audit-agent

Comprehensive security and code quality audit. Use for thorough security, vulnerability, and code quality analysis. Related: project-health-checker for quick diagnostic checks.

Install

git clone https://github.com/okgoogle13/careercopilot /tmp/careercopilot && cp -r /tmp/careercopilot/.claude/skills/audit-agent ~/.claude/skills/careercopilot

Tip: run this command in your terminal to install the skill.


---
name: audit-agent
description: "Comprehensive security and code quality audit. Use for thorough security, vulnerability, and code quality analysis. Related: project-health-checker for quick diagnostic checks."
version: 1.0.0
tags:
  - security
  - audit
  - quality
  - scanning
---

Audit Agent

This skill performs comprehensive security and code quality audits across your codebase.

Features

  • Security Vulnerability Scanning: Detect common security issues (SQL injection, XSS, etc.)
  • Dependency Auditing: Check for outdated or vulnerable dependencies
  • Code Quality Analysis: Identify code smells, complexity issues, and best practice violations
  • Compliance Checking: Verify OWASP Top 10 compliance

When to Use

This skill is automatically invoked when you ask:

  • "Run a security audit"
  • "Check for vulnerabilities"
  • "Audit the codebase"
  • "Scan for security issues"
  • "Check code quality"

Audit Process

1. Security Scan

  • Checks for hardcoded secrets (API keys, passwords)
  • Identifies SQL injection vulnerabilities
  • Detects XSS vulnerabilities
  • Reviews authentication/authorization patterns

2. Dependency Audit

  • Scans package.json, requirements.txt, go.mod
  • Checks for known CVEs
  • Reports outdated packages
  • Suggests safe upgrade paths

3. Code Quality

  • Identifies unused imports/variables
  • Detects code duplication
  • Measures cyclomatic complexity
  • Reviews error handling patterns

4. Report Generation

  • Creates a detailed audit report
  • Prioritizes findings by severity (Critical, High, Medium, Low)
  • Provides remediation steps
  • Includes code examples for fixes
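The four steps above, carried out end to end as an added example (this is illustrative code written for this page, not the skill's own implementation): it scans constructed in-memory source files for hardcoded secrets and for string-formatted SQL, checks a constructed requirements.txt against a constructed advisory list, and renders the findings ordered by severity in the same report layout the skill produces. The file contents, the advisory entry and its identifier are all placeholders.

```python
"""Minimal static audit in the style described above (added example).

Everything here runs over constructed in-memory data, so it works offline and
reflects no real project or real advisory.
"""
import re
from collections import Counter

# Constructed sample sources: path -> file contents.
SAMPLE_FILES = {
    "backend/app/config.py": (
        "import os\n"
        "DEBUG = True\n"
        'API_KEY = "EXAMPLE-NOT-A-REAL-KEY-0123"  # constructed placeholder secret\n'
    ),
    "backend/app/api/users.py": (
        "def get_user(cursor, name):\n"
        "    query = f\"SELECT * FROM users WHERE name = '{name}'\"\n"
        "    return cursor.execute(query)\n"
        "\n"
        "def get_user_safe(cursor, name):\n"
        '    return cursor.execute("SELECT * FROM users WHERE name = ?", (name,))\n'
    ),
    "backend/requirements.txt": "examplelib==1.2.0\nrequests==2.31.0\n",
}

# Constructed advisory list: package -> (affected version, fixed version, placeholder id).
ADVISORIES = {
    "examplelib": ("1.2.0", "1.2.1", "ADVISORY-ID-PLACEHOLDER"),
}

SEVERITY_ORDER = ["Critical", "High", "Medium", "Low"]

# Assignment of a long quoted literal to a name that looks like a credential.
# Reading from os.environ does not match because the value must start with a quote.
SECRET_RE = re.compile(
    r'^\s*(\w*(?:API_KEY|SECRET|PASSWORD|TOKEN)\w*)\s*=\s*["\'][^"\']{8,}["\']',
    re.IGNORECASE,
)
SQL_KEYWORDS = ("SELECT", "INSERT", "UPDATE", "DELETE")


def is_dynamic_sql(line):
    """Heuristic: an SQL keyword on a line that builds its string with an f-string,
    .format() or + / % concatenation. Placeholder binding ('?' with a tuple) passes."""
    if not any(kw in line.upper() for kw in SQL_KEYWORDS):
        return False
    return bool(re.search(r'\bf["\']|\.format\(|["\']\s*(\+|%)\s', line))


def scan_source(path, text):
    """Step 1: secrets and injection patterns, one finding per matching line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if SECRET_RE.match(line):
            findings.append(dict(severity="Critical", file=f"{path}:{lineno}",
                                 issue="Hardcoded secret in source code",
                                 fix="Move to environment variable or Secret Manager"))
        if is_dynamic_sql(line):
            findings.append(dict(severity="Critical", file=f"{path}:{lineno}",
                                 issue="User input formatted into SQL query",
                                 fix="Use parameterized queries"))
    return findings


def audit_requirements(path, text):
    """Step 2: pinned requirements compared against the advisory list (exact version match)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if not line or line.startswith("#") or "==" not in line:
            continue  # only exact pins are checked in this example
        name, version = line.split("==", 1)
        advisory = ADVISORIES.get(name.lower())
        if advisory and advisory[0] == version:
            affected, fixed, adv_id = advisory
            findings.append(dict(severity="High", file=f"{path}:{lineno}",
                                 issue=f"{name} {affected} affected by {adv_id}",
                                 fix=f"Upgrade to {name}=={fixed}"))
    return findings


def run_audit(files):
    """Steps 1-3 over every file, then step 4's severity ordering."""
    findings = []
    for path, text in files.items():
        if path.endswith("requirements.txt"):
            findings.extend(audit_requirements(path, text))
        elif path.endswith(".py"):
            findings.extend(scan_source(path, text))
    findings.sort(key=lambda f: SEVERITY_ORDER.index(f["severity"]))
    return findings


def summarize(findings):
    counts = Counter(f["severity"] for f in findings)
    return {sev: counts.get(sev, 0) for sev in SEVERITY_ORDER}


def render_report(findings):
    """Step 4: Markdown report in the layout shown under Output Format."""
    lines = ["# Security Audit Report", "", "## Summary", ""]
    lines += [f"- {sev}: {n}" for sev, n in summarize(findings).items()]
    for sev in SEVERITY_ORDER:
        group = [f for f in findings if f["severity"] == sev]
        if not group:
            continue
        lines += ["", f"## {sev} Findings"]
        for i, f in enumerate(group, start=1):
            lines += ["", f"### {i}. {f['issue']}",
                      f"**File:** `{f['file']}`", f"**Fix:** {f['fix']}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(run_audit(SAMPLE_FILES)))
```

Both detectors are deliberately narrow line-level heuristics: the secret check only fires on a quoted literal assigned to a credential-like name, and the SQL check only fires when a statement keyword shares a line with string formatting, so the parameterized query in the sample is reported as clean. A real audit would add the code-quality metrics of step 3 and cross-file data-flow, which this example omits.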

Example Usage

User Request:

"Run a security audit on the backend API"

Skill Actions:

  1. Scans backend/ directory for security issues
  2. Audits Python dependencies in requirements.txt
  3. Checks FastAPI endpoints for common vulnerabilities
  4. Generates a comprehensive report of the findings

Output Format:

```markdown
# Security Audit Report

## Summary

- 🔴 Critical: 2
- 🟠 High: 5
- 🟡 Medium: 8
- 🟢 Low: 12

## Critical Findings

### 1. Hardcoded API Key Detected

**File:** `backend/app/config.py:23`
**Issue:** API key hardcoded in source code
**Risk:** Credential exposure if code is leaked
**Fix:** Move to environment variable or Secret Manager

### 2. SQL Injection Vulnerability

**File:** `backend/app/api/users.py:45`
**Issue:** Unsanitized user input in SQL query
**Risk:** Database compromise
**Fix:** Use parameterized queries
```
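The remediation the two sample findings call for, as an added example (written for this page, not taken from the skill or the careercopilot project): the flagged query pattern next to its parameterized form, and the API key read from the environment instead of the source file. It uses an in-memory SQLite table with constructed rows, so it runs offline; the table, the row values and the test input are all constructed.

```python
"""Remediation for the two critical findings in the sample report (added example)."""
import os
import sqlite3


def build_db():
    # Constructed table standing in for the users table behind backend/app/api/users.py.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)",
                     [("alice",), ("bob",), ("carol",)])
    return conn


def find_user_unsafe(conn, name):
    # The pattern finding 2 reports: caller-controlled text is interpolated into
    # the statement, so the value can change the query's structure, not just its data.
    query = f"SELECT id, name FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, name):
    # Fix: the SQL text is a constant and the driver binds the value separately,
    # so whatever the caller supplies is only ever compared as data.
    return conn.execute(
        "SELECT id, name FROM users WHERE name = ?", (name,)
    ).fetchall()


def load_api_key(env=os.environ):
    # Fix for finding 1: read the secret at startup from the environment (or a
    # secret manager that populates it) and fail loudly if it is missing, instead
    # of keeping a literal in config.py.
    key = env.get("API_KEY")
    if not key:
        raise RuntimeError(
            "API_KEY is not set; configure it in the environment or Secret Manager")
    return key


def demo():
    """Row counts for a normal lookup and for a constructed tautology input,
    showing why the report rates finding 2 as critical and why the fix works."""
    conn = build_db()
    normal = "alice"
    tautology = "x' OR '1'='1"  # constructed input, not a real request
    return {
        "unsafe_normal": len(find_user_unsafe(conn, normal)),
        "unsafe_tautology": len(find_user_unsafe(conn, tautology)),
        "safe_normal": len(find_user_safe(conn, normal)),
        "safe_tautology": len(find_user_safe(conn, tautology)),
    }


if __name__ == "__main__":
    for label, count in demo().items():
        print(f"{label}: {count} row(s)")
```

The interpolated version returns every row for the tautology input because the quote terminates the literal and the remainder becomes part of the WHERE clause; the parameterized version returns nothing because the whole string is compared against the name column. The same binding approach applies to the FastAPI endpoints named under Example Usage whether they use the DB-API directly or an ORM that binds parameters for you.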

Configuration

No configuration required. The skill automatically:

  • Detects project type (Python, Node.js, Go, etc.)
  • Selects appropriate scanners
  • Adapts to codebase structure

Limitations

  • Does not execute actual security testing tools (Bandit, OWASP ZAP)
  • Provides static analysis recommendations only
  • Requires user to run suggested tools for deep scanning

Related Skills

  • security-analyst - Deep security architecture review
  • project-health-checker - Overall project health validation
  • dependency-updater - Automated dependency updates