codex-security-audit-skill

Codex skill for practical security audits of codebases, SaaS apps, APIs, and MVPs.

Version: 1.0.0 (latest)
Source: npm
Maintainers: 1

Codex Security Audit Skill

A Codex skill for practical security audits of codebases, SaaS apps, APIs, mobile apps, and MVPs before launch.

Install From GitHub

npm install -g github:Kappaemme-git/codex-security-audit-skill
codex-security-audit-skill

Or run without a global install:

npx github:Kappaemme-git/codex-security-audit-skill

After the package is published to npm, users can install it with:

npm install -g codex-security-audit-skill
npx codex-security-audit-skill

The installer copies the skill to:

~/.codex/skills/codex-security-audit-skill

Restart Codex or open a new chat if the skill autocomplete does not refresh immediately.

Use

In Codex, open a project and ask:

Use codex-security-audit-skill on this project.
Check secrets, auth, authorization, API routes, CORS, payments, webhooks, file uploads, logging, dependencies, and deploy config.
Give me confirmed findings, risk level, and the fastest safe fix plan.

You can also ask Codex to implement fixes:

Use codex-security-audit-skill and implement the Critical and High fixes.

What It Checks

  • Exposed secrets and hardcoded credentials
  • Authentication and session risks
  • Authorization and multi-tenant data access bugs
  • Input validation and injection risks
  • CORS, CSRF, headers, and rate limits
  • File upload handling
  • Payment and webhook verification
  • Dependency and supply-chain hygiene
  • Logging, privacy, and production config issues

Included Utility

The skill includes a lightweight local secret-pattern scanner:

python3 ~/.codex/skills/codex-security-audit-skill/scripts/scan_secrets.py /path/to/project

The scanner output is only a first pass. Treat matches as leads that need code review.
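
A minimal pattern scanner showing why matches are leads rather than findings. This is an added example, not the skill's scan_secrets.py, whose rules are not shown on this page. The rule names, patterns, triage labels, and the 3.0-bit entropy threshold are assumptions chosen for illustration.

```python
import math
import re
from collections import Counter

# Illustrative rules only (assumed, not the skill's rule set).
PATTERNS = {
    "aws-access-key-id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "generic-assignment": re.compile(
        r"(?i)(?:api[_-]?key|secret|token|password)\w*\s*[:=]\s*[\"']([^\"']{8,})[\"']"
    ),
}
PLACEHOLDER = re.compile(r"(?i)example|changeme|your[_-]|x{4,}|<[^>]+>|\$\{")


def entropy(value):
    """Shannon entropy in bits per character."""
    counts = Counter(value)
    return -sum(n / len(value) * math.log2(n / len(value)) for n in counts.values())


def scan(text):
    """Return one lead per match: (line_no, rule, redacted_value, triage)."""
    leads = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                value = match.group(1)
                if PLACEHOLDER.search(value):
                    triage = "likely-placeholder"
                elif rule == "generic-assignment" and entropy(value) < 3.0:
                    triage = "low-entropy"
                else:
                    triage = "review-first"
                # Redact so the report itself does not leak the value.
                leads.append((line_no, rule, value[:4] + "...", triage))
    return leads


# Constructed sample input; none of these values is a real credential.
SAMPLE = '''\
AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
api_key = "your_api_key_here"
password = "aaaaaaaaaaaa"
session_token = "q8Zr2LmX0vT9bKpW4yHs"
deploy_key = "AKIAQ7ZP4M2XK9T1B6RD"
'''

if __name__ == "__main__":
    for lead in scan(SAMPLE):
        print(lead)
```

The triage label only orders the review queue. A "likely-placeholder" or "low-entropy" lead can still be a live credential, so every lead gets checked against the code that uses it.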

Keywords

codex

Package last updated on 03 Jun 2026
