Security Audit Phase 1

Verified · Safe

First phase of the security audit pipeline that scans the codebase (src/app) for vulnerabilities like unprotected endpoints, missing input validation, authorization gaps, and exposed secrets. Outputs a prioritized findings list in SECURITY_PLAN.md. Use after /full-security-audit or invoke directly with '/1-security-audit'.

by Skills Guide Bot
Security · Intermediate
1306/2/2026
Claude Code
#security #audit #security-phase-1 #vulnerability-scan #code-review

Our review

Scans the codebase for security vulnerabilities and creates a SECURITY_PLAN.md with prioritized findings.

Strengths

  • Automated detection of common security issues (mutable endpoints, missing validation, authorization gaps, exposed secrets).
  • Produces a structured report with severity levels and file locations.
  • Integrates with a multi-phase pipeline for comprehensive security review.

Limitations

  • Only covers specific patterns (e.g., Supabase-specific checks may not apply to all projects).
  • Output is a static markdown file; no real-time monitoring.
  • Requires a specific folder structure (e.g., src/app).

When to use it

Use when initiating a security review of your codebase to identify and prioritize vulnerabilities before remediation.

When not to use it

Do not use if you need real-time security scanning or if your project does not follow a typical web application structure.

Security analysis

Safe
Quality score: 85/100

The skill only reads source files and writes a markdown file; no shell commands, network calls, or destructive operations. It poses no execution risk.

No concerns found

Examples

  • Start security audit phase 1: "Run /1-security-audit"
  • Security audit discovery scan: "Please perform a security discovery scan on the codebase and create a SECURITY_PLAN.md."
  • Begin security review pipeline: "Initiate phase 1 of the full security audit."

name: 1-security-audit
description: "Phase 1 of security audit pipeline. Scans the codebase for vulnerabilities and creates SECURITY_PLAN.md. Use after /full-security-audit or invoke directly to start a security review. Say 'security audit phase 1' or run '/1-security-audit'."
contract:
  tags: [security, audit, security-phase-1]
  state_source: security_plan
  inputs:
    params: []
    gates: []
  outputs:
    mutates:
      - field: "findings"
        sets_to: "Pending"
    side_effects: ["Creates SECURITY_PLAN.md"]
  next: [2-security-critique]
  human_gate: false

Phase 1: Security Discovery

What this phase does

Scan the codebase and produce a prioritized findings list. Output lives in SECURITY_PLAN.md.

Instructions

  1. Scan src/app (or the configured API folder) for:
     • Mutable endpoints (POST/PUT/DELETE)
     • Missing input validation (e.g. Zod schemas)
     • Authorization gaps (missing auth checks, overly permissive RLS)
     • Exposed secrets or service role keys in client code
     • See supabase-security/SKILL.md for Supabase-specific patterns to check
  2. Output: create or overwrite SECURITY_PLAN.md in the project root. List all findings as Pending with severity (Critical / High / Medium / Low) and file location.
  3. Stop. Display a summary of findings to the user.
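The discovery scan in steps 1 to 3, as an added example that is not part of this skill or its project: a Python script that applies the same checks (mutating route handlers, missing Zod parsing, missing auth calls, a service role key referenced in a "use client" file) to a constructed inline set of src/app files and renders the SECURITY_PLAN.md table with every finding set to Pending. The Next.js route-handler layout, the sample files and the auth helper names are assumptions; RLS policies live in the database and are not checked here.

```python
import re
# Constructed sample files standing in for a src/app tree (assumed Next.js route-handler layout, not from the page).
SAMPLE_FILES = {
    "src/app/api/posts/route.ts": (
        'import { z } from "zod";\nimport { getUser } from "@/lib/auth";\n'
        "const Body = z.object({ title: z.string() });\n"
        "export async function POST(req: Request) {\n"
        "  const user = await getUser(req);\n"
        '  if (!user) return new Response("unauthorized", { status: 401 });\n'
        "  return Response.json(Body.parse(await req.json()));\n}\n"
    ),
    "src/app/api/admin/route.ts": (
        "export async function DELETE(req: Request) {\n"
        "  const { id } = await req.json();\n  await db.delete(id);\n  return new Response(null, { status: 204 });\n}\n"
    ),
    "src/app/dashboard/page.tsx": '"use client";\nconst key = process.env.NEXT_PUBLIC_SUPABASE_SERVICE_ROLE_KEY;\n',
}

HANDLER_RE = re.compile(r"export\s+(?:async\s+)?function\s+(POST|PUT|DELETE)\b")
AUTH_RE = re.compile(r"\b(getUser|getSession|auth)\(")  # assumed names of the project's auth helpers
VALIDATION_RE = re.compile(r"\.(safeParse|parse)\(")     # Zod schema usage
SEVERITY_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}

def scan(files):
    """Return (severity, status, location, finding) tuples, highest severity first."""
    findings = []
    for path, src in files.items():
        if '"use client"' in src and "SERVICE_ROLE" in src:
            findings.append(("Critical", "Pending", path, "Supabase service role key referenced in client code"))
        for m in HANDLER_RE.finditer(src):
            line = src.count("\n", 0, m.start()) + 1
            verb, loc = m.group(1), f"{path}:{line}"
            body = src[m.start():]  # coarse: everything from the handler's declaration onward
            findings.append(("Low", "Pending", loc, f"Mutable endpoint {verb}; confirm it must be exposed"))
            if not AUTH_RE.search(body):
                findings.append(("Critical", "Pending", loc, f"{verb} handler has no auth check"))
            if not VALIDATION_RE.search(body):
                findings.append(("High", "Pending", loc, f"{verb} handler reads input without a Zod schema"))
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f[0]], f[2]))

def render_plan(findings):
    """Render the findings as the SECURITY_PLAN.md table; every entry starts as Pending."""
    rows = ["# SECURITY_PLAN", "", "| Severity | Status | Location | Finding |", "|---|---|---|---|"]
    rows += [f"| {sev} | {status} | {loc} | {text} |" for sev, status, loc, text in findings]
    return "\n".join(rows) + "\n"

if __name__ == "__main__":
    print(render_plan(scan(SAMPLE_FILES)))
```

On the constructed files the admin DELETE handler yields a Critical (no auth) and a High (no schema) finding, the dashboard page a Critical (service role key in client code), and both handlers a Low entry for review.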

The next step is Phase 2: /2-security-critique
