Is this skill a replacement for manual pentesting?

It serves as a powerful automated first-line of defense to catch common errors during development, though it should complement manual professional security audits.

Does it support modern web security checks?

Absolutely. It checks for XSS, CSRF, CORS settings, and secure session management to protect web applications.

How does the Security Review skill find vulnerabilities?

It uses advanced pattern matching and structural analysis via tools like Grep and Read to identify risky code patterns, missing validation, and insecure configurations.

Can it detect hardcoded secrets?

Yes, the skill specifically scans for hardcoded API keys, passwords, and tokens stored within the codebase.

Security Code Auditor

Name: Security Code Auditor
Author: Doarakko

byDoarakko

安全与测试

Conducts comprehensive security audits and vulnerability checks to identify potential threats and compliance issues in source code.

关于

The Security Code Auditor skill empowers Claude to perform deep-dive security reviews by systematically analyzing codebases for common vulnerabilities. It follows a rigorous set of criteria including authentication flows, injection risks (SQL, NoSQL, Command), input sanitization, and data protection. By leveraging tools like Grep and Glob, it identifies hardcoded secrets, insecure API configurations, and outdated dependencies, ensuring that your application adheres to modern security best practices and is resilient against exploits like XSS, CSRF, and SSRF.

主要功能

Detects hardcoded credentials, API keys, and sensitive tokens
0 GitHub stars
Analyzes authentication and authorization implementation flaws
Identifies injection vulnerabilities including SQL, NoSQL, and XSS
Scans for API risks like CSRF, CORS misconfigurations, and missing rate limits
Evaluates data protection measures and encryption standards

使用场景

Performing a pre-merge security audit on a pull request
Validating input sanitization and validation logic in web controllers
Scanning legacy codebases for hidden vulnerabilities and technical debt

关于

主要功能

Detects hardcoded credentials, API keys, and sensitive tokens
0 GitHub stars
Analyzes authentication and authorization implementation flaws
Identifies injection vulnerabilities including SQL, NoSQL, and XSS
Scans for API risks like CSRF, CORS misconfigurations, and missing rate limits
Evaluates data protection measures and encryption standards

使用场景

Performing a pre-merge security audit on a pull request
Validating input sanitization and validation logic in web controllers
Scanning legacy codebases for hidden vulnerabilities and technical debt