{ "schemaVersion": "1.0", "item": { "slug": "security-audit-toolkit", "name": "Security Audit Toolkit", "source": "tencent", "type": "skill", "category": "安全合规", "sourceUrl": "https://clawhub.ai/gitgoodordietrying/security-audit-toolkit", "canonicalUrl": "https://clawhub.ai/gitgoodordietrying/security-audit-toolkit", "targetPlatform": "OpenClaw" }, "install": { "downloadMode": "redirect", "downloadUrl": "/downloads/security-audit-toolkit", "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=security-audit-toolkit", "sourcePlatform": "tencent", "targetPlatform": "OpenClaw", "installMethod": "Manual import", "extraction": "Extract archive", "prerequisites": [ "OpenClaw" ], "packageFormat": "ZIP package", "includedAssets": [ "SKILL.md" ], "primaryDoc": "SKILL.md", "quickSetup": [ "Download the package from Yavira.", "Extract the archive and review SKILL.md first.", "Import or place the package into your OpenClaw setup." ], "agentAssist": { "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.", "steps": [ "Download the package from Yavira.", "Extract it into a folder your agent can access.", "Paste one of the prompts below and point your agent at the extracted folder." ], "prompts": [ { "label": "New install", "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete." }, { "label": "Upgrade existing", "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run." } ] }, "sourceHealth": { "source": "tencent", "status": "healthy", "reason": "direct_download_ok", "recommendedAction": "download", "checkedAt": "2026-04-23T16:43:11.935Z", "expiresAt": "2026-04-30T16:43:11.935Z", "httpStatus": 200, "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=4claw-imageboard", "contentType": "application/zip", "probeMethod": "head", "details": { "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=4claw-imageboard", "contentDisposition": "attachment; filename=\"4claw-imageboard-1.0.1.zip\"", "redirectLocation": null, "bodySnippet": null }, "scope": "source", "summary": "Source download looks usable.", "detail": "Yavira can redirect you to the upstream package for this source.", "primaryActionLabel": "Download for OpenClaw", "primaryActionHref": "/downloads/security-audit-toolkit" }, "validation": { "installChecklist": [ "Use the Yavira download entry.", "Review SKILL.md after the package is downloaded.", "Confirm the extracted package contains the expected setup assets." ], "postInstallChecks": [ "Confirm the extracted package includes the expected docs or setup files.", "Validate the skill or prompts are available in your target agent workspace.", "Capture any manual follow-up steps the agent could not complete." ] }, "downloadPageUrl": "https://openagent3.xyz/downloads/security-audit-toolkit", "agentPageUrl": "https://openagent3.xyz/skills/security-audit-toolkit/agent", "manifestUrl": "https://openagent3.xyz/skills/security-audit-toolkit/agent.json", "briefUrl": "https://openagent3.xyz/skills/security-audit-toolkit/agent.md" }, "agentAssist": { "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.", "steps": [ "Download the package from Yavira.", "Extract it into a folder your agent can access.", "Paste one of the prompts below and point your agent at the extracted folder." ], "prompts": [ { "label": "New install", "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete." }, { "label": "Upgrade existing", "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run." } ] }, "documentation": { "source": "clawhub", "primaryDoc": "SKILL.md", "sections": [ { "title": "Security Audit", "body": "Scan, detect, and fix security issues in codebases and infrastructure. Covers dependency vulnerabilities, secret detection, OWASP top 10, SSL/TLS verification, file permissions, and secure coding patterns." }, { "title": "When to Use", "body": "Scanning project dependencies for known vulnerabilities\nDetecting hardcoded secrets, API keys, or credentials in source code\nReviewing code for OWASP top 10 vulnerabilities (injection, XSS, CSRF, etc.)