OpenSkillIndex← back to search
claude-code

Marketplace security-audit

Detect common security vulnerabilities in code. Covers OWASP patterns, SQL injection, bare excepts, shell injection. Framework-agnostic.

install
source · Clone the upstream repo
git clone https://github.com/aiskillstore/marketplace
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/aiskillstore/marketplace "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/consiliency/security-audit" ~/.claude/skills/aiskillstore-marketplace-security-audit-4858d1 && rm -rf "$T"
manifest: skills/consiliency/security-audit/SKILL.md
source content

Security Audit Skill

Detect common security vulnerabilities during code review and development. Based on OWASP guidelines and common vulnerability patterns.

Design Principle

This skill is framework-generic. It provides universal security patterns:

  • Covers OWASP Top 10 and common CWEs
  • Works with Python, TypeScript, and other languages
  • Project-specific security requirements go in project-specific skills

Variables

VariableDefaultDescription
SEVERITY_THRESHOLDmediumMinimum severity to report
SCAN_DEPTH3Directory depth for scanning
INCLUDE_TESTSfalseInclude test files in scan

Instructions

MANDATORY - Follow the Workflow steps below in order.

  1. Identify security-sensitive code areas
  2. Check for common vulnerability patterns
  3. Report findings with severity
  4. Suggest remediation

Red Flags - STOP and Reconsider

If you're about to:

  • Write SQL with string concatenation
  • Use bare 
    except:
    blocks
  • Execute shell commands with user input
  • Store secrets in code
  • Disable security features "temporarily"

STOP -> Use parameterized queries -> Add specific exception handling -> Then proceed

Cookbook

SQL Injection Prevention

  • IF: Writing database queries
  • THEN: Read and execute 
    ./cookbook/sql-injection.md

Bare Except Handling

  • IF: Writing exception handlers
  • THEN: Read and execute 
    ./cookbook/bare-except.md

Shell Injection Prevention

  • IF: Executing shell commands
  • THEN: Read and execute 
    ./cookbook/shell-injection.md

Vulnerability Patterns

SQL Injection (CWE-89)

BAD - String concatenation:

# VULNERABLE
query = f"SELECT * FROM users WHERE id = {user_id}"
cursor.execute(query)

query = "SELECT * FROM users WHERE name = '" + name + "'"

GOOD - Parameterized queries:

# SAFE
cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))

# SQLAlchemy
session.query(User).filter(User.id == user_id).first()

# Prisma
await prisma.user.findUnique({ where: { id: userId } })

Bare Except (CWE-754)

BAD - Catches everything:

# VULNERABLE - hides bugs, catches KeyboardInterrupt
try:
    risky_operation()
except:
    pass

# VULNERABLE - too broad
except Exception:
    log.error("Something failed")

GOOD - Specific exceptions:

# SAFE - specific exceptions
try:
    risky_operation()
except ValueError as e:
    log.warning(f"Invalid value: {e}")
except ConnectionError as e:
    log.error(f"Connection failed: {e}")
    raise

Shell Injection (CWE-78)

BAD - User input in shell:

# VULNERABLE
os.system(f"grep {user_input} /var/log/app.log")

import subprocess
subprocess.run(f"ls {directory}", shell=True)

GOOD - Avoid shell, use lists:

# SAFE - no shell
subprocess.run(["grep", user_input, "/var/log/app.log"])

# SAFE - validated input
if not re.match(r'^[a-zA-Z0-9_-]+$', directory):
    raise ValueError("Invalid directory name")
subprocess.run(["ls", directory])

Path Traversal (CWE-22)

BAD - User input in paths:

# VULNERABLE
path = f"/uploads/{user_filename}"
with open(path) as f:
    return f.read()

GOOD - Validate and sanitize:

# SAFE
from pathlib import Path

upload_dir = Path("/uploads").resolve()
requested = (upload_dir / user_filename).resolve()

if not requested.is_relative_to(upload_dir):
    raise ValueError("Path traversal attempt")

with open(requested) as f:
    return f.read()

Hardcoded Secrets (CWE-798)

BAD - Secrets in code:

