suhteevah

authaudit

Author suhteevah · GitHub ↗ · v1.0.1 · MIT-0
darwin linux win32 ⚠ suspicious
92
Total downloads
0
Favorites
0
Current installs
2
Versions
Install in OpenClaw
/install authaudit
Description
Authentication & authorization pattern analyzer — finds missing auth checks, insecure sessions, broken access control, CSRF gaps, and token handling vulnerab...
Usage (SKILL.md)

# AuthAudit -- Authentication & Authorization Pattern Analyzer

AuthAudit scans your codebase for authentication and authorization vulnerabilities including missing auth checks, insecure session handling, broken access control, CSRF gaps, token storage issues, and credential management weaknesses. It supports JavaScript/TypeScript, Python, Ruby, Go, Java, and PHP codebases. All scanning happens locally using regex-based pattern matching -- no code is sent to external servers.

## Check Categories

AuthAudit organizes its 90 security patterns into 6 categories:

### 1. AC -- Authentication Checks (15 patterns)

Detects missing authentication middleware, unprotected routes, bypassed login checks, missing auth decorators, unauthenticated API endpoints, disabled authentication, anonymous access to sensitive resources, and missing multi-factor authentication enforcement.

### 2. SM -- Session Management (15 patterns)

Finds insecure session configuration, missing session expiry, absent session rotation on privilege changes, predictable session IDs, session fixation vulnerabilities, missing Secure/HttpOnly cookie flags, overly long session lifetimes, and sessions stored in insecure locations.

### 3. AZ -- Authorization/Access Control (15 patterns)

Identifies missing role checks, broken object-level authorization (BOLA), insecure direct object references (IDOR), missing permission verification, privilege escalation paths, hardcoded admin roles, missing function-level authorization, and horizontal access control bypasses.

### 4. TK -- Token Handling (15 patterns)

Catches JWT stored in localStorage, tokens transmitted in URL parameters, missing token expiry validation, absent token refresh rotation, weak signing algorithms (none/HS256 with secrets), token leakage in logs, missing audience/issuer validation, and insecure token generation.
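The TK patterns above describe what a token verifier should not do. As an added example, not part of AuthAudit or its bundled license.sh, the following Python takes the opposite side of each of those findings: it pins the algorithm to an allowlist (so an `alg: none` header is rejected outright), checks the HMAC in constant time, and validates `exp`, `iss` and `aud` before accepting a token. The secret, issuer, audience and fixed timestamp are constructed demo values, and the `sign_hs256` / `unsigned_token` helpers exist only to build test input.

```python
# Added example (not AuthAudit's own license.sh): an offline JWT check that
# avoids the Token Handling (TK) findings -- pinned algorithm, "none" rejected,
# constant-time signature check, and exp / iss / aud validation.
import base64
import hashlib
import hmac
import json
from typing import Tuple

ALLOWED_ALGS = {"HS256"}          # assumption: HS256 is the only accepted algorithm
DEMO_SECRET = b"constructed-demo-secret-not-for-production"   # constructed
DEMO_ISSUER = "https://issuer.example"                          # constructed
DEMO_AUDIENCE = "authaudit-cli"                                 # constructed
DEMO_NOW = 1_700_000_000          # fixed "current time" so results are reproducible


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # Re-add the padding that compact JWT encoding strips.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_segment(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Mint a compact HS256 token (used here only to build test input)."""
    header = _json_segment({"alg": "HS256", "typ": "JWT"})
    signing_input = header + "." + _json_segment(claims)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def unsigned_token(claims: dict) -> str:
    """Build an alg=none token: the shape a TK check wants verifiers to reject."""
    return _json_segment({"alg": "none", "typ": "JWT"}) + "." + _json_segment(claims) + "."


def verify_token(token: str, secret: bytes, issuer: str, audience: str, now: int) -> Tuple[bool, str]:
    """Return (accepted, reason). Each rejection corresponds to one TK pattern family."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:                      # wrong segment count, bad base64, bad JSON
        return False, "malformed token"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return False, "malformed token"
    # The algorithm comes from our allowlist; the header alone is never trusted.
    if header.get("alg") not in ALLOWED_ALGS:
        return False, f"rejected alg {header.get('alg')!r}"
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return False, "bad signature"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)):
        return False, "missing exp"          # a token without expiry is itself a TK finding
    if exp <= now:
        return False, "expired"
    if claims.get("iss") != issuer:
        return False, "issuer mismatch"
    if claims.get("aud") != audience:
        return False, "audience mismatch"
    return True, "ok"


if __name__ == "__main__":
    good = sign_hs256({"sub": "user-1", "iss": DEMO_ISSUER, "aud": DEMO_AUDIENCE,
                       "exp": DEMO_NOW + 3600}, DEMO_SECRET)
    print(verify_token(good, DEMO_SECRET, DEMO_ISSUER, DEMO_AUDIENCE, DEMO_NOW))
    print(verify_token(unsigned_token({"sub": "user-1"}), DEMO_SECRET, DEMO_ISSUER, DEMO_AUDIENCE, DEMO_NOW))
```

The order of checks matters: the algorithm allowlist runs before any signature work, so an `alg: none` token never reaches the comparison, and the claims are only trusted after the signature has been verified.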

### 5. CS -- CSRF Protection (15 patterns)

Detects missing CSRF tokens on state-changing endpoints, absent SameSite cookie flag, GET requests performing side effects, missing Origin/Referer validation, state-changing GET endpoints, disabled CSRF middleware, CORS misconfigurations enabling CSRF, and missing double-submit cookie patterns.

### 6. PW -- Password & Credential Management (15 patterns)

Finds weak password requirements, plaintext password comparison, missing bcrypt/argon2 hashing, absent rate limiting on login endpoints, passwords in query strings, hardcoded credentials, insecure password reset tokens, missing password complexity enforcement, and credential logging.

## Severity Levels

Each finding is classified by severity:

| Severity | Weight | Description |
|----------|--------|-------------|
| Critical | 25 points | Active vulnerability that can be immediately exploited |
| High | 15 points | Significant security weakness requiring prompt attention |
| Medium | 8 points | Security concern to address in upcoming sprints |
| Low | 3 points | Best-practice improvement or informational finding |

## Scoring System

AuthAudit calculates a security score from 0 to 100:

- Starting score: 100
- Deductions: Each finding subtracts points based on severity weight
- Scaling: Penalties are scaled relative to codebase size (more files = smaller per-issue impact)
- Pass threshold: 70 (score >= 70 = pass, score < 70 = fail)

## Grades

| Grade | Score Range | Meaning |
|-------|-------------|---------|
| A | 90 -- 100 | Excellent auth posture |
| B | 80 -- 89 | Good, minor improvements needed |
| C | 70 -- 79 | Acceptable, several issues to fix |
| D | 60 -- 69 | Below threshold, significant concerns |
| F | 0 -- 59 | Critical auth vulnerabilities present |

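To make the scoring concrete, the following Python is an added example, not AuthAudit's own analyzer.sh or patterns.sh. It runs a handful of constructed regex patterns (with category-prefixed check IDs) over constructed sample sources, reports findings with file, line number, check ID, severity, description and recommendation, applies the severity weights and grade bands from the two tables above, and returns the pass/fail exit code at the 70 threshold. It goes beyond the page in one respect: SKILL.md says deductions are scaled by codebase size but does not give the formula, so the scaling rule in `security_score` (one unit of deduction per ten files) is an assumption, as is the exact behaviour of the `category` filter.

```python
# Added example (not AuthAudit's analyzer.sh/patterns.sh): a small regex
# scanner with the severity weights, grade bands and exit code from SKILL.md.
# The patterns, sample sources and size-scaling rule are constructed.
import json
import re
from dataclasses import asdict, dataclass
from typing import Dict, List, Optional

SEVERITY_WEIGHT = {"Critical": 25, "High": 15, "Medium": 8, "Low": 3}   # severity table
PASS_THRESHOLD = 70
GRADE_BANDS = ((90, "A"), (80, "B"), (70, "C"), (60, "D"))              # grade table; else F


@dataclass(frozen=True)
class Pattern:
    check_id: str        # <category>-<nn>, e.g. TK-01
    severity: str
    regex: re.Pattern
    description: str
    recommendation: str


@dataclass(frozen=True)
class Finding:
    file: str
    line: int
    check_id: str
    severity: str
    description: str
    recommendation: str


# Constructed illustrative patterns across four categories (not the real 90).
PATTERNS: List[Pattern] = [
    Pattern("TK-01", "High",
            re.compile(r"""localStorage\.setItem\(\s*['"](?:jwt|token|access_token)"""),
            "Token written to localStorage", "Keep tokens in HttpOnly cookies or in memory"),
    Pattern("TK-02", "Critical",
            re.compile(r"""algorithms?\s*[:=]\s*\[?\s*['"]none['"]"""),
            "JWT verification accepts alg=none", "Pin an explicit algorithm allowlist"),
    Pattern("SM-01", "Medium",
            re.compile(r"httpOnly\s*:\s*false"),
            "Session cookie without HttpOnly", "Set httpOnly: true on session cookies"),
    Pattern("CS-01", "High",
            re.compile(r"csrf\s*:\s*false|skip_before_action\s+:verify_authenticity_token"),
            "CSRF protection disabled", "Re-enable CSRF middleware on state-changing routes"),
    Pattern("PW-01", "Critical",
            re.compile(r"\bpassword\s*==\s*"),
            "Plaintext password comparison", "Compare against a bcrypt/argon2 hash"),
]


def scan_sources(files: Dict[str, str], category: Optional[str] = None) -> List[Finding]:
    """Run every (optionally category-filtered) pattern over each line of each file."""
    active = [p for p in PATTERNS if category is None or p.check_id.startswith(category + "-")]
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for p in active:
                if p.regex.search(line):
                    findings.append(Finding(path, lineno, p.check_id, p.severity,
                                            p.description, p.recommendation))
    return findings


def security_score(findings: List[Finding], file_count: int) -> int:
    # Assumption: deductions shrink by one unit per ten files, so a single issue
    # in a large codebase costs less than the same issue in a tiny one.
    scale = 1.0 / max(1.0, file_count / 10.0)
    deduction = sum(SEVERITY_WEIGHT[f.severity] for f in findings) * scale
    return max(0, min(100, round(100 - deduction)))


def letter_grade(score: int) -> str:
    for floor, letter in GRADE_BANDS:
        if score >= floor:
            return letter
    return "F"


def run_audit(files: Dict[str, str], category: Optional[str] = None) -> dict:
    findings = scan_sources(files, category)
    score = security_score(findings, len(files))
    return {"findings": findings, "score": score, "grade": letter_grade(score),
            "exit_code": 0 if score >= PASS_THRESHOLD else 1}


def to_json(report: dict) -> str:
    """A --format json style rendering: findings as plain objects beside score and grade."""
    return json.dumps({**report, "findings": [asdict(f) for f in report["findings"]]}, indent=2)


# Constructed sample sources; each flagged line is written to trip one pattern.
SAMPLE_FILES = {
    "web/auth.js": "const token = await login(user);\n"
                   "localStorage.setItem('jwt', token);\n"
                   "res.cookie('sid', sid, { httpOnly: false, secure: true });\n",
    "api/verify.py": "import jwt\n"
                     "claims = jwt.decode(tok, key, algorithms=['none', 'HS256'])\n",
    "api/login.py": "if user.password == request.form['password']:\n"
                    "    session['uid'] = user.id\n",
}

if __name__ == "__main__":
    print(to_json(run_audit(SAMPLE_FILES)))
```

On the sample above the four findings (15 + 25 + 8 + 25 points, no scaling at three files) leave a score of 27, grade F and exit code 1; restricting to `category="TK"` drops two findings and gives 60, grade D, still a failure against the 70 threshold.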
## Commands

### Free Tier (No license required)

#### `authaudit scan [file|directory]`

One-shot authentication and authorization audit of source files.

How to execute:

```bash
bash "<SKILL_DIR>/scripts/dispatcher.sh" --path [target]
```

**What it does:**
1. Accepts a file path or directory (defaults to current directory)
2. Finds all source files (excluding .git/, node_modules/, dist/, build/, vendor/, __pycache__)
3. Runs the first 30 auth/authz patterns against each file (free tier limit)
4. Outputs findings with: file, line number, check ID, severity, description, recommendation
5. Calculates a security score (0-100) with letter grade
6. Free tier: limited to 30 of 90 patterns
7. Exit code 0 if score >= 70, exit code 1 if score < 70

**Example usage scenarios:**
- "Scan my code for auth vulnerabilities" -> runs `authaudit scan .`
- "Check for missing authentication" -> runs `authaudit scan src/`
- "Audit my session handling" -> runs `authaudit scan .`
- "Find CSRF vulnerabilities" -> runs `authaudit scan .`
- "Check token security" -> runs `authaudit scan .`

#### `authaudit scan [file|directory] --category AC`
Scan only a specific category.

```bash
bash "<SKILL_DIR>/scripts/dispatcher.sh" --path [target] --category AC
```

#### `authaudit scan [file|directory] --format json`
Output results in JSON format for CI/CD integration.

```bash
bash "<SKILL_DIR>/scripts/dispatcher.sh" --path [target] --format json
```

### Pro Tier ($19/user/month -- requires AUTHAUDIT_LICENSE_KEY)

#### `authaudit scan [file|directory]` (60 patterns)
Full security audit with 60 patterns enabled (free + pro patterns).

```bash
bash "<SKILL_DIR>/scripts/dispatcher.sh" --path [target]
```

**What it does (beyond free):**
1. Runs 60 of 90 patterns (all free + pro-tier patterns)
2. Includes advanced session management, token handling, and credential checks
3. Detailed remediation advice per finding
4. HTML report output support

#### `authaudit hooks install`
Install git pre-commit hooks that scan staged files for auth issues before every commit.

```bash
bash "<SKILL_DIR>/scripts/dispatcher.sh" hooks install
```

#### `authaudit hooks uninstall`
Remove AuthAudit git hooks.

```bash
bash "<SKILL_DIR>/scripts/dispatcher.sh" hooks uninstall
```

#### `authaudit report [directory]`
Generate a markdown security audit report.

```bash
bash "<SKILL_DIR>/scripts/dispatcher.sh" report [directory]
```

### Team/Enterprise Tier ($39/user/month -- requires AUTHAUDIT_LICENSE_KEY with team tier)

#### `authaudit scan [file|directory]` (all 90 patterns)
Complete audit with all 90 patterns across all 6 categories.

```bash
bash "<SKILL_DIR>/scripts/dispatcher.sh" --path [target]
```

#### `authaudit scan [file|directory] --format html`
HTML report with interactive severity filtering.

```bash
bash "<SKILL_DIR>/scripts/dispatcher.sh" --path [target] --format html
```

## Tier-Based Pattern Access

| Tier | Patterns Available | Categories |
|------|-------------------|------------|
| **Free** | 30 (first 5 per category) | AC, SM, AZ, TK, CS, PW |
| **Pro** | 60 (first 10 per category) | AC, SM, AZ, TK, CS, PW |
| **Team** | 90 (all patterns) | AC, SM, AZ, TK, CS, PW |
| **Enterprise** | 90 (all patterns) | AC, SM, AZ, TK, CS, PW |

## Output Formats

- **text** (default) -- Human-readable terminal output with colors and severity icons
- **json** -- Machine-readable JSON for CI/CD pipelines and tooling integration
- **html** -- Self-contained HTML report with severity filtering (Team+)

## Configuration

Users can configure AuthAudit in `~/.openclaw/openclaw.json`:

```json
{
  "skills": {
    "entries": {
      "authaudit": {
        "enabled": true,
        "apiKey": "YOUR_LICENSE_KEY_HERE",
        "config": {
          "severityThreshold": "medium",
          "excludePatterns": ["**/node_modules/**", "**/dist/**", "**/.git/**"],
          "reportFormat": "text",
          "categories": ["AC", "SM", "AZ", "TK", "CS", "PW"]
        }
      }
    }
  }
}
```

## Important Notes

- **Free tier** works immediately with no configuration (30 patterns)
- **All scanning happens locally** -- no code is sent to external servers
- **License validation is offline** -- no phone-home or network calls
- Supports JS/TS, Python, Ruby, Go, Java, and PHP codebases
- Git hooks use **lefthook** which must be installed (see install metadata above)
- Exit codes: 0 = pass (score >= 70), 1 = fail (score < 70 or critical issues)

## Error Handling

- If lefthook is not installed and user tries `hooks install`, prompt to install it
- If license key is invalid or expired, show clear message with link to https://authaudit.dev/renew
- If a file is binary, skip it automatically with no warning
- If no source files found in target, report clean scan with info message
- If an invalid category is specified, list valid categories and exit

## When to Use AuthAudit

The user might say things like:
- "Scan my code for authentication issues"
- "Check if my routes have auth middleware"
- "Find missing authorization checks"
- "Audit my session handling"
- "Check for CSRF vulnerabilities"
- "Find insecure token storage"
- "Check for hardcoded credentials"
- "Audit my password handling"
- "Find privilege escalation paths"
- "Check for broken access control"
- "Scan for insecure session configuration"
- "Find JWT vulnerabilities in my code"
- "Check my login flow for security issues"
- "Audit auth patterns in my codebase"
Safety recommendations
This skill appears to do what it says: a local, grep/regex-based auth/authz scanner that requires a license key. Before installing or running hooks: 1) Verify the license key source and avoid pasting keys from untrusted locations. 2) Back up ~/.openclaw/openclaw.json if you are concerned, since the skill will read it to find its apiKey. 3) Review the scripts (already bundled) if you plan to enable pre-commit/pre-push hooks — installing hooks will modify your repository's lefthook.yml and run lefthook. 4) If you do not want local signature verification to access any CLAWHUB_JWT_SECRET, do not set that env var; it is optional. 5) Run scans on a copy/isolated repo first if you want to validate behavior. Overall, nothing indicates exfiltration or unrelated credential access, but exercise normal caution with license keys and repo hook installation.
Functional analysis
Type: OpenClaw Skill · Name: authaudit · Version: 1.0.1
AuthAudit is a security scanning tool designed to identify authentication and authorization vulnerabilities in codebases using regex-based pattern matching. The skill bundle contains a core analysis engine (analyzer.sh), a CLI dispatcher (dispatcher.sh), and a license validation module (license.sh) that uses offline JWT decoding to gate features by tier. The tool performs all scanning locally, excludes sensitive directories like .git and node_modules, and provides legitimate security checks across categories such as Session Management and Token Handling. No evidence of data exfiltration, unauthorized network calls, or malicious intent was found; the functionality is entirely consistent with the stated purpose of a local security auditor.
Capability tags
crypto, requires-wallet, can-make-purchases, requires-oauth-token, requires-sensitive-credentials
Capability assessment
Purpose & Capability
The name/description (auth/authz pattern analyzer) match the shipped files: patterns.sh contains regex checks, analyzer.sh runs local grep-based scans, dispatcher.sh provides a CLI, and license.sh gates Pro/Team features. Required binaries (git, bash, python3, jq) are reasonable for the shipped implementation.
Instruction Scope
SKILL.md and the scripts instruct the agent to run local scripts (dispatcher.sh → analyzer.sh → patterns.sh). Scanning is performed locally with grep/find and does not send code to external servers. The only external references are informational (product URL) and license prompts; there are no instructions to exfiltrate files or read unrelated secrets beyond the OpenClaw config file used to obtain the license key.
Install Mechanism
The only declared install action is to install the 'lefthook' git-hook manager via brew, which is coherent with the hooks functionality. No downloads from untrusted URLs or opaque extract actions are present. Scripts provide alternate guidance (npm global) but do not automatically fetch remote code.
Credentials
The skill declares a single primary credential (AUTHAUDIT_LICENSE_KEY) which is appropriate for tier gating. It also reads ~/.openclaw/openclaw.json to locate a stored apiKey (declared in metadata). license.sh optionally checks a CLAWHUB_JWT_SECRET env var (used only to verify license signatures) but that variable is not declared in requires.env; its use is optional and limited to local signature verification. Overall requested env/config access is proportionate, but note that reading ~/.openclaw/openclaw.json means the script will parse your OpenClaw config to locate its apiKey (it does not exfiltrate it).
Persistence & Privilege
always is false and the skill is user-invocable. The skill can install git hooks (lefthook) into a repository when the user runs 'authaudit hooks install' which will modify lefthook.yml and run lefthook install — this is expected for a hooks feature but is a change to the repo that the user should approve. The skill does not request permanent platform-level privileges or modify other skills.
How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install authaudit
  3. Once installed, call the Skill by name or trigger it with /authaudit
  4. Provide the inputs required by the Skill's parameter description to get structured output
Version history
v1.0.1
Fix: declare all deps, JWT signature verification, configPaths
v1.0.0
Initial release of AuthAudit — a code security scanner for authentication and authorization.
- Scans codebases for vulnerabilities across 6 security categories (auth checks, session management, access control, tokens, CSRF, credentials)
- Supports JavaScript/TypeScript, Python, Ruby, Go, Java, and PHP code
- Offers free, pro, and enterprise tiers with tier-based pattern access (30/60/90 patterns)
- Outputs detailed findings, severity grading, and provides a security score (0–100) with letter grade
- Supports multiple output formats (text, JSON, HTML) and git pre-commit hook integration
- All analysis runs locally; no code is uploaded or sent externally
Metadata
Slug authaudit
Version 1.0.1
License MIT-0
Total installs 0
Current installs 0
Version count 2
FAQ

What is authaudit?

Authentication & authorization pattern analyzer — finds missing auth checks, insecure sessions, broken access control, CSRF gaps, and token handling vulnerab... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 92 downloads to date.

How do I install authaudit?

Run the command "/install authaudit" in the OpenClaw or Claude Code chat box to install it in one step; no extra configuration is needed.

Is authaudit free?

Yes, authaudit is completely free, released under the MIT-0 license; it can be freely downloaded, installed and used.

Which platforms does authaudit support?

authaudit is cross-platform and runs in any environment where OpenClaw / Claude Code is deployed (darwin, linux, win32).

Who developed authaudit?

Developed and maintained by suhteevah (@suhteevah); the current version is v1.0.1.
