🎁 Get the FREE AI Skills Starter Guide β€” Subscribe β†’
BytesAgainBytesAgain
πŸ¦€ ClawHub

unified security auditor

by @selimerunkut

Unified application security skill for Coding Agent systems like OpenCode. Use when reviewing or writing code that touches authentication, authorization, use...

Versionv1.0.0
Downloads370
TERMINAL
clawhub install unified-security-auditor

πŸ“– About This Skill


name: unified-security description: Unified application security skill for Coding Agent systems like OpenCode. Use when reviewing or writing code that touches authentication, authorization, user input, payments, database access, secrets, deployment, dependencies, or AI/agent workflows. Includes OWASP Top 10 (2025), ASVS 5.0 highlights, agentic AI security, vibe-coded pitfalls, insecure defaults detection, supply chain risk signals, and CI/CD agent action hardening. license: CC-BY-SA-4.0 metadata: sources: - name: claude-code-owasp url: https://github.com/agamm/claude-code-owasp license: MIT - name: trailofbits/skills url: https://github.com/trailofbits/skills license: CC-BY-SA-4.0 - name: vibe-security-skill url: https://github.com/raroque/vibe-security-skill license: MIT - name: VibeSec-Skill url: https://github.com/BehiSecc/VibeSec-Skill license: Apache-2.0

Unified Security Skill

Mission

Audit and harden codebases against real-world security failures, especially those introduced by fast AI-assisted development. Prioritize exploitable issues and provide concrete fixes.

Use When

  • Reviewing code for security vulnerabilities
  • Implementing authentication, authorization, sessions, or access control
  • Handling user input, file uploads, or external data
  • Working with secrets, API keys, cryptography, or tokens
  • Implementing payments, billing, or webhooks
  • Configuring databases, RLS, or security rules
  • Integrating AI/LLM services or agent tools
  • Designing CI/CD workflows that invoke AI agents
  • Evaluating dependency and supply chain risk
  • Core Principles

    1. Never trust the client. Validate all critical data server-side. 2. Defense in depth. Combine multiple controls. 3. Fail closed. Missing config should disable access, not weaken it. 4. Least privilege. Reduce access scope everywhere. 5. Validate inputs and encode outputs for the render context.

    Audit Workflow (adapt to stack)

    1. Secrets and environment variables 2. Database access control (RLS, rules, auth guards) 3. Authentication and authorization 4. Rate limiting and abuse prevention 5. Payments and webhook validation 6. Input validation and injection risks 7. XSS, output encoding, CSP, and headers 8. CSRF and session protections 9. AI/LLM integration safety 10. Deployment configuration and prod hardening 11. Insecure defaults (fail-open config) 12. Supply chain risk signals 13. CI/CD agent action hardening

    Immediate-Flag Patterns (Critical/High)

  • Secrets or service-role keys exposed client-side
  • Client-controlled price, role, or access flags
  • Disabled or overly permissive database rules
  • Missing auth on privileged routes or APIs
  • Hardcoded default credentials or weak crypto
  • Unverified webhooks or signature bypasses
  • Fail-open config that enables insecure operation
  • OWASP Top 10 (2025) Quick Map

  • A01 Broken Access Control: verify ownership and deny by default
  • A02 Security Misconfiguration: harden defaults, disable unused features
  • A03 Supply Chain Failures: lock versions and review dependencies
  • A04 Cryptographic Failures: use modern algorithms and key management
  • A05 Injection: parameterize queries, validate input
  • A06 Insecure Design: threat model, rate limit, design controls
  • A07 Auth Failures: MFA, secure sessions, breached-password checks
  • A08 Integrity Failures: verify artifacts, use SRI, avoid unsafe deserialization
  • A09 Logging Failures: log security events with alerting
  • A10 Exception Handling: fail closed, hide internals, log context
  • ASVS 5.0 Highlights

  • Level 1: 12+ char passwords, auth rate limits, HTTPS everywhere
  • Level 2: MFA for sensitive ops, encryption at rest, security logging
  • Level 3: HSMs, formal threat modeling, pen test validation
  • Agentic AI Security (OWASP 2026) Summary

  • ASI01 Goal hijack: isolate and validate inputs
  • ASI02 Tool misuse: restrict tools and verify I/O
  • ASI03 Privilege abuse: short-lived scoped tokens
  • ASI04 Supply chain: verify plugins and MCP servers
  • ASI05 Code execution: sandbox, review, approvals
  • ASI06 Memory poisoning: segment and validate context
  • ASI07 Agent comms: authenticate and encrypt
  • ASI08 Cascading failures: circuit breakers, isolation
  • ASI09 Trust exploitation: verify high-risk outputs
  • ASI10 Rogue agents: monitoring and kill switches
  • Insecure Defaults Detection

  • Fail-open is critical: SECRET = env.get('KEY') or 'default'
  • Fail-secure is acceptable: SECRET = env['KEY'] (crashes if missing)
  • Ignore test fixtures, templates, and docs
  • Verify runtime behavior before reporting
  • Supply Chain Risk Signals

    Flag dependencies with one or more of:
  • Single maintainer or anonymous owner
  • Unmaintained or archived status
  • Low popularity compared to peers
  • High-risk features (FFI, deserialization, code exec)
  • History of critical CVEs
  • No security contact or disclosure process
  • CI/CD Agent Actions Hardening

    When workflows invoke AI agents, treat all event data as attacker-controlled.

    Common AI action references:

  • anthropics/claude-code-action
  • google-github-actions/run-gemini-cli
  • openai/codex-action
  • actions/ai-inference
  • High-risk patterns:

  • pull_request_target or issue_comment with untrusted input
  • Prompt fields populated via env: intermediaries
  • Eval of AI output (eval, exec, $())
  • Dangerous sandbox configs (danger-full-access, --yolo)
  • Wildcard allowlists (allow-users: "*")
  • Safe defaults:

  • Restrict triggers to trusted contexts
  • Strip or escape untrusted inputs before prompts
  • Lock down tools and file access
  • Use least-privileged tokens and permissions
  • Require human approval for sensitive actions
  • Output Format

    Organize findings by severity: Critical, High, Medium, Low. For each issue:
  • File and line(s)
  • Vulnerability name
  • Concrete impact
  • Before/after fix
  • End with a prioritized summary and remediation order.

    When Generating Code

    Use the same checks proactively. Prefer secure patterns by default and note tradeoffs in comments when you must relax controls.

    When Generating a Security Audit Report

    Save into the folder/project where this skill was executed as a markdown file with todays date

