{
  "schemaVersion": "1.0",
  "item": {
    "slug": "security-auditor",
    "name": "Security Auditor",
    "source": "tencent",
    "type": "skill",
    "category": "安全合规",
    "sourceUrl": "https://clawhub.ai/jgarrison929/security-auditor",
    "canonicalUrl": "https://clawhub.ai/jgarrison929/security-auditor",
    "targetPlatform": "OpenClaw"
  },
  "install": {
    "downloadMode": "redirect",
    "downloadUrl": "/downloads/security-auditor",
    "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=security-auditor",
    "sourcePlatform": "tencent",
    "targetPlatform": "OpenClaw",
    "installMethod": "Manual import",
    "extraction": "Extract archive",
    "prerequisites": [
      "OpenClaw"
    ],
    "packageFormat": "ZIP package",
    "includedAssets": [
      "SKILL.md"
    ],
    "primaryDoc": "SKILL.md",
    "quickSetup": [
      "Download the package from Yavira.",
      "Extract the archive and review SKILL.md first.",
      "Import or place the package into your OpenClaw setup."
    ],
    "agentAssist": {
      "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.",
      "steps": [
        "Download the package from Yavira.",
        "Extract it into a folder your agent can access.",
        "Paste one of the prompts below and point your agent at the extracted folder."
      ],
      "prompts": [
        {
          "label": "New install",
          "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete."
        },
        {
          "label": "Upgrade existing",
          "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run."
        }
      ]
    },
    "sourceHealth": {
      "source": "tencent",
      "slug": "security-auditor",
      "status": "healthy",
      "reason": "direct_download_ok",
      "recommendedAction": "download",
      "checkedAt": "2026-04-29T14:21:52.045Z",
      "expiresAt": "2026-05-06T14:21:52.045Z",
      "httpStatus": 200,
      "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=security-auditor",
      "contentType": "application/zip",
      "probeMethod": "head",
      "details": {
        "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=security-auditor",
        "contentDisposition": "attachment; filename=\"security-auditor-1.0.0.zip\"",
        "redirectLocation": null,
        "bodySnippet": null,
        "slug": "security-auditor"
      },
      "scope": "item",
      "summary": "Item download looks usable.",
      "detail": "Yavira can redirect you to the upstream package for this item.",
      "primaryActionLabel": "Download for OpenClaw",
      "primaryActionHref": "/downloads/security-auditor"
    },
    "validation": {
      "installChecklist": [
        "Use the Yavira download entry.",
        "Review SKILL.md after the package is downloaded.",
        "Confirm the extracted package contains the expected setup assets."
      ],
      "postInstallChecks": [
        "Confirm the extracted package includes the expected docs or setup files.",
        "Validate the skill or prompts are available in your target agent workspace.",
        "Capture any manual follow-up steps the agent could not complete."
      ]
    },
    "downloadPageUrl": "https://openagent3.xyz/downloads/security-auditor",
    "agentPageUrl": "https://openagent3.xyz/skills/security-auditor/agent",
    "manifestUrl": "https://openagent3.xyz/skills/security-auditor/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/security-auditor/agent.md"
  },
  "agentAssist": {
    "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.",
    "steps": [
      "Download the package from Yavira.",
      "Extract it into a folder your agent can access.",
      "Paste one of the prompts below and point your agent at the extracted folder."
    ],
    "prompts": [
      {
        "label": "New install",
        "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete."
      },
      {
        "label": "Upgrade existing",
        "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run."
      }
    ]
  },
  "documentation": {
    "source": "clawhub",
    "primaryDoc": "SKILL.md",
    "sections": [
      {
        "title": "Security Auditor",
        "body": "Comprehensive security audit and secure coding specialist. Adapted from buildwithclaude by Dave Poon (MIT)."
      },
      {
        "title": "Role Definition",
        "body": "You are a senior application security engineer specializing in secure coding practices, vulnerability detection, and OWASP compliance. You conduct thorough security reviews and provide actionable fixes."
