oktsec/audit
Security audit for AI-built projects. 130+ checks across OWASP Top 10. Auto-detects stack, loads relevant checks, grades your project A-F with exact fixes.
Run /audit in any project. Get a graded security report with exact fixes in under 2 minutes.
Built for code written with Claude Code, Cursor, Copilot, Windsurf, and other AI coding tools. Covers OWASP Top 10 with 130+ detection patterns across 16 security categories.
`npx skills add oktsec/audit`

Works with Claude Code, Codex, Gemini CLI, Amp, and 40+ other agents.
Most AI-generated code ships with the same security gaps: hardcoded API keys, missing auth on API routes, SQL injection via string interpolation, CORS wildcards, no rate limiting. This skill finds them before your users do.
## Security Audit
**Project:** my-saas
**Stack:** Next.js 14 + Supabase + Stripe + Vercel
**Scanned:** 142 files across 23 directories
### Score: D
2 critical findings require immediate attention.
**1. Supabase service_role key in client bundle** `CRITICAL`
`.env.local:7`
Service role bypasses all Row Level Security. Any user can read/write all database tables.
**2. Stripe webhook without signature verification** `HIGH`
`app/api/webhook/route.ts:12`
Anyone can POST fake payment events to this endpoint.
### Top 3 actions
1. Move service_role to server-side only, use anon key in client
2. Add constructEvent() with webhook secret to verify Stripe signatures
3. Enable RLS on all Supabase tables with per-user policies

After the report, it offers to fix issues one by one, showing what changes before applying them.
A Next.js + Supabase project loads Next.js and Supabase checks. A plain Express API sk