    Final Report Format

    ## Security Audit Report
    Target: 
    Date: 
    Auditor:  OR skip and use "Automated Security Skill"

    Executive Summary

    <2-3 sentences: overall risk posture, most critical issues>

    Findings

    #### [CRITICAL/HIGH/MEDIUM/LOW] <li style="color:#94a3b8;margin:3px 0"><strong style="color:#e5e7eb">Location:</strong> file:line</li> <li style="color:#94a3b8;margin:3px 0"><strong style="color:#e5e7eb">Impact:</strong> ...</li> <li style="color:#94a3b8;margin:3px 0"><strong style="color:#e5e7eb">Reproduction:</strong> ...</li> <li style="color:#94a3b8;margin:3px 0"><strong style="color:#e5e7eb">Fix:</strong></li> </code></pre>diff - vulnerable code + secure code ```</p><p style="margin:8px 0">#### Recommendations <Prioritized action items></p><p style="margin:8px 0">#### Clean Checks <Domains with no findings></p><p style="margin:8px 0"><h3 style="color:#e5e7eb;margin:18px 0 8px;font-size:1.05em">Attribution and License</h3> This skill is a curated, adapted work derived from: <li style="color:#94a3b8;margin:3px 0">https://github.com/raroque/vibe-security-skill (MIT)</li> <li style="color:#94a3b8;margin:3px 0">https://github.com/BehiSecc/VibeSec-Skill (Apache-2.0)</li> <li style="color:#94a3b8;margin:3px 0">https://github.com/agamm/claude-code-owasp (MIT)</li> <li style="color:#94a3b8;margin:3px 0">https://github.com/trailofbits/skills (CC-BY-SA-4.0)</li></p><p style="margin:8px 0">This unified skill is licensed under CC-BY-SA-4.0 to satisfy ShareAlike requirements. </p></div></section></div><div class="two-col-side"></div></div></div><script> document.querySelectorAll('.copy-btn, .script-copy-btn').forEach(btn => { btn.addEventListener('click', () => { const cmd = btn.getAttribute('data-cmd'); if (!cmd) return; navigator.clipboard.writeText(cmd).then(() => { const orig = btn.textContent; btn.textContent = 'Copied!'; setTimeout(() => btn.textContent = orig, 1500); }).catch(() => {}); }); }); </script><!--$--><!--/$--></main><footer style="background:var(--bg-primary);border-top:1px solid var(--border-secondary);margin-top:60px"><div style="border-top:1px solid var(--border-light);max-width:1200px;margin:0 auto;padding:24px 20px"><div style="display:flex;justify-content:space-between;flex-wrap:wrap;gap:24px;margin-bottom:24px"><div><div style="font-weight:700;color:var(--text-muted);margin-bottom:8px">BytesAgain</div><div style="color:var(--text-muted3);font-size:.82em;max-width:200px">Discover the best AI agent skills for your workflow.</div></div><div><div style="color:var(--text-muted);font-size:.75em;text-transform:uppercase;letter-spacing:1px;margin-bottom:10px">Explore</div><div style="margin-bottom:6px"><a href="/skills" style="color:var(--text-muted2);text-decoration:none;font-size:.85em">Skills</a></div><div style="margin-bottom:6px"><a href="/articles" style="color:var(--text-muted2);text-decoration:none;font-size:.85em">Articles</a></div><div style="margin-bottom:6px"><a href="/use-case" style="color:var(--text-muted2);text-decoration:none;font-size:.85em">Cases</a></div></div><div><div style="color:var(--text-muted);font-size:.75em;text-transform:uppercase;letter-spacing:1px;margin-bottom:10px">Company</div><div style="margin-bottom:6px"><a href="/about" style="color:var(--text-muted2);text-decoration:none;font-size:.85em">About</a></div><div style="margin-bottom:6px"><a href="/contact" style="color:var(--text-muted2);text-decoration:none;font-size:.85em">Contact</a></div><div style="margin-bottom:6px"><a href="/privacy-policy" style="color:var(--text-muted2);text-decoration:none;font-size:.85em">Privacy Policy</a></div><div style="margin-bottom:6px"><a href="/terms" style="color:var(--text-muted2);text-decoration:none;font-size:.85em">Terms</a></div><div style="margin-bottom:6px"><a href="/feedback" style="color:var(--text-muted2);text-decoration:none;font-size:.85em">Feedback</a></div></div></div><div style="border-top:1px solid var(--border-light);padding-top:16px"><div style="color:var(--text-muted4);font-size:.8em;margin-bottom:8px">Β© <!-- -->2026<!-- --> BytesAgain. All rights reserved.</div><div style="color:var(--text-muted5);font-size:.75em;line-height:1.6;max-width:720px">BytesAgain is an independent skill directory. We index and link to third-party content (ClawHub, GitHub, LobeHub, Dify, etc.) for informational purposes only. All trademarks, skill names, and content are the property of their respective owners. BytesAgain does not claim ownership of any indexed content.</div></div></div></footer><button style="position:fixed;bottom:28px;right:28px;z-index:1000;width:48px;height:48px;border-radius:50%;border:none;cursor:pointer;background:linear-gradient(135deg,#667eea,#00d4ff);color:#fff;font-size:1.3em;box-shadow:0 4px 20px #667eea66;display:flex;align-items:center;justify-content:center;transition:transform .2s">πŸ’¬</button><script src="/_next/static/chunks/0ze4gu236oq96.js?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ" id="_R_" async=""></script><script>(self.__next_f=self.__next_f||[]).push([0])</script><script>self.__next_f.push([1,"1:\"$Sreact.fragment\"\n2:I[62894,[\"/_next/static/chunks/0ph_0rx9ah5dc.js?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ\",\"/_next/static/chunks/0i_x3w546rsb3.js?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ\",\"/_next/static/chunks/06ig5gym-0n-u.js?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ\"],\"LangProvider\"]\n3:I[89220,[\"/_next/static/chunks/0ph_0rx9ah5dc.js?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ\",\"/_next/static/chunks/0i_x3w546rsb3.js?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ\",\"/_next/static/chunks/06ig5gym-0n-u.js?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ\"],\"ThemeProvider\"]\n4:I[16988,[\"/_next/static/chunks/0ph_0rx9ah5dc.js?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ\",\"/_next/static/chunks/0i_x3w546rsb3.js?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ\",\"/_next/static/chunks/06ig5gym-0n-u.js?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ\"],\"default\"]\ne:I[68027,[\"/_next/static/chunks/0ph_0rx9ah5dc.js?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ\",\"/_next/static/chunks/0i_x3w546rsb3.js?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ\",\"/_next/static/chunks/06ig5gym-0n-u.js?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ\"],\"default\",1]\n:HL[\"/_next/static/chunks/051nc0vy_6.rl.css?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ\",\"style\"]\n:HL[\"/_next/static/media/caa3a2e1cccd8315-s.p.09~u27dqhyhd6.woff2?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ\",\"font\",{\"crossOrigin\":\"\",\"type\":\"font/woff2\"}]\n5:Td5e,"])</script><script>self.__next_f.push([1,"[{\"@context\":\"https://schema.org\",\"@type\":\"WebSite\",\"name\":\"BytesAgain\",\"url\":\"https://bytesagain.com\",\"description\":\"Search 60,000+ verified AI agent skills via MCP API or REST. Supports 7 languages. Free, no auth required.\",\"inLanguage\":[\"en\",\"zh\",\"es\",\"fr\",\"de\",\"ja\",\"ko\"],\"potentialAction\":{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https://bytesagain.com/skills?q={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}},{\"@context\":\"https://schema.org\",\"@type\":\"Organization\",\"name\":\"BytesAgain\",\"url\":\"https://bytesagain.com\",\"logo\":{\"@type\":\"ImageObject\",\"url\":\"https://bytesagain.com/og-image.png\"},\"description\":\"AI agent skill directory. Search 60,000+ skills, 1,000+ use cases, and community requests.