agentskills.codes

common-security-audit


Install

mkdir -p .claude/skills/common-security-audit && curl -L -o skill.zip "https://agentskills.codes/api/skills/download/16605" && unzip -o skill.zip -d .claude/skills/common-security-audit && rm skill.zip

Installs to .claude/skills/common-security-audit

Activation

This is the description your AI agent reads to decide when to run this skill — the better it matches your request, the more reliably it fires.

Probe for hardcoded secrets, injection surfaces, unguarded routes, business logic flaws, and platform-specific weaknesses across backend (Node, Go, Java, Python, Rust), frontend (React, Angular, Vue), and mobile (iOS, Android, Flutter) codebases. Use when performing security audits, vulnerability scans, secrets detection, or penetration testing.

About this skill

Security Audit

Priority: P0 (CRITICAL)

1. Scan for Hardcoded Secrets

See implementation examples for secrets scanning commands.

Covers: Backend source, frontend bundles (REACT_APP_, NEXT_PUBLIC_, VITE_), mobile configs (BuildConfig, iOS configurations, strings.xml).

2. Detect Data Leakage in Logs

See implementation examples for log leakage scanning commands across Node, Go, Dart, Java, Swift.

3. Map Injection Surfaces & Auth Coverage

See implementation examples for injection detection and auth coverage measurement.

4. Run Dependency CVE Scans

  • Node: npm audit --audit-level=high; Python: pip-audit; Rust: cargo audit
  • Go: go list -m -u all; Dart: dart pub outdated --json
  • Java: mvn dependency:list or ./gradlew dependencies; Mobile: pod audit or a Gradle scan

5. Infrastructure & Adversarial Entry Points

See implementation examples for RCE/SSRF/Path Traversal and infrastructure hardening (Docker/K8s).

6. Frontend-Specific Audit

  • Exposed Secrets: grep -rE "(REACT_APP_|NEXT_PUBLIC_|VITE_)" . --include="*.ts*" --include="*.env*"
  • DOM Sinks & Source Maps: Check dangerouslySetInnerHTML, innerHTML, eval, and .map files in prod builds.

7. Mobile-Specific Audit

See mobile audit commands for insecure storage (credential stores/Keystore), cert pinning, debug flags, and deep links.

8. Business Logic & Advanced Attacks

  • BOLA/IDOR: Verify entity lookups always enforce tenant/owner ownership checks (e.g. any findById without an owner filter is a P0 IDOR vulnerability).
  • JWT / Mass Assignment: Check missing exp, weak keys, and uncontrolled property spread (...req.body).
  • Race / GraphQL: Verify atomic DB transactions, introspection disabled, and query depth limits.

Scoring Impact

Finding                  | Threshold           | Severity | Deduction
-------------------------|---------------------|----------|----------
Hardcoded Secrets        | Any match           | P0       | -25
Plain-text PII in Logs   | Any match           | P0       | -20
Unguarded Routes > 20%   | > 0.2               | P0       | -15
Raw SQL Concatenation    | Any match           | P1       | -10
Response Leakage (Stack) | > 0                 | P1       | -10
Insecure Mobile Storage  | Token in plaintext  | P1       | -15
Missing Cert Pinning     | No pinning detected | P2       | -8
DOM XSS Sinks            | Any match           | P1       | -10

CAUTION: A P0 finding immediately caps the Security score at 40/100. Immediate actions for leaked secrets: rotate the credential NOW and purge it from history.

Anti-Patterns

  • Don't apply generic patterns over project-specific rules: respect the project's existing security constraints.
  • Don't ignore error handling or edge cases: the audit must cover boundary conditions.
  • Don't audit the backend only: always check the frontend AND mobile code when they are in scope.
