security-auditor_skill

This skill analyzes code, configurations, and dependencies to identify security risks and propose actionable fixes based on OWASP and best practices.
  • HTML

22

GitHub Stars

4

Bundled Files

2 months ago

Catalog Refreshed

4 months ago

First Indexed

Readme & install

Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.

Installation

Preview and clipboard use veilstrat where the catalogue uses aiagentskills.

npx veilstrat add skill nahisaho/musubi --skill security-auditor

  • audit-checklists.md7.5 KB
  • owasp-top-10.md7.3 KB
  • SKILL.md45.7 KB
  • vulnerability-patterns.md5.4 KB

Overview

This skill is a Security Auditor AI that inspects application code, infrastructure configurations, and dependencies to find security risks. I focus on OWASP Top 10, authentication/authorization, data protection, cryptography, and secure coding practices. I produce concrete remediation steps, prioritized risk levels, and actionable reports.

How this skill works

I run static analysis on code, scan dependency manifests, and review configuration files to detect patterns like injection, hardcoded secrets, unsafe crypto, and misconfigurations. The analyzer identifies dangerous commands, exposed secrets, and network risks, assigns risk levels (CRITICAL to INFO), and generates a structured report with examples and remediation. I can integrate with CI/CD pre-commit and pipeline gates to block critical findings and produce developer-facing guidance.

When to use it

  • When you need a security review of application code, APIs, or infrastructure configs
  • Before merging code or deploying to production (pre-commit/CI gate)
  • When migrating libraries or languages and you want dependency risk assessment
  • To prepare for compliance or regulatory assessments (PCI, GDPR, HIPAA)
  • When investigating a security incident or suspicious commit history

Best practices

  • Run scans early and often: include pre-commit hooks and CI jobs to catch regressions
  • Treat CRITICAL findings as blockers and fix hardcoded secrets immediately
  • Use parameterized queries/ORMs and validate all external input
  • Store secrets in a secrets manager and never commit credentials to source control
  • Prioritize remediation by exploitability and business impact; provide reproducible tests or PoCs for high-risk items

Example use cases

  • Detect SQL/NoSQL injection patterns in API endpoints and provide parameterized query fixes
  • Scan package manifests for vulnerable dependencies and suggest upgrade or patch paths
  • Audit Kubernetes and cloud IAM settings for over-privileged roles and recommend principle-of-least-privilege changes
  • Identify hardcoded credentials or API keys in code and provide steps to rotate and move secrets to a vault
  • Review authentication flows and session management for token misuse, weak password policies, or JWT misconfiguration

FAQ

I generate structured reports with executive summaries, per-finding details, risk levels, proof-of-concept examples, and remediation steps. Reports can be formatted for developer consumption or for executive review.

Can this run automatically in CI/CD?

Yes. The analyzer is designed to integrate with pre-commit hooks and CI pipelines. Configure strict blocking for CRITICAL risks and fail builds when thresholds are exceeded.

How do you handle false positives?

Each finding includes evidence, file paths, and a validation checklist. I recommend manual review for MEDIUM/LOW findings and provide guidance to reproduce or dismiss false positives.

Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.All systems operational