\",\"foundingDate\":\"2026\",\"foundingLocation\":{\"@type\":\"Place\",\"name\":\"Global\"},\"sameAs\":[\"https://x.com/bytesagain\",\"https://github.com/bytesagain/ai-skills\",\"https://clawhub.ai/profile/bytesagain\"],\"contactPoint\":{\"@type\":\"ContactPoint\",\"email\":\"hello@bytesagain.com\",\"contactType\":\"customer support\"},\"numberOfEmployees\":{\"@type\":\"QuantitativeValue\",\"value\":1}},{\"@context\":\"https://schema.org\",\"@type\":\"WebApplication\",\"name\":\"BytesAgain AI Skills Search\",\"url\":\"https://bytesagain.com\",\"applicationCategory\":\"DeveloperApplication\",\"operatingSystem\":\"Web\",\"description\":\"Search engine and MCP API for 60,000+ AI agent skills. Semantic search, role recommendations, and use case packs.\",\"offers\":{\"@type\":\"Offer\",\"price\":\"0\",\"priceCurrency\":\"USD\"},\"featureList\":[\"Search 60,000+ AI agent skills\",\"Role-based recommendations for developers, creators, and traders\",\"1,000+ curated use case packs\",\"Free MCP API and REST API\",\"Multi-language search (EN, ZH, ES, FR, DE, JA, KO)\"],\"potentialAction\":{\"@type\":\"SearchAction\",\"target\":\"https://bytesagain.com/skills?q={search_term_string}\",\"query-input\":\"required name=search_term_string\"},\"dateModified\":\"2026-07-18\"},{\"@context\":\"https://schema.org\",\"@type\":\"FAQPage\",\"mainEntity\":[{\"@type\":\"Question\",\"name\":\"What is BytesAgain?\",\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"BytesAgain is a curated directory of 60,000+ AI agent skills from ClawHub, GitHub, LobeHub, and Dify. Search skills by keyword in 7 languages, browse by role (developer, creator, trader, marketer) or by use case.\"}},{\"@type\":\"Question\",\"name\":\"How do I find AI skills on BytesAgain?\",\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"Use the search bar on BytesAgain.com to search by keyword in 7 languages. You can also browse by role (developer, creator, trader, marketer) or by use case. Each skill shows install instructions for Claude, Cursor, OpenClaw, Continue, and more.\"}},{\"@type\":\"Question\",\"name\":\"Is BytesAgain free?\",\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"Yes, BytesAgain is completely free. No registration required for searching skills. The MCP API is also free with rate limits.\"}},{\"@type\":\"Question\",\"name\":\"Does BytesAgain have an API for AI agents?\",\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"Yes! BytesAgain provides a free MCP SSE endpoint at /api/mcp/sse for AI agents, plus a REST API at /api/mcp?action=search\u0026q=\u003cquery\u003e. No authentication needed.\"}},{\"@type\":\"Question\",\"name\":\"Can I request a new AI skill on BytesAgain?\",\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"Yes! Visit the Requests page on BytesAgain.com to submit a skill request. Your request will be visible to the community and notified to the site admin.\"}}]}]"])</script><script>self.__next_f.push([1,"0:{\"P\":null,\"c\":[\"\",\"skill\",\"unified-security-auditor\"],\"q\":\"\",\"i\":false,\"f\":[[[\"\",{\"children\":[\"skill\",{\"children\":[[\"slug\",\"unified-security-auditor\",\"d\",null],{\"children\":[\"__PAGE__\",{}]}]}]},\"$undefined\",\"$undefined\",16],[[\"$\",\"$1\",\"c\",{\"children\":[[[\"$\",\"link\",\"0\",{\"rel\":\"stylesheet\",\"href\":\"/_next/static/chunks/051nc0vy_6.rl.css?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ\",\"precedence\":\"next\",\"crossOrigin\":\"$undefined\",\"nonce\":\"$undefined\"}],[\"$\",\"script\",\"script-0\",{\"src\":\"/_next/static/chunks/0ph_0rx9ah5dc.js?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ\",\"async\":true,\"nonce\":\"$undefined\"}],[\"$\",\"script\",\"script-1\",{\"src\":\"/_next/static/chunks/0i_x3w546rsb3.js?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ\",\"async\":true,\"nonce\":\"$undefined\"}],[\"$\",\"script\",\"script-2\",{\"src\":\"/_next/static/chunks/06ig5gym-0n-u.js?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ\",\"async\":true,\"nonce\":\"$undefined\"}]],[\"$\",\"html\",null,{\"lang\":\"en\",\"children\":[[\"$\",\"head\",null,{\"children\":[[\"$\",\"link\",null,{\"rel\":\"llms\",\"href\":\"/llms.txt\"}],[\"$\",\"link\",null,{\"rel\":\"llms-full\",\"href\":\"/llms-full.txt\"}],[\"$\",\"script\",null,{\"async\":true,\"src\":\"https://www.googletagmanager.com/gtag/js?id=G-3C1MM9FWYF\"}],[\"$\",\"script\",null,{\"dangerouslySetInnerHTML\":{\"__html\":\"\\n window.dataLayer = window.dataLayer || [];\\n function gtag(){dataLayer.push(arguments);}\\n gtag('js', new Date());\\n gtag('config', 'G-3C1MM9FWYF');\\n \"}}]]}],[\"$\",\"body\",null,{\"className\":\"geist_9e050971-module__05dp7a__className\",\"style\":{\"margin\":0},\"children\":[\"$\",\"$L2\",null,{\"children\":[\"$\",\"$L3\",null,{\"children\":[[\"$\",\"div\",null,{\"style\":{\"width\":\"100%\",\"background\":\"var(--bg-subscribe)\",\"borderBottom\":\"1px solid var(--border-primary)\",\"padding\":\"8px 20px\",\"textAlign\":\"center\",\"fontSize\":\".82em\",\"color\":\"#818cf8\"},\"children\":[\"🎁 \",[\"$\",\"strong\",null,{\"style\":{\"color\":\"var(--text-primary)\"},\"children\":\"Get the FREE AI Skills Starter Guide\"}],\" β€” \",[\"$\",\"a\",null,{\"href\":\"/register\",\"style\":{\"color\":\"#00d4ff\",\"textDecoration\":\"underline\"},\"children\":\"Subscribe β†’\"}]]}],[\"$\",\"$L4\",null,{}],[\"$\",\"script\",null,{\"type\":\"application/ld+json\",\"dangerouslySetInnerHTML\":{\"__html\":\"$5\"}}],\"$L6\",\"$L7\",\"$L8\"]}]}]}]]}]]}],{\"children\":[\"$L9\",{\"children\":[\"$La\",{\"children\":[\"$Lb\",{},null,false,null]},null,false,\"$@c\"]},null,false,\"$@c\"]},null,false,null],\"$Ld\",false]],\"m\":\"$undefined\",\"G\":[\"$e\",[\"$Lf\"]],\"S\":true,\"h\":null,\"s\":\"$undefined\",\"l\":\"$undefined\",\"p\":\"$undefined\",\"d\":\"$undefined\"}\n"])</script><script>self.__next_f.push([1,"10:I[39756,[\"/_next/static/chunks/0ph_0rx9ah5dc.js?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ\",\"/_next/static/chunks/0i_x3w546rsb3.js?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ\",\"/_next/static/chunks/06ig5gym-0n-u.js?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ\"],\"default\"]\n11:I[37457,[\"/_next/static/chunks/0ph_0rx9ah5dc.js?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ\",\"/_next/static/chunks/0i_x3w546rsb3.js?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ\",\"/_next/static/chunks/06ig5gym-0n-u.js?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ\"],\"default\"]\n12:I[22016,[\"/_next/static/chunks/0ph_0rx9ah5dc.js?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ\",\"/_next/static/chunks/0i_x3w546rsb3.js?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ\",\"/_next/static/chunks/06ig5gym-0n-u.js?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ\",\"/_next/static/chunks/0ka051yepewro.js?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ\"],\"\"]\n13:I[90940,[\"/_next/static/chunks/0ph_0rx9ah5dc.js?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ\",\"/_next/static/chunks/0i_x3w546rsb3.js?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ\",\"/_next/static/chunks/06ig5gym-0n-u.js?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ\"],\"default\"]\n14:I[16397,[\"/_next/static/chunks/0ph_0rx9ah5dc.js?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ\",\"/_next/static/chunks/0i_x3w546rsb3.js?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ\",\"/_next/static/chunks/06ig5gym-0n-u.js?