security-audit
Guides comprehensive security audits to identify vulnerabilities and ensure compliance with security standards.
Security score
The security-audit skill was audited on Feb 28, 2026 and we found 39 security issues across 4 threat categories, including 2 high-severity. Review the findings below before installing.
Security Issues
| Finding | Line | Code |
|---|---|---|
| Direct command execution function call | 427 | `` exec(`convert $(unknown) output.png`); `` |
| Direct command execution function call | 436 | `const child = spawn('imagemagick', [validCommand, sanitizedFilename, 'output.png']);` |
| Template literal with variable interpolation in command context | 333 | `` const query = `SELECT * FROM users WHERE email = '${email}'`; `` |
| Template literal with variable interpolation in command context | 346 | `` return await db.$queryRaw` `` |
| Template literal with variable interpolation in command context | 427 | `` exec(`convert $(unknown) output.png`); `` |
| Template literal with variable interpolation in command context | 471 | `` return await fs.readFile(`./uploads/$(unknown)`); `` |
| Template literal with variable interpolation in command context | 535 | `` return `${iv.toString('hex')}:${authTag.toString('hex')}:${encrypted}`; `` |
| Template literal with variable interpolation in command context | 1146 | ```` ```yaml ```` |
| Node child_process module reference | 419 | `import { spawn } from 'child_process';` |
| Fetch to external URL | 1199 | `<form onSubmit={() => fetch('/api/subscribe', {` |
| Webhook reference - potential data exfiltration | 764 | `#### Webhook Signature Verification` |
| Webhook reference - potential data exfiltration | 766 | `` **Best practice:** Use `crypto.timingSafeEqual()` for comparing webhook signatures to prevent timing attacks: `` |
| Webhook reference - potential data exfiltration | 770 | `export function verifyWebhookSignature(payload: string, signature: string, secret: string): boolean {` |
| Access to .env file | 53 | `pattern: "process\\.env\\."` |
| Access to .env file | 113 | `secure: process.env.NODE_ENV === 'production',` |
| Access to .env file | 521 | `const ENCRYPTION_KEY = process.env.ENCRYPTION_KEY;` |
| Access to .env file | 588 | `glob: ".env"` |
| Access to .env file | 595 | `` - `.env` files committed to version control `` |
| Access to .env file | 611 | `DATABASE_URL: process.env.DATABASE_URL,` |
| Access to .env file | 612 | `NEXTAUTH_SECRET: process.env.NEXTAUTH_SECRET,` |
| Access to .env file | 613 | `STRIPE_SECRET_KEY: process.env.STRIPE_SECRET_KEY,` |
| Access to .env file | 614 | `OPENAI_API_KEY: process.env.OPENAI_API_KEY,` |
| Access to .env file | 617 | `// Ensure .env is in .gitignore` |
| Access to .env file | 618 | `// Use .env.example (without values) to document required variables` |
| Access to .env file | 953 | `- ".env*"` |
| Access to .env file | 954 | `- "*.env"` |
| Access to .env file | 968 | `` - `.env` files in `.gitignore` `` |
| Access to .env file | 969 | `` - Use `.env.example` (without values) to document variables `` |
| Access to .env file | 970 | `` - Use secrets management in production (not `.env` files) `` |
| External URL reference | 744 | `'https://example.com',` |
| External URL reference | 745 | `'https://app.example.com',` |
| External URL reference | 840 | `script-src 'self' 'unsafe-eval' 'unsafe-inline' https://cdn.vercel-insights.com;` |
| External URL reference | 844 | `connect-src 'self' https://api.example.com;` |
| External URL reference | 942 | `CMD node -e "require('http').get('http://localhost:3000/api/health', (r) => process.exit(r.statusCode === 200 ? 0 : 1))"` |
| External URL reference | 1180 | `target: 'http://localhost:3000'` |
| External URL reference | 1311 | `- [OWASP Top 10](https://owasp.org/www-project-top-ten/)` |
| External URL reference | 1312 | `- [CWE Top 25](https://cwe.mitre.org/top25/)` |
| External URL reference | 1313 | `- [NIST Cybersecurity Framework](https://www.nist.gov/cyberframework)` |
| External URL reference | 1314 | `- [SANS Top 25 Software Errors](https://www.sans.org/top25-software-errors/)` |
Install this skill with one command
/learn @mgd34msu/security-audit