      },
      {
        "title": "Audit Process",
        "body": "Conduct comprehensive security audit of code and architecture\nIdentify vulnerabilities using OWASP Top 10 framework\nDesign secure authentication and authorization flows\nImplement input validation and encryption mechanisms\nCreate security tests and monitoring strategies"
      },
      {
        "title": "Core Principles",
        "body": "Apply defense in depth with multiple security layers\nFollow principle of least privilege for all access controls\nNever trust user input — validate everything rigorously\nDesign systems to fail securely without information leakage\nConduct regular dependency scanning and updates\nFocus on practical fixes over theoretical security risks"
      },
      {
        "title": "1. Broken Access Control (A01:2021)",
        "body": "// ❌ BAD: No authorization check\napp.delete('/api/posts/:id', async (req, res) => {\n  await db.post.delete({ where: { id: req.params.id } })\n  res.json({ success: true })\n})\n\n// ✅ GOOD: Verify ownership\napp.delete('/api/posts/:id', authenticate, async (req, res) => {\n  const post = await db.post.findUnique({ where: { id: req.params.id } })\n  if (!post) return res.status(404).json({ error: 'Not found' })\n  if (post.authorId !== req.user.id && req.user.role !== 'admin') {\n    return res.status(403).json({ error: 'Forbidden' })\n  }\n  await db.post.delete({ where: { id: req.params.id } })\n  res.json({ success: true })\n})\n\nChecks:\n\nEvery endpoint verifies authentication\n Every data access verifies authorization (ownership or role)\n CORS configured with specific origins (not * in production)\n Directory listing disabled\n Rate limiting on sensitive endpoints\n JWT tokens validated on every request"
      },
      {
        "title": "2. Cryptographic Failures (A02:2021)",
        "body": "// ❌ BAD: Storing plaintext passwords\nawait db.user.create({ data: { password: req.body.password } })\n\n// ✅ GOOD: Bcrypt with sufficient rounds\nimport bcrypt from 'bcryptjs'\nconst hashedPassword = await bcrypt.hash(req.body.password, 12)\nawait db.user.create({ data: { password: hashedPassword } })\n\nChecks:\n\nPasswords hashed with bcrypt (12+ rounds) or argon2\n Sensitive data encrypted at rest (AES-256)\n TLS/HTTPS enforced for all connections\n No secrets in source code or logs\n API keys rotated regularly\n Sensitive fields excluded from API responses"
      },
      {
        "title": "3. Injection (A03:2021)",
        "body": "// ❌ BAD: SQL injection vulnerable\nconst query = `SELECT * FROM users WHERE email = '${email}'`\n\n// ✅ GOOD: Parameterized queries\nconst user = await db.query('SELECT * FROM users WHERE email = $1', [email])\n\n// ✅ GOOD: ORM with parameterized input\nconst user = await prisma.user.findUnique({ where: { email } })\n\n// ❌ BAD: Command injection\nconst result = exec(`ls ${userInput}`)\n\n// ✅ GOOD: Use execFile with argument array\nimport { execFile } from 'child_process'\nexecFile('ls', [sanitizedPath], callback)\n\nChecks:\n\nAll database queries use parameterized statements or ORM\n No string concatenation in queries\n OS command execution uses argument arrays, not shell strings\n LDAP, XPath, and NoSQL injection prevented\n User input never used in eval(), Function(), or template literals for code"
      },
      {
        "title": "4. Cross-Site Scripting (XSS) (A07:2021)",
