Share
## https://sploitus.com/exploit?id=4FA96075-B153-5F41-A4AF-D722A7EAD825
# security-audit

A Claude Code skill + plugin marketplace for auditing web apps for security vulnerabilities โ€” whether on your own codebase (defensive audit before you ship) or on a project you have written authorization to audit (GHSA collaborator, bug-bounty scope, CTF engagement).

**What Claude does with it:**

1. **Detects the mode** โ€” is this a codebase it can read directly (source-code audit), a URL it can only reach over HTTP (black-box probing), or both?
2. **Runs the right checklist** โ€” grep-based source-code audit with ripgrep patterns for every major class (auth bugs, IDOR, SSRF, injection, crypto misuse, file handling, race conditions, rate limits, CORS/CSRF, Docker/CI), OR black-box probing (subdomain enum, port scan, TLS/DNS, exposed admin surfaces, error-shape oracle for internal topology, version fingerprint via `/health`).
3. **Server/infrastructure sweep** โ€” management ports, cloud metadata endpoints, CDN bypass to origin IP, container image version vs upstream stable, backup/debug file exposure.
4. **Rate-limit deep-dive** โ€” the four questions (is there a limit at all / is the counter distributed across replicas / what key is it bucketing on / what is it actually protecting), plus framework-specific defaults that bite (`express-rate-limit`'s in-memory default, Better-Auth's "memory" storage default, Django's LocMemCache, XFF trust).
5. **After findings exist** โ€” verification discipline, `gh api` advisory workflow, patch delivery when the GHSA temporary private fork is gated to the maintainer.

## Install

### As a Claude Code plugin (recommended)

```
/plugin marketplace add shaxbozaka/security-audit
/plugin install security-audit@security-audit
```

After install the skill appears in the registry and activates automatically when a prompt matches the trigger description.

### Manually (no Claude Code plugin system)

```bash
mkdir -p ~/.claude/skills
git clone https://github.com/shaxbozaka/security-audit ~/.claude/skills/security-audit
```

Restart Claude Code. The skill now lives at `~/.claude/skills/security-audit/SKILL.md` and Claude picks it up at session start.

## When the skill activates

The `description` frontmatter triggers on any of:

- "audit my project" / "audit this codebase" / "security review"
- "how could this get hacked" / "find bugs in this" / "how is this hackable"
- "I have authorization to audit {X}"
- "I'm listed as a collaborator on GHSA-โ€ฆ"
- "bug bounty scope for {program}"
- "CTF engagement on {host}"
- Stack keywords (Node, TypeScript, Next.js, Better-Auth, Drizzle, ORPC, tRPC, Django, Rails, Go) combined with a security-audit context

It's also invokable by name โ€” just ask Claude to "use the security-audit skill."

## What's inside

```
.claude-plugin/marketplace.json   # plugin metadata
SKILL.md                          # core runbook
references/
  poc-templates.md                # 14 reusable probe snippets:
                                  #   1  auth bootstrap
                                  #   2  snapshot probe (living-target)
                                  #   3  rate-limit posture measurement
                                  #   3b distributed-counter smoke test
                                  #   3c X-Forwarded-For bypass test
                                  #   3d cost-inflation probe
                                  #   4  SSRF error-shape oracle +
                                  #      version fingerprint via SSRF
                                  #   5  sanitiser-bypass harness (JSDOM strict)
                                  #   6  security-headers audit
                                  #   7  advisory edit loop (gh api)
                                  #   8  patch-set export for advisory inlining
                                  #   9  cleanup rituals
                                  #   10 server port sweep
                                  #   11 TLS configuration audit
                                  #   12 DNS / subdomain takeover
                                  #   13 origin IP discovery (CDN bypass)
                                  #   14 cloud metadata via SSRF
  source-audit-patterns.md        # deep ripgrep recipes for INSIDE mode:
                                  #   auth, IDOR, SSRF, injection, XSS,
                                  #   file handling, crypto, races,
                                  #   rate-limit framework specifics,
                                  #   CORS/CSRF, Docker/CI, secrets,
                                  #   logic bugs grep can't find
README.md
LICENSE                           # MIT
```

## Non-goals

- **Not a hacking guide.** Every pattern assumes explicit written scope when probing from outside. No evasion techniques, no unauthorized targeting, no zero-day weaponisation.
- **Not a CVE knowledge base.** The skill doesn't enumerate specific vulns. It describes how to find and report them.
- **Not a replacement for funded engagements.** A good runbook beats shrugging improv; it doesn't beat a pentest firm with tooling + threat intel.

## Why this exists

Most security content online is either "101-level OWASP lists" or "obfuscated offensive tooling marketed as red-team." The gap in the middle โ€” actually running an audit on a real codebase: where to grep, which sinks matter, how to confirm a hit, how to measure rate-limit posture without DoS'ing yourself, how to read error strings as a blind port scan, how to fingerprint a container's version from `/health` โ€” is folklore you learn by doing. This skill is that folklore, written down.

## Contributing

PRs welcome, especially:

- Audit patterns for stacks not yet covered (Django, Rails, Go, Elixir, PHP, Java Spring)
- Additional payload libraries for sanitiser harnesses
- Platform-specific disclosure workflows (HackerOne, Bugcrowd, huntr)
- Better patterns for maintainer-communication timing

Please keep contributions **generic** โ€” no references to specific products, engagements, or unpublished vulnerabilities.

## License

MIT. Use it, fork it, ship it.

## Acknowledgements

Distilled from real security audits where the wrong call cost time, trust, or both.