# Audit Application Security Risks

Security reviews often miss common vulnerability patterns and weak design choices. This skill gives Claude, Codex, and Claude Code structured guidance for application security audits and remediation planning.

## Install

```bash
npx skillstore add bikach/security-guardian
```

## Metadata

- Slug: bikach-security-guardian
- Version: 1.0.0
- Author: Bikach
- GitHub username: Bikach
- License: MIT
- Repository: https://github.com/Bikach/skills-claude-code/tree/main/security-guardian
- Ref: main
- Supported tools: Claude, Codex, Claude Code
- Risk level: medium
- Risk factors: external_commands, network, scripts, filesystem, env_access
- Quality score: 50
- Quality tier: warning
- Public page: https://skillstore.pages.dev/skills/bikach-security-guardian
- Manifest: https://skillstore.pages.dev/api/skills/bikach-security-guardian/manifest

## Capabilities

- Guides reviews for OWASP Top 10 vulnerabilities across web and API code.
- Provides checklists for authentication, authorization, secrets, cryptography, logging, and data protection.
- Helps classify security findings by severity, impact, and remediation priority.
- Documents vulnerable patterns for SQL injection, XSS, CSRF, SSRF, XXE, path traversal, and command injection.
- Suggests defensive controls such as input validation, safe token handling, rate limiting, and secure file upload checks.

## Use Cases

- Review a sensitive pull request: Check authentication, authorization, validation, and data access changes before merging high-risk code.
- Plan a secure feature design: Identify abuse cases, required controls, logging needs, and privacy risks before implementation starts.
- Prepare a remediation report: Turn discovered vulnerabilities into prioritized fixes with clear impact, owner guidance, and verification steps.

## Prompt Templates

### Basic security review

```
Review this change for application security risks. Focus on input validation, authentication, authorization, secrets, and unsafe data handling. Report findings with severity, impact, and remediation.
```

### OWASP focused audit

```
Audit this feature against the OWASP Top 10. Identify likely vulnerabilities, explain why each matters, and list concrete fixes that fit the existing codebase.
```

### Authentication and authorization review

```
Analyze this authentication and authorization flow. Check token handling, session lifecycle, MFA, RBAC or IDOR risks, brute-force protection, and audit logging.
```

### Advanced threat model and remediation plan

```
Create a threat model for this feature, then perform a security review. Prioritize exploitable risks, map each to likely impact, propose remediations, and define verification tests.
```

## Limitations

- It is guidance content, not an automated scanner with guaranteed coverage.
- It may require project context to avoid false positives and false negatives.
- It includes dual-use exploit examples for defensive testing and should be used only on authorized systems.
- It does not replace professional penetration testing or compliance review.

## Best Practices

- Run reviews on code and systems you own or are authorized to test.
- Provide the surrounding code path, framework, threat model, and deployment context.
- Ask for remediation steps and verification tests for every confirmed issue.

## Anti Patterns

- Do not use exploit examples against third-party systems without authorization.
- Do not treat every pattern match as a confirmed vulnerability without context.
- Do not paste real secrets, private keys, or production customer data into prompts.

## Security Audit

- Safe to publish: true
- Audited at: 2026-06-28T15:16:55.178+00:00
- Summary: Static analysis detected many dangerous command, network, filesystem, script, and secret patterns. Manual review found these are primarily security-training examples and audit checklists, not executable code or hidden exfiltration. The skill is publishable with a medium dual-use warning because it documents exploit payloads and sensitive target examples.

## Stats

- Views: 180
- Downloads: 6
- Favorites: 0
- Popularity score: 0
