Get the FREE Ultimate OpenClaw Setup Guide →

ln-621-security-auditor

Scanned
npx machina-cli add skill levnikolaevich/claude-code-skills/ln-621-security-auditor --openclaw
Files (1)
SKILL.md
7.0 KB

Paths: File paths (shared/, references/, ../ln-*) are relative to skills repo root. If not found at CWD, locate this SKILL.md directory and go up one level for repo root.

Security Auditor (L3 Worker)

Specialized worker auditing security vulnerabilities in codebase.

Purpose & Scope

  • Worker in ln-620 coordinator pipeline - invoked by ln-620-codebase-auditor
  • Audit codebase for security vulnerabilities (Category 1: Critical Priority)
  • Scan for hardcoded secrets, SQL injection, XSS, insecure dependencies, missing input validation
  • Return structured findings to coordinator with severity, location, effort, recommendations
  • Calculate compliance score (X/10) for Security category

Inputs (from Coordinator)

MANDATORY READ: Load shared/references/task_delegation_pattern.md#audit-coordinator--worker-contract for contextStore structure.

Receives contextStore with: tech_stack, best_practices, principles, codebase_root, output_dir.

Workflow

  1. Parse Context: Extract tech stack, best practices, codebase root, output_dir from contextStore
  2. Scan Codebase: Run security checks using Glob/Grep patterns (see Audit Rules below)
  3. Collect Findings: Record each violation with severity, location (file:line), effort estimate (S/M/L), recommendation
  4. Calculate Score: Count violations by severity, calculate compliance score (X/10)
  5. Write Report: Build full markdown report in memory per shared/templates/audit_worker_report_template.md, write to {output_dir}/621-security.md in single Write call
  6. Return Summary: Return minimal summary to coordinator (see Output Format)

Audit Rules (Priority: CRITICAL)

1. Hardcoded Secrets

What: API keys, passwords, tokens, private keys in source code

Detection:

  • Search patterns: API_KEY = "...", password = "...", token = "...", SECRET = "..."
  • File extensions: .ts, .js, .py, .go, .java, .cs
  • Exclude: .env.example, README.md, test files with mock data

Severity:

  • CRITICAL: Production credentials (AWS keys, database passwords, API tokens)
  • HIGH: Development/staging credentials
  • MEDIUM: Test credentials in non-test files

Recommendation: Move to environment variables (.env), use secret management (Vault, AWS Secrets Manager)

Effort: S (replace hardcoded value with process.env.VAR_NAME)

2. SQL Injection Patterns

What: String concatenation in SQL queries instead of parameterized queries

Detection:

  • Patterns: query = "SELECT * FROM users WHERE id=" + userId, db.execute(f"SELECT * FROM {table}"), `SELECT * FROM ${table}`
  • Languages: JavaScript, Python, PHP, Java

Severity:

  • CRITICAL: User input directly concatenated without sanitization
  • HIGH: Variable concatenation in production code
  • MEDIUM: Concatenation with internal variables only

Recommendation: Use parameterized queries (prepared statements), ORM query builders

Effort: M (refactor query to use placeholders)

3. XSS Vulnerabilities

What: Unsanitized user input rendered in HTML/templates

Detection:

  • Patterns: innerHTML = userInput, dangerouslySetInnerHTML={{__html: data}}, echo $userInput;
  • Template engines: Check for unescaped output ({{ var | safe }}, <%- var %>)

Severity:

  • CRITICAL: User input directly inserted into DOM without sanitization
  • HIGH: User input with partial sanitization (insufficient escaping)
  • MEDIUM: Internal data with potential XSS if compromised

Recommendation: Use framework escaping (React auto-escapes, use textContent), sanitize with DOMPurify

Effort: S-M (replace innerHTML with textContent or sanitize)

4. Insecure Dependencies

What: Dependencies with known CVEs (Common Vulnerabilities and Exposures)

Detection:

  • Run npm audit (Node.js), pip-audit (Python), cargo audit (Rust), dotnet list package --vulnerable (.NET)
  • Check for outdated critical dependencies

Severity:

  • CRITICAL: CVE with exploitable vulnerability in production dependencies
  • HIGH: CVE in dev dependencies or lower severity production CVEs
  • MEDIUM: Outdated packages without known CVEs but security risk

Recommendation: Update to patched versions, replace unmaintained packages

Effort: S-M (update package.json, test), L (if breaking changes)

5. Missing Input Validation

What: Missing validation at system boundaries (API endpoints, user forms, file uploads)

Detection:

  • API routes without validation middleware
  • Form handlers without input sanitization
  • File uploads without type/size checks
  • Missing CORS configuration

Severity:

  • CRITICAL: File upload without validation, authentication bypass potential
  • HIGH: Missing validation on sensitive endpoints (payment, auth, user data)
  • MEDIUM: Missing validation on read-only or internal endpoints

Recommendation: Add validation middleware (Joi, Yup, express-validator), implement input sanitization

Effort: M (add validation schema and middleware)

Scoring Algorithm

MANDATORY READ: Load shared/references/audit_scoring.md for unified scoring formula.

