octopus-security-audit

Host: Codex CLI — This skill was designed for Claude Code and adapted for Codex. Cross-reference commands use installed skill names in Codex rather than /octo:* slash commands. Use the active Codex shell and subagent tools. Do not claim a provider, model, or host subagent is available until the current session exposes it. For host tool equivalents, see skills/blocks/codex-host-adapter.md.

Execution Contract (MANDATORY - CANNOT SKIP)

This generated Codex skill preserves an enforced workflow contract from the source skill.

PROHIBITED:

• Do not summarize, simulate, or skip the referenced workflow command when this skill requires execution.
• Do not claim provider output or validation artifacts exist without checking the actual files or command output.
• Do not continue silently when a required provider, command, or host capability is unavailable; report the unavailable dependency and use a supported fallback.

Security Audit Skill

Your first output line MUST be: 🐙 **CLAUDE OCTOPUS ACTIVATED** - Security Audit

Invokes the security-auditor persona for thorough security analysis during the ink (deliver) phase. Supports both quick OWASP scanning and full adversarial red/blue team testing.

Usage

# Quick scan via security-auditor persona
${HOME}/.claude-octopus/plugin/scripts/orchestrate.sh spawn security-auditor "Scan for SQL injection vulnerabilities"

# Adversarial red team via squeeze workflow
${HOME}/.claude-octopus/plugin/scripts/orchestrate.sh squeeze "Security audit the authentication module"

# Via auto-routing (detects security intent)
${HOME}/.claude-octopus/plugin/scripts/orchestrate.sh auto "security audit the payment processing module"

Modes (Auto-Detected)

Mode	Auto-Trigger	Confidence Gate	Scope
Quick (default)	Standard security scan, no sensitive files in diff	8/10 — only high-confidence findings	Changed files only
Deep (auto-escalated)	Diff touches auth/security/CI files, OR explicit request	2/10 — flag anything suspicious	Entire codebase

Auto-escalation to Deep mode: The skill automatically switches to Deep mode when ANY of these are true:

• Diff includes files matching: *auth*, *login*, *password*, *session*, *token*, *secret*, *crypt*, *oauth*, *saml*, *jwt*, *permission*, *rbac*, *acl*
• Diff includes CI/CD files: .github/workflows/*, Dockerfile*, docker-compose*, .gitlab-ci*
• Diff includes dependency files: package-lock.json, yarn.lock, Gemfile.lock, requirements.txt, go.sum
• The user explicitly says "deep", "full", "comprehensive", or "CSO"

No user action needed — mode detection happens automatically from the git diff context.

Capabilities

Core (both modes)

• OWASP Top 10 vulnerability detection
• SQL injection and XSS scanning
• Authentication/authorization review
• Secrets and credential detection
• Dependency vulnerability assessment
• Security configuration review

Secrets Archaeology (Deep mode)

Scan git history for leaked credentials that may have been "deleted" but remain in commits:

# Search git history for common secret patterns
git log --all -p --diff-filter=D -- '*.env' '*.key' '*.pem' 2>/dev/null | head -200
git log --all -p -S 'AKIA' --pickaxe-regex 2>/dev/null | head -100  # AWS keys
git log --all -p -S 'sk-[a-zA-Z0-9]{20,}' --pickaxe-regex 2>/dev/null | head -100  # API keys
git log --all -p -S 'ghp_|gho_|github_pat_' --pickaxe-regex 2>/dev/null | head -100  # GitHub tokens
git log --all -p -S 'password\s*[:=]' --pickaxe-regex 2>/dev/null | head -100  # Passwords

Report any findings with the commit SHA, file, and recommendation to rotate the credential.

CI/CD Pipeline Security (Deep mode)

Audit GitHub Actions and CI configuration for injection and privilege escalation:

# Find all workflow files
find .github/workflows -name '*.yml' -o -name '*.yaml' 2>/dev/null

# Check for dangerous patterns:
# 1. Untrusted input in run: blocks (command injection via PR titles/branch names)
# 2. pull_request_target with checkout of PR code (code execution from forks)
# 3. Overly broad permissions (write-all, contents: write)
# 4. Missing pinned action versions (uses: actions/checkout vs actions/checkout@v4)
# 5. Secrets exposed to pull_request events (accessible to forks)

Flag each finding with severity (CRITICAL/HIGH/MEDIUM/LOW).

Skill & Plugin Supply Chain (Deep mode)

Verify integrity of installed Claude Code skills and plugins:

# List installed plugins
ls -la ~/.claude/plugins/ 2>/dev/null

# Check for skills that execute arbitrary bash
grep -r 'exec\|eval\|bash -c' ~/.claude/skills/*/SKILL.md 2>/dev/null | head -20

# Verify plugin sources (are they from known registries?)
cat ~/.claude/plugins/*/plugin.json 2>/dev/null | grep -E '"source"|"registry"'

STRIDE Threat Modeling (Deep mode)

For the target component, enumerate threats across all 6 STRIDE categories:

Category	Question
Spoofing	Can an attacker impersonate a user or component?
Tampering	Can data be modified in transit or at rest?
Repudiation	Can actions be denied without audit trail?
Information Disclosure	Can sensitive data leak through logs, errors, or side channels?
Denial of Service	Can the service be overwhelmed or starved?
Elevation of Privilege	Can a low-privilege user gain admin access?

Persona Reference

This skill wraps the security-auditor persona defined in:

• agents/personas/security-auditor.md
• CLI: codex-review
• Model: gpt-5.2-codex
• Phases: ink
• Expertise: owasp, vulnerability-scanning, security-review

Example Prompts

"Scan for hardcoded credentials in the codebase"
"Check for CSRF vulnerabilities in form handlers"
"Review the API authentication implementation"
"Red team review the payment API"

Adversarial Mode (squeeze workflow)

For comprehensive security testing, use the squeeze workflow which runs a 4-phase adversarial cycle:

1. Blue Team (Defense): Codex reviews code, identifies attack surface, proposes defenses
2. Red Team (Attack): Gemini attempts to break defenses, generates exploit PoCs
3. Remediation (Fix): Codex patches all vulnerabilities found
4. Validation (Verify): Gemini re-tests, confirms fixes or fails

${HOME}/.claude-octopus/plugin/scripts/orchestrate.sh squeeze "[user's security request]"

OWASP Top 10 Coverage

• Broken Access Control
• Cryptographic Failures
• Injection
• Insecure Design
• Security Misconfiguration
• Vulnerable Components
• Authentication Failures
• Software Integrity Failures
• Logging & Monitoring Failures
• Server-Side Request Forgery

Additional Attack Patterns

• Race conditions, business logic flaws
• Denial of service, information disclosure
• Client-side attacks (XSS, CSRF)

Advanced Options

# Focus on specific vulnerabilities
${HOME}/.claude-octopus/plugin/scripts/orchestrate.sh squeeze --principles security "Audit for auth bypass only"

# Loop until all vulnerabilities fixed
${HOME}/.claude-octopus/plugin/scripts/orchestrate.sh squeeze --loop --quality 100 "Zero tolerance audit"

When to Use Adversarial Mode

Aspect	Quick Scan (spawn)	Adversarial (squeeze)
Speed	1-2 min	5-10 min
Depth	Single perspective	Blue + Red team
Output	Issue list	Exploit PoCs + fixes
Best for	Pre-commit checks	Pre-deployment review

When NOT to Use This

• Production systems (use real pentest tools)
• Compliance audits (use certified auditors)
• Legal verification (consult security lawyers)

Do use for: pre-commit security checks, development-phase testing, architecture security review, CI/CD security gates.