\nVerifying SSL/TLS configuration for endpoints\nAuditing file and directory permissions\nChecking authentication and authorization patterns\nPreparing for a security review or compliance audit" }, { "title": "Node.js", "body": "# Built-in npm audit\nnpm audit\nnpm audit --json | jq '.vulnerabilities | to_entries[] | {name: .key, severity: .value.severity, via: .value.via[0]}'\n\n# Fix automatically where possible\nnpm audit fix\n\n# Show only high and critical\nnpm audit --audit-level=high\n\n# Check a specific package\nnpm audit --package-lock-only\n\n# Alternative: use npx to scan without installing\nnpx audit-ci --high" }, { "title": "Python", "body": "# pip-audit (recommended)\npip install pip-audit\npip-audit\npip-audit -r requirements.txt\npip-audit --format=json\n\n# safety (alternative)\npip install safety\nsafety check\nsafety check -r requirements.txt --json\n\n# Check a specific package\npip-audit --requirement=- <<< \"requests==2.25.0\"" }, { "title": "Go", "body": "# Built-in vuln checker\ngo install golang.org/x/vuln/cmd/govulncheck@latest\ngovulncheck ./...\n\n# Check specific binary\ngovulncheck -mode=binary ./myapp" }, { "title": "Rust", "body": "# cargo-audit\ncargo install cargo-audit\ncargo audit\n\n# With fix suggestions\ncargo audit fix" }, { "title": "Universal: Trivy (scans any project)", "body": "# Install: https://aquasecurity.github.io/trivy\n# Scan filesystem\ntrivy fs .\n\n# Scan specific language\ntrivy fs --scanners vuln --severity HIGH,CRITICAL .\n\n# Scan Docker image\ntrivy image myapp:latest\n\n# JSON output\ntrivy fs --format json -o results.json ." }, { "title": "Manual grep patterns", "body": "# AWS keys\ngrep -rn 'AKIA[0-9A-Z]\\{16\\}' --include='*.{js,ts,py,go,java,rb,env,yml,yaml,json,xml,cfg,conf,ini}' .\n\n# Generic API keys and tokens\ngrep -rn -i 'api[_-]\\?key\\|api[_-]\\?secret\\|access[_-]\\?token\\|auth[_-]\\?token\\|bearer ' \\\n --include='*.{js,ts,py,go,java,rb,env,yml,yaml,json}' .\n\n# Private keys\ngrep -rn 'BEGIN.*PRIVATE KEY' .\n\n# Passwords in config\ngrep -rn -i 'password\\s*[:=]' --include='*.{env,yml,yaml,json,xml,cfg,conf,ini,toml}' .\n\n# Connection strings with credentials\ngrep -rn -i 'mongodb://\\|mysql://\\|postgres://\\|redis://' --include='*.{js,ts,py,go,env,yml,yaml,json}' . | grep -v 'localhost\\|127.0.0.1\\|example'\n\n# JWT tokens (three base64 segments separated by dots)\ngrep -rn 'eyJ[A-Za-z0-9_-]*\\.eyJ[A-Za-z0-9_-]*\\.' --include='*.{js,ts,py,go,log,json}' ." }, { "title": "Automated scanning with git", "body": "# Scan git history for secrets (not just current files)\n# Using git log + grep\ngit log -p --all | grep -n -i 'api.key\\|password\\|secret\\|token' | head -50\n\n# Check staged files before commit\ngit diff --cached --name-only | xargs grep -l -i 'api.key\\|password\\|secret\\|token' 2>/dev/null" }, { "title": "Pre-commit hook for secrets", "body": "#!/bin/bash\n# .git/hooks/pre-commit - Block commits containing potential secrets\n\nPATTERNS=(\n 'AKIA[0-9A-Z]{16}'\n 'BEGIN.*PRIVATE KEY'\n 'password\\s*[:=]\\s*[\"\\x27][^\"\\x27]+'\n 'api[_-]?key\\s*[:=]\\s*[\"\\x27][^\"\\x27]+'\n 'sk-[A-Za-z0-9]{20,}'\n 'ghp_[A-Za-z0-9]{36}'\n 'xox[bpoas]-[A-Za-z0-9-]+'\n)\n\nSTAGED_FILES=$(git diff --cached --name-only --diff-filter=ACM)\n[ -z \"$STAGED_FILES\" ] && exit 0\n\nEXIT_CODE=0\nfor pattern in \"${PATTERNS[@]}\"; do\n matches=$(echo \"$STAGED_FILES\" | xargs grep -Pn \"$pattern\" 2>/dev/null)\n if [ -n \"$matches\" ]; then\n echo \"BLOCKED: Potential secret detected matching pattern: $pattern\"\n echo \"$matches\"\n EXIT_CODE=1\n fi\ndone\n\nif [ $EXIT_CODE -ne 0 ]; then\n echo \"\"\n echo \"To proceed anyway: git commit --no-verify\"\n echo \"To remove secrets: replace with environment variables\"\nfi\nexit $EXIT_CODE" }, { "title": ".gitignore audit", "body": "# Check if sensitive files are tracked\necho \"--- Files that should probably be gitignored ---\"\nfor pattern in '.env' '.env.*' '*.pem' '*.key' '*.p12' '*.pfx' 'credentials.json' \\\n 'service-account*.json' '*.keystore' 'id_rsa' 'id_ed25519'; do\n found=$(git ls-files \"$pattern\" 2>/dev/null)\n [ -n \"$found\" ] && echo \" TRACKED: $found\"\ndone\n\n# Check if .gitignore exists and has common patterns\nif [ ! -f .gitignore ]; then\n echo \"WARNING: No .gitignore file found\"\nelse\n for entry in '.env' 'node_modules' '*.key' '*.pem'; do\n grep -q \"$entry\" .gitignore || echo \" MISSING from .gitignore: $entry\"\n done\nfi" }, { "title": "1. Injection (SQL, Command, LDAP)", "body": "# SQL injection: string concatenation in queries\ngrep -rn \"query\\|execute\\|cursor\" --include='*.{py,js,ts,go,java,rb}' . | \\\n grep -i \"f\\\"\\|format(\\|%s\\|\\${\\|+ \\\"\\|concat\\|sprintf\" | \\\n grep -iv \"parameterized\\|placeholder\\|prepared\"\n\n# Command injection: user input in shell commands\ngrep -rn \"exec(\\|spawn(\\|system(\\|popen(\\|subprocess\\|os\\.system\\|child_process\" \\\n --include='*.