Total findings: [count]
- Critical: [count] | High: [count] | Medium: [count] | Low: [count]
Next Steps
- For detailed vulnerability patterns and code examples, see references/vulnerability-patterns.md
- For secrets detection regex patterns, see references/secrets-patterns.md
Decide Fit First
Design Intent
How To Use It
Boundaries And Review