Claude-code-skills ln-621-security-auditor

Checks hardcoded secrets, SQL injection, XSS, insecure deps, input validation. Use when auditing security.

install

source · Clone the upstream repo

git clone https://github.com/levnikolaevich/claude-code-skills

Claude Code · Install into ~/.claude/skills/

T=$(mktemp -d) && git clone --depth=1 https://github.com/levnikolaevich/claude-code-skills "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills-catalog/ln-621-security-auditor" ~/.claude/skills/levnikolaevich-claude-code-skills-ln-621-security-auditor && rm -rf "$T"

manifest: skills-catalog/ln-621-security-auditor/SKILL.md

source content

Paths: File paths (
shared/
,
references/
,
../ln-*
) are relative to skills repo root. If not found at CWD, locate this SKILL.md directory and go up one level for repo root. If
shared/
is missing, fetch files via WebFetch from
https://raw.githubusercontent.com/levnikolaevich/claude-code-skills/master/skills/{path}
.

Security Auditor (L3 Worker)

Type: L3 Worker

Specialized worker auditing security vulnerabilities in codebase.

Purpose & Scope

Audit codebase for security vulnerabilities (Category 1: Critical Priority)
Scan for hardcoded secrets, SQL injection, XSS, insecure dependencies, missing input validation
Return structured findings to coordinator with severity, location, effort, recommendations
Calculate compliance score (X/10) for Security category

Inputs

MANDATORY READ: Load

shared/references/audit_worker_core_contract.md

Receives

contextStore

with:

tech_stack

best_practices

principles

codebase_root

output_dir

Workflow

MANDATORY READ: Load

shared/references/two_layer_detection.md

for detection methodology.

Parse Context: Extract tech stack, best practices, codebase root, output_dir from contextStore
Scan Codebase (Layer 1): Run security checks using Glob/Grep patterns (see Audit Rules below)
Analyze Context (Layer 2): For each candidate, read surrounding code to classify:
- Secrets: test fixture / example / template -> FP. Production code -> confirmed
- SQL injection: ORM parameterization nearby -> FP. Raw string concat with user input -> confirmed
- XSS: framework auto-escapes (React JSX, Go templates) -> FP. Unsafe context (
```
innerHTML
```
  ,
```
| safe
```
  ) -> confirmed
- Deps: vulnerable API not called in project -> downgrade. Exploitable path -> confirmed
- Validation: internal service-to-service endpoint -> downgrade. Public API -> confirmed
Collect Findings: Record confirmed violations with severity, location (file:line), effort estimate (S/M/L), recommendation
Calculate Score: Count violations by severity, calculate compliance score (X/10)
Write Report: Build full markdown report in memory per
```
shared/templates/audit_worker_report_template.md
```
, write to
```
{output_dir}/ln-621--global.md
```
in single Write call
Return Summary: Return minimal summary to coordinator (see Output Format)

Audit Rules (Priority: CRITICAL)

1. Hardcoded Secrets

What: API keys, passwords, tokens, private keys in source code

Detection:

Search patterns:

API_KEY = "..."

password = "..."

token = "..."

SECRET = "..."

File extensions:
```
.ts
```
,
```
.js
```
,
```
.py
```
,
```
.go
```
,
```
.java
```
,
```
.cs
```
Exclude:
```
.env.example
```
,
```
README.md
```
, test files with mock data

Severity:

CRITICAL: Production credentials (AWS keys, database passwords, API tokens)
HIGH: Development/staging credentials
MEDIUM: Test credentials in non-test files

Recommendation: Move to environment variables (.env), use secret management (Vault, AWS Secrets Manager)

Effort: S (replace hardcoded value with

process.env.VAR_NAME

)

2. SQL Injection Patterns

What: String concatenation in SQL queries instead of parameterized queries

Detection:

Patterns:

query = "SELECT * FROM users WHERE id=" + userId

db.execute(f"SELECT * FROM {table}")

`SELECT * FROM ${table}`

Languages: JavaScript, Python, PHP, Java

Severity:

