Stats
Actions
Tags
From pm-ai-shipping
Static security audit of AI-built code — map trust boundaries, cross-reference documented intent, self-refute every finding, and report only evidence-backed risks
How this command is triggered — by the user, by Claude, or both
Slash command
/pm-ai-shipping:security-audit-static <repo path or area; defaults to the whole repository>The summary Claude sees in its command listing — used to decide when to auto-load this command
# /security-audit-static -- Audit the Code You Already Have A focused, self-contained security audit for AI-built code. It keeps a small, durable engine — map the boundaries, check intent against implementation, refute before reporting — and refuses to emit anything it can't back with cited evidence. This is a review, not a guarantee: it produces code-review findings, not confirmed exploits. > Method adapted from the public, Apache-2.0 `security-guidance` plugin in Anthropic's > `claude-plugins-official` repository. Not affiliated with or endorsed by Anthropic. ## Invocation ## Scope...
A focused, self-contained security audit for AI-built code. It keeps a small, durable engine — map the boundaries, check intent against implementation, refute before reporting — and refuses to emit anything it can't back with cited evidence.
This is a review, not a guarantee: it produces code-review findings, not confirmed exploits.
Method adapted from the public, Apache-2.0
security-guidanceplugin in Anthropic'sclaude-plugins-officialrepository. Not affiliated with or endorsed by Anthropic.
/security-audit-static
/security-audit-static supabase/functions
Audit $ARGUMENTS. If empty, audit the whole repository, prioritizing request handlers, auth, data access, background jobs, and anything that renders, fetches, executes, logs, or stores user-controlled data. For non-trivial scopes, fan out with parallel subagents — one per function/module cluster, each running the mapping and inspection (steps 1–3); then merge candidates and run the self-refute (step 4) yourself over the full set.
Optimize for recall first — read every file in scope in full, then grep for handler, route, RPC, and shared-helper names to find callers and downstream sinks. Reading the file that contains the bug is what prevents missing it.
Entry points: HTTP/RPC handlers, edge/serverless functions, webhooks, queue consumers, upload handlers, auth callbacks, cron-triggered endpoints. Sinks: raw SQL / query filters, shell/exec, eval / new Function / dynamic imports, HTML render and templates, outbound fetches, filesystem paths, IAM/role writes, logs and analytics, deserializers (incl. YAML/XML and archive extraction), response headers / cache-control, and LLM prompts and tool calls (prompt injection). For every value reaching a sink, decide whether an attacker can influence it and trace it back to its source.
Authorization, data access, session/identity, and input→output encoding. Compare sibling handlers — if one enforces a check another omits, the omission is a finding. Follow cross-file flows; input in module A reaching a dangerous operation in module B is where the real bugs hide.
Apply the intended-vs-implemented skill against /documentation/*.md. A rule documented but not enforced in code is a finding on its own. If the docs are absent, note it and recommend /document-app first — an intent audit needs intent on record.
For each finding, try to disprove it. Default to keep unless you find cited evidence (file + line) for one of: a real sanitizer/encoder/validator/authorization check stops the exploit at the sink; the sink is non-dangerous (typed, hardcoded, isolated, schema-decoded); a frontend gate is independently re-enforced on the backend; an unvalidated credential is immediately forwarded to an upstream system that validates it; a config/flag gates the path and users can't influence it per request; or the path isn't reachable in production.
Name the attacker and the victim: refute if the only victim is the attacker on their own machine/account/tenant/data and no shared system or privilege boundary is crossed; keep if the impact reaches other users, tenants, shared infrastructure, billing, email reputation, secrets, or compliance-sensitive data. Never apply attacker-equals-victim refutation to SSRF/outbound-network sinks, shared billing or quota sinks, data-exposure findings, cross-tenant or cross-principal flows, or server-side execution/rendering — those harm someone other than the attacker by definition. Never refute a finding merely because the code is pre-existing — pre-existing bugs are the point. Do not speculate.
Apply these — they're where AI-built apps most often fail:
?source=cron, ?bot=1, guessable headers, or unsigned webhook-like payloads instead of real auth. Raise severity when the endpoint mutates data, sends email, or triggers paid usage.<title>, attributes, JSON-LD, SQL, or Markdown must be encoded for that sink; input validation doesn't count. (XSS, CSP gaps.)startsWith/substring allowlists, URL-parser disagreement, encoding/case/slash/path-normalization mismatch, or validation on one representation and execution on another.catch, timeout, cancellation, cache-miss, stale-cache, feature-flag, or boundary-value branches that default to allow. AI code loves a permissive fallback.Group surviving findings by file, sorted by severity, in the standard format:
Security Audit: [scope]
<file>:
N. [SEVERITY] [Category] <location>
Risk Level: Critical | High | Medium | Low
Attack Scenario: <attacker -> sink -> impact, step by step>
Impact: <what data or functionality is compromised>
Solution: <concrete code change>
End with: the root-cause theme across findings; what is well-built — say it explicitly; and what you could not verify and the user should double-check. Optionally write the report to /reports/security_audit_{timestamp}.md.
/performance-audit-static./ship-check.npx claudepluginhub gaoflyx-ux/rpg-0.1 --plugin pm-ai-shipping