Security Posture Analysis Skill | Skills Pool
Security Posture Analysis Skill Performs comprehensive security posture analysis of web applications. Audits authentication, authorization, secrets management, input validation, dependency vulnerabilities, CORS, CSRF, XSS, SQL injection, SSRF, and infrastructure configuration. Maps findings to OWASP Top 10 (2021) categories with severity ratings and actionable remediation steps. Use when asked to "analyze security", "audit security", "check security posture", "find vulnerabilities", or "security review".
jeansfeir07 0 星标 2026年3月12日
A comprehensive security auditing skill that analyzes web application codebases for vulnerabilities, misconfigurations, and security anti-patterns. Produces a structured report mapped to OWASP Top 10 categories with severity ratings and actionable remediation.
When to Use This Skill
Use this skill when you need to:
Perform a full security audit of a web application
Identify authentication and authorization vulnerabilities
Check for hardcoded secrets and credential exposure
Analyze input validation gaps and injection risks
Review dependency security and known CVEs
Assess CORS, CSRF, and session management
Evaluate infrastructure security (Docker, environment, TLS)
Generate an OWASP Top 10-mapped security report, sorted by severity
Prerequisites
Access to the project source code (backend + frontend)
Node.js and npm/yarn available for dependency auditing
Terminal access for running audit commands
Audit Pipeline
快速安装
Security Posture Analysis Skill npx skills add jeansfeir07/collab-code-editor
作者 jeansfeir07
星标 0
更新时间 2026年3月12日
职业 ┌───────────────────────────────────────────────────────────┐
│ SECURITY POSTURE ANALYZER │
│ Orchestrates full audit across all domains │
└────────────────────┬──────────────────────────────────────┘
│
┌─────────────────┼─────────────────────┐
▼ ▼ ▼
┌──────────┐ ┌────────────┐ ┌──────────────────┐
│ RECON │ │ ANALYZE │ │ REPORT │
│ │ │ │ │ │
│ Discover │ │ Evaluate │ │ Classify by │
│ attack │→ │ each │→ │ OWASP Top 10 │
│ surface │ │ domain │ │ + severity │
└──────────┘ └────────────┘ └──────────────────┘
The 12 Security Audit Domains
Domain 1: Secrets & Credential Management 🔴 OWASP: A02 - Cryptographic Failures
Hardcoded passwords, API keys, tokens in source code
Secrets in docker-compose.yml, Dockerfiles, config files
Default credentials (admin/admin, postgres/postgres)
Secrets committed to version control (.env not in .gitignore)
Plaintext token storage in databases
Empty or weak default values for critical secrets (JWT_SECRET)
# Search for hardcoded secrets
grep -rn "password\|secret\|token\|api_key\|apikey\|credential" --include="*.ts" --include="*.js" --include="*.yml" --include="*.yaml" --include="*.json" --include="*.env" . | grep -v node_modules | grep -v ".git/"
# Check .gitignore for .env
grep "\.env" .gitignore
# Check for .env files committed
git ls-files | grep -i "\.env"
Domain 2: Authentication Security 🔴 OWASP: A07 - Identification and Authentication Failures
Password hashing algorithm and cost factor (bcrypt ≥10 rounds, argon2id preferred)
JWT implementation: signing algorithm (HS256 vs RS256), expiration, secret strength
Token storage: HttpOnly cookies vs localStorage (XSS risk)
Token refresh/rotation mechanism
Rate limiting on login/register endpoints
Account lockout after failed attempts
Password complexity requirements
Email verification on registration
Session invalidation on password change
Multi-factor authentication support
Domain 3: Authorization & Access Control 🔴 OWASP: A01 - Broken Access Control
Role-based access control (RBAC) implementation
Horizontal privilege escalation (user A accessing user B's data)
Vertical privilege escalation (viewer → editor → owner)
IDOR (Insecure Direct Object Reference) via sequential/guessable IDs
Resource ownership verification in every handler
Admin function exposure to non-admin users
WebSocket authorization enforcement
Cache-based authorization staleness windows
Domain 4: Input Validation & Injection 🟠
SQL injection (raw queries, string interpolation in queries)
NoSQL injection (MongoDB operator injection)
Command injection (exec, spawn with user input)
Path traversal (../../../etc/passwd in file paths)
XSS vectors (reflected, stored, DOM-based)
Template injection (server-side template rendering)
LDAP injection
URL validation (SSRF via user-supplied URLs)
Git URL sanitization (credential injection in URLs)
# Find potential command injection
grep -rn "exec\|spawn\|execSync\|execFile" --include="*.ts" --include="*.js" . | grep -v node_modules
# Find raw SQL
grep -rn "\$queryRaw\|\$executeRaw\|\.query(" --include="*.ts" --include="*.js" . | grep -v node_modules
# Find path operations with user input
grep -rn "path\.join\|path\.resolve\|readFile\|writeFile\|readdir" --include="*.ts" --include="*.js" . | grep -v node_modules
Domain 5: API Security 🟠 OWASP: A04 - Insecure Design
Rate limiting on all endpoints (especially auth, file, git)
Request size limits (body parser limits)
Pagination on list endpoints (query amplification)
