Security Auditor
Identifies potential vulnerabilities and misconfigurations in cloud environments based on industry best practices and erichowens' expertise.
Install on your platform
Run in terminal (recommended)
claude mcp add erichowens-security-auditor npx -- -y @trustedskills/erichowens-security-auditor
Or manually add to ~/.claude/settings.json

{
  "mcpServers": {
    "erichowens-security-auditor": {
      "command": "npx",
      "args": [
        "-y",
        "@trustedskills/erichowens-security-auditor"
      ]
    }
  }
}

Requires Claude Code (claude CLI). Run claude --version to verify your install.
About This Skill
What it does
The Security Auditor skill performs comprehensive security scanning of codebases to identify potential vulnerabilities and misconfigurations before they lead to incidents. It focuses on providing actionable findings with remediation guidance, covering dependency vulnerability scanning, secret/credential leak detection, and static application security testing (SAST) based on the OWASP Top 10. This is a coding assistant skill designed for developers and security teams.
When to use it
- Pre-deployment security audits: Before releasing new code or features.
- Dependency vulnerability scanning: Regularly check project dependencies for known vulnerabilities.
- Secret/credential leak detection: Identify accidentally committed sensitive information like API keys or passwords.
- Pre-PR security reviews: Integrate into the pull request workflow to catch issues early.
- Security posture reports: Generate summaries of identified risks for stakeholders.
Key capabilities
- Dependency Scanning: Supports the npm, yarn, pip, and cargo package managers, reporting known vulnerabilities with severity levels (critical, high, moderate, low).
- Secret Detection: Identifies potential secrets using pattern matching and entropy analysis, including API keys, AWS credentials, private keys, JWT tokens, and connection strings. Includes a decision tree for handling false positives.
- OWASP Top 10 Static Analysis: Checks code against the OWASP Top 10 vulnerabilities, looking for patterns like missing authentication checks, weak cryptographic algorithms, injection flaws, and insecure design elements.
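To make the secret-detection capability concrete, here is an added example of how pattern matching, entropy scoring and a false-positive decision tree fit together. It is illustrative code written for this page, not the skill's own implementation: the regexes, the 4.0 bits-per-character entropy threshold, the placeholder word list and the sample file contents are all assumptions, and the key-like values in the sample are synthetic (the one AKIA...EXAMPLE value is the documented AWS placeholder, included to show suppression).

```python
import math
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample file contents. Every value here is synthetic or a public
# documentation placeholder; none is a real credential.
SAMPLE_SOURCE = """\
AWS_ACCESS_KEY_ID=AKIAQ3ZX7LM2PV8NT4DW
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYzQ9mL2kT4v
DB_URL=postgres://app:s3cr3tP4ss@db.internal:5432/prod
token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0.sflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
-----BEGIN RSA PRIVATE KEY-----
DEBUG=true
api_key_hash = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
password = "CHANGE_ME_BEFORE_DEPLOY"
# README sample: AKIAIOSFODNN7EXAMPLE
"""

# Specific, well-known secret shapes: a match is high confidence on its own.
SPECIFIC_PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private-key-block": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\b"),
    # scheme://user:password@host... -- a credential embedded in a URL
    "connection-string-with-password": re.compile(
        r"\b[a-z][a-z0-9+.-]*://[^\s:/@]+:[^\s@]+@[^\s]+"),
}
# Generic shape: a secret-ish variable name assigned a long token. Needs entropy
# analysis because the pattern alone matches hashes, placeholders and IDs.
GENERIC_ASSIGNMENT = re.compile(
    r"(?i)\b[\w.-]*(secret|password|passwd|token|api[_-]?key|key)[\w.-]*"
    r"\s*[:=]\s*[\"']?([A-Za-z0-9+/_\-=.]{16,})")
PLACEHOLDER = re.compile(r"(?i)(example|changeme|change_me|placeholder|xxxx|dummy|your[_-])")
HEX_DIGEST = re.compile(r"[0-9a-f]{32,}")
ENTROPY_THRESHOLD = 4.0  # assumed: random base64 scores ~5+, hex tops out at 4.0


@dataclass
class Finding:
    line_no: int
    kind: str
    confidence: str  # "high" (specific pattern) or "medium" (keyword + entropy)
    status: str      # "report" or "suppressed"
    reason: str
    value: str


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's byte distribution."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def triage(value: str, confidence: str) -> tuple[str, str]:
    """False-positive decision tree applied to every candidate value."""
    if PLACEHOLDER.search(value):
        return "suppressed", "placeholder or documentation example"
    if HEX_DIGEST.fullmatch(value):
        return "suppressed", "hex digest (hash, not a credential)"
    if confidence == "medium" and shannon_entropy(value) < ENTROPY_THRESHOLD:
        return "suppressed", "low entropy for a keyword-only match"
    return "report", "matches secret pattern"


def scan(text: str) -> list[Finding]:
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        matched_specific = False
        for kind, pattern in SPECIFIC_PATTERNS.items():
            for m in pattern.finditer(line):
                matched_specific = True
                status, reason = triage(m.group(0), "high")
                findings.append(Finding(line_no, kind, "high", status, reason, m.group(0)))
        if matched_specific:
            continue  # don't double-report the same line via the generic rule
        m = GENERIC_ASSIGNMENT.search(line)
        if m:
            value = m.group(2)
            status, reason = triage(value, "medium")
            findings.append(Finding(line_no, "keyword-with-high-entropy-value",
                                    "medium", status, reason, value))
    return findings


def reported(findings: list[Finding]) -> list[Finding]:
    return [f for f in findings if f.status == "report"]


if __name__ == "__main__":
    for f in scan(SAMPLE_SOURCE):
        print(f"line {f.line_no}: {f.status:10} {f.confidence:6} {f.kind} ({f.reason})")
```

On the sample above, lines 1 to 5 are reported (four high-confidence pattern hits plus one medium-confidence entropy hit on the AWS secret key), while the SHA-256 digest, the CHANGE_ME placeholder and the documentation example key are suppressed with a stated reason. Keeping suppressed items in the output, rather than dropping them, is what lets a reviewer audit the decision tree itself.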
Example prompts
- "Run a full security audit on this project."
- "Scan for any leaked secrets in this codebase."
- "Check this file for OWASP Top 10 vulnerabilities."
Tips & gotchas
- This skill is designed for code-level SAST and does not handle runtime security, network security, or compliance requirements (SOC2/HIPAA/PCI).
- The skill relies on pattern matching, which produces false positives. Review every finding before acting on it, including those flagged as high confidence; confirm that a flagged value is really a live credential or an exploitable code path rather than a fixture, placeholder or hash.
- For critical severity vulnerabilities, immediate remediation and deployment blocking are recommended.
TrustedSkills Verification
Unlike other registries that point to live repositories, TrustedSkills pins every skill to a verified commit hash. This protects you from malicious updates — what you install today is exactly what was reviewed and verified.
Security Audits
| Scanner | Result |
|---|---|
| Gen Agent Trust Hub | Pass |
| Socket | Pass |
| Snyk | Pass |
Passed automated security scans.