Security Audit Claude Skill Template
A production-ready Claude skill that performs automated security audits on codebases — scanning for OWASP vulnerabilities, RLS leaks, injection vectors, and misconfigured secrets.
Who this is for
Security engineers, DevSecOps teams, SaaS platform teams
What you can do with it
- ✓ Audit Next.js middleware for auth bypasses
- ✓ Detect SQL injection patterns in API routes
- ✓ Flag exposed secrets and misconfigured env vars
- ✓ Review Supabase RLS policies for privilege escalation
SKILL.md Template
Copy this file into .claude/skills/security-audit.md in your project. Claude Code picks it up automatically.
````markdown
---
name: security-audit
description: Performs automated security audits on code, configs, and API surfaces. Detects OWASP Top 10 vulnerabilities, RLS misconfigurations, and exposed secrets.
context: fork
allowed-tools:
  - Read
  - Bash
  - Grep
---

## Instructions

You are a senior security engineer performing a structured security audit.

### Trigger

Activate when the user says "audit", "security review", "check for vulnerabilities", or shares a file path for review.

### Phase 1 — Scope

1. Ask what to audit if no file/directory provided.
2. Identify: language, framework, auth mechanism, database type.
3. Confirm audit scope: auth, injection, secrets, permissions, deps.

### Phase 2 — Scan

Run checks in this order:

- **Injection**: SQL, NoSQL, command, LDAP injection patterns
- **Auth**: broken auth, missing guards, JWT misconfigs, session fixation
- **Secrets**: hardcoded keys, tokens, passwords in source or env files
- **Permissions**: RLS policies, RBAC gaps, privilege escalation paths
- **Deps**: known CVEs via `npm audit` or `pip-audit`

### Phase 3 — Report

Output a structured finding for each issue:

```
SEVERITY: [Critical / High / Medium / Low]
FILE: path/to/file.ts:42
ISSUE: Description of the vulnerability
EVIDENCE: Exact code snippet
FIX: Specific remediation step
```

### Constraints

- Never execute destructive commands
- Flag but do not auto-fix Critical findings — require human confirmation
- Group findings by severity, not file
- End with a summary score: X critical, Y high, Z medium, W low
````
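As an added example (not part of the template, Claude Code, or SkillsWorkbench), here is a small Python checker that consumes the Phase 3 finding format and enforces two of the Constraints: grouping by severity rather than file, and the closing summary score line. The field names and severity labels come from the template; the function names and the sample report are my own constructed assumptions.

```python
import re
# Severity labels from the template, highest first.
SEVERITY_ORDER = ["Critical", "High", "Medium", "Low"]
FIELDS = ("SEVERITY", "FILE", "ISSUE", "EVIDENCE", "FIX")

def parse_findings(report: str) -> list[dict]:
    """Parse blank-line-separated finding blocks; a line that starts no known field continues the previous one."""
    findings = []
    for block in re.split(r"\n\s*\n", report.strip()):
        finding, current = {}, None
        for line in block.splitlines():
            m = re.match(r"^([A-Z]+):\s*(.*)$", line)
            if m and m.group(1) in FIELDS:
                current = m.group(1)
                finding[current] = m.group(2)
            elif current is not None:  # continuation (e.g. multi-line EVIDENCE)
                finding[current] += "\n" + line
        missing = [f for f in FIELDS if f not in finding]
        if missing or finding["SEVERITY"] not in SEVERITY_ORDER:
            raise ValueError(f"malformed finding block: {block!r}")
        findings.append(finding)
    return findings

def group_by_severity(findings: list[dict]) -> dict[str, list[dict]]:
    """Constraint: group by severity, not by file; highest severity first."""
    grouped = {s: [] for s in SEVERITY_ORDER}
    for f in findings:
        grouped[f["SEVERITY"]].append(f)
    return grouped

def summary_score(findings: list[dict]) -> str:
    """Constraint: the closing 'X critical, Y high, Z medium, W low' line."""
    c = {s: sum(f["SEVERITY"] == s for f in findings) for s in SEVERITY_ORDER}
    return f"{c['Critical']} critical, {c['High']} high, {c['Medium']} medium, {c['Low']} low"

# Constructed sample in the template's finding format (not real audit output).
SAMPLE_REPORT = """\
SEVERITY: Critical
FILE: app/api/users/route.ts:17
ISSUE: SQL query built by string concatenation from a request parameter
EVIDENCE: db.query(`SELECT * FROM users WHERE id = ${req.query.id}`)
FIX: Use a parameterised query with the id passed as a bound argument

SEVERITY: High
FILE: .env.example:3
ISSUE: Live-looking API key committed to the repository
EVIDENCE: STRIPE_SECRET_KEY=sk_live_PLACEHOLDER
FIX: Replace with a dummy value and rotate the real key
"""
```

Everything in `group_by_severity(...)["Critical"]` is the set that the Constraints say must be flagged for human confirmation rather than auto-fixed.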
How to deploy this skill
1. Copy the SKILL.md above. Use it as-is or customize the instructions for your stack.
2. Place it in your project. Save as .claude/skills/security-audit.md — Claude Code loads it automatically.
3. Or generate a custom version. Open SkillsWorkbench, describe your use case, and get a skill tailored to your exact stack and compliance requirements.
4. Run eval sets before shipping. Use the workbench to stress-test your skill against adversarial inputs before deploying to production.
Build a skill tailored to your use case
This template is a starting point. SkillsWorkbench generates a custom version with your stack, compliance requirements, and eval test cases built in.