Security Audit
Sweeps a repo for OWASP-top-10 issues, hardcoded secrets, insecure dependencies, and auth logic gaps.
Entry verified April 20, 2026
The short answer
A pragmatic security pass for indie projects that can't afford a real audit. Catches the stuff that actually shows up in breaches — leaked secrets, SQL injection, missing auth on admin routes.
When to use it
Before every public launch. Before adding third-party integrations. Quarterly on anything that handles user data.
Setup
1. Save the skill in ~/.claude/agents/security-auditor.md (it runs as a subagent).
2. Configure scan paths in a .securityrc or inline — exclude tests/, docs/, migrations that intentionally show placeholder secrets.
3. Run /security-review or invoke directly from Claude Code.
Example
You: /security-review
Claude: 3 findings.
HIGH: .env.example contains a real-looking AWS key (leak risk if copied).
MED: Contact form /api/contact lacks rate limiting.
LOW: Next.js headers config missing strict-transport-security.
Source & attribution
- Author: VoltAgent
- Licence: MIT
- Type: Community
Reused under a permissive licence. Preserve attribution when forking.
Caveats
Not a pen-test. Rule-based scanner with LLM judgement — can miss logic-level exploits.
Related skills
PR Review
Runs a multi-angle review on an open PR: correctness, style, tests, security, and docs.
Dependency Audit
Checks every dependency's licence — flags GPL contamination, commercial-incompatible licences, missing attribution.
Legal Sweep
Audits a site for a legal disclaimer page + footer link; creates and wires up if missing.