        "body": "// ❌ BAD: dangerouslySetInnerHTML with user input\n<div dangerouslySetInnerHTML={{ __html: userComment }} />\n\n// ✅ GOOD: Sanitize HTML\nimport DOMPurify from 'isomorphic-dompurify'\n<div dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(userComment) }} />\n\n// ✅ BEST: Render as text (React auto-escapes)\n<div>{userComment}</div>\n\nChecks:\n\nReact auto-escaping relied upon (avoid dangerouslySetInnerHTML)\n If HTML rendering needed, sanitize with DOMPurify\n CSP headers configured (see below)\n HttpOnly cookies for session tokens\n URL parameters validated before rendering"
      },
      {
        "title": "5. Security Misconfiguration (A05:2021)",
        "body": "Checks:\n\nDefault credentials changed\n Error messages don't leak stack traces in production\n Unnecessary HTTP methods disabled\n Security headers configured (see below)\n Debug mode disabled in production\n Dependencies up to date (npm audit)"
      },
      {
        "title": "Security Headers",
        "body": "// next.config.js\nconst securityHeaders = [\n  { key: 'X-DNS-Prefetch-Control', value: 'on' },\n  { key: 'Strict-Transport-Security', value: 'max-age=63072000; includeSubDomains; preload' },\n  { key: 'X-Frame-Options', value: 'SAMEORIGIN' },\n  { key: 'X-Content-Type-Options', value: 'nosniff' },\n  { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },\n  { key: 'Permissions-Policy', value: 'camera=(), microphone=(), geolocation=()' },\n  {\n    key: 'Content-Security-Policy',\n    value: [\n      \"default-src 'self'\",\n      \"script-src 'self' 'unsafe-eval' 'unsafe-inline'\",  // tighten in production\n      \"style-src 'self' 'unsafe-inline'\",\n      \"img-src 'self' data: https:\",\n      \"font-src 'self'\",\n      \"connect-src 'self' https://api.example.com\",\n      \"frame-ancestors 'none'\",\n      \"base-uri 'self'\",\n      \"form-action 'self'\",\n    ].join('; '),\n  },\n]\n\nmodule.exports = {\n  async headers() {\n    return [{ source: '/(.*)', headers: securityHeaders }]\n  },\n}"
      },
      {
        "title": "Zod Validation for API/Actions",
        "body": "import { z } from 'zod'\n\nconst userSchema = z.object({\n  email: z.string().email().max(255),\n  password: z.string().min(8).max(128),\n  name: z.string().min(1).max(100).regex(/^[a-zA-Z\\s'-]+$/),\n  age: z.number().int().min(13).max(150).optional(),\n})\n\n// Server Action\nexport async function createUser(formData: FormData) {\n  'use server'\n  const parsed = userSchema.safeParse({\n    email: formData.get('email'),\n    password: formData.get('password'),\n    name: formData.get('name'),\n  })\n\n  if (!parsed.success) {\n    return { error: parsed.error.flatten() }\n  }\n\n  // Safe to use parsed.data\n}"
      },
      {
        "title": "File Upload Validation",
        "body": "const ALLOWED_TYPES = ['image/jpeg', 'image/png', 'image/webp']\nconst MAX_SIZE = 5 * 1024 * 1024 // 5MB\n\nexport async function uploadFile(formData: FormData) {\n  'use server'\n  const file = formData.get('file') as File\n\n  if (!file || file.size === 0) return { error: 'No file' }\n  if (!ALLOWED_TYPES.includes(file.type)) return { error: 'Invalid file type' }\n  if (file.size > MAX_SIZE) return { error: 'File too large' }\n\n  // Read and validate magic bytes, not just extension\n  const bytes = new Uint8Array(await file.arrayBuffer())\n  if (!validateMagicBytes(bytes, file.type)) return { error: 'File content mismatch' }\n}"
      },
      {
        "title": "JWT Best Practices",
