AI-powered system-level security audit skill for Codex, Claude Code, and other coding agents.
Security Auditor is a reusable AI skill for running a full project and deployment security review before production release.
It helps Codex, Claude Code, and other AI coding agents inspect source code, deployment files, environment examples, dependency manifests, Docker configuration, CI/CD files, cloud platform settings, and application security controls, then produce a structured security report with concrete remediation advice.
The skill is especially useful before exposing a web app, API backend, SaaS tool, admin panel, or AI application to the public internet.
Install with the standard GitHub skill path:
https://github.com/MonkeyNull/security-auditor/tree/main/security-auditor
In Codex, ask:
Install the skill from https://github.com/MonkeyNull/security-auditor/tree/main/security-auditor
Or install with the helper script:
curl -fsSL https://raw.githubusercontent.com/MonkeyNull/security-auditor/main/install.sh | shOr install manually:
git clone https://github.com/MonkeyNull/security-auditor.git
cd security-auditor
mkdir -p ~/.codex/skills
cp -R security-auditor ~/.codex/skills/security-auditorThen restart Codex and ask:
Use $security-auditor to audit this project before production deployment and produce a severity-based security report.
Security Auditor guides the AI agent through a system-level security checklist:
- Secrets and credentials management
.env.examplesafety- Cloud environment variable references
- Production vs preview environment separation
- CORS and public network exposure
- Internal service communication and private networking
- Security headers such as CSP, HSTS, X-Frame-Options, and X-Content-Type-Options
- SQL injection, command injection, SSRF, XSS, unsafe redirects, and validation gaps
- Authentication, authorization, JWT/session handling, password hashing, MFA, and IDOR risks
- Dockerfile and container hardening
- Logging and production error handling
- Platform config such as
railway.json,Procfile, Docker Compose, and CI/CD deployment risks - DDoS/CC protection, rate limits, request body limits, timeout settings, and cost-control risks
- Cloud spend caps, WAF/CDN, public networking, preview variables, and dashboard-only checks
- Compliance and data protection items such as privacy policy, TLS, encryption, and file uploads
See examples/sample-report.md for a sample security review report.
The generated audit report is organized into four sections:
**高危风险**
**中危风险**
**低危风险**
**需人工在云平台/部署平台确认的检查点**Each finding includes:
- Problem description
- Risk level
- Related file or code snippet
- Concrete remediation advice
- Example code or configuration when useful
Security Auditor is published as a standard GitHub skill directory at:
https://github.com/MonkeyNull/security-auditor/tree/main/security-auditor
If your AI coding agent supports installing skills from GitHub paths, use that URL directly.
For Codex, ask:
Install the skill from https://github.com/MonkeyNull/security-auditor/tree/main/security-auditor
The equivalent Codex skill-installer command is:
install-skill-from-github.py --repo MonkeyNull/security-auditor --path security-auditorYou can also install with the helper script:
curl -fsSL https://raw.githubusercontent.com/MonkeyNull/security-auditor/main/install.sh | shClone this repository:
git clone https://github.com/MonkeyNull/security-auditor.git
cd security-auditorCopy the skill into your Codex skills directory:
mkdir -p ~/.codex/skills
cp -R security-auditor ~/.codex/skills/security-auditorRestart Codex, then invoke the skill with:
Use $security-auditor to audit this project before production deployment and produce a severity-based security report.
security-auditor/
├── examples/
│ └── sample-report.md
├── install.sh
├── LICENSE
├── PROMOTION.md
├── README.md
└── security-auditor/
├── SKILL.md
├── agents/
│ └── openai.yaml
└── references/
└── checklist.md
Ask your AI coding agent:
Use $security-auditor to perform a complete system-level security review of this repository.
Or, for a more targeted review:
Use $security-auditor to review my Dockerfile, .env.example, cloud deployment config, and API routes for production security risks.
Or, if you want fixes after the report:
Use $security-auditor to audit this project, then implement safe fixes for high-risk issues only.
The skill instructs the AI agent to:
- Inventory relevant project files.
- Search for secrets, public exposure, unsafe auth patterns, risky queries, dangerous logs, missing rate limits, and deployment mistakes.
- Review cloud/platform-specific configuration and manual dashboard checkpoints.
- Run dependency audit tools where available.
- Separate verified code findings from items that require manual confirmation in the hosting or cloud platform.
- Produce a severity-based report with file references and practical fixes.
This skill does not replace a professional penetration test, compliance audit, or production incident response process.
It is designed to make AI-assisted code review more systematic and security-focused, especially for small teams and solo developers shipping quickly to cloud platforms.
If the audit finds real secrets, rotate them immediately in the provider dashboard and inspect git history, deployment logs, and third-party access logs.
Some deployment risks cannot be fully verified from code. Always confirm these in your hosting or cloud platform:
- Production and preview variables are separated.
- Preview deployments do not use production databases.
- Public networking is enabled only for services that must be public.
- Databases, Redis, queues, and internal services are not exposed through public TCP proxies unless required.
- Custom domains use HTTPS correctly.
- Spend caps, budget alerts, or usage alerts are enabled.
- Temporary test services have been removed or disabled.
- Logs do not contain credentials, tokens, PII, or full database connection strings.
Contributions are welcome.
Good improvements include:
- More framework-specific security patterns
- Better examples for Node.js, Python, Go, Ruby, Rust, and Java projects
- Additional cloud platform deployment checks
- Better DDoS and cost-control guidance
- Report templates in more languages
Please keep the skill concise and practical. The goal is to help AI agents produce useful, repo-specific security findings rather than generic checklists.
This project is released under the MIT License. See LICENSE for details.