Security Audit Skill
Purpose
Comprehensive security scanning and vulnerability detection. Includes input validation, path traversal prevention, CVE detection, and secure coding pattern enforcement.
When to Trigger
- •authentication implementation
- •authorization logic
- •payment processing
- •user data handling
- •API endpoint creation
- •file upload handling
- •database queries
- •external API integration
When to Skip
- •read-only operations on public data
- •internal development tooling
- •static documentation
- •styling changes
Commands
Full Security Scan
Run comprehensive security analysis on the codebase
bash
npx @claude-flow/cli security scan --depth full
Example:
bash
npx @claude-flow/cli security scan --depth full --output security-report.json
Input Validation Check
Check for input validation issues
bash
npx @claude-flow/cli security scan --check input-validation
Example:
bash
npx @claude-flow/cli security scan --check input-validation --path ./src/api
Path Traversal Check
Check for path traversal vulnerabilities
bash
npx @claude-flow/cli security scan --check path-traversal
SQL Injection Check
Check for SQL injection vulnerabilities
bash
npx @claude-flow/cli security scan --check sql-injection
XSS Check
Check for cross-site scripting vulnerabilities
bash
npx @claude-flow/cli security scan --check xss
CVE Scan
Scan dependencies for known CVEs
bash
npx @claude-flow/cli security cve --scan
Example:
bash
npx @claude-flow/cli security cve --scan --severity high
Security Audit Report
Generate full security audit report
bash
npx @claude-flow/cli security audit --report
Example:
bash
npx @claude-flow/cli security audit --report --format markdown --output SECURITY.md
Threat Modeling
Run threat modeling analysis
bash
npx @claude-flow/cli security threats --analyze
Validate Secrets
Check for hardcoded secrets
bash
npx @claude-flow/cli security validate --check secrets
Scripts
| Script | Path | Description |
|---|---|---|
security-scan | .agents/scripts/security-scan.sh | Run full security scan pipeline |
cve-remediate | .agents/scripts/cve-remediate.sh | Auto-remediate known CVEs |
References
| Document | Path | Description |
|---|---|---|
Security Checklist | docs/security-checklist.md | Security review checklist |
OWASP Guide | docs/owasp-top10.md | OWASP Top 10 mitigation guide |
Best Practices
- •Check memory for existing patterns before starting
- •Use hierarchical topology for coordination
- •Store successful patterns after completion
- •Document any new learnings