Use this skill when the user asks to audit security, check for vulnerabilities, review code for security issues, or harden an application.
- Scan for hardcoded secrets — search for API keys, tokens, passwords, and connection strings in source files. Check for patterns like:
  - , , ,
  - Base64-encoded credentials
  - AWS keys (), Stripe keys (), GitHub tokens ()
  - Files: committed to git, with credentials
- Check authentication & authorization
  - Verify all API routes check authentication before processing.
  - Ensure role-based access control is enforced server-side, not just in the UI.
  - Check that password hashing uses bcrypt/argon2 (not MD5/SHA1).
  - Verify session tokens are HTTP-only, secure, and have reasonable expiry.
- Check for injection vulnerabilities
  - SQL injection: look for string concatenation in SQL queries instead of parameterized queries.
  - XSS: look for , , or unescaped user input rendered in templates.
  - Command injection: look for , , with user input.
  - Path traversal: check file operations for unsanitized user input in paths.
- Review dependency security
  - Run or to check for known vulnerabilities.
  - Flag outdated dependencies with known CVEs.
  - Check for overly permissive dependency ranges.
- Check CORS and CSP configuration
  - Verify CORS doesn't use `Access-Control-Allow-Origin: *` in production.
  - Check for Content Security Policy headers.
  - Verify , , and `Strict-Transport-Security` headers.
- Review data exposure
  - Check API responses for leaking sensitive fields (password hashes, internal IDs, PII).
  - Verify error messages don't expose stack traces or internal details in production.
  - Check logging for sensitive data being written to logs.
- Generate report — produce a summary with severity ratings (Critical / High / Medium / Low) for each finding, with the file path, line number, and recommended fix.
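
An added example, not part of the original skill: a small scanner for the hardcoded-secrets step that emits findings in the shape the report step asks for (severity, file path, line number, recommended fix) and redacts each match so the report does not repeat the secret. The rule patterns, the `scan_text` and `report` names, and the sample file are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# Assumed rules (not from the page): well-known key prefixes plus two generic shapes.
RULES = [
    ("AWS access key ID", "Critical", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("GitHub personal access token", "Critical", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("Stripe live secret key", "Critical", re.compile(r"\bsk_live_[A-Za-z0-9]{24,}\b")),
    ("Credentials in connection string", "High",
     re.compile(r"\b\w+://[^\s:/@]+:[^\s:/@]+@[^\s/]+")),
    ("Hardcoded secret assignment", "High", re.compile(
        r"(?i)(?:password|passwd|secret|api_?key|token)\w*\s*[:=]\s*['\"][^'\"]{8,}['\"]")),
]
SEVERITY_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}
FIX = "Remove from source, rotate the credential, load it from env or a secret manager."

@dataclass
class Finding:
    severity: str
    path: str
    line: int
    rule: str
    excerpt: str  # redacted, so the report does not leak the secret a second time

def redact(value):
    return value[:4] + "*" * (len(value) - 4)

def scan_text(path, text):
    """Return findings for one file's contents, most severe first."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, severity, pattern in RULES:
            match = pattern.search(line)
            if match:
                findings.append(Finding(severity, path, lineno, rule, redact(match.group(0))))
                break  # rules are ordered specific-to-generic; report each line once
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f.severity], f.path, f.line))

def report(findings):
    return "\n".join(f"[{f.severity}] {f.path}:{f.line} {f.rule} ({f.excerpt}) Fix: {FIX}"
                     for f in findings)

# Constructed sample file; the AWS value is AWS's published documentation example key.
SAMPLE = '''import os
AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
db_password = os.environ["DB_PASSWORD"]
DATABASE_URL = "postgres://app:s3cr3tpass@db.internal:5432/app"
password = "hunter2hunter2"
'''

if __name__ == "__main__":
    print(report(scan_text("app/config.py", SAMPLE)))
```

The environment lookup on line 3 of the sample is not flagged, because the assignment rule only fires on a quoted literal of eight or more characters.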