
A security audit skill for Claude Code
AI writes a lot of code. The same handful of mistakes ship over and over: hardcoded secrets, SQL built by string interpolation, missing auth on API routes, untrusted input reaching shell calls. Snitch is the second pass that catches them before they reach production.
Drop the skill into Claude Code, run /snitch, pick a scope. The audit runs locally; your source code never leaves your machine. You get a report with file paths, line numbers, CWE tags, and a one-line fix for each finding. The catalog covers 67 categories (OWASP Top 10:2025, API Top 10, prompt injection, JWT confusion, prototype pollution, IaC misconfig).
What a finding looks like
| File | Severity | Issue | Fix |
|---|---|---|---|
| api/webhooks/stripe/route.ts:18 | Critical | Stripe webhook signature not verified | Call stripe.webhooks.constructEvent before any side effect |
| app/api/users/route.ts:67 | High | SQL built with template literal from req.query.id | Use parameterized query (prisma.$queryRaw with tagged template) |
| middleware.ts:23 | Medium | No matcher set, auth bypassed on static paths | Add matcher: ['/api/:path*'] to middleware config |
| package.json:32 | Low | lodash pinned to 4.17.20 (CVE-2021-23337) | Bump to ^4.17.21 |
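Why the fix for the SQL finding above works comes down to how a tagged template differs from a plain template literal. The following is an added example, not Snitch's or Prisma's code: a minimal `sql` tag that stands in for the mechanism behind prisma.$queryRaw, with a constructed hostile value for req.query.id.

```typescript
// A parameterized query: the SQL text with $1, $2 ... placeholders and the
// bound values kept separately, so the database never parses the values as SQL.
interface ParameterizedQuery {
  text: string;
  values: unknown[];
}

// Tagged template. The runtime hands the fixed SQL fragments (`strings`) and the
// interpolated ${...} expressions (`values`) to the tag as separate arguments,
// which is what lets a driver bind the values instead of splicing them in.
// Stand-in for prisma.$queryRaw's tag, not its real implementation.
function sql(strings: TemplateStringsArray, ...values: unknown[]): ParameterizedQuery {
  const text = strings.reduce(
    (acc, part, i) => acc + (i > 0 ? `$${i}` : "") + part,
    "",
  );
  return { text, values };
}

// The vulnerable pattern from the finding: the untrusted id becomes part of the
// SQL text itself (CWE-89).
function vulnerableQuery(id: string): string {
  return `SELECT * FROM users WHERE id = ${id}`;
}

// The hardened pattern: visually almost identical, but `sql` is a tag, so the
// id travels as a bound parameter and the query text stays fixed.
function hardenedQuery(id: string): ParameterizedQuery {
  return sql`SELECT * FROM users WHERE id = ${id}`;
}

// Constructed sample of a hostile req.query.id value.
const HOSTILE_ID = "1 OR 1=1";

// Run stand-alone to compare the two shapes side by side.
console.log(vulnerableQuery(HOSTILE_ID));
console.log(hardenedQuery(HOSTILE_ID));
```

The first line printed shows the payload rewriting the WHERE clause; the second shows the same input reduced to `values[0]` under an unchanged `text`.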
Install
curl -fsSL https://snitchplugin.com/snitch.sh | sh

Or download the bundle, unzip it, and run ./install.sh. Either path drops the skill into ~/.claude/skills/snitch/.
Changelog
- v1.2.0: Ultra Audit, findings that survive adversarial verification.
- v1.1.0: Deep Scan goes live, tuned for Claude Opus 4.8.
- v1.0.0: First release.