Security Audit

Actions

1. Identify target scope
2. Gather intelligence
3. Map attack surface
4. Identify technologies
5. Document findings

Copy-Paste Prompts

Use @scanning-tools to perform initial reconnaissance

Use @shodan-reconnaissance to find exposed services

Phase 2: Vulnerability Scanning

Skills to Invoke

• vulnerability-scanner - Vulnerability analysis
• security-scanning-security-sast - Static analysis
• security-scanning-security-dependencies - Dependency scanning

Actions

1. Run automated scanners
2. Perform static analysis
3. Scan dependencies
4. Identify misconfigurations
5. Document vulnerabilities

Copy-Paste Prompts

Use @vulnerability-scanner to scan for OWASP Top 10 vulnerabilities

Use @security-scanning-security-dependencies to audit dependencies

Phase 3: Web Application Testing

Skills to Invoke

• top-web-vulnerabilities - OWASP vulnerabilities
• sql-injection-testing - SQL injection
• xss-html-injection - XSS testing
• broken-authentication - Authentication testing
• idor-testing - IDOR testing
• file-path-traversal - Path traversal
• burp-suite-testing - Burp Suite testing

Actions

1. Test for injection flaws
2. Test authentication mechanisms
3. Test session management
4. Test access controls
5. Test input validation
6. Test security headers

Copy-Paste Prompts

Use @sql-injection-testing to test for SQL injection vulnerabilities

Use @xss-html-injection to test for cross-site scripting

Use @broken-authentication to test authentication security

Phase 4: API Security Testing

Skills to Invoke

• api-fuzzing-bug-bounty - API fuzzing
• api-security-best-practices - API security

Actions

1. Enumerate API endpoints
2. Test authentication/authorization
3. Test rate limiting
4. Test input validation
5. Test error handling
6. Document API vulnerabilities

Copy-Paste Prompts

Use @api-fuzzing-bug-bounty to fuzz API endpoints

Phase 5: Penetration Testing

Skills to Invoke

• pentest-commands - Penetration testing commands
• pentest-checklist - Pentest planning
• ethical-hacking-methodology - Ethical hacking
• metasploit-framework - Metasploit

Actions

1. Plan penetration test
2. Execute attack scenarios
3. Exploit vulnerabilities
4. Document proof of concept
5. Assess impact

Copy-Paste Prompts

Use @pentest-checklist to plan penetration test

Use @pentest-commands to execute penetration testing

Phase 6: Security Hardening

Skills to Invoke

• security-scanning-security-hardening - Security hardening
• auth-implementation-patterns - Authentication
• api-security-best-practices - API security

Actions

1. Implement security controls
2. Configure security headers
3. Set up authentication
4. Implement authorization
5. Configure logging
6. Apply patches

Copy-Paste Prompts

Use @security-scanning-security-hardening to harden application security

Phase 7: Reporting

Skills to Invoke

• reporting-standards - Security reporting

Actions

1. Document findings
2. Assess risk levels
3. Provide remediation steps
4. Create executive summary
5. Generate technical report

Security Testing Checklist

OWASP Top 10

• Injection (SQL, NoSQL, OS, LDAP)
• Broken Authentication
• Sensitive Data Exposure
• XML External Entities (XXE)
• Broken Access Control
• Security Misconfiguration
• Cross-Site Scripting (XSS)
• Insecure Deserialization
• Using Components with Known Vulnerabilities
• Insufficient Logging & Monitoring

API Security

• Authentication mechanisms
• Authorization checks
• Rate limiting
• Input validation
• Error handling
• Security headers

Quality Gates

• All planned tests executed
• Vulnerabilities documented
• Proof of concepts captured
• Risk assessments completed
• Remediation steps provided
• Report generated

Related Workflow Bundles

• development - Secure development practices
• wordpress - WordPress security
• cloud-devops - Cloud security
• testing-qa - Security testing

Limitations

• Use this skill only when the task clearly matches the scope described above.
• Do not treat the output as a substitute for environment-specific validation, testing, or expert review.
• Stop and ask for clarification if required inputs, permissions, safety boundaries, or success criteria are missing.