{'>'}_
English 繁體中文 日本語 한국어 Deutsch Español Français
Login

Agent Skill: Security audit patterns for PHP/OWASP. Use when conducting security assessments, identifying vulnerabilities (XXE, SQL injection, XSS), or CVSS scoring. By Netresearch.

1 stars
0 forks
Shell
7 views
View on GitHub Add to Favorites

SKILL.md

name: security-audit description: "Agent Skill: Security audit patterns for PHP/OWASP. Use when conducting security assessments, identifying vulnerabilities (XXE, SQL injection, XSS), or CVSS scoring. By Netresearch."

Security Audit Skill

Security audits, vulnerability assessment, and secure coding patterns aligned with OWASP.

Expertise Areas

  • Vulnerabilities: XXE, SQL injection, XSS, CSRF, auth flaws, insecure deserialization
  • Risk Scoring: CVSS v3.1 methodology
  • Secure Coding: Input validation, output encoding, cryptography, session management

Reference Files

  • references/xxe-prevention.md - XXE detection and prevention
  • references/owasp-top10.md - OWASP Top 10 patterns
  • references/cvss-scoring.md - CVSS scoring methodology
  • references/api-key-encryption.md - API key encryption at rest (sodium)
  • references/secure-php.md - PHP-specific security patterns
  • references/secure-config.md - Secure configuration checklists

Quick Patterns

XML parsing (prevent XXE):

$doc->loadXML($input, LIBXML_NONET | LIBXML_NOENT | LIBXML_DTDLOAD);

SQL (prevent injection):

$stmt = $pdo->prepare('SELECT * FROM users WHERE id = ?');
$stmt->execute([$id]);

Output (prevent XSS):

echo htmlspecialchars($input, ENT_QUOTES | ENT_HTML5, 'UTF-8');

API keys (encrypt at rest):

$nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
$encrypted = 'enc:' . base64_encode($nonce . sodium_crypto_secretbox($apiKey, $nonce, $key));

Security Checklist

  • bcrypt/Argon2 for passwords, CSRF tokens on state changes
  • All input validated server-side, parameterized SQL
  • XML external entities disabled, file uploads restricted
  • Context-appropriate output encoding, CSP configured
  • API keys encrypted at rest (sodium_crypto_secretbox)
  • TLS 1.2+, secrets not in VCS, audit logging

Verification

./scripts/security-audit.sh /path/to/project

Contributing: https://github.com/netresearch/security-audit-skill

README

Security Audit Skill

Expert patterns for conducting security audits, vulnerability assessment, and implementing secure coding practices aligned with OWASP guidelines.

🔌 Compatibility

This is an Agent Skill following the open standard originally developed by Anthropic and released for cross-platform use.

Supported Platforms:

  • ✅ Claude Code (Anthropic)
  • ✅ Cursor
  • ✅ GitHub Copilot
  • ✅ Other skills-compatible AI agents

Skills are portable packages of procedural knowledge that work across any AI agent supporting the Agent Skills specification.

Features

  • Vulnerability Assessment: XXE (XML External Entity) injection detection, SQL injection pattern recognition, XSS (Cross-Site Scripting) analysis, CSRF protection verification, authentication/authorization flaws, insecure deserialization
  • Risk Scoring: CVSS v3.1 scoring methodology, risk matrix assessment, impact and likelihood analysis, prioritization frameworks
  • Secure Coding: Input validation patterns, output encoding strategies, secure configuration, cryptographic best practices, session management
  • OWASP Compliance: OWASP Top 10 vulnerability detection and remediation patterns
  • PHP Security: PHP-specific security patterns and hardening techniques

Installation

Option 1: Via Netresearch Marketplace (Recommended)

/plugin marketplace add netresearch/claude-code-marketplace

Option 2: Download Release

Download the latest release and extract to ~/.claude/skills/security-audit-skill/

Option 3: Composer (PHP projects)

composer require netresearch/agent-security-audit-skill

Requires: netresearch/composer-agent-skill-plugin

Usage

This skill is automatically triggered when:

  • Conducting security assessments
  • Identifying vulnerabilities (XXE, SQL injection, XSS, CSRF)
  • Scoring security risks with CVSS v3.1
  • Implementing secure coding practices
  • Auditing PHP applications for security issues
  • Reviewing code for OWASP Top 10 vulnerabilities

Example queries:

  • "Audit this code for XXE vulnerabilities"
  • "Check for SQL injection risks"
  • "Score this vulnerability using CVSS v3.1"
  • "Review authentication implementation for security flaws"
  • "Implement secure XML parsing"

Structure

security-audit-skill/
├── SKILL.md                              # Skill metadata and core patterns
├── references/
│   ├── xxe-prevention.md                 # XXE vulnerability detection and prevention
│   ├── owasp-top10.md                    # OWASP Top 10 vulnerability patterns
│   ├── cvss-scoring.md                   # CVSS scoring methodology and examples
│   ├── secure-php.md                     # PHP-specific security patterns
│   └── secure-config.md                  # Secure configuration checklists
└── scripts/
    └── security-audit.sh                 # Security audit script

Expertise Areas

Vulnerability Assessment

  • XXE (XML External Entity) injection detection
  • SQL injection pattern recognition
  • XSS (Cross-Site Scripting) analysis
  • CSRF protection verification
  • Authentication/authorization flaws
  • Insecure deserialization

Risk Scoring

  • CVSS v3.1 scoring methodology
  • Risk matrix assessment
  • Impact and likelihood analysis
  • Prioritization frameworks

Secure Coding

  • Input validation patterns
  • Output encoding strategies
  • Secure configuration
  • Cryptographic best practices
  • Session management

Security Audit Checklist

Authentication & Authorization

  • Password hashing uses bcrypt/Argon2
  • Session tokens are cryptographically random
  • Session fixation protection enabled
  • CSRF tokens on all state-changing operations
  • Authorization checks on all protected resources
  • Rate limiting on authentication endpoints

Input Handling

  • All input validated server-side
  • Parameterized queries for all SQL
  • XML parsing with external entities disabled
  • File uploads restricted by type and size
  • Path traversal prevention on file operations

Output Handling

  • Context-appropriate output encoding
  • Content-Type headers set correctly
  • X-Content-Type-Options: nosniff
  • Content-Security-Policy configured
  • X-Frame-Options set

Data Protection

  • Sensitive data encrypted at rest
  • TLS 1.2+ for data in transit
  • Secrets not in version control
  • PII handling compliant with regulations
  • Audit logging for sensitive operations

Related Skills

  • enterprise-readiness-skill: References this skill for security assessment
  • php-modernization-skill: Type safety enhances security
  • typo3-testing-skill: Security test patterns

License

MIT License - See LICENSE for details.

Credits

Developed and maintained by Netresearch DTT GmbH.

Made with ❤️ for Open Source by Netresearch