Security Audit

Perform comprehensive security audits on codebases by scanning for OWASP Top 10 vulnerabilities, checking dependencies for known CVEs, detecting leaked secrets and API keys, and generating prioritized fix recommendations. This skill combines static analysis patterns with dependency auditing tools.

Overview

The Security Audit skill, hosted in the TerminalSkills/skills repository, provides automated security assessment capabilities for AI agents such as Codex and Claude. It supports codebase reviews by identifying common security risks aligned with the OWASP Top 10. The skill applies static analysis patterns to detect vulnerabilities and scans project dependencies against databases of known CVEs. It also flags exposed sensitive information, such as API keys and secrets, within the source code. When an audit completes, the skill produces a prioritized list of recommendations to help developers remediate the issues found. The repository has garnered 72 stars, reflecting interest from developers who want to integrate security validation into their automated workflows.

Use Cases

Identifying OWASP Top 10 vulnerabilities within application source code.
Auditing project dependencies to detect and report known CVEs.
Scanning repositories for accidentally committed API keys or credentials.

Install Notes

# Review source first
open https://github.com/TerminalSkills/skills/blob/main/skills/security-audit/SKILL.md

Copy or clone the skill folder into your agent skills directory after reviewing its instructions and scripts.

Security Notes

This skill performs analysis of codebases and dependencies to identify potential vulnerabilities. Users should ensure the AI agent has appropriate read permissions for the target directory and be aware that automated scans may require manual verification to confirm findings and mitigate false positives.

Related Skills

Skill Improver

trailofbits/skills

Security

Iteratively reviews and fixes Claude Code skill quality issues until they meet standards. Runs automated fix-review cycles using the skill-reviewer agent. Use to fix skill quality issues, improve skill descriptions, run automated skill review loops, or iteratively refine a skill. Triggers on 'fix my skill', 'improve sk

Agents: Claude Code, Claude
Tags: security, review
5,853 stars (source linked)

Sarif Parsing

trailofbits/skills

Security

Parses and processes SARIF files from static analysis tools like CodeQL, Semgrep, or other scanners. Triggers on "parse sarif", "read scan results", "aggregate findings", "deduplicate alerts", or "process sarif output". Handles filtering, deduplication, format conversion, and CI/CD integration of SARIF data. Does NOT r

Agents: Claude Code, Claude
Tags: python, security
5,853 stars (source linked)

Semgrep

trailofbits/skills

Security

Run Semgrep static analysis scan on a codebase using parallel subagents. Supports two scan modes — "run all" (full ruleset coverage) and "important only" (high-confidence security vulnerabilities). Automatically detects and uses Semgrep Pro for cross-file taint analysis when available. Use when asked to scan code for v

Agents: Claude Code, Claude
Tags: python, security
5,853 stars (source linked)

Supply Chain Risk Auditor

trailofbits/skills

Security

Identifies dependencies at heightened risk of exploitation or takeover. Use when assessing supply chain attack surface, evaluating dependency health, or scoping security engagements.

Agents: Claude Code, Claude
Tags: security, research
5,853 stars (source linked)

Cargo Fuzz

trailofbits/skills

Security

cargo-fuzz is the de facto fuzzing tool for Rust projects using Cargo. Use for fuzzing Rust code with libFuzzer backend.

Agents: Claude Code, Claude
Tags: security, research
5,853 stars (source linked)

Fuzzing Obstacles

trailofbits/skills

Security

Techniques for patching code to overcome fuzzing obstacles. Use when checksums, global state, or other barriers block fuzzer progress.

Agents: Claude Code, Claude
Tags: security, testing
5,853 stars (source linked)