AI 安全审计 — OWASP 与漏洞扫描 Skill
安装安全审计 Skill,将 Claude Code 变成专注安全的代码审查员。OWASP Top 10 检查、依赖漏洞扫描、密钥泄露检测和威胁建模——全部在编辑器本地运行。
安装 Security Auditor Skill
# Install the Security Auditor agent skill
curl -s https://api.tokrepo.com/raw/security-auditor-agent \
> ~/.claude/skills/security-auditor/SKILL.md
# Or install via TokRepo CLI
npx tokrepo install security-auditor-agent
Antigravity Awesome Skills — 1,340+ Agentic Skills Library
Installable library of 1,340+ agentic skills for Claude Code, Cursor, Codex CLI, and Gemini CLI. One command installs skills like brainstorming, security auditing, frontend design, and API design.
Nuxt + Go-Zero Quality Audit Skill — 30 Checks from 250 Real Bugs
Production-tested quality check skill for Nuxt SSR + Go-Zero + MySQL projects. 30 automated checks across 7 dimensions (security, race conditions, transactions, frontend SSR, dependencies, API contracts, ops) — distilled from 10 rounds of Codex audit that found ~250 real issues in a live SaaS product.
Claude Code Agent: Security Auditor — OWASP & Dependency Scan
Claude Code agent that audits your codebase for OWASP top 10 vulnerabilities, dependency issues, and security anti-patterns.
Claude Code Agent: Smart Contract Auditor — Web3 Security
Claude Code agent for auditing Solidity smart contracts. Reentrancy, overflow, access control, gas optimization, and best practices.
ModSecurity — Open Source Web Application Firewall Engine
ModSecurity is a cross-platform web application firewall engine that inspects HTTP traffic in real time. Originally an Apache module, it now runs as a standalone library (libmodsecurity) embeddable in Nginx, Apache, and IIS, with rule sets like OWASP CRS providing out-of-the-box protection against SQL injection, XSS, and other OWASP Top 10 threats.
Amass — In-Depth Attack Surface Mapping and Asset Discovery
An OWASP project for network mapping and external asset discovery using open source intelligence gathering and active reconnaissance techniques.
MCP ZAP Server — OWASP ZAP for Agents (Safe)
MCP ZAP Server exposes OWASP ZAP through MCP with operator guardrails (auth, policies, scopes) and Docker Compose setup for guided scans and reports.
用 AI 实现安全左移
The AI security auditor brings professional penetration testing patterns into your daily coding workflow. Instead of running security scans after deployment — when fixes are expensive and risky — these skills check for vulnerabilities as you write code. Every commit gets checked for SQL injection, XSS, CSRF, insecure deserialization, broken authentication, and the rest of the OWASP Top 10.
What makes AI-powered security auditing different from traditional SAST (Static Application Security Testing) tools is contextual understanding. A regex-based scanner flags every eval() call; an AI auditor understands that eval(JSON.stringify(config)) with a trusted input is safe while eval(userInput) is critical. This dramatically reduces false positives — the noise that makes teams ignore security tools entirely.
The skills below also cover areas traditional scanners miss: secrets detection (API keys, tokens, passwords committed to git), dependency analysis (known CVEs in your package.json/go.mod), threat modeling (identifying attack surfaces in your architecture), and smart contract auditing for Web3 projects. Pair with AI code review skills for a complete quality gate, or browse the full security tools directory for dedicated scanners. For CI/CD integration, check DevOps tools that run these checks automatically on every PR.
The cheapest vulnerability fix is the one your AI catches before you hit commit.
常见问题
What does the AI security auditor check for?+
The skill audits for: OWASP Top 10 vulnerabilities (injection, XSS, CSRF, broken auth, etc.), hardcoded secrets and API keys, known CVEs in dependencies, insecure cryptographic implementations, path traversal vulnerabilities, insecure deserialization, server-side request forgery (SSRF), and misconfigured security headers. It produces a severity-ranked report with specific file locations and fix suggestions.
How is this different from Snyk or SonarQube?+
Traditional SAST tools use pattern matching and rule engines — they're fast but produce many false positives and miss complex vulnerabilities that require understanding code flow. AI security auditors understand context: they can trace data flow from user input to database query, understand authentication middleware, and assess whether a flagged pattern is actually exploitable. They complement traditional scanners — use both for defense in depth.
Can the AI fix the vulnerabilities it finds?+
Yes. After identifying a vulnerability, Claude Code can propose a fix — for example, replacing string concatenation in SQL with parameterized queries, adding input sanitization for XSS, or implementing CSRF tokens. Always review security fixes carefully before applying — AI can introduce subtle regressions in security-critical code. The safest workflow: AI identifies and proposes, human reviews and approves.
Does it work for smart contracts?+
Yes. TokRepo includes a dedicated Smart Contract Auditor skill that checks Solidity and other EVM languages for reentrancy attacks, integer overflow, access control issues, gas optimization, and common DeFi vulnerabilities. It's specifically trained on known Web3 exploit patterns and audit report formats.
How do I integrate security auditing into CI/CD?+
Run Claude Code in headless mode as a CI step: 'claude --headless audit-security' with appropriate flags. Some teams use Claude Code Hooks to trigger security scans on every commit. For GitHub-native solutions, several tools in TokRepo's DevOps directory provide GitHub Actions that run AI security scans on every PR and block merge if critical issues are found.