security-audit-toolkit_skill

This skill helps you identify and fix security issues in code and infrastructure by scanning dependencies, secrets, and configurations for best practices.
  • Python

2.6k

GitHub Stars

2

Bundled Files

2 months ago

Catalog Refreshed

4 months ago

First Indexed

Readme & install

Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.

Installation

Preview and clipboard use veilstrat where the catalogue uses aiagentskills.

npx veilstrat add skill openclaw/skills --skill security-audit-toolkit

  • _meta.json308 B
  • SKILL.md15.4 KB

Overview

This skill audits codebases and infrastructure for common security issues and misconfigurations. It automates scanning of dependencies, secret detection, OWASP Top 10 code patterns, SSL/TLS checks, and file permission reviews. The goal is to produce actionable findings and suggested fixes to reduce attack surface and prepare for audits.

How this skill works

The skill runs language-specific vulnerability scanners (npm audit, pip-audit, govulncheck, cargo-audit, Trivy) and greps code and git history for risky patterns and hardcoded secrets. It inspects SSL/TLS with openssl, checks .gitignore coverage, evaluates file permissions and SUID/SGID bits, and looks for insecure code patterns tied to OWASP Top 10 issues. Results are summarized with counts and example locations to prioritize remediation.

When to use it

  • Before a release or deployment to catch regressions and leaked secrets
  • During a security review or compliance preparation to generate evidence and findings
  • When integrating third-party dependencies or upgrading package versions
  • After onboarding a new codebase to quickly map risky areas and misconfigurations
  • As a pre-commit or CI gating step to block obvious secret leaks and critical vulns

Best practices

  • Run automated scans regularly in CI and on pull requests, not only locally
  • Treat scanner output as prioritized guidance: fix critical/high first and suppress false positives with documentation
  • Enforce environment variables and .gitignore rules; rotate any secrets found in commits
  • Use parameterized queries, input validation, and framework escaping to prevent injection/XSS
  • Keep TLS verification enabled and monitor certificate expiry and supported protocols

Example use cases

  • Scan a Node.js repo before deployment: npm audit, check .env handling, and find hardcoded keys
  • Run pip-audit on a Python service and grep for SSL verification bypass patterns in HTTP clients
  • Audit a mixed-language monorepo with Trivy to surface high/critical vulnerabilities across files and images
  • Add a pre-commit hook to block commits containing private keys, API keys, or obvious password patterns
  • Perform an SSL/TLS sweep of external endpoints to detect expired certs and weak protocol support

FAQ

Some package managers offer automated fixes (e.g., npm audit fix, cargo audit fix) but fixes should be reviewed. The skill reports issues and recommends remediation steps rather than applying changes without review.

Does secret detection search git history?

Yes. The inspection includes git history searches to find secrets that were committed previously, and it recommends rotation for any discovered secrets.

Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.All systems operational