Security audit workflow - vulnerability scan → verification

```shell
npx skills add wrsmith108/claude-skill-security-auditor
```

Or install this specific skill:

```shell
npx add-skill https://github.com/wrsmith108/claude-skill-security-auditor
```
# Description
Claude Code skill for running structured security audits with actionable remediation plans
# SKILL.md
## Security Auditor Skill
Run structured security audits with actionable remediation plans.
### Trigger Phrases
- "npm audit"
- "security vulnerability"
- "dependency vulnerability"
- "CVE"
- "security check"
- "audit dependencies"
- "check vulnerabilities"
### Description
This skill performs comprehensive security audits on npm projects, parsing vulnerability data and generating actionable remediation plans with prioritized fixes.
### Capabilities
- Execute `npm audit --json` and parse its structured output
- Classify vulnerabilities by severity (critical, high, medium, low)
- Extract CVE identifiers, affected versions, and fix versions
- Distinguish direct vs transitive dependencies
- Generate markdown reports with remediation commands
- Support risk acceptance via `security-exceptions.json`
- Provide CI-friendly exit codes
### Usage
Basic Audit:
```shell
npx tsx scripts/index.ts
```
JSON Output:
```shell
npx tsx scripts/index.ts --json
```
Fail on High+ Severity (for CI):
```shell
npx tsx scripts/index.ts --fail-on high
```
Fail on Critical Only:
```shell
npx tsx scripts/index.ts --fail-on critical
```
### Risk Acceptance
Create a `security-exceptions.json` file in your project root to accept known risks:
```json
{
  "exceptions": [
    {
      "id": "GHSA-xxxx-xxxx-xxxx",
      "reason": "Not exploitable in our usage context",
      "expires": "2025-06-01",
      "approvedBy": "security-team"
    }
  ]
}
```
### Exit Codes
- `0` - No vulnerabilities above threshold
- `1` - Vulnerabilities found above threshold (with `--fail-on`)
- `2` - Error running audit
### Requirements
- Node.js and npm installed
- Valid `package.json` in target directory
- Optional: `package-lock.json` for accurate audit
# README.md
## Security Auditor
A Claude Code skill for running structured security audits with actionable remediation plans.
### Installation
As a Claude Code Skill:
```shell
# Clone to your Claude skills directory
git clone https://github.com/wrsmith108/claude-skill-security-auditor.git ~/.claude/skills/security-auditor
```
Standalone Usage:
```shell
npx tsx ~/.claude/skills/security-auditor/scripts/index.ts [options]
```
### Trigger Phrases
This skill activates when you mention:
- "npm audit"
- "security vulnerability"
- "dependency vulnerability"
- "CVE"
- "security check"
- "audit dependencies"
- "check vulnerabilities"
### Capabilities
- Execute `npm audit --json` and parse its structured output
- Classify vulnerabilities by severity (critical, high, medium, low)
- Extract CVE identifiers, affected versions, and fix versions
- Distinguish direct vs transitive dependencies
- Generate markdown reports with remediation commands
- Support risk acceptance via `security-exceptions.json`
- Provide CI-friendly exit codes
### Usage
Basic Audit:
```shell
npx tsx scripts/index.ts
```
JSON Output:
```shell
npx tsx scripts/index.ts --json
```
Fail on High+ Severity (for CI):
```shell
npx tsx scripts/index.ts --fail-on high
```
Fail on Critical Only:
```shell
npx tsx scripts/index.ts --fail-on critical
```
Audit a Specific Project:
```shell
npx tsx scripts/index.ts --cwd /path/to/project
```
### Risk Acceptance
Create a `security-exceptions.json` file in your project root to accept known risks:
```json
{
  "exceptions": [
    {
      "id": "GHSA-xxxx-xxxx-xxxx",
      "reason": "Not exploitable in our usage context",
      "expires": "2025-06-01",
      "approvedBy": "security-team"
    }
  ]
}
```
Accepted vulnerabilities are tracked separately in the report.
### Output Format
The skill generates a markdown report with:
- Summary table by severity
- Detailed breakdown of high+ severity issues
- Transitive dependency analysis
- Copy-paste remediation commands
- List of accepted risks (if any)
### Exit Codes
| Code | Meaning |
|---|---|
| 0 | No vulnerabilities above threshold |
| 1 | Vulnerabilities found above threshold (with `--fail-on`) |
| 2 | Error running audit |
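The pipeline the Capabilities, Risk Acceptance and Exit Codes sections describe, written out as an added example. This is not the skill's own `scripts/index.ts`: it is an independent sketch that assumes npm's `auditReportVersion: 2` JSON shape, assumes an exception's `id` is matched against the GHSA id in each advisory's `url`, and runs on constructed sample data with placeholder GHSA ids. It goes one step beyond the page in a single respect: a package that npm reports as vulnerable only through another package (a bare dependency name in `via`) inherits acceptance from that package, so one exception does not leave its downstream entries open.

```typescript
// Added example, not the skill's own scripts/index.ts: parse `npm audit --json` (auditReportVersion 2),
// classify by severity, tell direct from transitive packages, apply security-exceptions.json (expired
// entries are ignored), derive remediation commands and the documented exit code (0 / 1 / 2).
type Severity = "critical" | "high" | "moderate" | "low" | "info";
// npm prints "moderate" for the level the skill's docs call "medium".
const RANK: Record<Severity, number> = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

interface Advisory { name: string; title: string; url: string; severity: Severity; range: string }
interface Vulnerability {
  name: string; severity: Severity; isDirect: boolean; range: string; effects: string[]; nodes: string[];
  via: Array<Advisory | string>;      // advisory objects, or names of the dependencies it is vulnerable through
  fixAvailable: boolean | { name: string; version: string; isSemVerMajor: boolean };
}
interface AuditReport { auditReportVersion: number; vulnerabilities: Record<string, Vulnerability> }
interface SecurityException { id: string; reason: string; expires: string; approvedBy: string }
export interface Finding { pkg: string; severity: Severity; isDirect: boolean; advisoryIds: string[]; remediation: string | null; accepted: boolean }

// Assumption: the `id` in security-exceptions.json is the GHSA id found in the advisory URL.
export function advisoryIdFromUrl(url: string): string | null {
  const m = /GHSA-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}/i.exec(url);
  return m ? m[0].toLowerCase() : null;
}

// An exception counts only until its `expires` date; an unparseable date never grants one.
export function isActive(ex: SecurityException, now: Date): boolean {
  const t = new Date(ex.expires).getTime();
  return !Number.isNaN(t) && t >= now.getTime();
}

export function remediation(v: Vulnerability): string | null {
  if (v.fixAvailable === true) return "npm audit fix";
  if (typeof v.fixAvailable === "object") {
    const cmd = `npm install ${v.fixAvailable.name}@${v.fixAvailable.version}`;
    return v.fixAvailable.isSemVerMajor ? `${cmd}  # semver-major: review breaking changes first` : cmd;
  }
  return null;   // npm found no fix: the finding stays open and still counts toward --fail-on
}

export function classify(report: AuditReport, exceptions: SecurityException[], now: Date): Finding[] {
  const active = new Set(exceptions.filter(e => isActive(e, now)).map(e => e.id.toLowerCase()));
  const vulns = Object.values(report.vulnerabilities);
  const accepted = new Set<string>();
  // A package is accepted when every advisory on it has an active exception, or when it is
  // vulnerable only through packages that are themselves accepted (iterate to a fixpoint).
  for (let changed = true; changed; ) {
    changed = false;
    for (const v of vulns) {
      if (accepted.has(v.name) || v.via.length === 0) continue;
      const ok = v.via.every(x => typeof x === "string" ? accepted.has(x) : active.has(advisoryIdFromUrl(x.url) ?? ""));
      if (ok) { accepted.add(v.name); changed = true; }
    }
  }
  return vulns.map(v => ({
    pkg: v.name, severity: v.severity, isDirect: v.isDirect, remediation: remediation(v), accepted: accepted.has(v.name),
    advisoryIds: v.via.filter((x): x is Advisory => typeof x !== "string").map(x => advisoryIdFromUrl(x.url) ?? x.url),
  })).sort((a, b) => RANK[b.severity] - RANK[a.severity]);
}

// Exit 1 only for unaccepted findings at or above --fail-on; without a threshold the code is always 0.
export function exitCode(findings: Finding[], failOn: Severity | null): number {
  if (failOn === null) return 0;
  return findings.some(f => !f.accepted && RANK[f.severity] >= RANK[failOn]) ? 1 : 0;
}

export function runAudit(auditJson: string, exceptionsJson: string | null, failOn: Severity | null, now: Date = new Date()): { code: number; findings: Finding[] } {
  try {
    const report = JSON.parse(auditJson) as AuditReport;
    if (report.auditReportVersion !== 2 || typeof report.vulnerabilities !== "object") throw new Error("unexpected npm audit format");
    const exceptions: SecurityException[] = exceptionsJson ? JSON.parse(exceptionsJson).exceptions ?? [] : [];
    const findings = classify(report, exceptions, now);
    return { code: exitCode(findings, failOn), findings };
  } catch {
    return { code: 2, findings: [] };   // documented exit code 2: error running audit
  }
}

// Constructed sample `npm audit --json` output and exceptions file (not from a real project; GHSA ids are placeholders).
const adv = (name: string, url: string, severity: Severity, range: string): Advisory =>
  ({ name, title: "Prototype pollution (constructed)", url, severity, range });
export const SAMPLE_AUDIT_JSON = JSON.stringify({
  auditReportVersion: 2,
  vulnerabilities: {
    lodash: { name: "lodash", severity: "high", isDirect: true, range: "<4.17.21", effects: [], nodes: ["node_modules/lodash"],
      via: [adv("lodash", "https://github.com/advisories/GHSA-aaaa-bbbb-cccc", "high", "<4.17.21")], fixAvailable: true },
    minimist: { name: "minimist", severity: "critical", isDirect: false, range: "<1.2.6", effects: ["mkdirp"], nodes: ["node_modules/minimist"],
      via: [adv("minimist", "https://github.com/advisories/GHSA-dddd-eeee-ffff", "critical", "<1.2.6")],
      fixAvailable: { name: "mkdirp", version: "1.0.4", isSemVerMajor: true } },
    // mkdirp is vulnerable only through minimist, so npm lists the dependency name rather than an advisory.
    mkdirp: { name: "mkdirp", severity: "critical", isDirect: true, range: "0.4.1 - 0.5.1", effects: [], nodes: ["node_modules/mkdirp"],
      via: ["minimist"], fixAvailable: { name: "mkdirp", version: "1.0.4", isSemVerMajor: true } },
  },
});
export const SAMPLE_EXCEPTIONS_JSON = JSON.stringify({ exceptions: [
  { id: "GHSA-dddd-eeee-ffff", reason: "Not exploitable in our usage context", expires: "2099-01-01", approvedBy: "security-team" },
  { id: "GHSA-aaaa-bbbb-cccc", reason: "Lapsed: must be re-reviewed", expires: "2020-01-01", approvedBy: "security-team" },
] });

const result = runAudit(SAMPLE_AUDIT_JSON, SAMPLE_EXCEPTIONS_JSON, "high", new Date("2025-01-15"));
for (const f of result.findings) console.log(`${f.severity.padEnd(8)} ${f.pkg}${f.isDirect ? "" : " (transitive)"}${f.accepted ? " [accepted]" : ""} -> ${f.remediation ?? "no fix available"}`);
console.log(`exit code ${result.code}`);   // 1: lodash (high) has only an expired exception
```

In a real run, `auditJson` would be the captured stdout of `npm audit --json` (spawning npm is left out here) and the process would end with `process.exit(result.code)`. The `expires` check is the part worth keeping strict in any implementation of this scheme: an exception with a lapsed or malformed date silently becomes a permanent waiver unless it is treated as inactive, which is why the sample deliberately carries one expired entry.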
### CI Integration
```yaml
- name: Security Audit
  run: npx tsx ~/.claude/skills/security-auditor/scripts/index.ts --fail-on high
```
### Requirements
- Node.js and npm installed
- Valid `package.json` in target directory
- Optional: `package-lock.json` for accurate audit
### License
MIT
### Related Skills
- ci-doctor - Diagnose CI/CD pipeline issues
- version-sync - Sync Node.js versions
- flaky-test-detector - Detect flaky tests
- docker-optimizer - Optimize Dockerfiles
# Supported AI Coding Agents
This skill is compatible with the SKILL.md standard and works with all major AI coding agents: