A systematic, severity-rated framework for auditing web application security. This skill provides an agentic approach to identifying, classifying, and remediating vulnerabilities based on the OWASP Top 10 (2023).
To begin a security audit, use the following prompt:

```text
Perform a security audit of this application using the owasp-audit skill
```
This skill enables the agent to perform multi-dimensional security analysis:
- Automated Dependency Scanning: Checks for known vulnerabilities in third-party libraries using `npm audit` or an equivalent tool.
- Secret Detection: Scans the codebase for hardcoded API keys, passwords, and sensitive configurations.
- Static Analysis (SAST): Uses high-confidence regex patterns to find injection flaws, broken access control, and insecure configurations.
- Security Header Verification: Inspects HTTP response headers for missing security protections (CSP, HSTS, etc.).
- Evidence-Based Reporting: Generates a professional PDF/Markdown report with CVSS 3.1 scoring and concrete fix examples.
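As an added illustration of what the Secret Detection step does (example code written for this page, not the skill's own scanner), the following Python scans constructed sample files with ordered regex rules, drops obvious placeholders, and uses Shannon entropy to flag low-confidence matches for the manual verification step. The file names, rule names and credential-shaped values are all constructed; the AWS value is the public documentation example key.

```python
import math
import re
from dataclasses import dataclass

# Constructed sample files standing in for a scanned repository (no real
# credentials: the AWS value is AWS's public documentation example, the rest
# are made up to match the shape of real secrets).
SAMPLE_FILES = {
    "config/settings.py": [
        "DEBUG = False",
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'",
        "DB_PASSWORD = 'hunter2'",
        "API_TOKEN = os.environ.get('API_TOKEN')",   # read from the environment: fine
    ],
    "src/client.js": [
        "const url = 'https://api.example.com/v1';",
        "const secret = 'sk_live_0Qk9vZxR3tLm7PwA2nBcJy4H';",
        "const password = 'changeme';",             # obvious placeholder
    ],
}

# Ordered rules: the first rule matching a line wins, so tight vendor-specific
# formats (high confidence) are tried before loose generic assignments.
RULES = [
    ("aws-access-key-id", "High", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("stripe-like-secret-key", "High",
     re.compile(r"\bsk_(?:live|test)_[0-9A-Za-z]{20,}\b")),
    ("password-assignment", "High",
     re.compile(r"(?i)(?:password|passwd|pwd)\s*[:=]\s*['\"]([^'\"]{4,})['\"]")),
    ("generic-assigned-secret", "Medium",
     re.compile(r"(?i)(?:secret|token|api_?key)\s*[:=]\s*['\"]([^'\"]{16,})['\"]")),
]

# Values that are almost always placeholders rather than live secrets.
PLACEHOLDERS = {"changeme", "password", "example", "xxx", "todo", "secret"}

# Below this entropy (bits per character) a match is usually a test value or a
# placeholder, so it is kept but flagged for the manual verification step.
MIN_ENTROPY = 3.0


@dataclass
class Finding:
    path: str
    line_no: int
    rule: str
    severity: str
    value: str
    entropy: float
    needs_manual_review: bool


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; 0.0 for empty or single-symbol strings."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_lines(path: str, lines) -> list:
    """Apply RULES to each line; at most one finding per line."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        for rule, severity, pattern in RULES:
            m = pattern.search(line)
            if not m:
                continue
            # Captured value when the rule has a group, otherwise the whole match.
            value = m.group(m.lastindex or 0)
            if value.lower() in PLACEHOLDERS:
                break  # a placeholder is not a finding; stop checking this line
            ent = shannon_entropy(value)
            findings.append(Finding(path, line_no, rule, severity, value,
                                    round(ent, 3), ent < MIN_ENTROPY))
            break
    return findings


def scan_repository(files: dict) -> list:
    findings = []
    for path, lines in files.items():
        findings.extend(scan_lines(path, lines))
    return findings


def render_report(findings) -> str:
    rows = [f"{f.severity:<7} {f.path}:{f.line_no}  [{f.rule}]"
            + ("  (low entropy: verify manually)" if f.needs_manual_review else "")
            for f in findings]
    return "\n".join(rows) if rows else "No hardcoded secrets found."


if __name__ == "__main__":
    print(render_report(scan_repository(SAMPLE_FILES)))
```

The environment lookup on line 4 of `settings.py` produces no finding because the rules require a quoted literal after the assignment; that is the distinction a secret scanner should make, and the entropy flag is what hands the weaker matches (such as `hunter2`) to the manual step.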
Follow the 4-step process defined in our Methodology Guide:
- Step 1: Scoping & Discovery — Identify the tech stack and attack surface.
- Step 2: Automated Verification — Run scripts to catch "low-hanging fruit".
- Step 3: Targeted Code Review — Manual inspection of high-risk components (Auth, DB, IO).
- Step 4: Reporting & Prioritization — Classify findings by severity and impact.
We use a structured Severity Framework to ensure consistent reporting:
- 🔴 Critical: Urgent fix required; direct path to RCE or massive data breach.
- 🟠 High: Significant impact; broken authentication or PII exposure.
- 🟡 Medium: Harder to exploit or limited impact; IDOR, missing headers.
- 🔵 Low: Best practice violations; information disclosure.
- ⚪ Info: Hardening recommendations.
| Component | Description |
|---|---|
| Audit Checklist | Deep Dive: 30+ point verification list for manual and automated checks. |
| Vulnerability Patterns | Code Reference: Regex and examples of vulnerable code for Auth, DB, and Server. |
| Remediation Examples | Fix Library: Side-by-side "Vulnerable vs. Secure" code comparisons. |
| OWASP Reference | Knowledge Base: Detailed breakdowns of the 2023 risk categories. |
- Dependency Audit: Cross-platform scanner.
- Secret Scan: Finds hardcoded credentials.
- Header Checker: Verifies web security headers.
- Search Patterns: The engine that powers pattern discovery.
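An added example of the kind of check the Header Checker performs, written for this page rather than taken from the skill's scripts: it takes an already-captured response header map (the two sample responses below are constructed; no host is contacted) and reports missing or weak protections with a severity drawn from the framework above. The one-year HSTS floor and the severity assignments are the author's assumptions.

```python
import re
from dataclasses import dataclass

# One year in seconds: the commonly recommended minimum HSTS max-age (assumption).
HSTS_MIN_MAX_AGE = 31536000


@dataclass
class HeaderFinding:
    header: str
    severity: str
    detail: str


def hsts_max_age(value: str):
    """Return the max-age of an HSTS header value, or None if absent or invalid."""
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name.strip().lower() == "max-age" and val.strip().isdigit():
            return int(val.strip())
    return None


def csp_directives(value: str) -> dict:
    """Parse a CSP value into {directive: [source expressions]}."""
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def check_security_headers(headers: dict) -> list:
    """Inspect response headers (case-insensitive) and return a list of findings."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append(HeaderFinding("Strict-Transport-Security", "Medium",
                                      "missing: browsers will still accept plaintext HTTP"))
    else:
        max_age = hsts_max_age(hsts)
        if max_age is None or max_age < HSTS_MIN_MAX_AGE:
            findings.append(HeaderFinding("Strict-Transport-Security", "Low",
                                          f"max-age={max_age} is below one year"))

    csp = h.get("content-security-policy")
    has_frame_ancestors = False
    if csp is None:
        findings.append(HeaderFinding("Content-Security-Policy", "Medium",
                                      "missing: no script-source restriction against XSS"))
    else:
        d = csp_directives(csp)
        script = d.get("script-src", d.get("default-src"))
        if script is None:
            findings.append(HeaderFinding("Content-Security-Policy", "Medium",
                                          "neither script-src nor default-src is set"))
        elif "'unsafe-inline'" in script or "*" in script:
            findings.append(HeaderFinding("Content-Security-Policy", "Medium",
                                          "script sources allow 'unsafe-inline' or '*'"))
        has_frame_ancestors = "frame-ancestors" in d

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append(HeaderFinding("X-Content-Type-Options", "Low",
                                      "missing or not 'nosniff': MIME sniffing possible"))

    if "x-frame-options" not in h and not has_frame_ancestors:
        findings.append(HeaderFinding("X-Frame-Options", "Low",
                                      "no framing restriction (X-Frame-Options or CSP frame-ancestors)"))

    if "referrer-policy" not in h:
        findings.append(HeaderFinding("Referrer-Policy", "Info",
                                      "missing: full URLs may leak in the Referer header"))

    # Information disclosure: product versions or frameworks in Server / X-Powered-By.
    server = h.get("server", "")
    if re.search(r"\d", server):
        findings.append(HeaderFinding("Server", "Low", f"discloses version: {server}"))
    if "x-powered-by" in h:
        findings.append(HeaderFinding("X-Powered-By", "Low",
                                      f"discloses framework: {h['x-powered-by']}"))
    return findings


# Constructed sample responses (no real host was queried).
WEAK_RESPONSE = {
    "Content-Type": "text/html; charset=utf-8",
    "Server": "nginx/1.18.0",
    "X-Powered-By": "Express",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "Strict-Transport-Security": "max-age=3600",
}
HARDENED_RESPONSE = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

if __name__ == "__main__":
    for name, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"== {name}: {len(check_security_headers(resp))} finding(s)")
        for f in check_security_headers(resp):
            print(f"  {f.severity:<6} {f.header}: {f.detail}")
```

Two design points worth keeping in a real checker: a present-but-weak header (short HSTS max-age, CSP with `'unsafe-inline'`) is a separate finding from a missing one, and `X-Frame-Options` is only reported when the CSP does not already carry `frame-ancestors`, which avoids a common false positive.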
> **Warning:** While automation is powerful, manual verification is critical to eliminate false positives, particularly for complex logical issues like Broken Access Control.
Explore these examples to see the quality of output generated by this skill:
- 📑 Standard Web App Audit (Task Manager)
- 🔌 REST API Service Audit
- 🧩 Microservices Architecture Audit
You can target specific audit areas during development:
- "Audit the authentication logic for session management vulnerabilities."
- "Run a secret scan and check my security headers."
- "Explain Category A01:2021-Broken Access Control and check my codebase for it."