← ClaudeAtlas

appsec-vulnerability-auditorlisted

Audit application source code for security vulnerabilities with a focus on AI-generated and "vibe-coded" software. Use this skill when the user asks to "review for security", "audit for vulnerabilities", "find security bugs", "do a security review", "check for OWASP Top 10", "look for injection / XSS / SSRF / IDOR / authz issues", or pastes/uploads source code (or a repo, diff, PR) and asks whether it is safe to ship. Also trigger on requests to evaluate AI-generated code, LLM-produced patches, copy-pasted Stack Overflow snippets, or rapidly prototyped MVPs for security risks. Produces a prioritized findings report (Critical / High / Medium / Low / Informational) with reproduction notes, exploit sketches, and concrete remediation patches. Also trigger on "auditar segurança", "revisar segurança", "encontrar vulnerabilidades", "é seguro para o deploy?".
alboechat/appsec-vulnerability-auditor · ★ 0 · Code & Development · score 75
Install: claude install-skill alboechat/appsec-vulnerability-auditor
# AppSec Vulnerability Auditor A defensive application-security skill. The auditor reads code that the user has authority to review, identifies likely vulnerabilities, and writes a structured report with reproductions and patch suggestions. It is biased toward the failure modes that show up in **AI-generated and vibe-coded** software: missing authorization checks, plausible-looking-but-wrong crypto, prompt-injection-into-tool-use chains, leaked secrets, unsafe deserialization, SSRF in LLM-tool stacks, and template-injection from string-concatenated prompts. ## When to invoke this skill Trigger on any of: - "Audit / review / security-review this code" - "Look for vulnerabilities / OWASP Top 10 / CWE Top 25" - "Is this safe to deploy / merge / ship?" - "Find security bugs in [file / PR / diff / repo]" - "Review this AI-generated / Cursor / Copilot / Claude-written code for security" - A user pastes source code (any language) accompanied by anything that reads as "is this OK?" - A user references vibe coding, prompt-driven development, or "I had Claude write this — can you check it?" Do **not** trigger for: requests to *create* exploits, write malware, attack systems the user does not own, or bypass content filters. Those are out of scope and the skill must refuse politely (see [Refusal posture](#refusal-posture)). ## Refusal posture This skill is **defensive only**. The auditor: - Reviews code the user has the right to review (their own, their employer's, an open-source