{py,js,ts,go,java,rb}' .\n\n# Check for parameterized queries (good)\ngrep -rn \"\\\\$[0-9]\\|\\\\?\\|%s\\|:param\\|@param\\|prepared\" --include='*.{py,js,ts,go,java,rb}' ." }, { "title": "2. Broken Authentication", "body": "# Weak password hashing (MD5, SHA1 used for passwords)\ngrep -rn \"md5\\|sha1\\|sha256\" --include='*.{py,js,ts,go,java,rb}' . | grep -i \"password\\|passwd\"\n\n# Hardcoded credentials\ngrep -rn -i \"admin.*password\\|password.*admin\\|default.*password\" \\\n --include='*.{py,js,ts,go,java,rb,yml,yaml,json}' .\n\n# Session tokens in URLs\ngrep -rn \"session\\|token\\|jwt\" --include='*.{py,js,ts,go,java,rb}' . | grep -i \"url\\|query\\|param\\|GET\"\n\n# Check for rate limiting on auth endpoints\ngrep -rn -i \"rate.limit\\|throttle\\|brute\" --include='*.{py,js,ts,go,java,rb}' ." }, { "title": "3. Cross-Site Scripting (XSS)", "body": "# Unescaped output in templates\ngrep -rn \"innerHTML\\|dangerouslySetInnerHTML\\|v-html\\|\\|html(\" \\\n --include='*.{js,ts,jsx,tsx,vue,html}' .\n\n# Template injection\ngrep -rn \"{{{.*}}}\\|<%=\\|<%-\\|\\$\\!{\" --include='*.{html,ejs,hbs,pug,erb}' .\n\n# Document.write\ngrep -rn \"document\\.write\\|document\\.writeln\" --include='*.{js,ts,html}' .\n\n# eval with user input\ngrep -rn \"eval(\\|new Function(\\|setTimeout.*string\\|setInterval.*string\" \\\n --include='*.{js,ts}' ." }, { "title": "4. Insecure Direct Object References", "body": "# Direct ID usage in routes without authz check\ngrep -rn \"params\\.id\\|params\\[.id.\\]\\|req\\.params\\.\\|request\\.args\\.\\|request\\.GET\\.\" \\\n --include='*.{py,js,ts,go,java,rb}' . | \\\n grep -i \"user\\|account\\|profile\\|order\\|document\"" }, { "title": "5. Security Misconfiguration", "body": "# CORS wildcard\ngrep -rn \"Access-Control-Allow-Origin.*\\*\\|cors({.*origin.*true\\|cors()\" \\\n --include='*.{py,js,ts,go,java,rb}' .\n\n# Debug mode in production configs\ngrep -rn \"DEBUG\\s*=\\s*True\\|debug:\\s*true\\|NODE_ENV.*development\" \\\n --include='*.{py,js,ts,yml,yaml,json,env}' .\n\n# Verbose error messages exposed to clients\ngrep -rn \"stack\\|traceback\\|stackTrace\" --include='*.{py,js,ts,go,java,rb}' . | \\\n grep -i \"response\\|send\\|return\\|res\\.\"" }, { "title": "Check endpoint SSL", "body": "# Full SSL check\nopenssl s_client -connect example.com:443 -servername example.com < /dev/null 2>/dev/null | \\\n openssl x509 -noout -subject -issuer -dates -fingerprint\n\n# Check certificate expiry\necho | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | \\\n openssl x509 -noout -enddate\n\n# Check supported TLS versions\nfor v in tls1 tls1_1 tls1_2 tls1_3; do\n result=$(openssl s_client -connect example.com:443 -$v < /dev/null 2>&1)\n if echo \"$result\" | grep -q \"Cipher is\"; then\n echo \"$v: SUPPORTED\"\n else\n echo \"$v: NOT SUPPORTED\"\n fi\ndone\n\n# Check cipher suites\nopenssl s_client -connect example.com:443 -cipher 'ALL' < /dev/null 2>&1 | \\\n grep \"Cipher :\"\n\n# Check for weak ciphers\nopenssl s_client -connect example.com:443 -cipher 'NULL:EXPORT:DES:RC4:MD5' < /dev/null 2>&1 | \\\n grep \"Cipher :\"" }, { "title": "Verify certificate chain", "body": "# Download and verify full chain\nopenssl s_client -connect example.com:443 -showcerts < /dev/null 2>/dev/null | \\\n awk '/BEGIN CERTIFICATE/,/END CERTIFICATE/{print}' > chain.pem\n\n# Verify chain\nopenssl verify -CAfile /etc/ssl/certs/ca-certificates.crt chain.pem\n\n# Check certificate details\nopenssl x509 -in chain.pem -noout -text | grep -A2 \"Subject:\\|Issuer:\\|Not Before\\|Not After\\|DNS:\"" }, { "title": "Check SSL from code", "body": "# Verify SSL isn't disabled in code\ngrep -rn \"verify\\s*=\\s*False\\|rejectUnauthorized.*false\\|InsecureSkipVerify.*true\\|CURLOPT_SSL_VERIFYPEER.*false\\|NODE_TLS_REJECT_UNAUTHORIZED.*0\" \\\n --include='*.{py,js,ts,go,java,rb,yml,yaml}' ." }, { "title": "File Permission Audit", "body": "# Find world-writable files\nfind . -type f -perm -o=w -not -path '*/node_modules/*' -not -path '*/.git/*' 2>/dev/null\n\n# Find executable files that shouldn't be\nfind . -type f -perm -u=x -not -name '*.sh' -not -name '*.py' -not -path '*/node_modules/*' \\\n -not -path '*/.git/*' -not -path '*/bin/*' 2>/dev/null\n\n# Check sensitive file permissions\nfor f in .env .env.