# VULNERABLE
API_KEY = "sk-1234567890abcdef"
DB_PASSWORD = "super_secret_password"

GOOD - Environment variables:

# SAFE
import os

API_KEY = os.environ["API_KEY"]
DB_PASSWORD = os.environ["DB_PASSWORD"]

# Or with defaults for development
API_KEY = os.getenv("API_KEY", "dev-key-only")

XSS (CWE-79)

BAD - Unsanitized output:

<!-- VULNERABLE -->
<div>{{ user_input }}</div>

GOOD - Proper escaping:

<!-- SAFE - auto-escaped in most frameworks -->
<div>{{ user_input | e }}</div>

<!-- Or use textContent in JS -->
element.textContent = userInput;  // Safe

Severity Levels

SeverityImpactExamples
CRITICALData breach, RCESQL injection, shell injection
HIGHData exposure, privilege escalationPath traversal, hardcoded secrets
MEDIUMInformation disclosureVerbose errors, bare excepts
LOWBest practice violationMissing input validation

Detection Patterns

Python Patterns to Search

VULNERABLE_PATTERNS = {
    "sql_injection": [
        r'execute\([\'"].*%s.*[\'"].*%',  # % formatting in SQL
        r'execute\(f[\'"]',                 # f-string in SQL
        r'execute\([\'"].*\+',              # String concat in SQL
    ],
    "shell_injection": [
        r'os\.system\(',                    # os.system
        r'subprocess\..*shell=True',        # shell=True
        r'eval\(',                          # eval
        r'exec\(',                          # exec
    ],
    "bare_except": [
        r'except\s*:',                      # bare except
    ],
    "hardcoded_secrets": [
        r'password\s*=\s*[\'"]',            # password = "..."
        r'api_key\s*=\s*[\'"]',             # api_key = "..."
        r'secret\s*=\s*[\'"]',              # secret = "..."
    ],
}

TypeScript Patterns to Search

const VULNERABLE_PATTERNS = {
  sqlInjection: [
    /`SELECT.*\$\{/,        // Template literal in SQL
    /"SELECT.*" \+ /,       // String concat in SQL
  ],
  xss: [
    /innerHTML\s*=/,        // innerHTML assignment
    /dangerouslySetInnerHTML/, // React dangerous prop
  ],
  shellInjection: [
    /exec\([`'"]/,          // child_process.exec
    /spawn\(.*shell:\s*true/, // shell: true
  ],
};

Audit Workflow

Step 1: Identify Sensitive Areas

Check these high-risk areas first:
- Authentication/authorization code
- Database queries
- File operations
- External API calls
- User input handling
- Serialization/deserialization

Step 2: Run Pattern Scan

For each source file:
  Match against vulnerability patterns
  Record file, line, pattern matched
  Assess severity

Step 3: Generate Report

# Security Audit Report

## Summary
- CRITICAL: 2
- HIGH: 5
- MEDIUM: 12

## Critical Issues

### 1. SQL Injection in user_service.py:45
Pattern: f-string in execute()
```python
cursor.execute(f"SELECT * FROM users WHERE id = {user_id}")

Fix: Use parameterized query

cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))


## Integration

### With /ai-dev-kit:execute-lane

Run security audit in code-related lanes:

```markdown
Lane: SL-API

Post-implementation checks:
1. ✓ Tests pass
2. ✓ Lint clean
3. ⚠️ Security audit: 2 MEDIUM issues

Review security findings before merge.

CI Integration

- name: Security Audit
  run: |
    # Check for vulnerable patterns
    grep -rn "execute(f" --include="*.py" && exit 1 || true
    grep -rn "shell=True" --include="*.py" && exit 1 || true
    grep -rn "except:" --include="*.py" && echo "Warning: bare except found"

Best Practices

  1. Defense in depth: Multiple layers of security
  2. Least privilege: Minimum permissions needed
  3. Input validation: Validate all external input
  4. Output encoding: Escape output appropriately
  5. Secrets management: Never hardcode secrets
  6. Error handling: Don't expose internal details
  7. Logging: Log security events (not sensitive data)
  8. Updates: Keep dependencies updated