MatthewKim323/seccheck

seccheck

A Claude Code skill that runs a deep security audit on code changes or a codebase. Thinks like an attacker, reports like an engineer. Built for production AI products — gives extra weight to prompt injection, agent authorization, and LLM cost-blowup vectors that generic OWASP guides skip.

What it covers

10 domains:

  1. Injection — SQL, command, path, template, and prompt injection for AI features
  2. Auth & authorization — endpoint coverage, per-resource IDOR checks, JWT hygiene
  3. Sensitive data exposure — PII / PHI / secrets in logs, over-fetching, error leakage
  4. Cryptography — weak hashes, predictable random, TLS verification, encryption modes
  5. Dependencies & supply chain (on --full) — CVEs, typosquats, unpinned versions
  6. Rate limiting & abuse — public endpoints, LLM cost caps, auth lockouts, agent loops
  7. Secrets management — least privilege, rotation, git history leaks
  8. Trust boundaries — input validation at every system seam, webhook signatures
  9. Error handling & info leakage — stack traces, 404-vs-403, debug mode in prod
  10. Compliance (on --hipaa or --soc2) — PHI handling, audit trails, least-privilege

Install

git clone https://github.com/matthewkim323/seccheck ~/.claude/skills/seccheck

Use

seccheck                     # audit git diff HEAD
seccheck path/to/file.py     # audit a specific file/dir
seccheck --triage            # fast mode: only SEC-1/2/3 (injection, auth, data exposure)
seccheck --hipaa             # adds PHI-handling checks
seccheck --soc2              # adds audit-trail + availability checks
seccheck --full              # adds dependency CVE scan

Or just say "is this secure" / "check for prompt injection" / "security audit".

Output

Every finding is severity-tagged (🔴 Critical / 🟡 High / 🟠 Medium / ℹ️ Info), includes the file:line, an attack scenario in plain English, and a concrete before/after fix. The report leads with an "attack surface" map so the audit is grounded in the actual blast radius, not a generic checklist.

Pairs with /prodcheck

Run /prodcheck first for general production readiness. Run /seccheck for adversarial review. They overlap intentionally on secret hygiene and input validation (overlap is good — two angles on the most critical stuff) but cover otherwise different ground.

License

MIT.
