> Security Audit

Adversarial security probing and vulnerability assessments across Node, Go, Dart, Java, Python, and Rust.

Source: https://skillshub.wtf/HoangNguyen0403/agent-skills-standard/security-audit

Security Audit

Priority: P0 (CRITICAL)

📋 Security Probing Protocol

1. Hardcoded Secrets (Critical)

Scan for plain-text keys, passwords, and tokens assigned as string literals in source. The -l flag prints only the matching file names; open each hit, because test fixtures and example configs produce false positives that must be ruled out by hand.

grep -riE "(password|apiKey|api_key|secret|private_key|token)\s*=\s*['\"][^'\"]{6,}" \
  . --exclude-dir={node_modules,dist,build,.git} -l

2. Data Leakage in Logs (PII/Secrets)

Identify sensitive info printed to logs or stdout. Each pipeline flags a sensitive word only when it sits on the same line as the logging call; a value that reaches the logger through a variable declared elsewhere is missed, so treat the count as a lower bound.

  • Node/TS: grep -rE "console\.(log|error|warn)" . --include="*.ts" --include="*.js" | grep -iE "password|token|secret|private"
  • Go: grep -rE "log\.(Print|Printf|Println|Fatal)" . --include="*.go" | grep -iE "password|token|secret"
  • Dart/Flutter: grep -rE "print\(|debugPrint\(" . --include="*.dart" | grep -iE "password|token|secret"
  • Java/Spring: grep -rE "log(ger)?\.(info|debug|warn|error)" . --include="*.java" | grep -iE "password|token|secret"

3. Injection Surface (SQL / Command)

Detect raw string concatenation in queries or system commands. The \+ alternatives match any concatenation on a line that also mentions an SQL keyword, so expect noise; a hit is a finding only when the concatenated value can originate from user input. The pattern below covers SQL only; exec, spawn, and os.system call sites need a separate search.

grep -rE "\+.*SELECT|\+.*INSERT|\+.*UPDATE|\+.*DELETE|query\(.*\+|fmt\.Sprintf.*SELECT" \
  . --include="*.ts" --include="*.js" --include="*.go" --include="*.java" --include="*.py"

4. Auth Coverage vs Exposure

Compare total routes vs protected endpoints. The alternation groups need -E (extended regex); without it grep treats the parentheses and | literally and returns nothing.

  • NestJS: total=$(grep -rE "@(Get|Post|Put|Delete|Patch)" . | wc -l); guarded=$(grep -rE "@(UseGuards|Auth)" . | wc -l)
  • Spring: total=$(grep -rE "@(GetMapping|PostMapping|PutMapping|DeleteMapping|PatchMapping|RequestMapping)" . | wc -l); guarded=$(grep -rE "@(PreAuthorize|Secured)" . | wc -l)
  • Go: total=$(grep -rE "(GET|POST|PUT|DELETE)" . --include="*.go" | wc -l); guarded=$(grep -rE "(middleware|auth|jwt|guard)" . --include="*.go" | wc -l)

Record unguarded = (total - guarded) / total against the 0.2 threshold. The counts are an approximation: the Go patterns match any line containing an HTTP verb or an auth-looking word, and a guard placed at class level (@UseGuards on a NestJS controller, @PreAuthorize on a Spring controller) protects every route in that class while counting once, so confirm the ratio by reading the routing code before recording the finding.

5. Dependency Audit (CVE Scan)

  • Node: npm audit --audit-level=high
  • Dart/Flutter: dart pub outdated --json (reports outdated packages, not advisories; treat it as a staleness check and review the flagged packages against their changelogs)
  • Go: govulncheck ./... (go list -m -u all | grep "\[" only lists modules with a newer version available, not known vulnerabilities)
  • Java: mvn dependency:list or ./gradlew dependencies enumerates the tree; the CVE match itself comes from the OWASP dependency-check plugin (mvn org.owasp:dependency-check-maven:check)
  • Python: pip-audit
  • Rust: cargo audit (install with cargo install cargo-audit)

6. Infrastructure Hardening

grep -rE "^FROM .+:latest|^USER root|curl.*sh.*|ADD http" . --include="Dockerfile*"

The Dockerfile* glob also covers variants such as Dockerfile.prod. A Dockerfile with no USER instruction at all runs as root by default, which no grep for ^USER root can catch; check for the absence of a USER line separately.

⚖️ Scoring Impact

| Finding | Threshold | Severity | Deduction |
|---|---|---|---|
| Hardcoded Secrets | Any match | 🔴 P0 | -25 |
| Plain-text PII in Logs | Any match | 🔴 P0 | -20 |
| Unguarded Routes > 20% | > 0.2 | 🔴 P0 | -15 |
| Raw SQL Concatenation | Any match | 🟠 P1 | -10 |
| Response Leakage (Stack) | > 0 | 🟠 P1 | -10 |

[!CAUTION] A 🔴 P0 finding immediately caps the Security score at 40/100.
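The probes above each print a count, and the scoring table then needs those counts combined with the unguarded-route ratio and the P0 cap. The POSIX sh script below is an added example written for this page, not the skill's own tooling: it wraps probes 1 through 4 and 6 as functions, computes the ratio, and applies the table's deductions. It runs against a throwaway tree built by make_fixture, whose file contents are constructed for the demo; the route count assumes NestJS decorators, the dependency audit (5) is left out because it needs network access, and Response Leakage (Stack) is left out because it needs a running service. The Dockerfile pattern is tightened to an actual curl-pipe-sh (curl.*[|].*sh), which is a deliberate deviation from the page's looser pattern.

```sh
#!/bin/sh
# Added example: scores a directory with the probing protocol above.
# Everything written by make_fixture is a constructed sample, not real code.

EXCLUDES="--exclude-dir=node_modules --exclude-dir=dist --exclude-dir=build --exclude-dir=.git"
count_lines() { wc -l | tr -d ' '; }

# Build a throwaway tree that trips every probe at least once (constructed fixture).
make_fixture() {
  dir=$(mktemp -d)
  mkdir -p "$dir/src" "$dir/node_modules/x"
  printf 'export const apiKey = "sk_live_abcdef123456";\n' > "$dir/src/config.ts"
  printf 'const token = "ignored-because-excluded-dir";\n' > "$dir/node_modules/x/index.js"
  cat > "$dir/src/users.controller.ts" <<'EOF'
@Get('me') @UseGuards(JwtGuard) me() {}
@Get('list') list() {}
@Post('login') login(@Body() b) { console.log("password " + b.password); }
@Delete('me') @UseGuards(JwtGuard) remove() {}
EOF
  printf 'db.query("SELECT * FROM users WHERE id = " + id);\n' > "$dir/src/repo.ts"
  printf 'FROM node:latest\nUSER root\n' > "$dir/Dockerfile"
  printf '%s\n' "$dir"
}

# 1. Files assigning a quoted literal of 6+ chars to a secret-looking name.
count_secrets() {
  grep -rliE $EXCLUDES \
    "(password|api_?key|secret|private_key|token)[[:space:]]*[=:][[:space:]]*['\"][^'\"]{6,}" "$1" \
    | count_lines
}

# 2. Log/print calls whose line also mentions a sensitive word (same-line only).
count_log_leaks() {
  grep -rhE $EXCLUDES \
    "console\.(log|error|warn)\(|log(ger)?\.(Print|Printf|Println|Fatal|info|debug|warn|error)\(|debugPrint\(|print\(" "$1" \
    | grep -ciE "password|token|secret|private" || true
}

# 3. String concatenation feeding a query, or Sprintf-built SQL.
count_sql_concat() {
  grep -rhE $EXCLUDES "\+.*SELECT|\+.*INSERT|\+.*UPDATE|\+.*DELETE|query\(.*\+|Sprintf.*SELECT" "$1" \
    | count_lines
}

# 4. NestJS route decorators vs guard decorators (one match per decorator, not per line).
count_routes()  { grep -rhoE $EXCLUDES "@(Get|Post|Put|Delete|Patch)\(" "$1" | count_lines; }
count_guarded() { grep -rhoE $EXCLUDES "@(UseGuards|Auth)\(" "$1" | count_lines; }

# Fraction of routes with no guard, printed as a decimal for the > 0.2 threshold.
unguarded_ratio() {
  total=$(count_routes "$1"); guarded=$(count_guarded "$1")
  if [ "$total" -eq 0 ]; then
    printf '0.00\n'
  else
    awk -v t="$total" -v g="$guarded" 'BEGIN { printf "%.2f\n", (t - g) / t }'
  fi
}

# 6. Dockerfile hardening: mutable base tag, explicit root, curl | sh, remote ADD.
count_docker_findings() {
  find "$1" -name 'Dockerfile*' ! -path '*/node_modules/*' \
    -exec grep -hE "^FROM .+:latest|^USER root|curl.*[|].*sh|^ADD http" {} + | count_lines
}

# Scoring table: fixed deductions per finding; any P0 caps the total at 40.
# Args: secret_files log_leak_lines unguarded_ratio sql_concat_lines
compute_score() {
  s=100; p0=0
  if [ "$1" -gt 0 ]; then s=$((s - 25)); p0=1; fi        # Hardcoded secrets, P0
  if [ "$2" -gt 0 ]; then s=$((s - 20)); p0=1; fi        # PII/secrets in logs, P0
  if awk -v r="$3" 'BEGIN { exit (r > 0.2) ? 0 : 1 }'; then
    s=$((s - 15)); p0=1                                   # Unguarded routes > 20%, P0
  fi
  if [ "$4" -gt 0 ]; then s=$((s - 10)); fi              # Raw SQL concatenation, P1
  if [ "$p0" -eq 1 ] && [ "$s" -gt 40 ]; then s=40; fi   # P0 cap from the table
  printf '%s\n' "$s"
}

# Run every scored probe on a directory and print the resulting score.
score_dir() {
  compute_score "$(count_secrets "$1")" "$(count_log_leaks "$1")" \
                "$(unguarded_ratio "$1")" "$(count_sql_concat "$1")"
}

# Stand-alone demo against the constructed fixture.
demo=$(make_fixture)
printf 'secrets=%s log_leaks=%s sql_concat=%s unguarded_ratio=%s docker=%s score=%s\n' \
  "$(count_secrets "$demo")" "$(count_log_leaks "$demo")" "$(count_sql_concat "$demo")" \
  "$(unguarded_ratio "$demo")" "$(count_docker_findings "$demo")" "$(score_dir "$demo")"
rm -rf "$demo"
```

To score a real tree, call score_dir on the project root instead of the fixture. The cap is applied after all deductions, so the fixture (every P0 plus the SQL finding) lands at 30 rather than 40, while a tree with only a hardcoded secret drops from 75 to the 40 cap. Docker findings are reported but not deducted because the scoring table assigns them no weight.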


Repository: HoangNguyen0403/agent-skills-standard (by HoangNguyen0403)