Professional white-box code security audit skill with 55+ vulnerability types, dual-track audit model, and multi-agent deep analysis.

中文文档

Code Audit is a professional security audit skill for Claude Code. It performs static white-box analysis to systematically discover and verify security vulnerabilities in source code.

• 9 Languages: Java, Python, Go, PHP, JavaScript/Node.js, C/C++, .NET/C#, Ruby, Rust
• 14 Frameworks: Spring Boot, Django, Flask, FastAPI, Express, Koa, Gin, Laravel, Rails, ASP.NET Core, Rust Web, NestJS/Fastify, MyBatis
• 55+ Vulnerability Types: SQL injection, RCE, deserialization, SSRF, SSTI, XXE, IDOR, race conditions, business logic flaws, and more
• 143 Mandatory Detection Items: Language-specific checklists across 10 security dimensions (D1-D10)
• Dual-Track Audit Model: Sink-driven for injection/RCE + Control-driven for authorization/business logic
• Multi-Agent Deep Analysis: Parallel agent execution for large codebases (874+ Java files in ~15 min)
• WooYun Case Library: 88,636 real-world vulnerability cases (2010-2016) for pattern reference
• Attack Chain Construction: Automatic chaining of findings into exploitable attack paths

# Clone to Claude Code skills directory
cp -r code-audit ~/.claude/skills/

# Or clone from repository
cd ~/.claude/skills
git clone <repository-url> code-audit

The skill activates automatically when you request security audits in Claude Code.

"Audit this project"
"Check code security"
"Find security vulnerabilities"
"/audit" or "/code-audit"

User: /code-audit deep /path/to/project

Claude: [MODE] deep
        [RECON] 874 files, Spring Boot 1.5 + Shiro 1.6 + JPA + Freemarker
        [PLAN] 5 Agents, D1-D10 coverage, estimated 125 turns
        ... (user confirms) ...
        [REPORT] 10 Critical, 14 High, 12 Medium, 4 Low

Different vulnerability types require fundamentally different detection strategies:

Phase 1: Reconnaissance
  -> Tech stack identification
  -> Attack surface mapping (5-layer deduction)
  -> Endpoint-Permission Matrix generation
  -> Agent allocation

Phase 2: Parallel Agent Execution (R1)
  -> Agent 1: Injection (D1) [sink-driven]
  -> Agent 2: Auth + AuthZ + Business Logic (D2+D3+D9) [control-driven]
  -> Agent 3: File + SSRF (D5+D6) [sink-driven]
  -> Agent 4: Deserialization (D4) [sink-driven]
  -> Agent 5: Config + Crypto + Supply Chain (D7+D8+D10) [config-driven]

Phase 3: Coverage Evaluation
  -> Per-track coverage metrics (fanout rate / endpoint audit rate)
  -> Gap identification -> R2 supplemental agents if needed

Phase 4: Report Generation
  -> Severity calibration (decision tree)
  -> Cross-agent deduplication
  -> Attack chain construction

code-audit/
├── SKILL.md                    # Skill entry point (frontmatter + execution controller)
├── agent.md                    # Agent workflow (state machine + dual-track model)
├── README.md                   # Documentation (English)
├── README_CN.md                # Documentation (Chinese)
└── references/
    ├── core/              (16) # Core methodology
    │   ├── phase2_deep_methodology.md   # Dual-track audit methodology
    │   ├── taint_analysis.md            # Data flow tracking
    │   ├── anti_hallucination.md        # False positive prevention
    │   └── ...
    ├── checklists/        (11) # D1-D10 coverage matrix + 9 language checklists
    ├── languages/         (18) # Language vulnerability patterns
    ├── security/          (21) # Security domain modules
    ├── frameworks/        (14) # Framework-specific modules
    ├── adapters/           (5) # Language adapters (YAML)
    ├── wooyun/             (9) # WooYun real-world case library
    ├── cases/              (1) # Real vulnerability cases
    └── reporting/          (1) # Report templates

Every finding must be based on actual code read via tools:

• File paths must be verified with Glob/Read before reporting
• Code snippets must come from actual Read tool output
• No guessing based on "typical project structure"
• Core principle: Better to miss a vulnerability than report a false positive

Java, Python, Go, PHP, JavaScript/TypeScript, C/C++, C#/.NET, Ruby, Rust

Spring Boot, Django, Flask, FastAPI, Express, Koa, Gin, Laravel, Rails, ASP.NET Core, NestJS, Fastify, Rust Web (Actix/Axum)

API Security, LLM/AI Security, Serverless, Cryptography, Race Conditions, OAuth/OIDC/SAML, WebSocket/gRPC, HTTP Smuggling, Supply Chain/CI-CD

Contributions welcome! To add support for a new language or framework:

1. Create references/languages/{language}.md or references/frameworks/{framework}.md
2. Follow existing module format (key questions per D1-D10 dimension)
3. Include: dangerous functions, detection patterns, vulnerability examples, secure alternatives
4. Update agent.md tech stack routing table if needed

• Code Audit Skill 详解（上）
• Code Audit Skill 详解（下）

Join our WeChat group for discussion and support:

MIT License

This skill is intended for authorized security testing only. Users must:

• Have legal authorization to audit the target code
• Responsibly disclose discovered vulnerabilities
• Comply with applicable laws and ethical guidelines

Unauthorized security testing of systems you do not own may be illegal.