Get the FREE Ultimate OpenClaw Setup Guide →

security-audit

npx machina-cli add skill netresearch/security-audit-skill/security-audit --openclaw
Files (1)
SKILL.md
3.2 KB

Security Audit Skill

Security audit patterns (OWASP Top 10, CWE Top 25 2025, CVSS v4.0) and GitHub project security checks for any project. Deep automated PHP/TYPO3 code scanning with 80+ checkpoints and 19 reference guides.

Expertise Areas

  • Vulnerabilities: XXE, SQL injection, XSS, CSRF, command injection, path traversal, file upload, deserialization, SSRF, type juggling, SSTI, JWT flaws
  • Risk Scoring: CVSS v3.1 and v4.0 methodology
  • Secure Coding: Input validation, output encoding, cryptography, session management, authentication
  • Standards: OWASP Top 10, CWE Top 25, OWASP ASVS, Proactive Controls

Reference Files

  • Core: owasp-top10.md, cwe-top25.md, xxe-prevention.md, cvss-scoring.md, api-key-encryption.md
  • Vulnerability Prevention: deserialization-prevention.md, path-traversal-prevention.md, file-upload-security.md, input-validation.md
  • Secure Architecture: authentication-patterns.md, security-headers.md, security-logging.md, cryptography-guide.md
  • Framework Security: framework-security.md (TYPO3, Symfony, Laravel)
  • Modern Threats: modern-attacks.md, cve-patterns.md, php-security-features.md
  • DevSecOps: ci-security-pipeline.md, supply-chain-security.md, automated-scanning.md

All files located in references/.

Quick Patterns

XML parsing (prevent XXE):

$doc->loadXML($input, LIBXML_NONET);

SQL (prevent injection):

$stmt = $pdo->prepare('SELECT * FROM users WHERE id = ?');
$stmt->execute([$id]);

Output (prevent XSS):

echo htmlspecialchars($input, ENT_QUOTES | ENT_HTML5, 'UTF-8');

API keys (encrypt at rest):

$nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
$encrypted = 'enc:' . base64_encode($nonce . sodium_crypto_secretbox($apiKey, $nonce, $key));

Password hashing:

$hash = password_hash($password, PASSWORD_ARGON2ID);

For automated scanning tools (semgrep, trivy, gitleaks), see references/automated-scanning.md.

Security Checklist

  • semgrep --config auto passes with no high-severity findings
  • trivy fs --severity HIGH,CRITICAL reports no unpatched CVEs
  • gitleaks detect finds no leaked secrets
  • bcrypt/Argon2 for passwords, CSRF tokens on state changes
  • All input validated server-side, parameterized SQL
  • XML external entities disabled (LIBXML_NONET only)
  • Context-appropriate output encoding, CSP configured
  • API keys encrypted at rest (sodium_crypto_secretbox)
  • TLS 1.2+, secrets not in VCS, audit logging
  • No unserialize() with user input, use json_decode()
  • File uploads validated, renamed, stored outside web root
  • Security headers: HSTS, CSP, X-Content-Type-Options
  • Dependencies scanned (composer audit), Dependabot enabled

Verification

# PHP project security audit
./scripts/security-audit.sh /path/to/project

# GitHub repository security audit
./scripts/github-security-audit.sh owner/repo

Contributing: https://github.com/netresearch/security-audit-skill

Source

git clone https://github.com/netresearch/security-audit-skill/blob/main/skills/security-audit/SKILL.mdView on GitHub

Overview

This Skill applies security audit patterns (OWASP Top 10, CWE Top 25 2025, CVSS v4.0) and GitHub project security checks to any PHP/TYPO3 project. It enables deep automated scanning with 80+ checkpoints and 19 reference guides to drive secure coding and risk reduction.

How This Skill Works

It leverages automated scanning tools (semgrep, trivy, gitleaks) against a curated set of references under references/ and applies 80+ PHP/TYPO3 security checkpoints. It outputs a structured checklist covering vulnerabilities, secure coding practices, and architecture guidance to prioritize remediation.

When to Use It

  • When auditing a PHP or TYPO3 project for OWASP Top 10 and CWE Top 25 coverage
  • When scoring vulnerabilities using CVSS v3.1/v4.0 methods
  • When performing a fast, automated security sweep in CI/CD or local development
  • When validating input handling, output encoding, and cryptography practices
  • When validating secure configuration, dependencies, and secure headers

Quick Start

  1. Step 1: Run the security audit script on your project (e.g., ./scripts/security-audit.sh /path/to/project)
  2. Step 2: Review outputs from semgrep, trivy, and gitleaks; prioritize high-severity items
  3. Step 3: Remediate issues (input validation, parameterized SQL, key encryption), then re-run checks

Best Practices

  • Run semgrep config auto and trivy scans, then address high-severity findings first
  • Validate all input server-side and use parameterized queries to prevent injections
  • Use proper output encoding and implement CSP and security headers
  • Hash passwords with Argon2id and ensure CSRF protections on state-changing actions
  • Encrypt API keys at rest (e.g., sodium_crypto_secretbox) and keep secrets out of VCS

Example Use Cases

  • Auditing a TYPO3 project for XXE, SQL injection, and insecure file uploads using 80+ checks
  • CI pipeline flags a critical CVE via trivy and blocks deployment until fixed
  • semgrep detects insecure deserialization patterns and prompts remediation
  • Gitleaks flags leaked API keys in a PHP project and enforces secret rotation
  • Framework security guidance applied to TYPO3/Symfony/Laravel to harden auth and headers

Frequently Asked Questions

Add this skill to your agents
Sponsor this space

Reach thousands of developers