security-audit
A Claude Code skill + plugin marketplace for auditing web apps for security vulnerabilities — whether on your own codebase (defensive audit before you ship) or on a project you have written authorization to audit (GHSA collaborator, bug-bounty scope, CTF engagement).
What Claude does with it:
- Detects the mode — is this a codebase it can read directly (source-code audit), a URL it can only reach over HTTP (black-box probing), or both?
- Runs the right checklist — grep-based source-code audit with ripgrep patterns for every major class (auth bugs, IDOR, SSRF, injection, crypto misuse, file handling, race conditions, rate limits, CORS/CSRF, Docker/CI), OR black-box probing (subdomain enum, port scan, TLS/DNS, exposed admin surfaces, error-shape oracle for internal topology, version fingerprint via
/health).
- Server/infrastructure sweep — management ports, cloud metadata endpoints, CDN bypass to origin IP, container image version vs upstream stable, backup/debug file exposure.
- Rate-limit deep-dive — the four questions (is there a limit at all / is the counter distributed across replicas / what key is it bucketing on / what is it actually protecting), plus framework-specific defaults that bite (
express-rate-limit's in-memory default, Better-Auth's "memory" storage default, Django's LocMemCache, XFF trust).
- After findings exist — verification discipline,
gh api advisory workflow, patch delivery when the GHSA temporary private fork is gated to the maintainer.
Install
As a Claude Code plugin (recommended)
/plugin marketplace add shaxbozaka/security-audit
/plugin install security-audit@security-audit
After install the skill appears in the registry and activates automatically when a prompt matches the trigger description.
Manually (no Claude Code plugin system)
mkdir -p ~/.claude/skills
git clone https://github.com/shaxbozaka/security-audit ~/.claude/skills/security-audit
Restart Claude Code. The skill now lives at ~/.claude/skills/security-audit/SKILL.md and Claude picks it up at session start.
When the skill activates
The description frontmatter triggers on any of:
- "audit my project" / "audit this codebase" / "security review"
- "how could this get hacked" / "find bugs in this" / "how is this hackable"
- "I have authorization to audit {X}"
- "I'm listed as a collaborator on GHSA-…"
- "bug bounty scope for {program}"
- "CTF engagement on {host}"
- Stack keywords (Node, TypeScript, Next.js, Better-Auth, Drizzle, ORPC, tRPC, Django, Rails, Go) combined with a security-audit context
It's also invokable by name — just ask Claude to "use the security-audit skill."
What's inside
.claude-plugin/marketplace.json # plugin metadata
SKILL.md # core runbook
references/
poc-templates.md # 14 reusable probe snippets:
# 1 auth bootstrap
# 2 snapshot probe (living-target)
# 3 rate-limit posture measurement
# 3b distributed-counter smoke test
# 3c X-Forwarded-For bypass test
# 3d cost-inflation probe
# 4 SSRF error-shape oracle +
# version fingerprint via SSRF
# 5 sanitiser-bypass harness (JSDOM strict)
# 6 security-headers audit
# 7 advisory edit loop (gh api)
# 8 patch-set export for advisory inlining
# 9 cleanup rituals
# 10 server port sweep
# 11 TLS configuration audit
# 12 DNS / subdomain takeover
# 13 origin IP discovery (CDN bypass)
# 14 cloud metadata via SSRF
source-audit-patterns.md # deep ripgrep recipes for INSIDE mode:
# auth, IDOR, SSRF, injection, XSS,
# file handling, crypto, races,
# rate-limit framework specifics,
# CORS/CSRF, Docker/CI, secrets,
# logic bugs grep can't find
README.md
LICENSE # MIT
Non-goals