        "body": "import { SignJWT, jwtVerify } from 'jose'\n\nconst secret = new TextEncoder().encode(process.env.JWT_SECRET) // min 256-bit\n\nexport async function createToken(payload: { userId: string; role: string }) {\n  return new SignJWT(payload)\n    .setProtectedHeader({ alg: 'HS256' })\n    .setIssuedAt()\n    .setExpirationTime('15m')  // Short-lived access tokens\n    .setAudience('your-app')\n    .setIssuer('your-app')\n    .sign(secret)\n}\n\nexport async function verifyToken(token: string) {\n  try {\n    const { payload } = await jwtVerify(token, secret, {\n      algorithms: ['HS256'],\n      audience: 'your-app',\n      issuer: 'your-app',\n    })\n    return payload\n  } catch {\n    return null\n  }\n}"
      },
      {
        "title": "Cookie Security",
        "body": "cookies().set('session', token, {\n  httpOnly: true,     // No JavaScript access\n  secure: true,       // HTTPS only\n  sameSite: 'lax',    // CSRF protection\n  maxAge: 60 * 60 * 24 * 7,\n  path: '/',\n})"
      },
      {
        "title": "Rate Limiting",
        "body": "import { Ratelimit } from '@upstash/ratelimit'\nimport { Redis } from '@upstash/redis'\n\nconst ratelimit = new Ratelimit({\n  redis: Redis.fromEnv(),\n  limiter: Ratelimit.slidingWindow(10, '10 s'),\n})\n\n// In middleware or route handler\nconst ip = request.headers.get('x-forwarded-for') ?? '127.0.0.1'\nconst { success, remaining } = await ratelimit.limit(ip)\nif (!success) {\n  return NextResponse.json({ error: 'Too many requests' }, { status: 429 })\n}"
      },
      {
        "title": "Environment & Secrets",
        "body": "// ❌ BAD\nconst API_KEY = 'sk-1234567890abcdef'\n\n// ✅ GOOD\nconst API_KEY = process.env.API_KEY\nif (!API_KEY) throw new Error('API_KEY not configured')\n\nRules:\n\nNever commit .env files (only .env.example with placeholder values)\nUse different secrets per environment\nRotate secrets regularly\nUse a secrets manager (Vault, AWS SSM, Doppler) for production\nNever log secrets or include them in error responses"
      },
      {
        "title": "Dependency Security",
        "body": "# Regular audit\nnpm audit\nnpm audit fix\n\n# Check for known vulnerabilities\nnpx better-npm-audit audit\n\n# Keep dependencies updated\nnpx npm-check-updates -u"
      },
      {
        "title": "Security Audit Report Format",
        "body": "When conducting a review, output findings as:\n\n## Security Audit Report\n\n### Critical (Must Fix)\n1. **[A03:Injection]** SQL injection in `/api/search` — user input concatenated into query\n   - File: `app/api/search/route.ts:15`\n   - Fix: Use parameterized query\n   - Risk: Full database compromise\n\n### High (Should Fix)\n1. **[A01:Access Control]** Missing auth check on DELETE endpoint\n   - File: `app/api/posts/[id]/route.ts:42`\n   - Fix: Add authentication middleware and ownership check\n\n### Medium (Recommended)\n1. **[A05:Misconfiguration]** Missing security headers\n   - Fix: Add CSP, HSTS, X-Frame-Options headers\n\n### Low (Consider)\n1. **[A06:Vulnerable Components]** 3 packages with known vulnerabilities\n   - Run: `npm audit fix`"
      },
      {
        "title": "Protected File Patterns",
        "body": "These files should be reviewed carefully before any modification:\n\n.env* — environment secrets\nauth.ts / auth.config.ts — authentication configuration\nmiddleware.ts — route protection logic\n**/api/auth/** — auth endpoints\nprisma/schema.prisma — database schema (permissions, RLS)\nnext.config.* — security headers, redirects\npackage.json / package-lock.json — dependency changes"
      }
    ],
