The command
What @security scans (in priority order)
1. Hardcoded secrets
API keys, tokens, passwords in source. Entropy check on random strings >20 chars.
2. Injection
SQL injection, command injection (shell=True), XSS via innerHTML/eval/document.write.
3. Auth & access
Missing auth checks, IDOR, client-only role checks, JWT none algorithm, session tokens in URLs.
4. Config
Permissive CORS on auth endpoints, missing CSP/X-Frame-Options, debug mode in production.
5. Dependencies
npm/pip/cargo audit on lockfile changes. Flags CVSS 7.0+ and unmaintained packages (2+ years).
6. Client leakage
API keys in client bundles, secrets in localStorage, tokens logged to console.
How findings are reported
Every finding includes the attack vector (how it's exploited) and a specific fix (not just "sanitize input"). If @security can't describe the exploit, it's not filed.
What makes this different
- Adversary mindset — frames findings as attacks, not warnings
- Zero false positives policy — exploitable or not filed
- Adapts to project type — landing page gets form/CSP focus, API gets auth/validation deep scan
- Runs alongside 5 other specialists — security + code quality + UX + architecture in one pass
- Auto-fixes in god mode — finds vulnerability, writes fix, verifies, commits
- Precision tracked — ANALYTICS.md records accuracy per content type, routing improves over time
Real example
A security scan on a dashboard caught: inline onclick handlers vulnerable to XSS (action IDs not escaped), all external links missing rel="noopener noreferrer" (tab-napping risk), and a session cache with no TTL (memory leak exposing old sessions). All three fixed autonomously in god mode before the code shipped.
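Hardened versions of the three dashboard findings above, written as an added example (not AcePilot's own code or output; function and class names are assumptions) as pure functions so they run under Node without a DOM:

```javascript
// Added example, not code from the page or from AcePilot. Shows the fix side of the
// three findings: unescaped action ids in inline onclick, external links without
// rel="noopener noreferrer", and a session cache with no TTL.

// Finding 1: an action id spliced into an inline onclick attribute. The fix is to
// never build handlers from untrusted strings: allow-list the id shape, escape it
// into a data attribute, and bind one delegated click handler from script.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}
const ACTION_ID = /^[A-Za-z0-9_-]{1,64}$/; // assumed id format for this dashboard
function actionButtonHtml(actionId, label) {
  if (!ACTION_ID.test(actionId)) throw new Error('invalid action id'); // allow-list first
  return `<button type="button" data-action="${escapeHtml(actionId)}">${escapeHtml(label)}</button>`;
}
// In the browser, one delegated listener replaces every inline onclick (and works under a CSP
// that forbids inline handlers):
//   document.addEventListener('click', (e) => { const id = e.target.dataset.action; /* dispatch */ });

// Finding 2: external links opened in a new tab must not hand window.opener to the target.
function externalLinkHtml(href, text) {
  const u = new URL(href); // throws on malformed input
  if (u.protocol !== 'https:' && u.protocol !== 'http:') throw new Error('unsupported scheme');
  return `<a href="${escapeHtml(u.href)}" target="_blank" rel="noopener noreferrer">${escapeHtml(text)}</a>`;
}

// Finding 3: a session cache that never expires entries keeps old sessions resident
// indefinitely. A TTL plus lazy eviction on read and a periodic purge bounds that.
class SessionCache {
  constructor(ttlMs, now = Date.now) { this.ttlMs = ttlMs; this.now = now; this.map = new Map(); }
  set(id, session) { this.map.set(id, { session, expires: this.now() + this.ttlMs }); }
  get(id) {
    const e = this.map.get(id);
    if (!e) return undefined;
    if (e.expires <= this.now()) { this.map.delete(id); return undefined; } // expired: drop it
    return e.session;
  }
  purge() { // call on a timer; returns the number of live entries left
    for (const [id, e] of this.map) if (e.expires <= this.now()) this.map.delete(id);
    return this.map.size;
  }
}
```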
When to use this
- Before every PR that touches auth, payments, or user input handling
- After adding new API endpoints or webhook handlers
- When integrating third-party services or SDKs
- As a pre-launch audit — catch everything before users find it
- After dependency updates — check for new CVEs in your supply chain
$ cd acepilot && ./acepilot-14.0/install.sh
# In your project directory
$ claude
> /acepilot review
Audit your code before attackers do
Free tier. No credit card. Install in 30 seconds.
Install AcePilot free