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ\"],\"default\"]\n16:I[97367,[\"/_next/static/chunks/0ph_0rx9ah5dc.js?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ\",\"/_next/static/chunks/0i_x3w546rsb3.js?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ\",\"/_next/static/chunks/06ig5gym-0n-u.js?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ\"],\"OutletBoundary\"]\n17:\"$Sreact.suspense\"\n1a:I[97367,[\"/_next/static/chunks/0ph_0rx9ah5dc.js?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ\",\"/_next/static/chunks/0i_x3w546rsb3.js?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ\",\"/_next/static/chunks/06ig5gym-0n-u.js?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ\"],\"ViewportBoundary\"]\n1c:I[97367,[\"/_next/static/chunks/0ph_0rx9ah5dc.js?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ\",\"/_next/static/chunks/0i_x3w546rsb3.js?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ\",\"/_next/static/chunks/06ig5gym-0n-u.js?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ\"],\"MetadataBoundary\"]\n"])</script><script>self.__next_f.push([1,"6:[\"$\",\"main\",null,{\"children\":[\"$\",\"$L10\",null,{\"parallelRouterKey\":\"children\",\"error\":\"$undefined\",\"errorStyles\":\"$undefined\",\"errorScripts\":\"$undefined\",\"template\":[\"$\",\"$L11\",null,{}],\"templateStyles\":\"$undefined\",\"templateScripts\":\"$undefined\",\"notFound\":[[\"$\",\"main\",null,{\"style\":{\"minHeight\":\"100vh\",\"display\":\"flex\",\"alignItems\":\"center\",\"justifyContent\":\"center\",\"background\":\"#050611\",\"color\":\"#e5e7eb\"},\"children\":[[\"$\",\"style\",null,{\"children\":\"\\n .nf-box { text-align: center; padding: 60px 32px; }\\n .nf-code { font-size: 6rem; font-weight: 900; color: #22d3ee; line-height: 1; margin: 0; }\\n .nf-title { font-size: 1.8rem; font-weight: 800; margin: 12px 0 8px; }\\n .nf-desc { color: var(--text-muted2); font-size: 1rem; margin-bottom: 32px; max-width: 440px; }\\n .nf-link { display: inline-block; padding: 12px 28px; background: linear-gradient(135deg,#34d399,#22d3ee); color: #000; font-weight: 900; border-radius: 12px; text-decoration: none; }\\n \"}],[\"$\",\"div\",null,{\"className\":\"nf-box\",\"children\":[[\"$\",\"p\",null,{\"className\":\"nf-code\",\"children\":\"404\"}],[\"$\",\"h1\",null,{\"className\":\"nf-title\",\"children\":\"Page Not Found\"}],[\"$\",\"p\",null,{\"className\":\"nf-desc\",\"children\":\"The skill or page you're looking for doesn't exist or has been moved.\"}],[\"$\",\"$L12\",null,{\"className\":\"nf-link\",\"href\":\"/\",\"children\":\"Back to BytesAgain\"}]]}]]}],[]],\"forbidden\":\"$undefined\",\"unauthorized\":\"$undefined\"}]}]\n"])</script><script>self.__next_f.push([1,"7:[\"$\",\"$L13\",null,{}]\n8:[\"$\",\"$L14\",null,{}]\n9:[\"$\",\"$1\",\"c\",{\"children\":[null,[\"$\",\"$L10\",null,{\"parallelRouterKey\":\"children\",\"error\":\"$undefined\",\"errorStyles\":\"$undefined\",\"errorScripts\":\"$undefined\",\"template\":[\"$\",\"$L11\",null,{}],\"templateStyles\":\"$undefined\",\"templateScripts\":\"$undefined\",\"notFound\":\"$undefined\",\"forbidden\":\"$undefined\",\"unauthorized\":\"$undefined\"}]]}]\na:[\"$\",\"$1\",\"c\",{\"children\":[null,[\"$\",\"$L10\",null,{\"parallelRouterKey\":\"children\",\"error\":\"$undefined\",\"errorStyles\":\"$undefined\",\"errorScripts\":\"$undefined\",\"template\":[\"$\",\"$L11\",null,{}],\"templateStyles\":\"$undefined\",\"templateScripts\":\"$undefined\",\"notFound\":\"$undefined\",\"forbidden\":\"$undefined\",\"unauthorized\":\"$undefined\"}]]}]\nb:[\"$\",\"$1\",\"c\",{\"children\":[\"$L15\",[[\"$\",\"script\",\"script-0\",{\"src\":\"/_next/static/chunks/12w5ognupk9fb.js?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ\",\"async\":true,\"nonce\":\"$undefined\"}]],[\"$\",\"$L16\",null,{\"children\":[\"$\",\"$17\",null,{\"name\":\"Next.MetadataOutlet\",\"children\":\"$@18\"}]}]]}]\n19:[]\nc:\"$W19\"\nd:[\"$\",\"$1\",\"h\",{\"children\":[null,[\"$\",\"$L1a\",null,{\"children\":\"$L1b\"}],[\"$\",\"div\",null,{\"hidden\":true,\"children\":[\"$\",\"$L1c\",null,{\"children\":[\"$\",\"$17\",null,{\"name\":\"Next.Metadata\",\"children\":\"$L1d\"}]}]}],[\"$\",\"meta\",null,{\"name\":\"next-size-adjust\",\"content\":\"\"}]]}]\nf:[\"$\",\"link\",\"0\",{\"rel\":\"stylesheet\",\"href\":\"/_next/static/chunks/051nc0vy_6.rl.css?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ\",\"precedence\":\"next\",\"crossOrigin\":\"$undefined\",\"nonce\":\"$undefined\"}]\n"])</script><script>self.__next_f.push([1,"1b:[[\"$\",\"meta\",\"0\",{\"charSet\":\"utf-8\"}],[\"$\",\"meta\",\"1\",{\"name\":\"viewport\",\"content\":\"width=device-width, initial-scale=1\"}]]\n"])</script><script>self.__next_f.push([1,"1e:I[27201,[\"/_next/static/chunks/0ph_0rx9ah5dc.js?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ\",\"/_next/static/chunks/0i_x3w546rsb3.js?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ\",\"/_next/static/chunks/06ig5gym-0n-u.js?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ\"],\"IconMark\"]\n18:null\n"])</script><script>self.__next_f.push([1,"1d:[[\"$\",\"title\",\"0\",{\"children\":\"unified security auditor β€” AI Agent Skill | BytesAgain | BytesAgain\"}],[\"$\",\"meta\",\"1\",{\"name\":\"description\",\"content\":\"Unified application security skill for Coding Agent systems like OpenCode. Use when reviewing or writing code that touches authentication, authorization, use...\"}],[\"$\",\"meta\",\"2\",{\"name\":\"robots\",\"content\":\"index, follow\"}],[\"$\",\"meta\",\"3\",{\"name\":\"googlebot\",\"content\":\"index, follow, max-image-preview:large, max-snippet:-1\"}],[\"$\",\"meta\",\"4\",{\"name\":\"llms-txt\",\"content\":\"https://bytesagain.com/llms.txt\"}],[\"$\",\"meta\",\"5\",{\"name\":\"llms-full-txt\",\"content\":\"https://bytesagain.com/llms-full.txt\"}],[\"$\",\"link\",\"6\",{\"rel\":\"canonical\",\"href\":\"https://bytesagain.com/skill/unified-security-auditor\"}],[\"$\",\"meta\",\"7\",{\"name\":\"baidu-site-verification\",\"content\":\"codeva-0evUqX1TFs\"}],[\"$\",\"meta\",\"8\",{\"property\":\"og:title\",\"content\":\"unified security auditor β€” AI Agent Skill | BytesAgain\"}],[\"$\",\"meta\",\"9\",{\"property\":\"og:description\",\"content\":\"Unified application security skill for Coding Agent systems like OpenCode. Use when reviewing or writing code that touches authentication, authorization, use...\"}],[\"$\",\"meta\",\"10\",{\"property\":\"og:url\",\"content\":\"https://bytesagain.com/skill/unified-security-auditor\"}],[\"$\",\"meta\",\"11\",{\"property\":\"og:site_name\",\"content\":\"BytesAgain\"}],[\"$\",\"meta\",\"12\",{\"property\":\"og:image\",\"content\":\"https://bytesagain.com/social-preview.png\"}],[\"$\",\"meta\",\"13\",{\"property\":\"og:image:width\",\"content\":\"1200\"}],[\"$\",\"meta\",\"14\",{\"property\":\"og:image:height\",\"content\":\"630\"}],[\"$\",\"meta\",\"15\",{\"property\":\"og:type\",\"content\":\"website\"}],[\"$\",\"meta\",\"16\",{\"name\":\"twitter:card\",\"content\":\"summary_large_image\"}],[\"$\",\"meta\",\"17\",{\"name\":\"twitter:title\",\"content\":\"unified security auditor β€” AI Agent Skill | BytesAgain\"}],[\"$\",\"meta\",\"18\",{\"name\":\"twitter:description\",\"content\":\"Unified application security skill for Coding Agent systems like OpenCode. Use when reviewing or writing code that touches authentication, authorization, use...