The Security Audit skill is a framework for reviewing web applications, backend services, and APIs for critical security vulnerabilities. It is compatible with Claude Code, Codex, and OpenCode. The skill systematically analyzes entry points, trust boundaries, and data paths, covering authentication and authorization flows, session management, input validation, output safety (including XSS and SQL injection prevention), dependency hygiene, configuration hardening, and API transport security and exposure.
Rather than producing generic observations, the skill follows a structured methodology focused on defensible, high-impact risks. It applies a red-teaming approach to surface insecure defaults and missing hardening steps that are commonly overlooked during standard code reviews.
Output takes the form of a structured security report organized by severity level. Each finding includes a concise risk statement, specific evidence drawn from the codebase under review, and a concrete remediation plan. This makes findings immediately actionable rather than requiring further interpretation.
This is a skill, not an MCP server, so it has no tool list and does not integrate via MCP transport. It is suitable when an agent workflow needs a repeatable, structured pass over application code to identify security issues across the coverage areas listed above.