kunthawat/opencode-skill
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Activity
Files
014f60b4af14c02b6cfd9cfc27382fe23bd4e090
opencode-skill/skills/security-auditor/SKILL.md
Kunthawat Greethong 7edf5bc4d0 feat: Import 35+ skills, merge duplicates, add openclaw installer 
Major updates:
- Added 35+ new skills from awesome-opencode-skills and antigravity repos
- Merged SEO skills into seo-master
- Merged architecture skills into architecture
- Merged security skills into security-auditor and security-coder
- Merged testing skills into testing-master and testing-patterns
- Merged pentesting skills into pentesting
- Renamed website-creator to thai-frontend-dev
- Replaced skill-creator with github version
- Removed Chutes references (use MiniMax API instead)
- Added install-openclaw-skills.sh for cross-platform installation
- Updated .env.example with MiniMax API credentials
2026-03-26 11:37:39 +07:00

6.2 KiB
Raw Blame History

name, description
name description
security-auditor Master security auditor combining vulnerability scanning, web security testing, DevSecOps, and compliance frameworks. Use when auditing security, performing vulnerability assessments, or testing for OWASP Top 10.

Security Auditor

Comprehensive security skill combining: vulnerability scanning, web security testing, DevSecOps, OWASP Top 10, and compliance frameworks.

Quick Reference

Task Use Section
Scan for vulnerabilities Vulnerability Scanning
Test web application Web Security Testing
Audit security controls Security Audit
Check compliance Compliance Frameworks
Review authentication Auth Security
DevSecOps integration Security Automation

Vulnerability Scanning

Core Principles:

Principle Application
Assume Breach Design as if attacker already inside
Zero Trust Never trust, always verify
Defense in Depth Multiple layers, no single point
Least Privilege Minimum required access only
Fail Secure On error, deny access

OWASP Top 10 (2025)

  1. A01 - Broken Access Control
  2. A02 - Cryptographic Failures
  3. A03 - Injection
  4. A04 - Insecure Design
  5. A05 - Security Misconfiguration
  6. A06 - Vulnerable Components
  7. A07 - Auth Failures
  8. A08 - Data Integrity Failures
  9. A09 - Logging Failures
  10. A10 - SSRF

Scanning Process

  1. Reconnaissance - Map attack surface
  2. Enumeration - Identify vulnerabilities
  3. Exploitation - Verify findings
  4. Documentation - Report findings
  5. Remediation - Suggest fixes

Web Security Testing

OWASP Top 10 Testing Checklist

A01 - Broken Access Control

  • Horizontal/vertical privilege escalation
  • IDOR (Insecure Direct Object Reference)
  • CORS misconfiguration
  • JWT token manipulation
  • Missing function-level access control

A02 - Cryptographic Failures

  • Sensitive data exposure (PII, credentials)
  • Weak encryption algorithms
  • Default/hardcoded credentials
  • Insufficient key rotation
  • Client-side encryption only

A03 - Injection

  • SQL injection (error-based, blind, time-based)
  • NoSQL injection
  • Command injection
  • LDAP injection
  • XPath injection
  • ORM injection

A04 - Insecure Design

  • Business logic flaws
  • Rate limiting bypass
  • Workflow bypasses
  • Race conditions
  • Mass assignment

A05 - Security Misconfiguration

  • Default credentials
  • Unnecessary features enabled
  • Error handling (stack traces)
  • Cloud misconfigurations
  • Missing security headers

A06 - Vulnerable Components

  • Outdated dependencies
  • Unpatched vulnerabilities
  • License compliance
  • Component integrity

A07 - Auth Failures

  • Weak password policies
  • Credential stuffing
  • Session fixation/hijacking
  • Missing MFA
  • Password reset flaws

A08 - Data Integrity Failures

  • SSRF (Server-Side Request Forgery)
  • XXE (XML External Entities)
  • Deserialization attacks
  • Supply chain attacks

A09 - Logging Failures

  • Insufficient logging
  • Missing alerts
  • Undetected breaches
  • Audit trail gaps

A10 - SSRF

  • URL validation bypass
  • Cloud metadata access
  • Internal port scanning

Security Audit

Audit Checklist

  1. Scope Definition - Assets, systems, boundaries
  2. Threat Modeling - Attack vectors, likelihood, impact
  3. Control Review - Technical and administrative controls
  4. Vulnerability Assessment - Automated + manual testing
  5. Risk Prioritization - CVSS scoring, business impact
  6. Remediation Planning - Short-term and long-term fixes
  7. Report Generation - Executive summary, technical details

Security Headers Checklist

Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Content-Security-Policy: default-src 'self'
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: geolocation=(), microphone=(), camera=()

DevSecOps & Security Automation

CI/CD Security Pipeline

  1. SAST - Static Application Security Testing
  2. DAST - Dynamic Application Security Testing
  3. SCA - Software Composition Analysis
  4. Secrets Scanning - Detect credentials in code
  5. Container Scanning - Image vulnerability scanning
  6. Infrastructure Scanning - Cloud configuration

Tools

  • SAST: SonarQube, Semgrep, Bandit
  • DAST: OWASP ZAP, Burp Suite, Nuclei
  • SCA: Snyk, Dependabot, Renovate
  • Secrets: GitLeaks, TruffleHog
  • Containers: Trivy, Clair, Anchore

Authentication & Authorization Security

Auth Patterns to Audit

  • Password hashing (bcrypt, Argon2)
  • MFA implementation
  • Session management
  • Token handling (JWT, OAuth)
  • Password reset flows
  • Account lockout policies

OAuth 2.0 Security

  • Authorization code flow (not implicit)
  • PKCE for public clients
  • State parameter validation
  • Redirect URI validation
  • Token expiration and rotation
  • Scope minimization

Compliance Frameworks

Framework Focus
SOC 2 Security, Availability, Confidentiality
ISO 27001 Information Security
GDPR EU Data Protection
HIPAA Healthcare Data
PCI DSS Payment Card Data
NIST Cybersecurity Framework

Remediation Priorities

Critical (P0)

  • RCE, SQL injection, authentication bypass
  • Fix within 24-48 hours

High (P1)

  • XSS, CSRF, IDOR
  • Fix within 1-2 weeks

Medium (P2)

  • Security misconfiguration, weak crypto
  • Fix within 1 month

Low (P3)

  • Missing headers, info disclosure
  • Fix within 3 months

Best Practices

  1. Shift Left - Security testing early in SDLC
  2. Defense in Depth - Multiple security layers
  3. Zero Trust - Never trust, always verify
  4. Least Privilege - Minimum required permissions
  5. Secure Defaults - Safe out-of-the-box
  6. Fail Securely - Errors should deny access
  7. Defense in Depth - No single control is enough
Reference in New Issue View Git Blame Copy Permalink