Skill: Security Auditor

The Security Auditor skill runs Claude through a focused OWASP Top 10 checklist before it writes anything else. It's not a general code review — it's a targeted pass that looks for the specific classes of bugs that lead to breaches: injection, broken auth, data exposure, XSS, and vulnerable dependencies.

What This Skill Does

The skill forces Claude to check five categories, in order, every time you trigger it:

  1. Injection — SQL injection, command injection, code injection, and template injection. It looks for string concatenation in queries, eval() on user input, and child_process.exec with unescaped arguments.
  2. Auth — broken authentication and session management. Missing rate limits on login, predictable session tokens, passwords stored in plain text, JWTs with alg: none.
  3. Data Exposure — sensitive data in logs, error messages, or hardcoded in source. API keys committed to repos, PII written to log files, stack traces returned to clients.
  4. XSS — unsanitized user input rendered to the DOM. dangerouslySetInnerHTML in React, unescaped template interpolation in server-rendered pages, missing CSP headers.
  5. Dependencies — known vulnerable libraries. Claude flags outdated packages and suggests pinned, patched versions.

The output is a list of findings, each with a line number, a severity rating (Critical / High / Medium / Low), and a remediation snippet you can paste directly.

How to Install

  1. Create the skills directory:
    mkdir -p .claude/skills/security-auditor
    
  2. Save the template below as .claude/skills/security-auditor/SKILL.md.
  3. Trigger it with a prompt like: "Audit src/api/routes.ts using the security-auditor skill."

SKILL.md Template

# Security Auditor Skill

## Triggers
- "Audit security"
- "Check for vulnerabilities"

## Checklist (OWASP Top 10)
1.  **Injection:** SQL, Command, Code injection.
2.  **Auth:** Broken authentication or session management.
3.  **Data Exposure:** Sensitive data in logs or code.
4.  **XSS:** Unsanitized inputs.
5.  **Dependencies:** Known vulnerable libraries.

## Output
- List every potential vulnerability with line numbers.
- Rate severity: Critical, High, Medium, Low.
- Provide a remediation snippet.

Real-World Usage Example

Prompt:

Audit this file using the security-auditor skill.

app.post('/login', (req, res) => {
  const { username, password } = req.body;
  const q = `SELECT * FROM users WHERE username='${username}' AND password='${password}'`;
  db.query(q, (err, rows) => {
    if (rows.length > 0) {
      res.cookie('session', username, { httpOnly: false });
      console.log(`User ${username} logged in with ${password}`);
      res.json({ token: username });
    } else {
      res.json({ error: err ? err.message : 'Login failed' });
    }
  });
});

Expected output:

Critical

  1. SQL Injection (line 3): username and password are concatenated directly into the query. An attacker can bypass login with ' OR '1'='1. Use parameterized queries.
    const q = 'SELECT * FROM users WHERE username = ? AND password = ?';
    db.query(q, [username, password], (err, rows) => { ... });
    
  2. Plaintext password storage (line 3): Comparing raw passwords means they're stored in plaintext. Use bcrypt or argon2 to hash and compare.
    const match = await bcrypt.compare(password, rows[0].password_hash);
    

High 3. Credentials in logs (line 7): console.log writes the password to your log aggregator. Remove it entirely or log only a redacted event. 4. Insecure cookie (line 6): httpOnly: false lets JavaScript read the session cookie, enabling XSS-based session theft. Set httpOnly: true, secure: true, sameSite: 'strict'. 5. Predictable token (line 8): The "token" is just the username. Anyone who guesses a username can impersonate them. Use a cryptographically random session ID or a signed JWT.

Medium 6. Error leakage (line 10): Returning err.message to the client exposes database internals. Return a generic message; log the full error server-side.

Customization Tips

  • Add framework-specific checks. If you use Express, add "Check for missing helmet middleware and missing CORS restrictions." For Django, add "Check for DEBUG = True in production settings."
  • Pin your dependency scanner. Add "Run npm audit / pip-audit and include the output in the report." Claude will remind you to actually run the tool rather than guessing.
  • Add a secrets-scanning step. Append "Flag any string that looks like an API key, AWS key, or private key pattern." Claude will catch hardcoded credentials that shouldn't be in source.
  • Scope it to a compliance framework. If you need HIPAA or PCI compliance, add the relevant controls to the checklist so Claude maps findings to specific requirements.

Combining With Other Skills

  • code-reviewer — Run security-auditor first for the vulnerability pass, then code-reviewer for quality, performance, and readability. They cover different ground and don't duplicate effort.
  • technical-writer — After an audit, use technical-writer to turn the findings list into a security report for stakeholders, with an executive summary and remediation timeline.
  • ux-designer — When auditing auth flows, hand the login UI to ux-designer to fix accessibility and the security-auditor to fix the backend — same flow, two perspectives.

Common Mistakes to Avoid

  • Auditing after deploy. The skill is cheap to run; run it before merge, not after a pentest finds the same issues.
  • Ignoring Low severity findings. Low-severity issues compound. Five Low findings in the same file often add up to one High.
  • Patching without re-auditing. A fix can introduce a new vulnerability (e.g., switching to parameterized queries but adding a new unsanitized path). Re-run the audit after remediation.
  • Relying on the skill alone. Claude catches patterns, not zero-days. Pair it with a real dependency scanner (npm audit, snyk) and periodic manual pentests. The skill is a first line, not the only one.