Skip to content

hamzashahbaz/ai-security-skill

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
 
 
 
 
 
 
 
 

Repository files navigation

AI Security Skill

A prompt-based security audit for AI systems. Copy it, paste it into any AI assistant with codebase access, and get a structured vulnerability report in minutes.

The Problem

Most AI systems ship with zero security review. MCP servers running unrestricted shell access. API keys hardcoded in config files committed to git. Agent prompts with no injection defenses. The AI ecosystem is moving fast, but security tooling hasn't caught up -- and most teams don't even know what to check.

What This Is

A comprehensive security audit prompt. Not a CLI tool. Not a SaaS product. Just a well-structured prompt that turns any AI assistant (Claude, GPT, Gemini, or anything with codebase access) into a security auditor.

You give it access to your project, it systematically reads your files, and it produces a detailed report with specific findings, evidence, and remediation steps.

What It Checks

The audit covers 8 categories across ~30 individual checks:

Category What It Looks For
MCP Server Security Transport security, tool exposure, input validation, secret handling, trust boundaries
Agent & Prompt Security Prompt injection resistance, system prompt leakage, agent boundary enforcement, instruction hierarchy
Secret & Credential Management Hardcoded secrets, env variable hygiene, secret scope, logging exposure
Data Flow & Privacy Data sent to LLM providers, retention policies, output validation, context window risks
LLM API Configuration Rate limiting, cost controls, model access restrictions, error handling
Permission & Access Control File system access, network access, destructive operations, least privilege
Supply Chain & Dependencies Third-party MCP servers, dependency vulnerabilities, model supply chain
Output Security Code execution risks, injection attacks, file write safety

Every finding includes a risk level (Critical / High / Medium / Low / Info), the exact file and line number, what could go wrong, and a specific fix.

How to Use It

1. Copy the prompt

Grab the contents of SKILL.md -- that's the entire audit.

2. Paste it into your AI assistant

Use any AI assistant that has access to your codebase:

  • Claude Code / Claude with project files
  • ChatGPT with Code Interpreter or file uploads
  • Cursor, Windsurf, or any AI-powered IDE
  • Any agent with MCP filesystem access

3. Let it run

The audit works in three phases:

  • Discovery -- maps your project structure, configs, and AI components
  • Audit -- works through all 8 categories, reading and analyzing relevant files
  • Report -- produces a findings list and a summary scorecard with severity counts, category scores, and a prioritized action plan

4. Review the report

You'll get a structured report like this for every issue found:

### [CRITICAL] Hardcoded OpenAI API Key in MCP Config

- Risk: Critical
- Category: C. Secret & Credential Management
- Finding: The .mcp.json file contains a hardcoded OpenAI API key
  passed directly as an argument rather than referenced as an
  environment variable.
- Evidence: .mcp.json, line 14: "args": ["--api-key", "sk-proj-abc123..."]
- Impact: Anyone with repository access can extract the API key.
  This allows unlimited usage billed to the org and potential
  data exfiltration through the API.
- Recommendation: Move the key to .env and reference it via the
  env field. Rotate the exposed key immediately.

See examples/sample-report.md for a full report against a hypothetical AI agent platform.

Who This Is For

  • Developers building AI agents or multi-agent systems
  • Teams running MCP servers (Claude, or any MCP-compatible client)
  • Anyone integrating LLM APIs into production applications
  • Security engineers reviewing AI-powered codebases

If your project has a .mcp.json, agent prompts, or LLM API calls, this audit is for you.

Contributing

Found a gap in the audit? Have a check we should add? PRs are welcome.

  • Add new checks to the relevant category in SKILL.md
  • Follow the existing format: check ID, description, what to examine
  • If you've run the audit on your own system and found something interesting, open an issue

License

MIT -- see LICENSE.

Built By

Hamza Shahbaz -- Senior web developer with 13+ years building for the web. Currently focused on AI systems, Shopify, and the infrastructure where code meets conversion.

About

A prompt-based security audit for AI systems. Copy it, paste it into any AI assistant with codebase access, and get a structured vulnerability report in minutes.

Topics

Resources

License

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors