Skill: Security Auditor
The Security Auditor skill runs Claude through a focused OWASP Top 10 checklist before it writes anything else. It's not a general code review — it's a targeted pass that looks for the specific classes of bugs that lead to breaches: injection, broken auth, data exposure, XSS, and vulnerable dependencies.
What This Skill Does
The skill forces Claude to check five categories, in order, every time you trigger it:
- Injection — SQL injection, command injection, code injection, and template injection. It looks for string concatenation in queries,
eval()on user input, andchild_process.execwith unescaped arguments. - Auth — broken authentication and session management. Missing rate limits on login, predictable session tokens, passwords stored in plain text, JWTs with
alg: none. - Data Exposure — sensitive data in logs, error messages, or hardcoded in source. API keys committed to repos, PII written to log files, stack traces returned to clients.
- XSS — unsanitized user input rendered to the DOM.
dangerouslySetInnerHTMLin React, unescaped template interpolation in server-rendered pages, missing CSP headers. - Dependencies — known vulnerable libraries. Claude flags outdated packages and suggests pinned, patched versions.
The output is a list of findings, each with a line number, a severity rating (Critical / High / Medium / Low), and a remediation snippet you can paste directly.
How to Install
- Create the skills directory:
mkdir -p .claude/skills/security-auditor - Save the template below as
.claude/skills/security-auditor/SKILL.md. - Trigger it with a prompt like: "Audit
src/api/routes.tsusing the security-auditor skill."
SKILL.md Template
# Security Auditor Skill
## Triggers
- "Audit security"
- "Check for vulnerabilities"
## Checklist (OWASP Top 10)
1. **Injection:** SQL, Command, Code injection.
2. **Auth:** Broken authentication or session management.
3. **Data Exposure:** Sensitive data in logs or code.
4. **XSS:** Unsanitized inputs.
5. **Dependencies:** Known vulnerable libraries.
## Output
- List every potential vulnerability with line numbers.
- Rate severity: Critical, High, Medium, Low.
- Provide a remediation snippet.
Real-World Usage Example
Prompt:
Audit this file using the security-auditor skill.
app.post('/login', (req, res) => { const { username, password } = req.body; const q = `SELECT * FROM users WHERE username='${username}' AND password='${password}'`; db.query(q, (err, rows) => { if (rows.length > 0) { res.cookie('session', username, { httpOnly: false }); console.log(`User ${username} logged in with ${password}`); res.json({ token: username }); } else { res.json({ error: err ? err.message : 'Login failed' }); } }); });
Expected output:
Critical
- SQL Injection (line 3):
usernameandpasswordare concatenated directly into the query. An attacker can bypass login with' OR '1'='1. Use parameterized queries.const q = 'SELECT * FROM users WHERE username = ? AND password = ?'; db.query(q, [username, password], (err, rows) => { ... });- Plaintext password storage (line 3): Comparing raw passwords means they're stored in plaintext. Use bcrypt or argon2 to hash and compare.
const match = await bcrypt.compare(password, rows[0].password_hash);High 3. Credentials in logs (line 7):
console.logwrites the password to your log aggregator. Remove it entirely or log only a redacted event. 4. Insecure cookie (line 6):httpOnly: falselets JavaScript read the session cookie, enabling XSS-based session theft. SethttpOnly: true,secure: true,sameSite: 'strict'. 5. Predictable token (line 8): The "token" is just the username. Anyone who guesses a username can impersonate them. Use a cryptographically random session ID or a signed JWT.Medium 6. Error leakage (line 10): Returning
err.messageto the client exposes database internals. Return a generic message; log the full error server-side.
Customization Tips
- Add framework-specific checks. If you use Express, add "Check for missing helmet middleware and missing CORS restrictions." For Django, add "Check for
DEBUG = Truein production settings." - Pin your dependency scanner. Add "Run
npm audit/pip-auditand include the output in the report." Claude will remind you to actually run the tool rather than guessing. - Add a secrets-scanning step. Append "Flag any string that looks like an API key, AWS key, or private key pattern." Claude will catch hardcoded credentials that shouldn't be in source.
- Scope it to a compliance framework. If you need HIPAA or PCI compliance, add the relevant controls to the checklist so Claude maps findings to specific requirements.
Combining With Other Skills
- code-reviewer — Run security-auditor first for the vulnerability pass, then code-reviewer for quality, performance, and readability. They cover different ground and don't duplicate effort.
- technical-writer — After an audit, use technical-writer to turn the findings list into a security report for stakeholders, with an executive summary and remediation timeline.
- ux-designer — When auditing auth flows, hand the login UI to ux-designer to fix accessibility and the security-auditor to fix the backend — same flow, two perspectives.
Common Mistakes to Avoid
- Auditing after deploy. The skill is cheap to run; run it before merge, not after a pentest finds the same issues.
- Ignoring Low severity findings. Low-severity issues compound. Five Low findings in the same file often add up to one High.
- Patching without re-auditing. A fix can introduce a new vulnerability (e.g., switching to parameterized queries but adding a new unsanitized path). Re-run the audit after remediation.
- Relying on the skill alone. Claude catches patterns, not zero-days. Pair it with a real dependency scanner (
npm audit,snyk) and periodic manual pentests. The skill is a first line, not the only one.