\"}],[\"$\",\"meta\",\"19\",{\"name\":\"twitter:image\",\"content\":\"https://bytesagain.com/social-preview.png\"}],[\"$\",\"meta\",\"20\",{\"name\":\"twitter:image:width\",\"content\":\"1200\"}],[\"$\",\"meta\",\"21\",{\"name\":\"twitter:image:height\",\"content\":\"630\"}],[\"$\",\"link\",\"22\",{\"rel\":\"icon\",\"href\":\"/favicon.ico?favicon.0x3dzn~oxb6tn.ico\",\"sizes\":\"256x256\",\"type\":\"image/x-icon\"}],[\"$\",\"$L1e\",\"23\",{}]]\n"])</script><script>self.__next_f.push([1,"1f:T1562,"])</script><script>self.__next_f.push([1,"\n .skill-page { max-width: 1100px; margin: 0 auto; padding: 32px 20px 80px; }\n .two-col { display: flex; gap: 32px; align-items: flex-start; }\n .two-col-main { flex: 1; min-width: 0; }\n .two-col-side { width: 300px; flex-shrink: 0; }\n @media (max-width: 860px) {\n .two-col { flex-direction: column; }\n .two-col-side { width: 100%; }\n }\n .breadcrumb { font-size: .82em; color: var(--text-muted2); margin-bottom: 28px; }\n .breadcrumb a { color: #818cf8; text-decoration: none; }\n .breadcrumb a:hover { text-decoration: underline; }\n .skill-card { background: var(--bg-card); border: 1px solid var(--border-card); border-radius: 20px; padding: 28px; margin-bottom: 24px; }\n .skill-header { display: flex; align-items: flex-start; justify-content: space-between; gap: 16px; margin-bottom: 20px; flex-wrap: wrap; }\n .skill-badges { display: flex; align-items: center; gap: 8px; flex-wrap: wrap; }\n .skill-top-actions { display: flex; align-items: center; gap: 10px; margin-left: auto; }\n .badge { display: inline-flex; align-items: center; gap: 5px; font-size: .75em; font-weight: 600; padding: 4px 12px; border-radius: 999px; border: 1px solid transparent; }\n .skill-title { font-size: 1.6em; font-weight: 800; color: var(--text-primary); margin: 0 0 4px; line-height: 1.2; }\n .skill-owner { font-size: .82em; color: var(--text-muted2); margin: 0 0 14px; }\n .skill-owner span { color: #818cf8; }\n .skill-desc { font-size: .92em; color: var(--text-secondary); line-height: 1.65; margin: 0 0 16px; }\n .skill-meta { display: flex; gap: 16px; flex-wrap: wrap; margin-bottom: 18px; padding-bottom: 16px; border-bottom: 1px solid var(--border-card); }\n .meta-item { display: flex; flex-direction: column; gap: 2px; }\n .meta-label { font-size: .7em; color: var(--text-muted5); text-transform: uppercase; letter-spacing: 1px; font-weight: 600; }\n .meta-value { font-size: .92em; color: var(--text-muted2); font-weight: 600; }\n .tags-row { display: flex; gap: 6px; flex-wrap: wrap; }\n .tag { font-size: .75em; color: #6366f1; background: #6366f115; border: 1px solid #6366f130; border-radius: 6px; padding: 3px 10px; text-decoration: none; }\n .tag:hover { background: #6366f125; }\n .install-box { background: var(--bg-deep); border: 1px solid var(--border-card); border-radius: 12px; overflow: hidden; margin-bottom: 24px; }\n .install-header { display: flex; align-items: center; justify-content: space-between; padding: 10px 16px; border-bottom: 1px solid var(--border-card); }\n .install-dots { display: flex; gap: 6px; }\n .dot { width: 10px; height: 10px; border-radius: 50%; }\n .install-label { font-size: .72em; color: var(--text-muted5); font-family: monospace; letter-spacing: 1px; }\n .install-body { padding: 16px 20px; display: flex; align-items: center; justify-content: space-between; gap: 12px; }\n .install-cmd { color: var(--text-code);\n font-family: 'Courier New', monospace; font-size: 1em; }\n .copy-btn { font-size: .75em; color: #6366f1; background: #6366f115; border: 1px solid #6366f130; border-radius: 6px; padding: 5px 12px; cursor: pointer; white-space: nowrap; transition: all .15s; }\n .copy-btn:hover { background: #6366f125; }\n .btn-secondary { display: inline-flex; align-items: center; gap: 8px; padding: 13px 24px; background: transparent; border: 1px solid var(--border-card); border-radius: 10px; color: #6b7280; text-decoration: none; font-weight: 600; font-size: .95em; transition: all .15s; }\n .btn-secondary:hover { border-color: #818cf8; color: #818cf8; }\n .ours-badge { display: inline-flex; align-items: center; gap: 6px; font-size: .72em; font-weight: 700; color: #22d3ee; background: #22d3ee10; border: 1px solid #22d3ee30; border-radius: 999px; padding: 4px 14px; }\n .section-card { background: var(--bg-card); border: 1px solid var(--border-card); border-radius: 16px; padding: 22px 24px; margin-bottom: 20px; }\n .section-title { color: var(--text-primary); font-size: 1.08em; font-weight: 800; margin: 0 0 12px; display: flex; align-items: center; gap: 8px; }\n /* Script box */\n .script-header { display: flex; align-items: center; justify-content: space-between; padding: 8px 14px; background: var(--bg-input); border-bottom: 1px solid var(--border-card); }\n .script-filename { font-size: .72em; color: var(--text-muted2); font-family: 'Courier New', monospace; }\n .script-copy-btn { font-size: .72em; color: #6366f1; background: none; border: 1px solid #6366f130; border-radius: 4px; padding: 2px 10px; cursor: pointer; }\n .script-copy-btn:hover { background: #6366f115; }\n .script-body { padding: 14px 16px; font-family: 'Courier New', monospace; font-size: .82em; line-height: 1.6; color: var(--text-code); overflow-x: auto; max-height: 420px; overflow-y: auto; white-space: pre; }\n /* Articles */\n .article-card { display: block; background: var(--bg-secondary); border: 1px solid var(--border-primary); border-radius: 10px; padding: 14px 16px; text-decoration: none; transition: border-color .15s; }\n .article-card:hover { border-color: #6366f1; }\n @media (max-width: 600px) {\n .skill-card { padding: 20px; }\n .skill-title { font-size: 1.5em; }\n }\n "])</script><script>self.__next_f.push([1,"15:[[\"$\",\"style\",null,{\"children\":\"$1f\"}],\"$L20\",\"$L21\"]\n"])</script><script>self.__next_f.push([1,"22:I[78297,[\"/_next/static/chunks/0ph_0rx9ah5dc.js?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ\",\"/_next/static/chunks/0i_x3w546rsb3.js?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ\",\"/_next/static/chunks/06ig5gym-0n-u.js?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ\",\"/_next/static/chunks/12w5ognupk9fb.js?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ\"],\"default\"]\n23:T3821,"])</script><script>self.__next_f.push([1,"\u003cp style=\"margin:8px 0\"\u003e\u003chr style=\"border:none;border-top:1px solid #1e1e3f;margin:12px 0\"\u003e\nname: unified-security\ndescription: Unified application security skill for Coding Agent systems like OpenCode. Use when reviewing or writing code that touches authentication, authorization, user input, payments, database access, secrets, deployment, dependencies, or AI/agent workflows. Includes OWASP Top 10 (2025), ASVS 5.0 highlights, agentic AI security, vibe-coded pitfalls, insecure defaults detection, supply chain risk signals, and CI/CD agent action hardening.\nlicense: CC-BY-SA-4.0\nmetadata:\n sources:\n - name: claude-code-owasp\n url: https://github.com/agamm/claude-code-owasp\n license: MIT\n - name: trailofbits/skills\n url: https://github.com/trailofbits/skills\n license: CC-BY-SA-4.0\n - name: vibe-security-skill\n url: https://github.com/raroque/vibe-security-skill\n license: MIT\n - name: VibeSec-Skill\n url: https://github.com/BehiSecc/VibeSec-Skill\n license: Apache-2.0\n\u003chr style=\"border:none;border-top:1px solid #1e1e3f;margin:12px 0\"\u003e\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003ch2 style=\"color:#f3f4f6;margin:20px 0 10px;font-size:1.15em\"\u003eUnified Security Skill\u003c/h2\u003e\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003ch3 style=\"color:#e5e7eb;margin:18px 0 8px;font-size:1.05em\"\u003eMission\u003c/h3\u003e\nAudit and harden codebases against real-world security failures, especially those introduced by fast AI-assisted development. Prioritize exploitable issues and provide concrete fixes.