A Claude Code skill that runs a deep security audit on code changes or a codebase. Thinks like an attacker, reports like an engineer. Built for production AI products: gives extra weight to prompt injection, agent authorization, and LLM cost-blowup vectors that generic OWASP guides skip.
10 domains:
- Injection: SQL, command, path, template, and prompt injection for AI features
- Auth & authorization: endpoint coverage, per-resource IDOR checks, JWT hygiene
- Sensitive data exposure: PII / PHI / secrets in logs, over-fetching, error leakage
- Cryptography: weak hashes, predictable random, TLS verification, encryption modes
- Dependencies & supply chain (on `--full`): CVEs, typosquats, unpinned versions
- Rate limiting & abuse: public endpoints, LLM cost caps, auth lockouts, agent loops
- Secrets management: least privilege, rotation, git history leaks
- Trust boundaries: input validation at every system seam, webhook signatures
- Error handling & info leakage: stack traces, 404-vs-403, debug mode in prod
- Compliance (on `--hipaa` or `--soc2`): PHI handling, audit trails, least-privilege
```
git clone https://github.com/matthewkim323/seccheck ~/.claude/skills/seccheck
```

```
seccheck # audit git diff HEAD
seccheck path/to/file.py # audit a specific file/dir
seccheck --triage # fast mode: only SEC-1/2/3 (injection, auth, data exposure)
seccheck --hipaa # adds PHI-handling checks
seccheck --soc2 # adds audit-trail + availability checks
seccheck --full # adds dependency CVE scan
```
Or just say "is this secure" / "check for prompt injection" / "security audit".
Every finding is severity-tagged (Critical / High / Medium / Info), includes the file:line, an attack scenario in plain English, and a concrete before/after fix. The report leads with an "attack surface" map so the audit is grounded in the actual blast radius, not a generic checklist.
Run /prodcheck first for general production readiness. Run /seccheck for adversarial review. They overlap intentionally on secret hygiene and input validation (overlap is good: two angles on the most critical stuff) but cover otherwise different ground.
MIT.