Security Audit

Professional security audit skill for web apps and APIs with structured severity-based findings and remediation plans.

Install
cmdop skills install agensi-security-audit

The Security Audit skill is a framework for reviewing web applications, backend services, and APIs for critical security vulnerabilities. It is compatible with Claude Code, Codex, and OpenCode. The skill systematically analyzes entry points, trust boundaries, and data paths, covering authentication and authorization flows, session management, input validation, output safety (including XSS and SQL injection prevention), dependency hygiene, configuration hardening, and API transport security and exposure.

Rather than producing generic observations, the skill follows a structured methodology focused on defensible, high-impact risks. It applies a red-teaming approach to surface insecure defaults and missing hardening steps that are commonly overlooked during standard code reviews.

Output takes the form of a structured security report organized by severity level. Each finding includes a concise risk statement, specific evidence drawn from the codebase under review, and a concrete remediation plan. This makes findings immediately actionable rather than requiring further interpretation.

This is a skill, not an MCP server, so it has no tool list and does not integrate via MCP transport. It is suitable when an agent workflow needs a repeatable, structured pass over application code to identify security issues across the coverage areas listed above.

Use cases

  • Audit a web application's authentication and authorization logic for common flaws before a production release
  • Identify SQL injection and XSS risks in an API's input validation and output handling
  • Review infrastructure and service configuration for insecure defaults and missing hardening
  • Check dependency hygiene for known vulnerable or misconfigured packages
  • Generate a severity-categorized security report with per-finding remediation steps for a backend service
  • Automate a red-teaming pass over a codebase within a Claude Code, Codex, or OpenCode workflow

When to use it

  • When an agent workflow requires a structured, repeatable security review of web app or API code
  • When findings must be organized by severity and accompanied by specific evidence and remediation guidance
  • When the target environment runs Claude Code, Codex, or OpenCode
  • When the goal is to catch authentication, session, input validation, or configuration issues before deployment

When not to use it

  • When the runtime is not Claude Code, Codex, or OpenCode, as those are the only supported tools
  • When MCP server integration or tool-call-based access to live systems is required — this is a skill, not an MCP server
  • When the scope is infrastructure vulnerability scanning or network-level penetration testing rather than code and configuration review
  • When a formal compliance certification or human penetration test sign-off is required