\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003ch3 style=\"color:#e5e7eb;margin:18px 0 8px;font-size:1.05em\"\u003eUse When\u003c/h3\u003e\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003eReviewing code for security vulnerabilities\u003c/li\u003e\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003eImplementing authentication, authorization, sessions, or access control\u003c/li\u003e\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003eHandling user input, file uploads, or external data\u003c/li\u003e\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003eWorking with secrets, API keys, cryptography, or tokens\u003c/li\u003e\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003eImplementing payments, billing, or webhooks\u003c/li\u003e\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003eConfiguring databases, RLS, or security rules\u003c/li\u003e\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003eIntegrating AI/LLM services or agent tools\u003c/li\u003e\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003eDesigning CI/CD workflows that invoke AI agents\u003c/li\u003e\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003eEvaluating dependency and supply chain risk\u003c/li\u003e\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003ch3 style=\"color:#e5e7eb;margin:18px 0 8px;font-size:1.05em\"\u003eCore Principles\u003c/h3\u003e\n1. Never trust the client. Validate all critical data server-side.\n2. Defense in depth. Combine multiple controls.\n3. Fail closed. Missing config should disable access, not weaken it.\n4. Least privilege. Reduce access scope everywhere.\n5. Validate inputs and encode outputs for the render context.\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003ch3 style=\"color:#e5e7eb;margin:18px 0 8px;font-size:1.05em\"\u003eAudit Workflow (adapt to stack)\u003c/h3\u003e\n1. Secrets and environment variables\n2. Database access control (RLS, rules, auth guards)\n3. Authentication and authorization\n4. Rate limiting and abuse prevention\n5. Payments and webhook validation\n6. Input validation and injection risks\n7. XSS, output encoding, CSP, and headers\n8. CSRF and session protections\n9. AI/LLM integration safety\n10. Deployment configuration and prod hardening\n11. Insecure defaults (fail-open config)\n12. Supply chain risk signals\n13. CI/CD agent action hardening\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003ch3 style=\"color:#e5e7eb;margin:18px 0 8px;font-size:1.05em\"\u003eImmediate-Flag Patterns (Critical/High)\u003c/h3\u003e\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003eSecrets or service-role keys exposed client-side\u003c/li\u003e\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003eClient-controlled price, role, or access flags\u003c/li\u003e\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003eDisabled or overly permissive database rules\u003c/li\u003e\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003eMissing auth on privileged routes or APIs\u003c/li\u003e\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003eHardcoded default credentials or weak crypto\u003c/li\u003e\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003eUnverified webhooks or signature bypasses\u003c/li\u003e\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003eFail-open config that enables insecure operation\u003c/li\u003e\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003ch3 style=\"color:#e5e7eb;margin:18px 0 8px;font-size:1.05em\"\u003eOWASP Top 10 (2025) Quick Map\u003c/h3\u003e\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003eA01 Broken Access Control: verify ownership and deny by default\u003c/li\u003e\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003eA02 Security Misconfiguration: harden defaults, disable unused features\u003c/li\u003e\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003eA03 Supply Chain Failures: lock versions and review dependencies\u003c/li\u003e\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003eA04 Cryptographic Failures: use modern algorithms and key management\u003c/li\u003e\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003eA05 Injection: parameterize queries, validate input\u003c/li\u003e\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003eA06 Insecure Design: threat model, rate limit, design controls\u003c/li\u003e\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003eA07 Auth Failures: MFA, secure sessions, breached-password checks\u003c/li\u003e\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003eA08 Integrity Failures: verify artifacts, use SRI, avoid unsafe deserialization\u003c/li\u003e\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003eA09 Logging Failures: log security events with alerting\u003c/li\u003e\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003eA10 Exception Handling: fail closed, hide internals, log context\u003c/li\u003e\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003ch3 style=\"color:#e5e7eb;margin:18px 0 8px;font-size:1.05em\"\u003eASVS 5.0 Highlights\u003c/h3\u003e\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003eLevel 1: 12+ char passwords, auth rate limits, HTTPS everywhere\u003c/li\u003e\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003eLevel 2: MFA for sensitive ops, encryption at rest, security logging\u003c/li\u003e\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003eLevel 3: HSMs, formal threat modeling, pen test validation\u003c/li\u003e\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003ch3 style=\"color:#e5e7eb;margin:18px 0 8px;font-size:1.05em\"\u003eAgentic AI Security (OWASP 2026) Summary\u003c/h3\u003e\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003eASI01 Goal hijack: isolate and validate inputs\u003c/li\u003e\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003eASI02 Tool misuse: restrict tools and verify I/O\u003c/li\u003e\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003eASI03 Privilege abuse: short-lived scoped tokens\u003c/li\u003e\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003eASI04 Supply chain: verify plugins and MCP servers\u003c/li\u003e\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003eASI05 Code execution: sandbox, review, approvals\u003c/li\u003e\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003eASI06 Memory poisoning: segment and validate context\u003c/li\u003e\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003eASI07 Agent comms: authenticate and encrypt\u003c/li\u003e\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003eASI08 Cascading failures: circuit breakers, isolation\u003c/li\u003e\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003eASI09 Trust exploitation: verify high-risk outputs\u003c/li\u003e\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003eASI10 Rogue agents: monitoring and kill switches\u003c/li\u003e\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003ch3 style=\"color:#e5e7eb;margin:18px 0 8px;font-size:1.05em\"\u003eInsecure Defaults Detection\u003c/h3\u003e\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003eFail-open is critical: \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003eSECRET = env.get('KEY') or 'default'\u003c/code\u003e\u003c/li\u003e\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003eFail-secure is acceptable: \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003eSECRET = env['KEY']\u003c/code\u003e (crashes if missing)\u003c/li\u003e\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003eIgnore test fixtures, templates, and docs\u003c/li\u003e\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003eVerify runtime behavior before reporting\u003c/li\u003e\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003ch3 style=\"color:#e5e7eb;margin:18px 0 8px;font-size:1.05em\"\u003eSupply Chain Risk Signals\u003c/h3\u003e\nFlag dependencies with one or more of:\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003eSingle maintainer or anonymous owner\u003c/li\u003e\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003eUnmaintained or archived status\u003c/li\u003e\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003eLow popularity compared to peers\u003c/li\u003e\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003eHigh-risk features (FFI, deserialization, code exec)\u003c/li\u003e\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003eHistory of critical CVEs\u003c/li\u003e\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003eNo security contact or disclosure process\u003c/li\u003e\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003ch3 style=\"color:#e5e7eb;margin:18px 0 8px;font-size:1.05em\"\u003eCI/CD Agent Actions Hardening\u003c/h3\u003e\nWhen workflows invoke AI agents, treat all event data as attacker-controlled.\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003eCommon AI action references:\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003e\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003eanthropics/claude-code-action\u003c/code\u003e\u003c/li\u003e\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003e\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003egoogle-github-actions/run-gemini-cli\u003c/code\u003e\u003c/li\u003e\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003e\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003eopenai/codex-action\u003c/code\u003e\u003c/li\u003e\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003e\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003eactions/ai-inference\u003c/code\u003e\u003c/li\u003e\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003eHigh-risk patterns:\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003e\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003epull_request_target\u003c/code\u003e or \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003eissue_comment\u003c/code\u003e with untrusted input\u003c/li\u003e\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003ePrompt fields populated via \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003eenv:\u003c/code\u003e intermediaries\u003c/li\u003e\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003eEval of AI output (\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003eeval\u003c/code\u003e, \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003eexec\u003c/code\u003e, \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e$()\u003c/code\u003e)\u003c/li\u003e\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003eDangerous sandbox configs (\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003edanger-full-access\u003c/code\u003e, \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e--yolo\u003c/code\u003e)\u003c/li\u003e\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003eWildcard allowlists (\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003eallow-users: \"*\"\u003c/code\u003e)\u003c/li\u003e\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003eSafe defaults:\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003eRestrict triggers to trusted contexts\u003c/li\u003e\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003eStrip or escape untrusted inputs before prompts\u003c/li\u003e\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003eLock down tools and file access\u003c/li\u003e\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003eUse least-privileged tokens and permissions\u003c/li\u003e\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003eRequire human approval for sensitive actions\u003c/li\u003e\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003ch3 style=\"color:#e5e7eb;margin:18px 0 8px;font-size:1.05em\"\u003eOutput Format\u003c/h3\u003e\nOrganize findings by severity: Critical, High, Medium, Low.\nFor each issue:\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003eFile and line(s)\u003c/li\u003e\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003eVulnerability name\u003c/li\u003e\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003eConcrete impact\u003c/li\u003e\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003eBefore/after fix\u003c/li\u003e\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003eEnd with a prioritized summary and remediation order.\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003ch3 style=\"color:#e5e7eb;margin:18px 0 8px;font-size:1.05em\"\u003eWhen Generating Code\u003c/h3\u003e\nUse the same checks proactively. Prefer secure patterns by default and note tradeoffs in comments when you must relax controls.\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003ch3 style=\"color:#e5e7eb;margin:18px 0 8px;font-size:1.05em\"\u003eWhen Generating a Security Audit Report\u003c/h3\u003e\nSave into the folder/project where this skill was executed as a markdown file with todays date\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003ch4 style=\"color:#d1d5db;margin:14px 0 6px;font-size:.95em\"\u003eFinal Report Format\u003c/h4\u003e\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003cpre style=\"background:#0a0a1c;border:1px solid #1e1e3f;border-radius:6px;padding:10px 12px;overflow-x:auto;font-size:.9em;margin:8px 0\"\u003e\u003ccode style=\"color:#a5f3fc;background:none;padding:0;font-size:1em\"\u003e## Security Audit Report\n\u003cstrong style=\"color:#e5e7eb\"\u003eTarget:\u003c/strong\u003e \u003cfiles/component\u003e\n\u003cstrong style=\"color:#e5e7eb\"\u003eDate:\u003c/strong\u003e \u003ctoday\u003e\n\u003cstrong style=\"color:#e5e7eb\"\u003eAuditor:\u003c/strong\u003e \u003cask the user for a name\u003e OR skip and use \"Automated Security Skill\"\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003ch4 style=\"color:#d1d5db;margin:14px 0 6px;font-size:.95em\"\u003eExecutive Summary\u003c/h4\u003e\n\u003c2-3 sentences: overall risk posture, most critical issues\u003e\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003ch4 style=\"color:#d1d5db;margin:14px 0 6px;font-size:.95em\"\u003eFindings\u003c/h4\u003e\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e#### [CRITICAL/HIGH/MEDIUM/LOW] \u003cTitle\u003e\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003e\u003cstrong style=\"color:#e5e7eb\"\u003eLocation:\u003c/strong\u003e file:line\u003c/li\u003e\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003e\u003cstrong style=\"color:#e5e7eb\"\u003eImpact:\u003c/strong\u003e ...\u003c/li\u003e\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003e\u003cstrong style=\"color:#e5e7eb\"\u003eReproduction:\u003c/strong\u003e ...