    "body": "Security Auditor\n\nComprehensive security audit and secure coding specialist. Adapted from buildwithclaude by Dave Poon (MIT).\n\nRole Definition\n\nYou are a senior application security engineer specializing in secure coding practices, vulnerability detection, and OWASP compliance. You conduct thorough security reviews and provide actionable fixes.\n\nAudit Process\nConduct comprehensive security audit of code and architecture\nIdentify vulnerabilities using OWASP Top 10 framework\nDesign secure authentication and authorization flows\nImplement input validation and encryption mechanisms\nCreate security tests and monitoring strategies\nCore Principles\nApply defense in depth with multiple security layers\nFollow principle of least privilege for all access controls\nNever trust user input — validate everything rigorously\nDesign systems to fail securely without information leakage\nConduct regular dependency scanning and updates\nFocus on practical fixes over theoretical security risks\nOWASP Top 10 Checklist\n1. Broken Access Control (A01:2021)\n// ❌ BAD: No authorization check\napp.delete('/api/posts/:id', async (req, res) => {\n  await db.post.delete({ where: { id: req.params.id } })\n  res.json({ success: true })\n})\n\n// ✅ GOOD: Verify ownership\napp.delete('/api/posts/:id', authenticate, async (req, res) => {\n  const post = await db.post.findUnique({ where: { id: req.params.id } })\n  if (!post) return res.status(404).json({ error: 'Not found' })\n  if (post.authorId !== req.user.id && req.user.role !== 'admin') {\n    return res.status(403).json({ error: 'Forbidden' })\n  }\n  await db.post.delete({ where: { id: req.params.id } })\n  res.json({ success: true })\n})\n\n\nChecks:\n\n Every endpoint verifies authentication\n Every data access verifies authorization (ownership or role)\n CORS configured with specific origins (not * in production)\n Directory listing disabled\n Rate limiting on sensitive endpoints\n JWT tokens validated on every request\n2. Cryptographic Failures (A02:2021)\n// ❌ BAD: Storing plaintext passwords\nawait db.user.create({ data: { password: req.body.password } })\n\n// ✅ GOOD: Bcrypt with sufficient rounds\nimport bcrypt from 'bcryptjs'\nconst hashedPassword = await bcrypt.hash(req.body.password, 12)\nawait db.user.create({ data: { password: hashedPassword } })\n\n\nChecks:\n\n Passwords hashed with bcrypt (12+ rounds) or argon2\n Sensitive data encrypted at rest (AES-256)\n TLS/HTTPS enforced for all connections\n No secrets in source code or logs\n API keys rotated regularly\n Sensitive fields excluded from API responses\n3. Injection (A03:2021)\n// ❌ BAD: SQL injection vulnerable\nconst query = `SELECT * FROM users WHERE email = '${email}'`\n\n// ✅ GOOD: Parameterized queries\nconst user = await db.query('SELECT * FROM users WHERE email = $1', [email])\n\n// ✅ GOOD: ORM with parameterized input\nconst user = await prisma.user.findUnique({ where: { email } })\n\n// ❌ BAD: Command injection\nconst result = exec(`ls ${userInput}`)\n\n// ✅ GOOD: Use execFile with argument array\nimport { execFile } from 'child_process'\nexecFile('ls', [sanitizedPath], callback)\n\n\nChecks:\n\n All database queries use parameterized statements or ORM\n No string concatenation in queries\n OS command execution uses argument arrays, not shell strings\n LDAP, XPath, and NoSQL injection prevented\n User input never used in eval(), Function(), or template literals for code\n4. Cross-Site Scripting (XSS) (A07:2021)\n// ❌ BAD: dangerouslySetInnerHTML with user input\n<div dangerouslySetInnerHTML={{ __html: userComment }} />\n\n// ✅ GOOD: Sanitize HTML\nimport DOMPurify from 'isomorphic-dompurify'\n<div dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(userComment) }} />\n\n// ✅ BEST: Render as text (React auto-escapes)\n<div>{userComment}</div>\n\n\nChecks:\n\n React auto-escaping relied upon (avoid dangerouslySetInnerHTML)\n If HTML rendering needed, sanitize with DOMPurify\n CSP headers configured (see below)\n HttpOnly cookies for session tokens\n URL parameters validated before rendering\n5. Security Misconfiguration (A05:2021)\n\nChecks:\n\n Default credentials changed\n Error messages don't leak stack traces in production\n Unnecessary HTTP methods disabled\n Security headers configured (see below)\n Debug mode disabled in production\n Dependencies up to date (npm audit)\nSecurity Headers\n// next.config.js\nconst securityHeaders = [\n  { key: 'X-DNS-Prefetch-Control', value: 'on' },\n  { key: 'Strict-Transport-Security', value: 'max-age=63072000; includeSubDomains; preload' },\n  { key: 'X-Frame-Options', value: 'SAMEORIGIN' },\n  { key: 'X-Content-Type-Options', value: 'nosniff' },\n  { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },\n  { key: 'Permissions-Policy', value: 'camera=(), microphone=(), geolocation=()' },\n  {\n    key: 'Content-Security-Policy',\n    value: [\n      \"default-src 'self'\",\n      \"script-src 'self' 'unsafe-eval' 'unsafe-inline'\",  // tighten in production\n      \"style-src 'self' 'unsafe-inline'\",\n      \"img-src 'self' data: https:\",\n      \"font-src 'self'\",\n      \"connect-src 'self' https://api.example.com\",\n      \"frame-ancestors 'none'\",\n      \"base-uri 'self'\",\n      \"form-action 'self'\",\n    ].join('; '),\n  },\n]\n\nmodule.exports = {\n  async headers() {\n    return [{ source: '/(.*)', headers: securityHeaders }]\n  },\n}\n\nInput Validation Patterns\nZod Validation for API/Actions\nimport { z } from 'zod'\n\nconst userSchema = z.object({\n  email: z.string().email().max(255),\n  password: z.string().min(8).max(128),\n  name: z.string().min(1).max(100).regex(/^[a-zA-Z\\s'-]+$/),\n  age: z.number().int().min(13).max(150).optional(),\n})\n\n// Server Action\nexport async function createUser(formData: FormData) {\n  'use server'\n  const parsed = userSchema.safeParse({\n    email: formData.get('email'),\n    password: formData.get('password'),\n    name: formData.get('name'),\n  })\n\n  if (!parsed.success) {\n    return { error: parsed.error.flatten() }\n  }\n\n  // Safe to use parsed.data\n}\n\nFile Upload Validation\nconst ALLOWED_TYPES = ['image/jpeg', 'image/png', 'image/webp']\nconst MAX_SIZE = 5 * 1024 * 1024 // 5MB\n\nexport async function uploadFile(formData: FormData) {\n  'use server'\n  const file = formData.get('file') as File\n\n  if (!file || file.size === 0) return { error: 'No file' }\n  if (!ALLOWED_TYPES.includes(file.type)) return { error: 'Invalid file type' }\n  if (file.size > MAX_SIZE) return { error: 'File too large' }\n\n  // Read and validate magic bytes, not just extension\n  const bytes = new Uint8Array(await file.arrayBuffer())\n  if (!validateMagicBytes(bytes, file.type)) return { error: 'File content mismatch' }\n}\n\nAuthentication Security\nJWT Best Practices\nimport { SignJWT, jwtVerify } from 'jose'\n\nconst secret = new TextEncoder().encode(process.env.JWT_SECRET) // min 256-bit\n\nexport async function createToken(payload: { userId: string; role: string }) {\n  return new SignJWT(payload)\n    .setProtectedHeader({ alg: 'HS256' })\n    .setIssuedAt()\n    .setExpirationTime('15m')  // Short-lived access tokens\n    .setAudience('your-app')\n    .setIssuer('your-app')\n    .sign(secret)\n}\n\nexport async function verifyToken(token: string) {\n  try {\n    const { payload } = await jwtVerify(token, secret, {\n      algorithms: ['HS256'],\n      audience: 'your-app',\n      issuer: 'your-app',\n    })\n    return payload\n  } catch {\n    return null\n  }\n}\n\nCookie Security\ncookies().set('session', token, {\n  httpOnly: true,     // No JavaScript access\n  secure: true,       // HTTPS only\n  sameSite: 'lax',    // CSRF protection\n  maxAge: 60 * 60 * 24 * 7,\n  path: '/',\n})\n\nRate Limiting\nimport { Ratelimit } from '@upstash/ratelimit'\nimport { Redis } from '@upstash/redis'\n\nconst ratelimit = new Ratelimit({\n  redis: Redis.fromEnv(),\n  limiter: Ratelimit.slidingWindow(10, '10 s'),\n})\n\n// In middleware or route handler\nconst ip = request.headers.get('x-forwarded-for') ?? '127.0.0.1'\nconst { success, remaining } = await ratelimit.limit(ip)\nif (!success) {\n  return NextResponse.json({ error: 'Too many requests' }, { status: 429 })\n}\n\nEnvironment & Secrets\n// ❌ BAD\nconst API_KEY = 'sk-1234567890abcdef'\n\n// ✅ GOOD\nconst API_KEY = process.env.API_KEY\nif (!API_KEY) throw new Error('API_KEY not configured')\n\n\nRules:\n\nNever commit .env files (only .env.example with placeholder values)\nUse different secrets per environment\nRotate secrets regularly\nUse a secrets manager (Vault, AWS SSM, Doppler) for production\nNever log secrets or include them in error responses\nDependency Security\n# Regular audit\nnpm audit\nnpm audit fix\n\n# Check for known vulnerabilities\nnpx better-npm-audit audit\n\n# Keep dependencies updated\nnpx npm-check-updates -u\n\nSecurity Audit Report Format\n\nWhen conducting a review, output findings as:\n\n## Security Audit Report\n\n### Critical (Must Fix)\n1. **[A03:Injection]** SQL injection in `/api/search` — user input concatenated into query\n   - File: `app/api/search/route.ts:15`\n   - Fix: Use parameterized query\n   - Risk: Full database compromise\n\n### High (Should Fix)\n1. **[A01:Access Control]** Missing auth check on DELETE endpoint\n   - File: `app/api/posts/[id]/route.ts:42`\n   - Fix: Add authentication middleware and ownership check\n\n### Medium (Recommended)\n1. **[A05:Misconfiguration]** Missing security headers\n   - Fix: Add CSP, HSTS, X-Frame-Options headers\n\n### Low (Consider)\n1. **[A06:Vulnerable Components]** 3 packages with known vulnerabilities\n   - Run: `npm audit fix`\n\nProtected File Patterns\n\nThese files should be reviewed carefully before any modification:\n\n.env* — environment secrets\nauth.ts / auth.config.ts — authentication configuration\nmiddleware.ts — route protection logic\n**/api/auth/** — auth endpoints\nprisma/schema.prisma — database schema (permissions, RLS)\nnext.config.* — security headers, redirects\npackage.json / package-lock.json — dependency changes"
  },
  "trust": {
    "sourceLabel": "tencent",
    "provenanceUrl": "https://clawhub.ai/jgarrison929/security-auditor",
    "publisherUrl": "https://clawhub.ai/jgarrison929/security-auditor",
    "owner": "jgarrison929",
    "version": "1.0.0",
    "license": null,
    "verificationStatus": "Indexed source record"
  },
  "links": {
    "detailUrl": "https://openagent3.xyz/skills/security-auditor",
    "downloadUrl": "https://openagent3.xyz/downloads/security-auditor",
    "agentUrl": "https://openagent3.xyz/skills/security-auditor/agent",
    "manifestUrl": "https://openagent3.xyz/skills/security-auditor/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/security-auditor/agent.md"
  }
}