[Skill] security-audit — audit web apps for vulnerabilities (inside-codebase or external authorized)

[shaxbozaka]

Hi all 👋

I published a Claude Code skill for auditing web apps for security vulnerabilities — works both on your own codebase (defensive pre-audit) and on projects you have written authorization to audit (GHSA collaborator, bug-bounty scope, CTF).

Repo: https://github.com/shaxbozaka/security-audit

Install:

/plugin marketplace add shaxbozaka/security-audit
/plugin install security-audit@security-audit

What it does

First it detects the mode — can Claude read your filesystem (INSIDE audit) or does it only have a URL (OUTSIDE black-box), or both. Then it runs the right checklist:

• INSIDE — 15-step ripgrep-backed source-code audit: auth bugs, IDOR, SSRF, injection, XSS, file handling, crypto misuse, race conditions, rate limits, CORS/CSRF, Docker/CI, secrets, logic bugs grep can't find.
• OUTSIDE — 8-step black-box probing: subdomain enum via CT logs, port scan, TLS config, DNS/SPF/DMARC/CAA, exposed admin surfaces, auth posture, error-shape oracle for internal topology, version fingerprint via /health.
• Server sweep (applies to both) — management ports (2375/2377, 6443/10250, 5432, 6379, 27017, 9200, 11211), cloud metadata endpoints, origin IP discovery / CDN bypass, container image version lag, per-framework backup/debug-file exposure (Rails /rails/info/routes, Laravel /telescope, Spring /actuator, Django traceback pages, Next.js _next/static/chunks).
• Rate-limit deep-dive — the four questions (is there a limit / is the counter distributed across replicas / what key is it bucketing on / what is it actually protecting). Framework-specific defaults that bite (express-rate-limit's in-memory default = per-process behind LB, Better-Auth's "memory" storage default, Django LocMemCache). Smoke tests for distributed-counter behaviour, X-Forwarded-For trust, and cost-inflation DoS.
• After findings exist — advisory writing via gh api, patch delivery when the GHSA temporary private fork isn't reachable (spoiler: for anyone except the fork's creator, it's always Repository not found — inline the patches as folded <details> blocks).

The skill is ~500 lines + 14 reusable Python/Node probe snippets + ~500 lines of deep ripgrep recipes.

Things broader-interest for skill authors

1. Context-detection as a first-class decision. The skill's opening is a small flowchart that asks "can I read the source / do I have a URL / both?" and sends Claude down different paths. It's the single change that made the skill actually useful — without it Claude would apply the wrong toolchain.
2. description frontmatter is load-bearing for auto-activation. Writing just "security audit skill" wasn't enough; I ended up with ~780 characters of explicit trigger phrases + stack keywords to get reliable auto-loading. Would love to compare notes with other skill authors on how you tune these.
3. The .claude-plugin/marketplace.json format worked well — ~20 minutes to turn a plain skill folder into something /plugin marketplace add installs. Thanks for shipping a clean spec and example repos.
4. Calibration sections are underrated. The skill ends with "on a second verification pass over 10 findings expect ~1 retraction, ~1–2 downgrades, ~1 upgrade, ~1 new adjacent finding." That single paragraph sets expectations and prevents the "I found zero movement → I'm done" failure mode.

Deliberately not included

• Offensive tooling, hacking guides, anything that assumes unauthorized targets. Every outside-mode pattern starts with "you have written scope from the maintainer."

Feedback + PRs welcome. Especially:

• Audit patterns for stacks not yet covered (Django, Rails, Go, Elixir, PHP, Java Spring)
• Additional sanitiser-bypass payload libraries
• Platform-specific disclosure workflows (HackerOne, Bugcrowd, huntr)
• Better maintainer-communication timing heuristics (when to ping, how long to wait, how to ask about CVE credit)

Happy to answer questions about the design choices or specific technique recipes.