/security-audit
Source: ~/.claude/skills/security-audit/SKILL.md
name: security-audit version: 2.0 description: > Run comprehensive security audit following OWASP and ALAI LAWS. Use for: "security review", "audit this code", "check for vulnerabilities", "OWASP check", "before deploying", "security scan", "/security-audit". level: 3 company: Securion
/security-audit — Security Review
Purpose
Systematic security review covering OWASP Top 10, ALAI internal LAWS, and code-specific vulnerabilities.
Variables
| Variable | Type | Description | Default |
|---|---|---|---|
target |
path/scope | File, directory, or "full system" | current project |
depth |
string | quick | standard | deep | standard |
focus |
string | owasp | laws | auth | api | all | all |
Workflow
Step 1: Scope
- Read $ARGUMENTS to determine target and depth
- if no target → audit current working directory
- if depth=quick → run only LAWS + auth checks
- if depth=deep → run all + tob-* skill checks
Step 2: ALAI LAWS Compliance
Check each LAW:
- ZAKON 0 (Tajnost): No secrets in code, no internal URLs exposed, no employee data hardcoded
- ZAKON 1 (Ne škodi): No destructive ops without confirm, backups exist for critical data
- ZAKON 2 (Slušaj): Auth on all endpoints, RBAC, admin routes protected
- ZAKON 3 (Čuvaj sebe): Error handling, graceful degradation, no crash on bad input
Step 3: OWASP Top 10 Check
For each category, scan target:
- Injection (SQL, NoSQL, command injection)
- Broken Authentication (weak JWT, no rate limit, session issues)
- Sensitive Data Exposure (logs, responses, hardcoded secrets)
- Security Misconfiguration (CORS, headers, default credentials)
- XSS (reflected, stored, DOM-based)
- Broken Access Control (IDOR, privilege escalation)
- Vulnerable Dependencies (
npm auditor equivalent) - Insecure Deserialization
- Logging & Monitoring gaps
- SSRF
Step 4: Run Available Tools
- if tob-static-analysis available → run on target
- if tob-insecure-defaults available → check configs
- if tob-sharp-edges available → check dangerous patterns
npm audit --audit-level=highif package.json exists
Step 5: Report
- if CRITICAL found → flag for immediate fix, offer to create MC task
- if HIGH found → list with recommended fixes
- if depth=deep → include code snippets for each finding
Report Format
SECURITY AUDIT REPORT
Target: [scope]
Depth: [quick|standard|deep]
Date: [timestamp]
CRITICAL (block deployment):
[C1] [finding] — [file:line] — [fix]
HIGH (fix before next release):
[H1] [finding] — [fix]
MEDIUM:
[M1] [finding]
LAWS: [PASS|FAIL — list failures]
OWASP: [X/10 categories clean]
Tools run: [list]
$ARGUMENTS
No comments to display
No comments to display