Error responses leaking internal details (stack traces, DB errors)
HTTP methods restricted appropriately
API versioning and deprecation
Content-Type validation
Response headers (X-Content-Type-Options, X-Frame-Options, CSP)
Domain 6: CORS & CSRF Protection 🟠 OWASP: A05 - Security Misconfiguration
CORS origin whitelist (not wildcard with credentials)
CORS methods and headers restrictions
CSRF tokens for state-changing operations (POST/PUT/DELETE)
SameSite cookie attribute
Origin/Referer header validation
Preflight caching duration
Domain 7: Dependency Security 🟠 OWASP: A06 - Vulnerable and Outdated Components
# NPM audit
cd backend && npm audit --json 2>/dev/null | head -100
cd frontend && npm audit --json 2>/dev/null | head -100
# Check for outdated packages
npm outdated 2>/dev/null
# Check lockfile integrity
ls package-lock.json yarn.lock pnpm-lock.yaml 2>/dev/null
Domain 8: Transport Security (TLS/SSL) 🔴 OWASP: A02 - Cryptographic Failures
NODE_TLS_REJECT_UNAUTHORIZED=0 anywhere (disables SSL verification)HTTP vs HTTPS in production URLs
SSL certificate validation in API calls
WebSocket WSS vs WS
Database connection encryption (sslmode)
Redis connection encryption
HSTS headers
Domain 9: Logging & Monitoring 🟡 OWASP: A09 - Security Logging and Monitoring Failures
Authentication events logged (login, logout, failed attempts)
Authorization failures logged
Input validation failures logged
Sensitive data NOT logged (passwords, tokens, PII)
Log injection prevention (newline sanitization)
Audit trail for critical operations
Log retention policy
Alerting on suspicious activity
Domain 10: Infrastructure Security 🟠 OWASP: A05 - Security Misconfiguration
Docker image pinning (specific versions vs latest)
Non-root container user
Docker secrets vs environment variables
Health check configuration
Port exposure (minimal required only)
Volume mount permissions
Network segmentation (internal vs external)
Dockerfile best practices (multi-stage builds, .dockerignore)
Domain 11: Data Protection 🟡 OWASP: A02 - Cryptographic Failures
Sensitive data at rest (encryption of tokens, PII)
Sensitive data in transit (TLS everywhere)
Data retention and deletion policies
Backup encryption
PII handling (GDPR readiness)
Database field-level encryption for sensitive columns
Domain 12: Server-Side Request Forgery (SSRF) 🟠
User-controlled URLs in server-side requests (fetch, axios, http.get)
Git clone with user-supplied URLs (internal network probing)
URL schema validation (block file://, gopher://, etc.)
IP allowlist/blocklist for outbound requests
DNS rebinding protection
Severity Classification Level Label Color Criteria 1 CRITICAL 🔴 Actively exploitable, data breach risk, requires immediate fix 2 HIGH 🟠 Exploitable with moderate effort, significant impact 3 MEDIUM 🟡 Requires specific conditions, moderate impact 4 LOW 🟢 Minimal impact, defense-in-depth improvement 5 INFO 🔵 Best practice recommendation, no direct vulnerability
Generate the report as a markdown document with:
Executive Summary — Overall risk rating, critical finding count, most urgent actionsOWASP Top 10 Coverage Matrix — Which categories were assessed and findings per categoryFindings Table — Severity, domain, finding title, file location, OWASP mappingDetailed Findings — Each finding with description, evidence (code snippets), impact, and remediationDependency Audit Results — npm audit output summaryRemediation Roadmap — Prioritized fix list (Immediate / Short-term / Medium-term)Security Scorecard — Numeric score per domain (0-10) and overall grade
Execution Steps
Discovery Phase : Identify all entry points (routes, WebSocket handlers, middleware chain)Static Analysis : Read and analyze all source files for each domainDependency Audit : Run npm audit on backend and frontendSecret Scanning : Search for hardcoded credentials and exposed secretsConfiguration Review : Analyze Docker, environment, CORS, TLS settingsReport Generation : Produce structured findings mapped to OWASP Top 10
Automated Checks Run these commands to gather data:
# 1. Dependency vulnerabilities
cd backend && npm audit 2>/dev/null; cd ..
cd frontend && npm audit 2>/dev/null; cd ..
# 2. Secret patterns in source
grep -rn --include="*.ts" --include="*.js" --include="*.yml" --include="*.env" \
-E "(password|secret|token|api.?key|private.?key)\s*[:=]" . \
| grep -v node_modules | grep -v ".git/"
# 3. Dangerous functions
grep -rn --include="*.ts" --include="*.js" \
-E "(eval|exec|execSync|spawn|child_process|Function\(|innerHTML|dangerouslySetInnerHTML)" . \
| grep -v node_modules
# 4. TLS/SSL issues
grep -rn "NODE_TLS_REJECT_UNAUTHORIZED\|rejectUnauthorized\|sslVerify.*false\|ssl.*false" . \
| grep -v node_modules | grep -v ".git/"
# 5. Hardcoded URLs with credentials
grep -rn --include="*.ts" --include="*.js" --include="*.yml" \
-E "(https?://[^:]+:[^@]+@)" . \
| grep -v node_modules
# 6. Missing security headers
grep -rn "helmet\|X-Content-Type-Options\|X-Frame-Options\|Content-Security-Policy\|Strict-Transport-Security" . \
| grep -v node_modules
Prerequisites