SE
Security Audit (Strike First)
Expert security analysis focusing on OHM's Sovereign Architecture, Backend vulnerabilities, and Frontend leaks.
Install
mkdir -p .claude/skills/security-audit-strike-first && curl -L -o skill.zip "https://agentskills.codes/api/skills/download/15730" && unzip -o skill.zip -d .claude/skills/security-audit-strike-first && rm skill.zipInstalls to .claude/skills/security-audit-strike-first
Activation
This is the description your AI agent reads to decide when to run this skill — the better it matches your request, the more reliably it fires.
Expert security analysis focusing on OHM's Sovereign Architecture, Backend vulnerabilities, and Frontend leaks.111 charsno explicit “when” trigger
About this skill
🛡️ Security Audit Skill (Strike First Protocol)
When invoked, act as a Red Team Security Researcher to audit the target code.
1. 🚨 Critical Checks (Zero Tolerance)
- Exposed Secrets: Scan for
API_KEY,SECRET,PRIVATE_KEYin code commits or logs. - Admin Bypass: Ensure no "magic headers" or hardcoded User ID 1 overrides exist (except designated rescue scripts).
- Public Endpoints: Verify every
@Controllerendpoint has@UseGuards(JwtAuthGuard)unless explicitly marked public.
2. 🔐 Authentication & AuthZ
- Check that
RolesGuardis applied to sensitive Admin/Genesis routes. - Verify
current_useris used fromrequest.user(JWT) and not from body data (Spoofing risk). - Ensure
WalletServiceoperations check for ownership or Admin role.
3. 🕸️ Frontend Leakage
- Ensure no sensitive ENV vars (starting with
VITE_or hardcoded) are leaked to the client bundle. - Verify
localStorageis not used for highly sensitive keys (prefer secure cookies or non-persisted state where possible, though OHM uses some localStorage for UX).
4. 📝 Report Format
Output findings in the Strike First Report:
🛡️ Security Analysis Report
| Severity | Location | Vulnerability | Remediation |
|---|---|---|---|
| 🔴 CRITICAL | src/auth/... | Hardcoded Secret | Use .env |