common-security-audit
Probe for hardcoded secrets, injection surfaces, unguarded routes, and infrastructure weaknesses across Node, Go, Dart, Java, Python, and Rust codebases. Use when performing security audits, vulnerability scans, secrets detection, or penetration testing. (triggers: package.json, go.mod, pubspec.yaml, pom.xml, Dockerfile, security audit, vulnerability scan, secrets detection, injection probe, pentest)
curl "https://skillshub.wtf/HoangNguyen0403/agent-skills-standard/common-security-audit?format=md"

Security Audit
Priority: P0 (CRITICAL)
1. Scan for Hardcoded Secrets
See implementation examples for secrets scanning commands.
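The implementation examples are not on this page. As an added example (not the skill's own code, not from the agent-skills-standard project), the script below is a small grep-based scanner for step 1: it looks for three common secret shapes and prints the usual `file:line:text` output. The function names, the regexes and the sample source tree (with fake values) are this example's own; point `scan_secrets` at a real repository root to use it.

```shell
#!/bin/sh
# Added example, not code from the skill page: a small hardcoded-secret scanner
# built from grep. It looks for three shapes of secret and prints grep's usual
# file:line:text output. The sample tree is constructed inline (fake values)
# so the script runs offline; point scan_secrets at a real repo root to use it.

# Secret shapes, one extended regex per line:
#   1. password/secret/token/api key assigned a quoted literal of 4+ characters
#   2. AWS access key ids (AKIA followed by 16 uppercase alphanumerics)
#   3. PEM private-key headers
SECRET_PATTERNS=$(mktemp)
cat > "$SECRET_PATTERNS" <<'EOF'
(password|passwd|secret|token|api[_-]?key)[[:space:]]*[:=][[:space:]]*["'][^"']{4,}["']
AKIA[0-9A-Z]{16}
-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----
EOF

# Recursive, case-insensitive scan of a directory. grep exits 1 when nothing
# matches, so "|| true" keeps the function usable under "set -e".
scan_secrets() {
  grep -rniE -f "$SECRET_PATTERNS" "$1" 2>/dev/null || true
}

# Number of offending lines. The scoring table treats any match as P0.
count_secret_hits() {
  scan_secrets "$1" | wc -l | tr -d ' '
}

# Constructed sample tree: two offending files and one clean one.
make_sample_tree() {
  dir=$(mktemp -d)
  mkdir -p "$dir/src"
  cat > "$dir/src/config.ts" <<'EOF'
// constructed sample: credential hardcoded as a string literal (finding)
const dbPassword = "hunter2-not-a-real-password";
// fine: value comes from the environment at runtime
const apiKey = process.env.API_KEY;
EOF
  cat > "$dir/src/aws.go" <<'EOF'
// constructed sample: the AWS documentation's example access key id (finding)
const accessKey = "AKIAIOSFODNN7EXAMPLE"
EOF
  cat > "$dir/src/clean.py" <<'EOF'
import os
token = os.environ["SERVICE_TOKEN"]  # fine: not a literal
EOF
  printf '%s\n' "$dir"
}

# Stand-alone run: build the sample tree, scan it, report, clean up.
tree=$(make_sample_tree)
scan_secrets "$tree"
echo "hardcoded-secret hits: $(count_secret_hits "$tree")"
rm -rf "$tree"
```

On the constructed tree the scanner reports the two literal assignments and stays silent on the two lines that read from the environment, which is the distinction the step is after. In a real repository, exclude vendored and generated directories (for example `node_modules`, `.git`, build output) before trusting the count.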
2. Detect Data Leakage in Logs
Identify sensitive info printed to logs or stdout.
- Node/TS: `grep -rE "console\.(log|error|warn)" . --include="*.ts" --include="*.js" | grep -iE "password|token|secret"`
- Go: `grep -rE "log\.(Print|Printf|Println|Fatal)" . --include="*.go" | grep -iE "password|token|secret"`
- Dart/Flutter: `grep -rE "print\(|debugPrint\(" . --include="*.dart" | grep -iE "password|token|secret"`
- Java/Spring: `grep -rE "log(ger)?\.(info|debug|warn|error)" . --include="*.java" | grep -iE "password|token|secret"`
3. Map Injection Surfaces
Detect raw string concatenation in queries or system commands.
See implementation examples for injection surface detection.
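As an added example for step 3 (not the skill's own code), the script below probes for the surfaces the step describes: SQL or OS-command strings assembled by concatenation or interpolation rather than passed with parameters. The regexes, function names and sample files are this example's own; each constructed file pairs a risky line with its parameterised counterpart so the expected result is clear: risky lines reported, safe lines silent.

```shell
#!/bin/sh
# Added example, not code from the skill page: a grep-based probe for the
# injection surfaces step 3 describes, i.e. SQL or OS-command strings built
# by concatenation or interpolation instead of parameters. The sample files
# are constructed inline and pair each risky line with its parameterised form.

INJECTION_PATTERNS=$(mktemp)
cat > "$INJECTION_PATTERNS" <<'EOF'
["'](SELECT|INSERT|UPDATE|DELETE)[^"']*["'][[:space:]]*\+
f["'][[:space:]]*(SELECT|INSERT|UPDATE|DELETE)
Sprintf\(["'](SELECT|INSERT|UPDATE|DELETE)
(^|[^A-Za-z_])(exec|system|popen)\([^)]*\+
EOF
# Pattern 1: quoted SQL literal followed by "+" (JS/Java/Go concatenation)
# Pattern 2: Python f-string that starts with a SQL verb
# Pattern 3: Go fmt.Sprintf assembling SQL
# Pattern 4: exec/system/popen whose argument list concatenates something

# Recursive, case-insensitive scan; "|| true" keeps set -e quiet on no match.
scan_injection() {
  grep -rniE -f "$INJECTION_PATTERNS" "$1" 2>/dev/null || true
}

count_injection_hits() {
  scan_injection "$1" | wc -l | tr -d ' '
}

# Constructed samples: line 2 of each file is risky, line 4 is the safe form.
make_injection_sample() {
  dir=$(mktemp -d)
  cat > "$dir/repo.js" <<'EOF'
// risky: request input concatenated into SQL
const rows = await db.query("SELECT * FROM users WHERE id = " + req.params.id);
// safe: placeholder plus bound parameter
const ok = await db.query("SELECT * FROM users WHERE id = $1", [req.params.id]);
EOF
  cat > "$dir/dao.py" <<'EOF'
# risky: f-string interpolation into SQL
cur.execute(f"SELECT * FROM users WHERE name = '{name}'")
# safe: driver-side parameter binding
cur.execute("SELECT * FROM users WHERE name = %s", (name,))
EOF
  cat > "$dir/store.go" <<'EOF'
// risky: Sprintf builds the statement from a token value
q := fmt.Sprintf("DELETE FROM sessions WHERE token = '%s'", tok)
// safe: positional parameter handled by the driver
db.Exec("DELETE FROM sessions WHERE token = $1", tok)
EOF
  cat > "$dir/tools.js" <<'EOF'
// risky: user-controlled path spliced into a shell command line
exec("ls -l " + userDir, cb);
// safe: argv array, no shell involved
execFile("ls", ["-l", userDir], cb);
EOF
  printf '%s\n' "$dir"
}

# Stand-alone run: scan the constructed samples, report, clean up.
sample=$(make_injection_sample)
scan_injection "$sample"
echo "injection-surface hits: $(count_injection_hits "$sample")"
rm -rf "$sample"
```

Every hit lands on line 2 of its file and none on line 4, which is what a useful probe looks like: it flags the concatenated and interpolated statements and leaves the placeholder-plus-parameter forms alone. Expect false positives on real code (a `+` after a SQL literal that only joins two constant fragments, for instance); the hits are review candidates, and the scoring table's "Raw SQL Concatenation" row should be applied after that review.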
4. Measure Auth Coverage vs Exposure
Compare total routes against protected endpoints.
- NestJS: `total=$(grep -rE "@(Get|Post|Put|Delete|Patch)" . | wc -l); guarded=$(grep -rE "@(UseGuards|Auth)" . | wc -l)`
- Spring: `total=$(grep -rE "@(GetMapping|PostMapping|PutMapping)" . | wc -l); guarded=$(grep -rE "@(PreAuthorize|Secured)" . | wc -l)`
- Go: `total=$(grep -rE "(GET|POST|PUT|DELETE)" . | wc -l); guarded=$(grep -rE "(middleware|auth|jwt|guard)" . | wc -l)`
5. Run Dependency CVE Scans
- Node: `npm audit --audit-level=high`
- Dart/Flutter: `dart pub outdated --json`
- Go: `go list -m -u all | grep "\["`
- Java: `mvn dependency:list` or `./gradlew dependencies`
- Python: `pip-audit`
- Rust: `cargo audit`
6. Audit Infrastructure Hardening
See implementation examples for infrastructure hardening checks.
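The infrastructure checks are not on this page either. As an added example for step 6 (not the skill's own code), the script below lints a Dockerfile for a handful of hardening points: an unpinned or `:latest` base image, no `USER` instruction, `ADD` where `COPY` would do, a secret-looking `ENV`/`ARG` with a literal default, and a download piped straight into a shell. The check list, function names and the two constructed Dockerfiles are this example's own; the weak one trips every check and the hardened one trips none.

```shell
#!/bin/sh
# Added example, not code from the skill page: a Dockerfile hardening linter
# for the checks step 6 asks for. It prints one finding per line. Both
# Dockerfiles below are constructed inline.

check_dockerfile() {
  f=$1
  # 1. Base image must be pinned to a tag or digest, never :latest or untagged.
  grep -iE '^FROM[[:space:]]' "$f" | while read -r kw image rest; do
    case "$image" in
      *@sha256:*|scratch) ;;                    # digest-pinned or empty base: fine
      *:latest) echo "FROM $image: floating :latest tag" ;;
      *:*) ;;                                   # explicit tag
      *) echo "FROM $image: no tag, resolves to :latest" ;;
    esac
  done
  # 2. Without USER the process runs as root inside the container.
  grep -qiE '^USER[[:space:]]' "$f" || echo "no USER instruction: runs as root"
  # 3. ADD auto-extracts archives and fetches URLs; COPY is predictable.
  grep -niE '^ADD[[:space:]]' "$f" | sed 's/^/ADD instead of COPY at line /'
  # 4. Secret-looking ENV/ARG with a literal default bakes the value into layers.
  grep -niE '^(ENV|ARG)[[:space:]]+[A-Z_]*(PASSWORD|SECRET|TOKEN|KEY)[A-Z_]*[=[:space:]]+[^[:space:]$]' "$f" \
    | sed 's/^/secret literal baked into image at line /'
  # 5. Piping a download into a shell runs unverified code at build time.
  grep -niE '^RUN .*(curl|wget)[^|]*\|[[:space:]]*(ba)?sh' "$f" \
    | sed 's/^/download piped to shell at line /'
}

count_dockerfile_findings() {
  check_dockerfile "$1" | wc -l | tr -d ' '
}

# Constructed samples: one weak Dockerfile, one hardened equivalent.
make_sample_dockerfiles() {
  dir=$(mktemp -d)
  cat > "$dir/Dockerfile.weak" <<'EOF'
FROM node:latest
ADD app.tar.gz /app
ENV DB_PASSWORD=hunter2-constructed-value
RUN curl -sSL https://example.invalid/install.sh | sh
CMD ["node", "/app/server.js"]
EOF
  cat > "$dir/Dockerfile.hardened" <<'EOF'
FROM node:20-alpine
COPY app/ /app/
# secrets are injected at runtime by the orchestrator, never via ENV/ARG
RUN addgroup -S app && adduser -S app -G app
USER app
CMD ["node", "/app/server.js"]
EOF
  printf '%s\n' "$dir"
}

# Stand-alone run: lint both files, report, clean up.
samples=$(make_sample_dockerfiles)
echo "weak:"; check_dockerfile "$samples/Dockerfile.weak"
echo "hardened findings: $(count_dockerfile_findings "$samples/Dockerfile.hardened")"
rm -rf "$samples"
```

The weak file yields five findings (floating tag, root user, `ADD`, baked-in secret, piped install) and the hardened file none. The checks are deliberately coarse string matches; a multi-stage build that references an earlier stage by name in `FROM` will show up as "no tag" and needs a manual look.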
Scoring Impact
| Finding | Threshold | Severity | Deduction |
|---|---|---|---|
| Hardcoded Secrets | Any match | P0 | -25 |
| Plain-text PII in Logs | Any match | P0 | -20 |
| Unguarded Routes > 20% | > 0.2 | P0 | -15 |
| Raw SQL Concatenation | Any match | P1 | -10 |
| Response Leakage (Stack) | > 0 | P1 | -10 |
CAUTION: A P0 finding immediately caps the Security score at 40/100.
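As an added example (not the skill's own code), the function below turns the table and the P0 cap into a number so the counts collected in steps 1 to 4 can be scored consistently. The deductions, the 20% route threshold and the cap at 40/100 are the page's; the argument order, the integer form of the ratio test and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the skill page: the scoring rules from the
# table above as a function. Deductions, the 20% route threshold and the P0
# cap at 40/100 are the page's; names and argument order are this example's.

# True (exit 0) when unguarded/total > 0.2, using integers only:
#   (total - guarded) / total > 1/5   <=>   5 * (total - guarded) > total
unguarded_ratio_exceeds() {
  total=$1
  guarded=$2
  [ "$total" -gt 0 ] && [ $(( 5 * (total - guarded) )) -gt "$total" ]
}

# Arguments, in order:
#   secret_hits pii_log_hits total_routes guarded_routes sql_concat_hits stack_leak_hits
security_score() {
  secrets=$1; pii=$2; total=$3; guarded=$4; sqlcat=$5; stack=$6
  score=100
  p0=0
  if [ "$secrets" -gt 0 ]; then score=$((score - 25)); p0=1; fi            # P0
  if [ "$pii" -gt 0 ]; then score=$((score - 20)); p0=1; fi                # P0
  if unguarded_ratio_exceeds "$total" "$guarded"; then
    score=$((score - 15)); p0=1                                           # P0
  fi
  if [ "$sqlcat" -gt 0 ]; then score=$((score - 10)); fi                   # P1
  if [ "$stack" -gt 0 ]; then score=$((score - 10)); fi                    # P1
  # Any P0 finding caps the score at 40, whatever the other deductions leave.
  if [ "$p0" -eq 1 ] && [ "$score" -gt 40 ]; then score=40; fi
  if [ "$score" -lt 0 ]; then score=0; fi
  echo "$score"
}

# Stand-alone run: one hardcoded secret and nothing else still scores 40.
echo "secret only: $(security_score 1 0 10 9 0 0)"
echo "sql concat only: $(security_score 0 0 10 9 1 0)"
```

Two details worth noting: exactly 20% unguarded (4 of 5 routes covered) does not trip the row, because the threshold is strictly greater than 0.2; and the cap only lowers a score, so a run with every finding present scores its raw total of 20, not 40.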
Anti-Patterns
- Do not apply generic patterns over project-specific rules: respect existing security constraints.
- Do not ignore error handling or edge cases: the audit must cover boundary conditions.