
security-audit

Comprehensive security auditing for Clawdbot deployments. Scans for exposed credentials, open ports, weak configs, and vulnerabilities. Auto-fix mode included.

Author: admin | Source: ClawHub
Version: V 1.0.0
Security check: Passed
Downloads: 8,306
Favorites: 7

security-audit

# Security Audit Skill

## When to use

Run a security audit to identify vulnerabilities in your Clawdbot setup before deployment or on a schedule. Use auto-fix to remediate common issues automatically.

## Setup

No external dependencies required. Uses native system tools where available.

## How to

### Quick audit (common issues)

```bash
node skills/security-audit/scripts/audit.cjs
```

### Full audit (comprehensive scan)

```bash
node skills/security-audit/scripts/audit.cjs --full
```

### Auto-fix common issues

```bash
node skills/security-audit/scripts/audit.cjs --fix
```

### Audit specific areas

```bash
node skills/security-audit/scripts/audit.cjs --credentials  # Check for exposed API keys
node skills/security-audit/scripts/audit.cjs --ports        # Scan for open ports
node skills/security-audit/scripts/audit.cjs --configs      # Validate configuration
node skills/security-audit/scripts/audit.cjs --permissions  # Check file permissions
node skills/security-audit/scripts/audit.cjs --docker       # Docker security checks
```

### Generate report

```bash
node skills/security-audit/scripts/audit.cjs --full --json > audit-report.json
```

## Output

The audit produces a report with:

| Level | Description |
|-------|-------------|
| 🔴 CRITICAL | Immediate action required (exposed credentials) |
| 🟠 HIGH | Significant risk, fix soon |
| 🟡 MEDIUM | Moderate concern |
| 🟢 INFO | FYI, no action needed |

## Checks Performed

### Credentials

- API keys in environment files
- Tokens in command history
- Hardcoded secrets in code
- Weak password patterns

### Ports

- Unexpected open ports
- Services exposed to internet
- Missing firewall rules

### Configs

- Missing rate limiting
- Disabled authentication
- Default credentials
- Open CORS policies

### Files

- World-readable files
- Executable by anyone
- Sensitive files in public dirs

### Docker

- Privileged containers
- Missing resource limits
- Root user in container

## Auto-Fix

The `--fix` option automatically:

- Sets restrictive file permissions (600 on .env)
- Secures sensitive configuration files
- Creates .gitignore if missing
- Enables basic security headers

## Related skills

- `security-monitor` - Real-time monitoring (available separately)
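
The file-permission check and the "600 on .env" fix listed under Auto-Fix, sketched as an added example; this is not the skill's `audit.cjs`, whose source is not shown on this page. The function name `auditEnvPermissions`, the finding fields and the severity mapping are assumptions, and the demo runs against a constructed temporary directory.

```javascript
// Added example (not the skill's audit.cjs): flag, and optionally fix,
// .env files whose POSIX mode grants any access to group or others.
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// Hypothetical helper: returns one finding per .env / .env.* file in `dir`.
function auditEnvPermissions(dir, { fix = false } = {}) {
  const findings = [];
  for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
    // Dirent.isFile() is false for symlinks, so chmod never follows a link.
    if (!entry.isFile() || !/^\.env(\..+)?$/.test(entry.name)) continue;
    const file = path.join(dir, entry.name);
    const mode = fs.statSync(file).mode & 0o777;
    const exposed = (mode & 0o077) !== 0; // any group/other bit set
    const fixed = exposed && fix;
    if (fixed) fs.chmodSync(file, 0o600); // owner read/write only
    findings.push({
      file,
      mode: mode.toString(8).padStart(3, '0'),
      // Assumption: mapping onto the page's levels is illustrative only.
      level: exposed ? 'CRITICAL' : 'INFO',
      fixed,
    });
  }
  return findings;
}

// Constructed demo: a throwaway directory holding one world-readable .env.
function demo() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'audit-demo-'));
  const envFile = path.join(dir, '.env');
  fs.writeFileSync(envFile, 'API_KEY=constructed-placeholder\n');
  fs.chmodSync(envFile, 0o644);
  const before = auditEnvPermissions(dir);              // report only
  const during = auditEnvPermissions(dir, { fix: true }); // report and fix
  const after = auditEnvPermissions(dir);               // verify the fix
  fs.rmSync(dir, { recursive: true, force: true });
  return { before, during, after };
}

console.log(JSON.stringify(demo(), null, 2));
```

Mode bits are only meaningful on POSIX file systems; on Windows the same check would have to inspect ACLs instead.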

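Tags

skill ai

Install via chat

This skill can be installed via chat on the following platforms:

OpenClaw WorkBuddy QClaw Kimi Claude

Option 1: Install SkillHub and the skill

Help me install SkillHub and the security-audit-1776382817 skill

Option 2: Set SkillHub as the preferred skill installation source

Set SkillHub as my preferred skill installation source, then help me install the security-audit-1776382817 skill

Install via command line

skillhub install security-audit-1776382817

Download Zip package

⬇ Download security-audit v1.0.0

File size: 6.14 KB | Published: 2026-4-17 15:53

v1.0.0 Latest 2026-4-17 15:53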
Initial release: credential scanning, port detection, config validation, file permissions, Docker security checks, auto-fix mode
