Marketplace security-audit

Review security of command execution, tool permissions, and API key handling. Use when user mentions "security review", "audit", "check security", "vulnerabilities", or before deploying to production.

install

source · Clone the upstream repo

git clone https://github.com/aiskillstore/marketplace

Claude Code · Install into ~/.claude/skills/

T=$(mktemp -d) && git clone --depth=1 https://github.com/aiskillstore/marketplace "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/applelamps/security-audit" ~/.claude/skills/aiskillstore-marketplace-security-audit-30f5f8 && rm -rf "$T"

manifest: skills/applelamps/security-audit/SKILL.md

Security Audit

Instructions

Command Execution Review (
```
backend/main.py
```
):
- Check
```
run_terminal_command()
```
  for shell injection vulnerabilities
- Verify timeout is enforced (should be 15 seconds)
- Look for dangerous command patterns
Tool Permission Review:
- Verify Chat mode only allows:
```
read_file
```
  ,
```
web_search
```
- Check Agent mode tool restrictions
- Look for permission bypass vulnerabilities
Secrets Management:
- Ensure
```
.env
```
  is in
```
.gitignore
```
- Check no API keys are hardcoded
- Verify
```
python-dotenv
```
  usage for environment variables
WebSocket Security:
- Check for authentication on
```
/ws
```
  endpoint
- Review message validation
- Look for injection points in user input
Frontend Security:
- Check for XSS in markdown rendering
- Review image upload handling (base64 encoding)
- Verify no sensitive data in client-side code
Generate report with:
- Critical issues (immediate action required)
- Warnings (should fix before production)
- Recommendations (best practices)

Examples

"Run a security audit"
"Check for vulnerabilities"
"Review security before deploy"

Guardrails

This is a READ-ONLY audit; do not modify files
Report findings without exploiting vulnerabilities
Recommend fixes but get user approval before implementing
Never log or expose discovered secrets