* *.pem *.key *.p12 id_rsa id_ed25519; do\n [ -f \"$f\" ] && ls -la \"$f\"\ndone\n\n# Find files with SUID/SGID bits (Linux)\nfind / -type f \\( -perm -4000 -o -perm -2000 \\) 2>/dev/null | head -20\n\n# Check SSH key permissions\nif [ -d ~/.ssh ]; then\n echo \"--- SSH directory permissions ---\"\n ls -la ~/.ssh/\n echo \"\"\n # Should be: dir=700, private keys=600, public keys=644, config=600\n [ \"$(stat -c %a ~/.ssh 2>/dev/null || stat -f %Lp ~/.ssh)\" != \"700\" ] && echo \"WARNING: ~/.ssh should be 700\"\nfi" }, { "title": "Full Project Security Audit Script", "body": "#!/bin/bash\n# security-audit.sh - Run a comprehensive security check on a project\nset -euo pipefail\n\nPROJECT_DIR=\"${1:-.}\"\ncd \"$PROJECT_DIR\"\n\necho \"=========================================\"\necho \"Security Audit: $(basename \"$(pwd)\")\"\necho \"Date: $(date -u '+%Y-%m-%dT%H:%M:%SZ')\"\necho \"=========================================\"\necho \"\"\n\nISSUES=0\nwarn() { echo \" [!] $1\"; ((ISSUES++)); }\nok() { echo \" [OK] $1\"; }\nsection() { echo \"\"; echo \"--- $1 ---\"; }\n\n# 1. Secrets detection\nsection \"Secret Detection\"\nfor pattern in 'AKIA[0-9A-Z]\\{16\\}' 'BEGIN.*PRIVATE KEY' 'sk-[A-Za-z0-9]\\{20,\\}' \\\n 'ghp_[A-Za-z0-9]\\{36\\}' 'xox[bpoas]-'; do\n count=$(grep -rn \"$pattern\" --include='*.{js,ts,py,go,java,rb,env,yml,yaml,json,xml}' . 2>/dev/null | \\\n grep -v 'node_modules\\|\\.git\\|vendor\\|__pycache__' | wc -l)\n if [ \"$count\" -gt 0 ]; then\n warn \"Found $count matches for pattern: $pattern\"\n fi\ndone\ngrep -rn -i 'password\\s*[:=]\\s*[\"'\"'\"'][^\"'\"'\"']*[\"'\"'\"']' \\\n --include='*.{js,ts,py,go,yml,yaml,json,env}' . 2>/dev/null | \\\n grep -v 'node_modules\\|\\.git\\|example\\|test\\|mock\\|placeholder\\|changeme\\|xxxx' | \\\n while read -r line; do warn \"Hardcoded password: $line\"; done\n\n# 2. Dependency audit\nsection \"Dependency Vulnerabilities\"\nif [ -f package-lock.json ] || [ -f package.json ]; then\n npm audit --audit-level=high 2>/dev/null && ok \"npm: no high/critical vulns\" || warn \"npm audit found issues\"\nfi\nif [ -f requirements.txt ]; then\n pip-audit -r requirements.txt 2>/dev/null && ok \"pip: no known vulns\" || warn \"pip-audit found issues\"\nfi\nif [ -f go.sum ]; then\n govulncheck ./... 2>/dev/null && ok \"Go: no known vulns\" || warn \"govulncheck found issues\"\nfi\n\n# 3. Gitignore check\nsection \".gitignore Coverage\"\nif [ ! -f .gitignore ]; then\n warn \"No .gitignore file\"\nelse\n for entry in '.env' 'node_modules' '*.key' '*.pem' '.DS_Store'; do\n grep -q \"$entry\" .gitignore 2>/dev/null && ok \".gitignore has $entry\" || warn \".gitignore missing: $entry\"\n done\nfi\n\n# 4. SSL verification disabled\nsection \"SSL Verification\"\ndisabled=$(grep -rn \"verify\\s*=\\s*False\\|rejectUnauthorized.*false\\|InsecureSkipVerify.*true\" \\\n --include='*.{py,js,ts,go,java,rb}' . 2>/dev/null | \\\n grep -v 'node_modules\\|\\.git\\|test\\|spec\\|mock' | wc -l)\n[ \"$disabled\" -gt 0 ] && warn \"SSL verification disabled in $disabled location(s)\" || ok \"No SSL bypasses found\"\n\n# 5. CORS wildcard\nsection \"CORS Configuration\"\ncors=$(grep -rn \"Access-Control-Allow-Origin.*\\*\\|cors({.*origin.*true\" \\\n --include='*.{py,js,ts,go,java,rb}' . 2>/dev/null | \\\n grep -v 'node_modules\\|\\.git' | wc -l)\n[ \"$cors\" -gt 0 ] && warn \"CORS wildcard found in $cors location(s)\" || ok \"No CORS wildcard\"\n\n# 6. Debug mode\nsection \"Debug/Development Settings\"\ndebug=$(grep -rn \"DEBUG\\s*=\\s*True\\|debug:\\s*true\" \\\n --include='*.{py,yml,yaml,json}' . 2>/dev/null | \\\n grep -v 'node_modules\\|\\.git\\|test\\|jest\\|vitest' | wc -l)\n[ \"$debug\" -gt 0 ] && warn \"Debug mode enabled in $debug location(s)\" || ok \"No debug flags found\"\n\necho \"\"\necho \"=========================================\"\necho \"Audit complete. Issues found: $ISSUES\"\necho \"=========================================\"\n[ \"$ISSUES\" -eq 0 ] && exit 0 || exit 1" }, { "title": "Environment variables instead of hardcoded secrets", "body": "# Bad: hardcoded in source\nAPI_KEY=\"sk-abc123...\"\n\n# Good: from environment\nAPI_KEY=\"${API_KEY:?Error: API_KEY not set}\"\n\n# Good: from .env file (loaded at startup, never committed)\n# .env\nAPI_KEY=sk-abc123...\n# .gitignore\n.env" }, { "title": "Input validation checklist", "body": "- [ ] All user input validated (type, length, format)\n- [ ] SQL queries use parameterized statements (never string concat)\n- [ ] Shell commands never include user input directly\n- [ ] File paths validated (no path traversal: ../)\n- [ ] URLs validated (no SSRF: restrict to expected domains)\n- [ ] HTML output escaped (no XSS: use framework auto-escaping)\n- [ ] JSON parsing has error handling (no crash on malformed input)\n- [ ] File uploads checked (type, size, no executable content)" }, { "title": "HTTP security headers", "body": "# Check security headers on a URL\ncurl -sI https://example.com | grep -i 'strict-transport\\|content-security\\|x-frame\\|x-content-type\\|referrer-policy\\|permissions-policy'\n\n# Expected headers:\n# Strict-Transport-Security: max-age=31536000; includeSubDomains\n# Content-Security-Policy: default-src 'self'\n# X-Frame-Options: DENY\n# X-Content-Type-Options: nosniff\n# Referrer-Policy: strict-origin-when-cross-origin\n# Permissions-Policy: camera=(), microphone=(), geolocation=()" }, { "title": "Tips", "body": "Run npm audit / pip-audit / govulncheck in CI on every pull request, not just occasionally.\nSecret detection in git history matters: even if a secret is removed from HEAD, it exists in git history. Use git filter-branch or git-filter-repo to purge, then rotate the credential.\nThe most dangerous vulnerabilities are often the simplest: SQL injection via string concatenation, command injection via unsanitized input, XSS via innerHTML.\nCORS Access-Control-Allow-Origin: * is safe for truly public, read-only APIs. It's dangerous for anything that uses cookies or auth tokens.\nAlways verify SSL in production. verify=False or rejectUnauthorized: false should only appear in test code, never in production paths.\nDefense in depth: validate input, escape output, use parameterized queries, enforce least privilege, and assume every layer might be bypassed." } ], "body": "Security Audit\n\nScan, detect, and fix security issues in codebases and infrastructure. Covers dependency vulnerabilities, secret detection, OWASP top 10, SSL/TLS verification, file permissions, and secure coding patterns.\n\nWhen to Use\nScanning project dependencies for known vulnerabilities\nDetecting hardcoded secrets, API keys, or credentials in source code\nReviewing code for OWASP top 10 vulnerabilities (injection, XSS, CSRF, etc.)\nVerifying SSL/TLS configuration for endpoints\nAuditing file and directory permissions\nChecking authentication and authorization patterns\nPreparing for a security review or compliance audit\nDependency Vulnerability Scanning\nNode.js\n# Built-in npm audit\nnpm audit\nnpm audit --json | jq '.vulnerabilities | to_entries[] | {name: .key, severity: .value.severity, via: .value.via[0]}'\n\n# Fix automatically where possible\nnpm audit fix\n\n# Show only high and critical\nnpm audit --audit-level=high\n\n# Check a specific package\nnpm audit --package-lock-only\n\n# Alternative: use npx to scan without installing\nnpx audit-ci --high\n\nPython\n# pip-audit (recommended)\npip install pip-audit\npip-audit\npip-audit -r requirements.txt\npip-audit --format=json\n\n# safety (alternative)\npip install safety\nsafety check\nsafety check -r requirements.txt --json\n\n# Check a specific package\npip-audit --requirement=- <<< \"requests==2.25.0\"\n\nGo\n# Built-in vuln checker\ngo install golang.org/x/vuln/cmd/govulncheck@latest\ngovulncheck ./...\n\n# Check specific binary\ngovulncheck -mode=binary ./myapp\n\nRust\n# cargo-audit\ncargo install cargo-audit\ncargo audit\n\n# With fix suggestions\ncargo audit fix\n\nUniversal: Trivy (scans any project)\n# Install: https://aquasecurity.github.io/trivy\n# Scan filesystem\ntrivy fs .\n\n# Scan specific language\ntrivy fs --scanners vuln --severity HIGH,CRITICAL .\n\n# Scan Docker image\ntrivy image myapp:latest\n\n# JSON output\ntrivy fs --format json -o results.json .\n\nSecret Detection\nManual grep patterns\n# AWS keys\ngrep -rn 'AKIA[0-9A-Z]\\{16\\}' --include='*.{js,ts,py,go,java,rb,env,yml,yaml,json,xml,cfg,conf,ini}' .\n\n# Generic API keys and tokens\ngrep -rn -i 'api[_-]\\?key\\|api[_-]\\?secret\\|access[_-]\\?token\\|auth[_-]\\?token\\|bearer ' \\\n --include='*.{js,ts,py,go,java,rb,env,yml,yaml,json}' .\n\n# Private keys\ngrep -rn 'BEGIN.*PRIVATE KEY' .\n\n# Passwords in config\ngrep -rn -i 'password\\s*[:=]' --include='*.{env,yml,yaml,json,xml,cfg,conf,ini,toml}' .\n\n# Connection strings with credentials\ngrep -rn -i 'mongodb://\\|mysql://\\|postgres://\\|redis://' --include='*.{js,ts,py,go,env,yml,yaml,json}' . | grep -v 'localhost\\|127.0.0.1\\|example'\n\n# JWT tokens (three base64 segments separated by dots)\ngrep -rn 'eyJ[A-Za-z0-9_-]*\\.eyJ[A-Za-z0-9_-]*\\.' --include='*.{js,ts,py,go,log,json}' .\n\nAutomated scanning with git\n# Scan git history for secrets (not just current files)\n# Using git log + grep\ngit log -p --all | grep -n -i 'api.key\\|password\\|secret\\|token' | head -50\n\n# Check staged files before commit\ngit diff --cached --name-only | xargs grep -l -i 'api.key\\|password\\|secret\\|token' 2>/dev/null\n\nPre-commit hook for secrets\n#!/bin/bash\n# .git/hooks/pre-commit - Block commits containing potential secrets\n\nPATTERNS=(\n 'AKIA[0-9A-Z]{16}'\n 'BEGIN.*PRIVATE KEY'\n 'password\\s*[:=]\\s*[\"\\x27][^\"\\x27]+'\n 'api[_-]?key\\s*[:=]\\s*[\"\\x27][^\"\\x27]+'\n 'sk-[A-Za-z0-9]{20,}'\n 'ghp_[A-Za-z0-9]{36}'\n 'xox[bpoas]-[A-Za-z0-9-]+'\n)\n\nSTAGED_FILES=$(git diff --cached --name-only --diff-filter=ACM)\n[ -z \"$STAGED_FILES\" ] && exit 0\n\nEXIT_CODE=0\nfor pattern in \"${PATTERNS[@]}\"; do\n matches=$(echo \"$STAGED_FILES\" | xargs grep -Pn \"$pattern\" 2>/dev/null)\n if [ -n \"$matches\" ]; then\n echo \"BLOCKED: Potential secret detected matching pattern: $pattern\"\n echo \"$matches\"\n EXIT_CODE=1\n fi\ndone\n\nif [ $EXIT_CODE -ne 0 ]; then\n echo \"\"\n echo \"To proceed anyway: git commit --no-verify\"\n echo \"To remove secrets: replace with environment variables\"\nfi\nexit $EXIT_CODE\n\n.gitignore audit\n# Check if sensitive files are tracked\necho \"--- Files that should probably be gitignored ---\"\nfor pattern in '.env' '.env.*' '*.pem' '*.key' '*.p12' '*.pfx' 'credentials.json' \\\n 'service-account*.json' '*.keystore' 'id_rsa' 'id_ed25519'; do\n found=$(git ls-files \"$pattern\" 2>/dev/null)\n [ -n \"$found\" ] && echo \" TRACKED: $found\"\ndone\n\n# Check if .gitignore exists and has common patterns\nif [ ! -f .gitignore ]; then\n echo \"WARNING: No .gitignore file found\"\nelse\n for entry in '.env' 'node_modules' '*.key' '*.pem'; do\n grep -q \"$entry\" .gitignore || echo \" MISSING from .gitignore: $entry\"\n done\nfi\n\nOWASP Top 10 Code Patterns\n1. Injection (SQL, Command, LDAP)\n# SQL injection: string concatenation in queries\ngrep -rn \"query\\|execute\\|cursor\" --include='*.{py,js,ts,go,java,rb}' . | \\\n grep -i \"f\\\"\\|format(\\|%s\\|\\${\\|+ \\\"\\|concat\\|sprintf\" | \\\n grep -iv \"parameterized\\|placeholder\\|prepared\"\n\n# Command injection: user input in shell commands\ngrep -rn \"exec(\\|spawn(\\|system(\\|popen(\\|subprocess\\|os\\.system\\|child_process\" \\\n --include='*.{py,js,ts,go,java,rb}' .\n\n# Check for parameterized queries (good)\ngrep -rn \"\\\\$[0-9]\\|\\\\?\\|%s\\|:param\\|@param\\|prepared\" --include='*.{py,js,ts,go,java,rb}' .\n\n2. Broken Authentication\n# Weak password hashing (MD5, SHA1 used for passwords)\ngrep -rn \"md5\\|sha1\\|sha256\" --include='*.{py,js,ts,go,java,rb}' . | grep -i \"password\\|passwd\"\n\n# Hardcoded credentials\ngrep -rn -i \"admin.*password\\|password.*admin\\|default.*password\" \\\n --include='*.{py,js,ts,go,java,rb,yml,yaml,json}' .\n\n# Session tokens in URLs\ngrep -rn \"session\\|token\\|jwt\" --include='*.{py,js,ts,go,java,rb}' . | grep -i \"url\\|query\\|param\\|GET\"\n\n# Check for rate limiting on auth endpoints\ngrep -rn -i \"rate.limit\\|throttle\\|brute\" --include='*.{py,js,ts,go,java,rb}' .\n\n3. Cross-Site Scripting (XSS)\n# Unescaped output in templates\ngrep -rn \"innerHTML\\|dangerouslySetInnerHTML\\|v-html\\|\\|html(\" \\\n --include='*.{js,ts,jsx,tsx,vue,html}' .\n\n# Template injection\ngrep -rn \"{{{.*}}}\\|<%=\\|<%-\\|\\$\\!{\" --include='*.{html,ejs,hbs,pug,erb}' .\n\n# Document.write\ngrep -rn \"document\\.write\\|document\\.writeln\" --include='*.{js,ts,html}' .\n\n# eval with user input\ngrep -rn \"eval(\\|new Function(\\|setTimeout.*string\\|setInterval.*string\" \\\n --include='*.{js,ts}' .\n\n4. Insecure Direct Object References\n# Direct ID usage in routes without authz check\ngrep -rn \"params\\.id\\|params\\[.id.\\]\\|req\\.params\\.\\|request\\.args\\.\\|request\\.GET\\.\" \\\n --include='*.{py,js,ts,go,java,rb}' . | \\\n grep -i \"user\\|account\\|profile\\|order\\|document\"\n\n5. Security Misconfiguration\n# CORS wildcard\ngrep -rn \"Access-Control-Allow-Origin.*\\*\\|cors({.*origin.*true\\|cors()\" \\\n --include='*.{py,js,ts,go,java,rb}' .\n\n# Debug mode in production configs\ngrep -rn \"DEBUG\\s*=\\s*True\\|debug:\\s*true\\|NODE_ENV.*development\" \\\n --include='*.{py,js,ts,yml,yaml,json,env}' .\n\n# Verbose error messages exposed to clients\ngrep -rn \"stack\\|traceback\\|stackTrace\" --include='*.