CRITICAL: User input directly concatenated without sanitization
HIGH: Variable concatenation in production code
MEDIUM: Concatenation with internal variables only

Recommendation: Use parameterized queries (prepared statements), ORM query builders

Effort: M (refactor query to use placeholders)

3. XSS Vulnerabilities

What: Unsanitized user input rendered in HTML/templates

Detection:

Patterns:

innerHTML = userInput

dangerouslySetInnerHTML={{__html: data}}

echo $userInput;

Template engines: Check for unescaped output (
```
{{ var | safe }}
```
,
```
<%- var %>
```
)

Severity:

CRITICAL: User input directly inserted into DOM without sanitization
HIGH: User input with partial sanitization (insufficient escaping)
MEDIUM: Internal data with potential XSS if compromised

Recommendation: Use framework escaping (React auto-escapes, use

textContent

), sanitize with DOMPurify

Effort: S-M (replace

innerHTML

with

textContent

or sanitize)

4. Insecure Dependencies

What: Dependencies with known CVEs (Common Vulnerabilities and Exposures)

Detection:

Run

npm audit

(Node.js),

pip-audit

(Python),

cargo audit

(Rust),

dotnet list package --vulnerable

(.NET)

Check for outdated critical dependencies

Severity:

CRITICAL: CVE with exploitable vulnerability in production dependencies
HIGH: CVE in dev dependencies or lower severity production CVEs
MEDIUM: Outdated packages without known CVEs but security risk

Recommendation: Update to patched versions, replace unmaintained packages

Effort: S-M (update package.json, test), L (if breaking changes)

5. Missing Input Validation

What: Missing validation at system boundaries (API endpoints, user forms, file uploads)

Detection:

API routes without validation middleware
Form handlers without input sanitization
File uploads without type/size checks
Missing CORS configuration

Severity:

CRITICAL: File upload without validation, authentication bypass potential
HIGH: Missing validation on sensitive endpoints (payment, auth, user data)
MEDIUM: Missing validation on read-only or internal endpoints

Recommendation: Add validation middleware (Joi, Yup, express-validator), implement input sanitization

Effort: M (add validation schema and middleware)

Scoring Algorithm

MANDATORY READ: Load

shared/references/audit_worker_core_contract.md

and

shared/references/audit_scoring.md

Output Format

MANDATORY READ: Load

shared/references/audit_worker_core_contract.md

and

shared/templates/audit_worker_report_template.md

Write JSON summary per

shared/references/audit_summary_contract.md

. In managed mode the caller passes both

runId

and

summaryArtifactPath

; in standalone mode the worker generates its own run-scoped artifact path per shared contract.

Write report to

{output_dir}/ln-621--global.md

with

category: "Security"

and checks: hardcoded_secrets, sql_injection, xss_vulnerabilities, insecure_dependencies, missing_input_validation.

Return summary per

shared/references/audit_summary_contract.md

Standalone mode still writes the same JSON summary to a worker-owned run-scoped artifact path per shared contract.

Critical Rules

MANDATORY READ: Load

shared/references/audit_worker_core_contract.md

Do not auto-fix: Report violations only; coordinator creates task for user to fix
Tech stack aware: Use contextStore to apply framework-specific patterns (e.g., React XSS vs PHP XSS)
False positive reduction: Exclude test files, example configs, documentation
Effort realism: S = <1 hour, M = 1-4 hours, L = >4 hours
Location precision: Always include
```
file:line
```
for programmatic navigation

Definition of Done

MANDATORY READ: Load

shared/references/audit_worker_core_contract.md

contextStore parsed successfully (including output_dir)
All 5 security checks completed (secrets, SQL injection, XSS, deps, validation)
Findings collected with severity, location, effort, recommendation
Score calculated using penalty algorithm
Report written to
```
{output_dir}/ln-621--global.md
```
(atomic single Write call)
Summary written per contract

Reference Files

Audit output schema:

shared/references/audit_output_schema.md

Security audit rules: references/security_rules.md

Version: 3.0.0 Last Updated: 2025-12-23