
from saas-security9
Comprehensive SaaS security audit skill: run domain-based audits, generate checklists, classify risks, and produce prioritized remediation reports.
This skill encodes a structured, enterprise-grade security audit workflow for SaaS applications. It organizes audits into reconnaissance, domain-specific analysis (covering OWASP-style domains plus race conditions and input validation), risk classification, and report generation. The skill prescribes exact reporting formats, severity scoring, and a 12-question self-check the agent must always run before delivering code. It is designed to guide agents through thorough code and architecture reviews, producing evidence-backed findings, concrete fixes, and remediation priorities suitable for engineering teams and security reviewers.
Trigger this skill whenever a user asks for a security-focused code review, vulnerability assessment, OWASP compliance check, authentication/authorization review, or when they share code and request a security perspective. Also use it proactively when the agent detects potentially risky patterns (e.g., raw SQL concatenation, missing input validation) during normal code reviews.
references/ files); these contain core principles, OWASP domains, checklists, and race condition patterns.Designed for LLM-based code reviewers and security-focused agents (Claude, OpenClaw, Codex/Copilot) that can follow procedural audit steps, read repository files, and output structured reports. The skill assumes the agent can access code snippets and reference files when present.
SaaS Security Audit skill provides a structured 4-phase audit workflow (Reconnaissance, Domain Audit, Risk Classification, Report) aligned with OWASP standards. It includes a 12-question self-check, reference files for security domains and checklists, and enforces defensive rules (refusing insecure requests). No bundled scripts — purely reference/instruction-based. Well-written with clear triggers and progressive disclosure via references/ directory.
Solid security-focused skill with no malicious patterns. Explicitly refuses insecure requests and promotes defensive coding. Architecture is good but lacks scripts/output contracts. The broad trigger ('whenever the user shares code and asks for a review — always include a security perspective') could be too aggressive for general-purpose agents.