{py,js,ts,go,java,rb}' . | \\\n grep -i \"response\\|send\\|return\\|res\\.\"\n\nSSL/TLS Verification\nCheck endpoint SSL\n# Full SSL check\nopenssl s_client -connect example.com:443 -servername example.com < /dev/null 2>/dev/null | \\\n openssl x509 -noout -subject -issuer -dates -fingerprint\n\n# Check certificate expiry\necho | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | \\\n openssl x509 -noout -enddate\n\n# Check supported TLS versions\nfor v in tls1 tls1_1 tls1_2 tls1_3; do\n result=$(openssl s_client -connect example.com:443 -$v < /dev/null 2>&1)\n if echo \"$result\" | grep -q \"Cipher is\"; then\n echo \"$v: SUPPORTED\"\n else\n echo \"$v: NOT SUPPORTED\"\n fi\ndone\n\n# Check cipher suites\nopenssl s_client -connect example.com:443 -cipher 'ALL' < /dev/null 2>&1 | \\\n grep \"Cipher :\"\n\n# Check for weak ciphers\nopenssl s_client -connect example.com:443 -cipher 'NULL:EXPORT:DES:RC4:MD5' < /dev/null 2>&1 | \\\n grep \"Cipher :\"\n\nVerify certificate chain\n# Download and verify full chain\nopenssl s_client -connect example.com:443 -showcerts < /dev/null 2>/dev/null | \\\n awk '/BEGIN CERTIFICATE/,/END CERTIFICATE/{print}' > chain.pem\n\n# Verify chain\nopenssl verify -CAfile /etc/ssl/certs/ca-certificates.crt chain.pem\n\n# Check certificate details\nopenssl x509 -in chain.pem -noout -text | grep -A2 \"Subject:\\|Issuer:\\|Not Before\\|Not After\\|DNS:\"\n\nCheck SSL from code\n# Verify SSL isn't disabled in code\ngrep -rn \"verify\\s*=\\s*False\\|rejectUnauthorized.*false\\|InsecureSkipVerify.*true\\|CURLOPT_SSL_VERIFYPEER.*false\\|NODE_TLS_REJECT_UNAUTHORIZED.*0\" \\\n --include='*.{py,js,ts,go,java,rb,yml,yaml}' .\n\nFile Permission Audit\n# Find world-writable files\nfind . -type f -perm -o=w -not -path '*/node_modules/*' -not -path '*/.git/*' 2>/dev/null\n\n# Find executable files that shouldn't be\nfind . -type f -perm -u=x -not -name '*.sh' -not -name '*.py' -not -path '*/node_modules/*' \\\n -not -path '*/.git/*' -not -path '*/bin/*' 2>/dev/null\n\n# Check sensitive file permissions\nfor f in .env .env.* *.pem *.key *.p12 id_rsa id_ed25519; do\n [ -f \"$f\" ] && ls -la \"$f\"\ndone\n\n# Find files with SUID/SGID bits (Linux)\nfind / -type f \\( -perm -4000 -o -perm -2000 \\) 2>/dev/null | head -20\n\n# Check SSH key permissions\nif [ -d ~/.ssh ]; then\n echo \"--- SSH directory permissions ---\"\n ls -la ~/.ssh/\n echo \"\"\n # Should be: dir=700, private keys=600, public keys=644, config=600\n [ \"$(stat -c %a ~/.ssh 2>/dev/null || stat -f %Lp ~/.ssh)\" != \"700\" ] && echo \"WARNING: ~/.ssh should be 700\"\nfi\n\nFull Project Security Audit Script\n#!/bin/bash\n# security-audit.sh - Run a comprehensive security check on a project\nset -euo pipefail\n\nPROJECT_DIR=\"${1:-.}\"\ncd \"$PROJECT_DIR\"\n\necho \"=========================================\"\necho \"Security Audit: $(basename \"$(pwd)\")\"\necho \"Date: $(date -u '+%Y-%m-%dT%H:%M:%SZ')\"\necho \"=========================================\"\necho \"\"\n\nISSUES=0\nwarn() { echo \" [!] $1\"; ((ISSUES++)); }\nok() { echo \" [OK] $1\"; }\nsection() { echo \"\"; echo \"--- $1 ---\"; }\n\n# 1. Secrets detection\nsection \"Secret Detection\"\nfor pattern in 'AKIA[0-9A-Z]\\{16\\}' 'BEGIN.*PRIVATE KEY' 'sk-[A-Za-z0-9]\\{20,\\}' \\\n 'ghp_[A-Za-z0-9]\\{36\\}' 'xox[bpoas]-'; do\n count=$(grep -rn \"$pattern\" --include='*.{js,ts,py,go,java,rb,env,yml,yaml,json,xml}' . 2>/dev/null | \\\n grep -v 'node_modules\\|\\.git\\|vendor\\|__pycache__' | wc -l)\n if [ \"$count\" -gt 0 ]; then\n warn \"Found $count matches for pattern: $pattern\"\n fi\ndone\ngrep -rn -i 'password\\s*[:=]\\s*[\"'\"'\"'][^\"'\"'\"']*[\"'\"'\"']' \\\n --include='*.{js,ts,py,go,yml,yaml,json,env}' . 2>/dev/null | \\\n grep -v 'node_modules\\|\\.git\\|example\\|test\\|mock\\|placeholder\\|changeme\\|xxxx' | \\\n while read -r line; do warn \"Hardcoded password: $line\"; done\n\n# 2. Dependency audit\nsection \"Dependency Vulnerabilities\"\nif [ -f package-lock.json ] || [ -f package.json ]; then\n npm audit --audit-level=high 2>/dev/null && ok \"npm: no high/critical vulns\" || warn \"npm audit found issues\"\nfi\nif [ -f requirements.txt ]; then\n pip-audit -r requirements.txt 2>/dev/null && ok \"pip: no known vulns\" || warn \"pip-audit found issues\"\nfi\nif [ -f go.sum ]; then\n govulncheck ./... 