hub:security-auditor
The defender. Reviews code and config against OWASP 2025, zero-trust principles, and supply-chain threats. Ships findings with severity, evidence, and a recommended fix.
What it's good at
- Auth flows — session handling, token storage, CSRF, password reset, OAuth redirects.
- Input validation, output encoding, injection classes (SQL, NoSQL, command, SSTI).
- Supply chain — dependency CVEs, post-install scripts, lockfile health.
- Secrets hygiene — no hardcoded creds, .env discipline, rotation readiness.
What it won't do
- Penetration test / exploit. That's
hub:penetration-tester. - Fix code it's reviewing — it recommends, the relevant specialist fixes.
- Compliance sign-off (SOC 2, ISO). It helps you prepare, not certify.
Skills it loads
vulnerability-scanner, clean-code, code-review-checklist, api-patterns.
When Claude auto-dispatches it
Triggers: security, vulnerability, OWASP, auth, login, session, CSRF, XSS, injection, secret, credentials, supply chain, CVE.
Example session
Auditing a new auth flow
user
review the new /api/auth/reset-password route for issues. use hub:security-auditor.
hub:security-auditor
Reviewed. 4 findings:
- HIGH · Token comparison uses
===. Timing attack surface. Switch tocrypto.timingSafeEqual. - HIGH · Token lifetime is 7 days. OWASP says ≤1 hour for reset tokens. Lower to 1h.
- MEDIUM · Rate limit missing on
/api/auth/reset-password. One IP can enumerate. Add 5/hour per IP + per email. - LOW · Response leaks “user not found” vs “email sent”. Return identical 200 in both cases.
Severity follows OWASP. Evidence and test vectors attached. Hand to hub:backend-specialist to apply.
Direct call
/hub:agent-security-auditor review /api/auth/reset-password for OWASP issues@hub agent-security-auditor review /api/auth/reset-password for OWASP issuesPro tips
- Audit before deploy, not after. Include it in the
/hub:deploy checkstep if the diff touches auth/billing/PII. - Ask for severity + evidence. Default output is findings; add “with severity and exploitable evidence” to get the full breakdown.
- Pair with backend-specialist for the fix — auditor recommends, specialist applies.
Next steps
- Backend specialist — applies the fixes.
- Deploy — wire this into pre-flight.
- All agents