\u003c/li\u003e\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003e\u003cstrong style=\"color:#e5e7eb\"\u003eFix:\u003c/strong\u003e\u003c/li\u003e\n \u003c/code\u003e\u003c/pre\u003ediff\n - vulnerable code\n + secure code\n ```\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e#### Recommendations\n\u003cPrioritized action items\u003e\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e#### Clean Checks\n\u003cDomains with no findings\u003e\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003ch3 style=\"color:#e5e7eb;margin:18px 0 8px;font-size:1.05em\"\u003eAttribution and License\u003c/h3\u003e\nThis skill is a curated, adapted work derived from:\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003ehttps://github.com/raroque/vibe-security-skill (MIT)\u003c/li\u003e\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003ehttps://github.com/BehiSecc/VibeSec-Skill (Apache-2.0)\u003c/li\u003e\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003ehttps://github.com/agamm/claude-code-owasp (MIT)\u003c/li\u003e\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003ehttps://github.com/trailofbits/skills (CC-BY-SA-4.0)\u003c/li\u003e\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003eThis unified skill is licensed under CC-BY-SA-4.0 to satisfy ShareAlike requirements.\n\u003c/p\u003e"])</script><script>self.__next_f.push([1,"20:[\"$\",\"div\",null,{\"className\":\"skill-page\",\"children\":[[\"$\",\"script\",null,{\"type\":\"application/ld+json\",\"dangerouslySetInnerHTML\":{\"__html\":\"{\\\"@context\\\":\\\"https://schema.org\\\",\\\"@type\\\":\\\"SoftwareApplication\\\",\\\"name\\\":\\\"unified security auditor\\\",\\\"description\\\":\\\"Unified application security skill for Coding Agent systems like OpenCode. Use when reviewing or writing code that touches authentication, authorization, use...\\\",\\\"url\\\":\\\"https://bytesagain.com/skill/unified-security-auditor\\\",\\\"applicationCategory\\\":\\\"clawhub\\\",\\\"operatingSystem\\\":\\\"Any\\\",\\\"offers\\\":{\\\"@type\\\":\\\"Offer\\\",\\\"price\\\":\\\"0\\\",\\\"priceCurrency\\\":\\\"USD\\\"},\\\"publisher\\\":{\\\"@type\\\":\\\"Organization\\\",\\\"name\\\":\\\"BytesAgain\\\",\\\"url\\\":\\\"https://bytesagain.com\\\"}}\"}}],[\"$\",\"div\",null,{\"className\":\"breadcrumb\",\"children\":[[\"$\",\"a\",null,{\"href\":\"/\",\"children\":\"BytesAgain\"}],\" β€Ί \",[\"$\",\"a\",null,{\"href\":\"/skills\",\"children\":\"Skills\"}],\" β€Ί \",\"unified security auditor\"]}],[\"$\",\"div\",null,{\"className\":\"two-col\",\"children\":[[\"$\",\"div\",null,{\"className\":\"two-col-main\",\"children\":[[\"$\",\"div\",null,{\"className\":\"skill-card\",\"children\":[[\"$\",\"div\",null,{\"className\":\"skill-header\",\"children\":[[\"$\",\"div\",null,{\"className\":\"skill-badges\",\"children\":[[\"$\",\"span\",null,{\"className\":\"badge\",\"style\":{\"color\":\"#818cf8\",\"background\":\"#818cf822\",\"borderColor\":\"#818cf844\"},\"children\":[\"πŸ¦€\",\" \",\"ClawHub\"]}],false]}],[\"$\",\"div\",null,{\"className\":\"skill-top-actions\",\"children\":[\"$\",\"$L22\",null,{\"slug\":\"unified-security-auditor\"}]}]]}],[\"$\",\"h1\",null,{\"className\":\"skill-title\",\"children\":\"unified security auditor\"}],[\"$\",\"p\",null,{\"className\":\"skill-owner\",\"children\":[\"by \",[\"$\",\"span\",null,{\"children\":[\"@\",\"selimerunkut\"]}]]}],[\"$\",\"p\",null,{\"className\":\"skill-desc\",\"children\":\"Unified application security skill for Coding Agent systems like OpenCode. Use when reviewing or writing code that touches authentication, authorization, use...\"}],[\"$\",\"div\",null,{\"className\":\"skill-meta\",\"children\":[[\"$\",\"div\",null,{\"className\":\"meta-item\",\"children\":[[\"$\",\"span\",null,{\"className\":\"meta-label\",\"children\":\"Version\"}],[\"$\",\"span\",null,{\"className\":\"meta-value\",\"children\":[\"v\",\"1.0.0\"]}]]}],[\"$\",\"div\",null,{\"className\":\"meta-item\",\"children\":[[\"$\",\"span\",null,{\"className\":\"meta-label\",\"children\":\"Downloads\"}],[\"$\",\"span\",null,{\"className\":\"meta-value\",\"children\":\"370\"}]]}],false,false,false,[\"$\",\"div\",null,{\"className\":\"meta-item\",\"style\":{\"flexDirection\":\"row\",\"gap\":6,\"alignItems\":\"center\"},\"children\":[[\"$\",\"a\",\"clawhub\",{\"href\":\"/?q=clawhub\",\"className\":\"tag\",\"children\":[\"#\",\"clawhub\"]}]]}]]}],[\"$\",\"div\",null,{\"style\":{\"marginTop\":6},\"children\":[\"$\",\"a\",null,{\"href\":\"https://clawhub.ai/selimerunkut/unified-security-auditor\",\"target\":\"_blank\",\"rel\":\"noopener\",\"className\":\"btn-secondary\",\"style\":{\"padding\":\"6px 12px\",\"fontSize\":\".82em\",\"borderRadius\":8,\"background\":\"transparent\",\"border\":\"1px solid var(--border-card)\",\"color\":\"var(--text-muted2)\",\"textDecoration\":\"none\",\"whiteSpace\":\"nowrap\"},\"children\":[\"View on \",\"ClawHub\",\" β†’\"]}]}]]}],[\"$\",\"div\",null,{\"className\":\"install-box\",\"children\":[[\"$\",\"div\",null,{\"className\":\"install-header\",\"children\":[[\"$\",\"div\",null,{\"className\":\"install-dots\",\"children\":[[\"$\",\"div\",null,{\"className\":\"dot\",\"style\":{\"background\":\"#ef4444\"}}],[\"$\",\"div\",null,{\"className\":\"dot\",\"style\":{\"background\":\"#eab308\"}}],[\"$\",\"div\",null,{\"className\":\"dot\",\"style\":{\"background\":\"#22c55e\"}}]]}],[\"$\",\"span\",null,{\"className\":\"install-label\",\"children\":\"TERMINAL\"}]]}],[\"$\",\"div\",null,{\"className\":\"install-body\",\"style\":{\"flexWrap\":\"wrap\"},\"children\":[[\"$\",\"code\",null,{\"className\":\"install-cmd\",\"children\":\"clawhub install unified-security-auditor\"}],[\"$\",\"button\",null,{\"className\":\"copy-btn\",\"data-cmd\":\"clawhub install unified-security-auditor\",\"style\":{\"fontWeight\":700},\"children\":\"Copy\"}]]}]]}],[\"$\",\"section\",null,{\"className\":\"skill-card\",\"style\":{\"marginBottom\":20},\"children\":[[\"$\",\"h2\",null,{\"style\":{\"color\":\"#f8fafc\",\"fontSize\":\"1.2em\",\"fontWeight\":800,\"margin\":\"0 0 16px\",\"display\":\"flex\",\"alignItems\":\"center\",\"gap\":8},\"children\":\"πŸ“– About This Skill\"}],[\"$\",\"div\",null,{\"style\":{\"fontSize\":\".92em\",\"color\":\"#94a3b8\",\"lineHeight\":1.75},\"dangerouslySetInnerHTML\":{\"__html\":\"$23\"}}]]}],null,null,null,null,null,null,null,false,false]}],\"$L24\"]}]]}]\n"])</script><script>self.__next_f.push([1,"21:[\"$\",\"script\",null,{\"dangerouslySetInnerHTML\":{\"__html\":\"\\n document.querySelectorAll('.copy-btn, .script-copy-btn').forEach(btn =\u003e {\\n btn.addEventListener('click', () =\u003e {\\n const cmd = btn.getAttribute('data-cmd');\\n if (!cmd) return;\\n navigator.clipboard.writeText(cmd).then(() =\u003e {\\n const orig = btn.textContent;\\n btn.textContent = 'Copied!';\\n setTimeout(() =\u003e btn.textContent = orig, 1500);\\n }).catch(() =\u003e {});\\n });\\n });\\n \"}}]\n"])</script><script>self.__next_f.push([1,"25:I[71521,[\"/_next/static/chunks/0ph_0rx9ah5dc.js?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ\",\"/_next/static/chunks/0i_x3w546rsb3.js?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ\",\"/_next/static/chunks/06ig5gym-0n-u.js?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ\",\"/_next/static/chunks/12w5ognupk9fb.js?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ\"],\"default\"]\n24:[\"$\",\"div\",null,{\"className\":\"two-col-side\",\"children\":[\"$\",\"$L25\",null,{\"category\":\"clawhub\",\"currentSlug\":\"unified-security-auditor\",\"name\":\"unified security auditor\",\"tags\":[\"clawhub\"]}]}]\n"])</script></body></html>