Repository inventory

sergiodxa/agent-skills

Skills indexed from this repository, with install-style signals scoped to the repo.
7 skills476 GitHub stars0 weekly installsGitHubOwner profile

Overview

This skill provides concise security audit guidelines for web applications and REST APIs based on OWASP Top 10 and common web security best practices. It organizes 20 practical rules across authentication, data protection, input/output safety, configuration, and API monitoring to guide code reviews and pre-production checks. Use it to prioritize fixes, produce clear findings, and recommend concrete remediations.

How this skill works

Identify the application type (web app, SPA, SSR, REST API) and scan rules by priority: CRITICAL, HIGH, then MEDIUM. For each finding record severity, category, file/line, impact, and a specific fix including code examples where appropriate. Focus on authentication/authorization, cryptography and secrets, input/output validation, security headers/configuration, and API/monitoring controls.

When to use it

  • During a security-focused code review or pull request review
  • Before production deployment or after a major feature release
  • When auditing authentication, authorization, or session logic
  • When evaluating REST API endpoints for mass assignment, rate limits, and input validation
  • When checking configuration: headers, CORS, CSRF, and cookie flags

Best practices

  • Start with CRITICAL issues (auth, crypto, injection) and remediate before others
  • Report each issue with severity, exact location, impact, and a minimal reproducible fix
  • Prefer secure defaults: parameterized queries, strong password policies, and least privilege
  • Never log secrets or return sensitive fields in responses; log safe metadata instead
  • Enforce security headers, strict cookie flags, and validated CORS origins

Example use cases

  • Scan a new API endpoint for IDOR, mass assignment, and missing auth checks
  • Audit file upload handlers for mime/type validation and path traversal protections
  • Review deployment configs for exposed debug output, missing HSTS/CSP, or permissive CORS
  • Assess authentication flows for weak passwords, missing MFA, and session cookie issues
  • Check dependency lists for outdated packages and run automated vulnerability audits

FAQ

Fix CRITICAL issues immediately (injection, broken auth, secrets). Address HIGH issues next (CSRF, headers, session management). Treat MEDIUM/LOW based on exposure and attack surface.

What minimal information should a report include?

Severity, category/rule, file path and line, a short description of the issue, impact, and a concrete remediation with a code example if possible.

7 skills

More from this maintainer
Other repositories and skills published under the same GitHub owner.
Skills library
Jump back to the full directory or explore grouped topics.
Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.All systems operational