Output Format

MANDATORY READ: Load shared/templates/audit_worker_report_template.md for file format.

Write report to {output_dir}/621-security.md with category: "Security" and checks: hardcoded_secrets, sql_injection, xss_vulnerabilities, insecure_dependencies, missing_input_validation.

Return summary to coordinator:

Report written: docs/project/.audit/ln-620/{YYYY-MM-DD}/621-security.md
Score: X.X/10 | Issues: N (C:N H:N M:N L:N)

Critical Rules

  • Do not auto-fix: Report violations only; coordinator creates task for user to fix
  • Tech stack aware: Use contextStore to apply framework-specific patterns (e.g., React XSS vs PHP XSS)
  • False positive reduction: Exclude test files, example configs, documentation
  • Effort realism: S = <1 hour, M = 1-4 hours, L = >4 hours
  • Location precision: Always include file:line for programmatic navigation

Definition of Done

  • contextStore parsed successfully (including output_dir)
  • All 5 security checks completed (secrets, SQL injection, XSS, deps, validation)
  • Findings collected with severity, location, effort, recommendation
  • Score calculated using penalty algorithm
  • Report written to {output_dir}/621-security.md (atomic single Write call)
  • Summary returned to coordinator

Reference Files

  • Worker report template: shared/templates/audit_worker_report_template.md
  • Audit scoring formula: shared/references/audit_scoring.md
  • Audit output schema: shared/references/audit_output_schema.md
  • Security audit rules: references/security_rules.md

Version: 3.0.0 Last Updated: 2025-12-23

Source

git clone https://github.com/levnikolaevich/claude-code-skills/blob/master/ln-621-security-auditor/SKILL.mdView on GitHub

Overview

An L3 worker in the codebase security pipeline, it scans for hardcoded secrets, SQL injection, XSS, insecure dependencies, and missing input validation. It reports structured findings with severity, location, effort, and remediation guidance, and computes a security compliance score.

How This Skill Works

The auditor loads the shared context, runs Glob/Grep-based checks according to Audit Rules, and collects each violation with severity, location (file:line), effort, and recommendations. It then writes a Markdown report to the output_dir (621-security.md) and returns a concise summary to the coordinator.

When to Use It

  • When you need to detect hardcoded credentials in the repository.
  • When you want to surface SQL injection and XSS patterns in source code.
  • When inspecting for insecure dependencies and outdated packages.
  • When validating input handling and data flow across the codebase.
  • When preparing a release and measuring security compliance (X/10).

Quick Start

  1. Step 1: Provide the codebase path and context via contextStore (codebase_root, output_dir).
  2. Step 2: Run the audit using Glob/Grep patterns defined in the Audit Rules to detect secrets, SQLi, XSS, and dependencies.
  3. Step 3: Open {output_dir}/621-security.md to review findings and the short summary returned to the coordinator.

Best Practices

  • Maintain explicit patterns for hardcoded secrets, SQL injection, and XSS; keep them aligned with the Audit Rules.
  • Exclude known false positives (e.g., .env.example, README.md, test mocks) to reduce noise.
  • Promote parameterized queries and proper output escaping as default fixes.
  • Integrate findings into CI/CD and remediation workflows with trackable tickets.
  • Document each finding with file:line, severity, effort, and actionable remediation steps.

Example Use Cases

  • Found API_KEY = '...' in a JavaScript file; moved to environment variables and secret vault.
  • Detected string concatenation in a SQL query (db.execute('SELECT ...' + userId)); refactored to parameterized queries.
  • Unescaped user input rendered in innerHTML in a React template; sanitized with proper escaping or DOMPurify.
  • Insecure dependency detected in package.json (outdated library with known CVE); upgraded or removed.
  • API endpoint allowed invalid data due to missing input validation; added strict schema checks.

Frequently Asked Questions

Add this skill to your agents
Sponsor this space

Reach thousands of developers