Security Auditor
ln-621-security-auditor
by levnikolaevich
Audits a codebase for security issues: scans for hardcoded secrets, SQL injection, XSS, insecure dependencies and missing validation, and returns structured findings with severity, location, fix recommendations and a compliance score.
Install
claude skill add --url github.com/levnikolaevich/claude-code-skills/tree/master/ln-621-security-auditor
Docs
Paths: File paths (shared/, references/, ../ln-*) are relative to the skills repo root. If not found at CWD, locate this SKILL.md directory and go up one level for the repo root.
Security Auditor (L3 Worker)
Specialized worker that audits a codebase for security vulnerabilities.
Purpose & Scope
- Worker in ln-620 coordinator pipeline - invoked by ln-620-codebase-auditor
- Audit codebase for security vulnerabilities (Category 1: Critical Priority)
- Scan for hardcoded secrets, SQL injection, XSS, insecure dependencies, missing input validation
- Return structured findings to coordinator with severity, location, effort, recommendations
- Calculate compliance score (X/10) for Security category
Inputs (from Coordinator)
MANDATORY READ: Load shared/references/task_delegation_pattern.md#audit-coordinator--worker-contract for contextStore structure.
Receives contextStore with: tech_stack, best_practices, principles, codebase_root, output_dir.
Workflow
MANDATORY READ: Load shared/references/two_layer_detection.md for detection methodology.
- Parse Context: Extract tech stack, best practices, codebase root, output_dir from contextStore
- Scan Codebase (Layer 1): Run security checks using Glob/Grep patterns (see Audit Rules below)
- Analyze Context (Layer 2): For each candidate, read surrounding code to classify:
- Secrets: test fixture / example / template → FP. Production code → confirmed
- SQL injection: ORM parameterization nearby → FP. Raw string concat with user input → confirmed
- XSS: framework auto-escapes (React JSX, Go templates) → FP. Unsafe context (innerHTML, | safe) → confirmed
- Deps: vulnerable API not called in project → downgrade. Exploitable path → confirmed
- Validation: internal service-to-service endpoint → downgrade. Public API → confirmed
- Collect Findings: Record confirmed violations with severity, location (file:line), effort estimate (S/M/L), recommendation
- Calculate Score: Count violations by severity, calculate compliance score (X/10)
- Write Report: Build full markdown report in memory per shared/templates/audit_worker_report_template.md, write to {output_dir}/621-security.md in a single Write call
- Return Summary: Return minimal summary to coordinator (see Output Format)
Audit Rules (Priority: CRITICAL)
1. Hardcoded Secrets
What: API keys, passwords, tokens, private keys in source code
Detection:
- Search patterns: API_KEY = "...", password = "...", token = "...", SECRET = "..."
- File extensions: .ts, .js, .py, .go, .java, .cs
- Exclude: .env.example, README.md, test files with mock data
Severity:
- CRITICAL: Production credentials (AWS keys, database passwords, API tokens)
- HIGH: Development/staging credentials
- MEDIUM: Test credentials in non-test files
Recommendation: Move to environment variables (.env) or a secret manager (Vault, AWS Secrets Manager). A secret that was committed is compromised regardless of where it lives afterwards: rotate it and purge it from version-control history, not just from the working tree.
Effort: S (replace hardcoded value with process.env.VAR_NAME)
2. SQL Injection Patterns
What: String concatenation in SQL queries instead of parameterized queries
Detection:
- Patterns: query = "SELECT * FROM users WHERE id=" + userId, db.execute(f"SELECT * FROM {table}"), `SELECT * FROM ${table}`
- Languages: JavaScript, Python, PHP, Java
Severity:
- CRITICAL: User input directly concatenated without sanitization
- HIGH: Variable concatenation in production code
- MEDIUM: Concatenation with internal variables only
Recommendation: Use parameterized queries (prepared statements) or ORM query builders. Identifiers such as table and column names cannot be bound as parameters, so a pattern like f"SELECT * FROM {table}" needs an allowlist of permitted names rather than a placeholder.
Effort: M (refactor query to use placeholders)
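The concatenation pattern rule 2 flags, beside its parameterized replacement and an allowlisted identifier, as an added example that is not the ln-621 skill's own code. It runs against an in-memory SQLite database with constructed rows so the difference in behaviour is observable; the `users` table and the `ALLOWED_TABLES` allowlist are this example's assumptions.

```python
"""Added example, not the ln-621 skill's own code: rule 2's CRITICAL pattern
next to the hardened form, on constructed data in an in-memory SQLite DB."""
import sqlite3

ALLOWED_TABLES = {"users"}   # identifiers that may appear in generated SQL (assumed)


def make_db() -> sqlite3.Connection:
    """Constructed sample: two users; a lookup by id should return at most one row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, user_id: str) -> list:
    """Rule 2 CRITICAL pattern: request input concatenated into the statement.
    Deliberately left vulnerable: user_id="1 OR 1=1" returns every row."""
    query = "SELECT id, name FROM users WHERE id=" + user_id
    return conn.execute(query).fetchall()


def find_user_parameterized(conn: sqlite3.Connection, user_id: str) -> list:
    """Hardened form: the value is bound as a parameter, so SQLite never parses it
    as SQL; "1 OR 1=1" is compared as a string and matches nothing."""
    return conn.execute("SELECT id, name FROM users WHERE id=?", (user_id,)).fetchall()


def count_rows(conn: sqlite3.Connection, table: str) -> int:
    """Identifiers cannot be bound as parameters, so the f-string form the audit
    pattern matches is only acceptable behind an allowlist check."""
    if table not in ALLOWED_TABLES:
        raise ValueError(f"table not allowed: {table!r}")
    return conn.execute(f"SELECT COUNT(*) FROM {table}").fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable  :", find_user_vulnerable(db, "1 OR 1=1"))
    print("parameterized:", find_user_parameterized(db, "1 OR 1=1"))
```

The auditor's Layer 2 distinction maps directly onto these three functions: the first is a confirmed CRITICAL finding (request input spliced in), the second is the parameterized form that should be treated as a false positive, and the third is the identifier case where the fix is an allowlist, not a placeholder.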
3. XSS Vulnerabilities
What: Unsanitized user input rendered in HTML/templates
Detection:
- Patterns: innerHTML = userInput, dangerouslySetInnerHTML={{__html: data}}, echo $userInput;
- Template engines: Check for unescaped output ({{ var | safe }}, <%- var %>)
Severity:
- CRITICAL: User input directly inserted into DOM without sanitization
- HIGH: User input with partial sanitization (insufficient escaping)
- MEDIUM: Internal data with potential XSS if compromised
Recommendation: Rely on framework escaping (React escapes JSX expressions; use textContent instead of innerHTML) and, where HTML must be rendered, sanitize with DOMPurify. | safe, <%- %> and dangerouslySetInnerHTML all switch escaping off, so every value reaching them must already be trusted or sanitized.
Effort: S-M (replace innerHTML with textContent or sanitize)
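An added example, not part of the ln-621 skill or its reference files, of the two-layer detection the Workflow describes applied to rules 1 to 3: Layer 1 greps candidate lines with constructed patterns for secrets, SQL concatenation and XSS sinks; Layer 2 reads the path and the line to reject test fixtures, placeholder values, constant markup and sanitized sinks, and assigns severity the way the rules above do. The regexes, the path heuristics and the sample tree are this example's own assumptions, not the contents of references/security_rules.md.

```python
"""Added example, not part of the ln-621 skill or its reference files: a
two-layer scanner in the shape the Workflow describes. All regexes and
heuristics here are this example's own, not security_rules.md."""
import re
from dataclasses import dataclass

# Layer 1 patterns (constructed for this example).
SECRET = re.compile(r"\b\w*(?:api_key|password|token|secret)\w*\s*[=:]\s*['\"]([^'\"]{8,})['\"]", re.I)
SQL_KEYWORD = re.compile(r"\b(?:SELECT|INSERT|UPDATE|DELETE)\b", re.I)
SQL_INTERPOLATION = re.compile(r"\"\s*\+\s*\w|\$\{|\bf[\"']|\.format\(")  # concat, ${}, f"", .format(
XSS_SINK = re.compile(r"innerHTML\s*=\s*(.+)|dangerouslySetInnerHTML|\|\s*safe\s*\}\}|<%-")

# Layer 2 heuristics (constructed).
TEST_PATH = re.compile(r"(?:^|/)(?:tests?|fixtures?|examples?|mocks?|__tests__)/|\.example$|[._](?:test|spec)\.")
PLACEHOLDER = re.compile(r"changeme|example|your[-_]|xxx+|<[^>]*>|\$\{", re.I)
INTERPOLATED = re.compile(r"\+\s*(\w+)|\$?\{([^}]+)\}")            # names spliced into the SQL string
USER_INPUT = re.compile(r"\b(?:req|request|user|input|param|query|body|form)\w*", re.I)
EFFORT = {"hardcoded_secrets": "S", "sql_injection": "M", "xss_vulnerabilities": "S-M"}


@dataclass
class Finding:
    check: str
    severity: str   # CRITICAL or HIGH once confirmed; "FP" when Layer 2 rejects the candidate
    location: str   # file:line, as the Critical Rules require
    effort: str
    snippet: str


def layer1(path: str, text: str):
    """Yield (check, line_no, line) for every raw pattern hit in one file."""
    for n, line in enumerate(text.splitlines(), 1):
        if SECRET.search(line):
            yield "hardcoded_secrets", n, line
        if SQL_KEYWORD.search(line) and SQL_INTERPOLATION.search(line):
            yield "sql_injection", n, line
        if XSS_SINK.search(line):
            yield "xss_vulnerabilities", n, line


def layer2(check: str, path: str, line: str) -> str:
    """Classify one candidate: CRITICAL/HIGH, or "FP" when context rules it out.
    Parameterized statements never get here: Layer 1 fires only on splicing."""
    if TEST_PATH.search(path):
        return "FP"                                  # fixture, example or template file
    if check == "hardcoded_secrets":
        if PLACEHOLDER.search(SECRET.search(line).group(1)):
            return "FP"                              # template placeholder, not a credential
        return "HIGH" if re.search(r"dev|staging", line, re.I) else "CRITICAL"
    if check == "sql_injection":
        spliced = [g for m in INTERPOLATED.finditer(line) for g in m.groups() if g]
        return "CRITICAL" if any(USER_INPUT.search(s) for s in spliced) else "HIGH"
    m = re.search(r"innerHTML\s*=\s*(.+)", line)
    if m and re.fullmatch(r"\s*['\"][^'\"]*['\"];?\s*", m.group(1)):
        return "FP"                                  # constant markup, nothing flows into the sink
    if "DOMPurify.sanitize(" in line:
        return "FP"                                  # sanitized before insertion
    return "CRITICAL"


def scan(files: dict):
    """files: {path: text}. Returns (confirmed findings, rejected candidates)."""
    confirmed, rejected = [], []
    for path, text in files.items():
        for check, n, line in layer1(path, text):
            sev = layer2(check, path, line)
            f = Finding(check, sev, f"{path}:{n}", EFFORT[check], line.strip())
            (rejected if sev == "FP" else confirmed).append(f)
    return confirmed, rejected


def summarize(findings: list) -> dict:
    """Counts by severity, the shape of the coordinator summary line."""
    counts = {"CRITICAL": 0, "HIGH": 0, "MEDIUM": 0, "LOW": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Constructed sample tree; no file, value or credential here is real.
SAMPLE_FILES = {
    "src/config.py": 'DB_PASSWORD = "pr0d-s3cret-value-1"\nSTAGING_TOKEN = "stg-0123456789abcdef"\n',
    "tests/conftest.py": 'API_KEY = "test-key-0000000000"\n',
    ".env.example": 'SECRET = "changeme-changeme"\n',
    "src/repo.js": 'const q = "SELECT * FROM users WHERE id=" + req.params.id;\n',
    "src/admin.py": 'rows = db.execute(f"SELECT * FROM {table}")\n',
    "src/safe.py": 'cur.execute("SELECT * FROM users WHERE id=?", (uid,))\n',
    "src/view.js": 'el.innerHTML = userInput;\nbanner.innerHTML = "<b>Welcome</b>";\n'
                   'box.innerHTML = DOMPurify.sanitize(html);\n',
    "templates/page.html": "{{ comment | safe }}\n",
}

if __name__ == "__main__":
    ok, fp = scan(SAMPLE_FILES)
    c = summarize(ok)
    print(f"Issues: {len(ok)} (C:{c['CRITICAL']} H:{c['HIGH']} M:{c['MEDIUM']} L:{c['LOW']}) | FP: {len(fp)}")
```

On the sample tree this confirms six findings (four CRITICAL, two HIGH) and rejects four candidates: the two secrets in test and example files, the constant-markup innerHTML assignment and the DOMPurify-sanitized one. The parameterized query in src/safe.py is never a candidate, which is the cheapest place to suppress a false positive.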
4. Insecure Dependencies
What: Dependencies with known CVEs (Common Vulnerabilities and Exposures)
Detection:
- Run npm audit (Node.js), pip-audit (Python), cargo audit (Rust), dotnet list package --vulnerable (.NET)
- Check for outdated critical dependencies
Severity:
- CRITICAL: CVE with exploitable vulnerability in production dependencies
- HIGH: CVE in dev dependencies or lower severity production CVEs
- MEDIUM: Outdated packages without known CVEs but security risk
Recommendation: Update to patched versions, replace unmaintained packages
Effort: S-M (update package.json, test), L (if breaking changes)
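An added example, not the ln-621 skill's own code, of turning a pip-audit JSON report into findings with the severity, effort and file:line fields rule 4 and the Critical Rules call for. The report and the requirements files are constructed; the package names and advisory IDs are placeholders, not real advisories. The JSON shape used ("dependencies" entries with "name", "version" and "vulns" carrying "id", "fix_versions" and "aliases") is this example's reading of `pip-audit -f json` output, and the dev/prod split by requirements file name is an assumed project layout.

```python
"""Added example, not the ln-621 skill's own code: map `pip-audit -f json`
output onto rule 4's severity and effort scale. Constructed data throughout;
the JSON shape is an assumption about pip-audit's format."""
import json
import re


def version_key(v: str) -> tuple:
    """Numeric tuple for ordering versions such as 2.2.5 (pre-release tags ignored)."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def locate(requirement_files: dict, package: str):
    """Find the pin for `package` across requirements files; (path, line_no) or None."""
    for path, text in requirement_files.items():
        for n, line in enumerate(text.splitlines(), 1):
            if re.match(rf"\s*{re.escape(package)}\s*[=<>~!]", line, re.I):
                return path, n
    return None


def classify(report: dict, requirement_files: dict) -> list:
    """One finding per advisory with the fields the worker report needs."""
    findings = []
    for dep in report["dependencies"]:
        name, current = dep["name"], dep["version"]
        for vuln in dep.get("vulns", []):
            where = locate(requirement_files, name)
            # Assumed layout: dev/test dependencies live in a dev/test requirements file.
            is_dev = bool(where) and re.search(r"dev|test", where[0], re.I) is not None
            fixes = sorted(vuln.get("fix_versions", []), key=version_key)
            if not fixes:
                effort, fix = "L", None        # no patched release: replace the package
            elif version_key(fixes[0])[:1] != version_key(current)[:1]:
                effort, fix = "L", fixes[0]    # major bump: budget for breaking changes
            else:
                effort, fix = "S-M", fixes[0]  # patch/minor: update the pin, run tests
            findings.append({
                "check": "insecure_dependencies",
                "package": f"{name}=={current}",
                "advisory": vuln["id"],
                "aliases": vuln.get("aliases", []),
                "severity": "HIGH" if is_dev else "CRITICAL",
                "location": f"{where[0]}:{where[1]}" if where else "(not pinned)",
                "effort": effort,
                "recommendation": (f"Update {name} to {fix}" if fix
                                   else f"No fixed release of {name}: replace it"),
            })
    return findings


# Constructed sample: fictional packages and placeholder advisory IDs.
SAMPLE_REQUIREMENT_FILES = {
    "requirements.txt": "# runtime\nexamplepkg==1.1.4\nhttpthing==2.31.0\n",
    "requirements-dev.txt": "devtool==7.0.0\n",
}
SAMPLE_REPORT = json.loads("""
{"dependencies": [
  {"name": "examplepkg", "version": "1.1.4",
   "vulns": [{"id": "EXAMPLE-0001", "fix_versions": ["2.3.2", "2.2.5"],
              "aliases": ["EXAMPLE-ALIAS-0001"], "description": "constructed"}]},
  {"name": "devtool", "version": "7.0.0",
   "vulns": [{"id": "EXAMPLE-0002", "fix_versions": ["7.0.1"],
              "aliases": [], "description": "constructed"}]},
  {"name": "httpthing", "version": "2.31.0", "vulns": []}
], "fixes": []}
""")

if __name__ == "__main__":
    for f in classify(SAMPLE_REPORT, SAMPLE_REQUIREMENT_FILES):
        print(f["severity"], f["package"], f["advisory"], f["location"], f["effort"], f["recommendation"])
```

The effort heuristic is the one the rule hints at: a fix that requires a major-version bump is budgeted as L, anything else as S-M, and an advisory with no fixed release is L because the remedy is replacement rather than an upgrade.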
5. Missing Input Validation
What: Missing validation at system boundaries (API endpoints, user forms, file uploads)
Detection:
- API routes without validation middleware
- Form handlers without input sanitization
- File uploads without type/size checks
- Missing CORS configuration
Severity:
- CRITICAL: File upload without validation, authentication bypass potential
- HIGH: Missing validation on sensitive endpoints (payment, auth, user data)
- MEDIUM: Missing validation on read-only or internal endpoints
Recommendation: Add validation middleware (Joi, Yup, express-validator) and input sanitization on the server side; client-side validation alone does not count, since the client is under the attacker's control.
Effort: M (add validation schema and middleware)
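The boundary checks rule 5 looks for on a file-upload handler, as an added example that is not the ln-621 skill's own code, written without a web framework so it runs as is. The handler, the accepted types and the sample bytes are constructed for this example: size is bounded, the content type is decided from the leading bytes rather than the filename or the client's Content-Type header (both attacker-controlled), and the stored name is derived from the content hash so the client-supplied path never reaches the filesystem.

```python
"""Added example, not the ln-621 skill's own code: the checks rule 5 expects at
an upload boundary. Handler, accepted types and sample inputs are constructed."""
import hashlib

MAX_UPLOAD_BYTES = 5 * 1024 * 1024

# Leading bytes (magic numbers) of the types this hypothetical handler accepts.
SIGNATURES = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}
EXTENSIONS = {"image/png": ".png", "image/jpeg": ".jpg", "image/gif": ".gif"}


class UploadRejected(ValueError):
    """Raised for any upload that fails a boundary check."""


def sniff_type(data: bytes):
    """Return the MIME type implied by the leading bytes, or None if unrecognised."""
    for mime, sigs in SIGNATURES.items():
        if any(data.startswith(sig) for sig in sigs):
            return mime
    return None


def validate_upload(filename: str, declared_type: str, data: bytes,
                    max_bytes: int = MAX_UPLOAD_BYTES) -> dict:
    """Validate one upload; returns storage metadata or raises UploadRejected."""
    if not data:
        raise UploadRejected("empty upload")
    if len(data) > max_bytes:
        raise UploadRejected(f"upload exceeds {max_bytes} bytes")
    actual = sniff_type(data)
    if actual is None:
        # Extension and Content-Type are both client-chosen, so an HTML or script
        # payload named photo.png is rejected on its bytes, not trusted on its name.
        raise UploadRejected("content is not an accepted image type")
    if declared_type != actual:
        raise UploadRejected(f"declared {declared_type} but content is {actual}")
    # Never reuse the client filename: "../", reserved names and odd encodings
    # never reach disk; the extension follows the detected type.
    stored_as = hashlib.sha256(data).hexdigest()[:16] + EXTENSIONS[actual]
    return {"type": actual, "size": len(data), "stored_as": stored_as}


# Constructed sample inputs: a PNG-shaped header and an HTML payload.
PNG_BYTES = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64
HTML_BYTES = b"<script>alert(1)</script>"

if __name__ == "__main__":
    print(validate_upload("../../etc/passwd.png", "image/png", PNG_BYTES))
    try:
        validate_upload("photo.png", "image/png", HTML_BYTES)
    except UploadRejected as e:
        print("rejected:", e)
```

The auditor's MEDIUM/HIGH/CRITICAL split for this rule follows from which of these checks is absent: no size bound is a denial-of-service exposure, no content check lets active content be served back under an image name, and reusing the client filename is the path-traversal case.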
Scoring Algorithm
MANDATORY READ: Load shared/references/audit_scoring.md for unified scoring formula.
Output Format
MANDATORY READ: Load shared/templates/audit_worker_report_template.md for file format.
Write report to {output_dir}/621-security.md with category: "Security" and checks: hardcoded_secrets, sql_injection, xss_vulnerabilities, insecure_dependencies, missing_input_validation.
Return summary to coordinator:
Report written: docs/project/.audit/ln-620/{YYYY-MM-DD}/621-security.md
Score: X.X/10 | Issues: N (C:N H:N M:N L:N)
Critical Rules
- Do not auto-fix: Report violations only; coordinator creates task for user to fix
- Tech stack aware: Use contextStore to apply framework-specific patterns (e.g., React XSS vs PHP XSS)
- False positive reduction: Exclude test files, example configs, documentation
- Effort realism: S = <1 hour, M = 1-4 hours, L = >4 hours
- Location precision: Always include file:line for programmatic navigation
Definition of Done
- contextStore parsed successfully (including output_dir)
- All 5 security checks completed (secrets, SQL injection, XSS, deps, validation)
- Findings collected with severity, location, effort, recommendation
- Score calculated using penalty algorithm
- Report written to {output_dir}/621-security.md (atomic single Write call)
- Summary returned to coordinator
Reference Files
- Worker report template: shared/templates/audit_worker_report_template.md
- Audit scoring formula: shared/references/audit_scoring.md
- Audit output schema: shared/references/audit_output_schema.md
- Security audit rules: references/security_rules.md
Version: 3.0.0 Last Updated: 2025-12-23
Related Skills
Dependency Audit
by alirezarezvani
Dependency health check for multi-language projects: scans for vulnerabilities and CVEs, flags license conflicts, maps transitive dependencies and outdated versions, and recommends safe upgrades and compliance governance.
✎ Dependency Audit quickly surfaces vulnerabilities and compliance risks in project dependencies, combining security scanning and auditing in one pass; suited to teams with complex dependency chains that need continuous gatekeeping.
Security Audit
by alirezarezvani
Audits a Claude Code Skill before installation for code-execution, prompt-injection and dependency supply-chain risks; scans a local directory or a Git repository and outputs a PASS/WARN/FAIL verdict with remediation advice.
✎ Chains code review, vulnerability scanning and compliance checks together so teams spot risk earlier and security governance takes less effort.
Security Operations
by alirezarezvani
Covers application security, vulnerability management and compliance auditing: code/dependency scanning, CVE assessment, secrets detection and security automation, for establishing security baselines, vulnerability response, audit checks and secure development governance.
✎ Application security, vulnerability management and compliance checks in one toolkit, with automated scanning and response, so teams find and contain risk earlier.
Related MCP Servers
by Sentry
Search and analyze Sentry error reports to assist debugging.
✎ Turns scattered Sentry error reports into searchable leads, helping you pinpoint production failures faster among large volumes of errors and saving noticeable debugging time.
by sinewaveai
Provides a security layer for AI agents: intercepts prompt injection, identifies counterfeit packages and scans for vulnerability risks.
✎ Adds a critical security layer for AI agents that intercepts prompt injection, identifies counterfeit packages and scans for vulnerabilities, moving protection earlier in the pipeline.
by pantheon-security
A security-hardened NotebookLM MCP that integrates post-quantum encryption to strengthen data protection.