π¦ ClawHub
unified security auditor
by @selimerunkut
Unified application security skill for Coding Agent systems like OpenCode. Use when reviewing or writing code that touches authentication, authorization, use...
TERMINAL
clawhub install unified-security-auditorπ About This Skill
name: unified-security description: Unified application security skill for Coding Agent systems like OpenCode. Use when reviewing or writing code that touches authentication, authorization, user input, payments, database access, secrets, deployment, dependencies, or AI/agent workflows. Includes OWASP Top 10 (2025), ASVS 5.0 highlights, agentic AI security, vibe-coded pitfalls, insecure defaults detection, supply chain risk signals, and CI/CD agent action hardening. license: CC-BY-SA-4.0 metadata: sources: - name: claude-code-owasp url: https://github.com/agamm/claude-code-owasp license: MIT - name: trailofbits/skills url: https://github.com/trailofbits/skills license: CC-BY-SA-4.0 - name: vibe-security-skill url: https://github.com/raroque/vibe-security-skill license: MIT - name: VibeSec-Skill url: https://github.com/BehiSecc/VibeSec-Skill license: Apache-2.0
Unified Security Skill
Mission
Audit and harden codebases against real-world security failures, especially those introduced by fast AI-assisted development. Prioritize exploitable issues and provide concrete fixes.Use When
Core Principles
1. Never trust the client. Validate all critical data server-side. 2. Defense in depth. Combine multiple controls. 3. Fail closed. Missing config should disable access, not weaken it. 4. Least privilege. Reduce access scope everywhere. 5. Validate inputs and encode outputs for the render context.Audit Workflow (adapt to stack)
1. Secrets and environment variables 2. Database access control (RLS, rules, auth guards) 3. Authentication and authorization 4. Rate limiting and abuse prevention 5. Payments and webhook validation 6. Input validation and injection risks 7. XSS, output encoding, CSP, and headers 8. CSRF and session protections 9. AI/LLM integration safety 10. Deployment configuration and prod hardening 11. Insecure defaults (fail-open config) 12. Supply chain risk signals 13. CI/CD agent action hardeningImmediate-Flag Patterns (Critical/High)
OWASP Top 10 (2025) Quick Map
ASVS 5.0 Highlights
Agentic AI Security (OWASP 2026) Summary
Insecure Defaults Detection
SECRET = env.get('KEY') or 'default'SECRET = env['KEY'] (crashes if missing)Supply Chain Risk Signals
Flag dependencies with one or more of:CI/CD Agent Actions Hardening
When workflows invoke AI agents, treat all event data as attacker-controlled.Common AI action references:
anthropics/claude-code-actiongoogle-github-actions/run-gemini-cliopenai/codex-actionactions/ai-inferenceHigh-risk patterns:
pull_request_target or issue_comment with untrusted inputenv: intermediarieseval, exec, $())danger-full-access, --yolo)allow-users: "*")Safe defaults:
Output Format
Organize findings by severity: Critical, High, Medium, Low. For each issue:End with a prioritized summary and remediation order.
When Generating Code
Use the same checks proactively. Prefer secure patterns by default and note tradeoffs in comments when you must relax controls.When Generating a Security Audit Report
Save into the folder/project where this skill was executed as a markdown file with todays dateFinal Report Format
## Security Audit Report
Target:
Date:
Auditor: OR skip and use "Automated Security Skill"Executive Summary
<2-3 sentences: overall risk posture, most critical issues>Findings
#### [CRITICAL/HIGH/MEDIUM/LOW]
Location: file:line
Impact: ...
Reproduction: ...
Fix:
diff
- vulnerable code
+ secure code
```#### Recommendations
#### Clean Checks
Attribution and License
This skill is a curated, adapted work derived from:This unified skill is licensed under CC-BY-SA-4.0 to satisfy ShareAlike requirements.