2>/dev/null && ok \"Go: no known vulns\" || warn \"govulncheck found issues\"\nfi\n\n# 3. Gitignore check\nsection \".gitignore Coverage\"\nif [ ! -f .gitignore ]; then\n warn \"No .gitignore file\"\nelse\n for entry in '.env' 'node_modules' '*.key' '*.pem' '.DS_Store'; do\n grep -q \"$entry\" .gitignore 2>/dev/null && ok \".gitignore has $entry\" || warn \".gitignore missing: $entry\"\n done\nfi\n\n# 4. SSL verification disabled\nsection \"SSL Verification\"\ndisabled=$(grep -rn \"verify\\s*=\\s*False\\|rejectUnauthorized.*false\\|InsecureSkipVerify.*true\" \\\n --include='*.{py,js,ts,go,java,rb}' . 2>/dev/null | \\\n grep -v 'node_modules\\|\\.git\\|test\\|spec\\|mock' | wc -l)\n[ \"$disabled\" -gt 0 ] && warn \"SSL verification disabled in $disabled location(s)\" || ok \"No SSL bypasses found\"\n\n# 5. CORS wildcard\nsection \"CORS Configuration\"\ncors=$(grep -rn \"Access-Control-Allow-Origin.*\\*\\|cors({.*origin.*true\" \\\n --include='*.{py,js,ts,go,java,rb}' . 2>/dev/null | \\\n grep -v 'node_modules\\|\\.git' | wc -l)\n[ \"$cors\" -gt 0 ] && warn \"CORS wildcard found in $cors location(s)\" || ok \"No CORS wildcard\"\n\n# 6. Debug mode\nsection \"Debug/Development Settings\"\ndebug=$(grep -rn \"DEBUG\\s*=\\s*True\\|debug:\\s*true\" \\\n --include='*.{py,yml,yaml,json}' . 2>/dev/null | \\\n grep -v 'node_modules\\|\\.git\\|test\\|jest\\|vitest' | wc -l)\n[ \"$debug\" -gt 0 ] && warn \"Debug mode enabled in $debug location(s)\" || ok \"No debug flags found\"\n\necho \"\"\necho \"=========================================\"\necho \"Audit complete. Issues found: $ISSUES\"\necho \"=========================================\"\n[ \"$ISSUES\" -eq 0 ] && exit 0 || exit 1\n\nSecure Coding Quick Reference\nEnvironment variables instead of hardcoded secrets\n# Bad: hardcoded in source\nAPI_KEY=\"sk-abc123...\"\n\n# Good: from environment\nAPI_KEY=\"${API_KEY:?Error: API_KEY not set}\"\n\n# Good: from .env file (loaded at startup, never committed)\n# .env\nAPI_KEY=sk-abc123...\n# .gitignore\n.env\n\nInput validation checklist\n- [ ] All user input validated (type, length, format)\n- [ ] SQL queries use parameterized statements (never string concat)\n- [ ] Shell commands never include user input directly\n- [ ] File paths validated (no path traversal: ../)\n- [ ] URLs validated (no SSRF: restrict to expected domains)\n- [ ] HTML output escaped (no XSS: use framework auto-escaping)\n- [ ] JSON parsing has error handling (no crash on malformed input)\n- [ ] File uploads checked (type, size, no executable content)\n\nHTTP security headers\n# Check security headers on a URL\ncurl -sI https://example.com | grep -i 'strict-transport\\|content-security\\|x-frame\\|x-content-type\\|referrer-policy\\|permissions-policy'\n\n# Expected headers:\n# Strict-Transport-Security: max-age=31536000; includeSubDomains\n# Content-Security-Policy: default-src 'self'\n# X-Frame-Options: DENY\n# X-Content-Type-Options: nosniff\n# Referrer-Policy: strict-origin-when-cross-origin\n# Permissions-Policy: camera=(), microphone=(), geolocation=()\n\nTips\nRun npm audit / pip-audit / govulncheck in CI on every pull request, not just occasionally.\nSecret detection in git history matters: even if a secret is removed from HEAD, it exists in git history. Use git filter-branch or git-filter-repo to purge, then rotate the credential.\nThe most dangerous vulnerabilities are often the simplest: SQL injection via string concatenation, command injection via unsanitized input, XSS via innerHTML.\nCORS Access-Control-Allow-Origin: * is safe for truly public, read-only APIs. It's dangerous for anything that uses cookies or auth tokens.\nAlways verify SSL in production. verify=False or rejectUnauthorized: false should only appear in test code, never in production paths.\nDefense in depth: validate input, escape output, use parameterized queries, enforce least privilege, and assume every layer might be bypassed." }, "trust": { "sourceLabel": "tencent", "provenanceUrl": "https://clawhub.ai/gitgoodordietrying/security-audit-toolkit", "publisherUrl": "https://clawhub.ai/gitgoodordietrying/security-audit-toolkit", "owner": "gitgoodordietrying", "version": "1.0.0", "license": null, "verificationStatus": "Indexed source record" }, "links": { "detailUrl": "https://openagent3.xyz/skills/security-audit-toolkit", "downloadUrl": "https://openagent3.xyz/downloads/security-audit-toolkit", "agentUrl": "https://openagent3.xyz/skills/security-audit-toolkit/agent", "manifestUrl": "https://openagent3.xyz/skills/security-audit-toolkit/agent.json", "briefUrl": "https://openagent3.xyz/skills/security-audit-toolkit/agent.md" } }