What Lictor is
A free, read-only, pre-release security audit you run from one slash command. It reads your code and observes what's already public. It never attacks a live system. Open-source, Apache 2.0, runs entirely on your machine.
Documentation · the knowledge base
Lictor, documented.
Start here
Three minutes to your first finding
Install in 60s
One command drops the skill into your Claude Code setup. No token, no signup, no telemetry.
Run your first scan
Point it at any project (AI-built or hand-written, web or mobile). It detects the stack, runs every applicable check, and hands back a plain-English report.
Reference · the 48 checks
Every check, as a readable module
Group 1 · Secrets & exposure · 6 checks
Things that should never be public
CRITICAL
Secrets in code
Hardcoded API keys, passwords, DB connection strings in source or build output.
CRITICAL
Leaked AI keys
OpenAI / Anthropic / Gemini keys shipped to the browser or committed to the repo.
CRITICAL
Exposed config files
.env, .git, configs your live site accidentally serves.
CRITICAL
Public cloud storage
World-readable S3 / GCS / Azure / Firebase / Supabase buckets.
HIGH
Secrets & PII in logs
Tokens and personal data leaking through logs and error responses.
HIGH
Weak / broken crypto
MD5/SHA1 for passwords, ECB mode, hardcoded IVs, Math.random() tokens.
Group 2 · Access control · 7 checks
Who can do what, and what they can see
CRITICAL
Unprotected user-data routes
/api/* returning user data with no login check.
CRITICAL
Broken auth & sessions
Weak or missing auth on mutations, broken JWT, default credentials.
CRITICAL
Users seeing others' data (IDOR)
Change the number in the URL, read records that aren't yours.
HIGH
Mass assignment
Extra JSON fields that set role/isAdmin you never meant to expose.
HIGH
The "painted lock" admin page
Admin pages that send the data first, then redirect you away.
CRITICAL
Open database
Supabase / Firebase with no security rules: the front-door key opens everything.
MEDIUM
Missing audit logging
No record of logins, permission changes, payments, so you can't detect or investigate a breach.
Group 3 · Injection & input · 5 checks
When your app trusts what the user types
CRITICAL
Injection
SQL / XSS / command / template injection from unsanitized input.
HIGH
SSRF
Your server (or AI agent) fetching attacker-controlled URLs / cloud metadata.
HIGH
Insecure file upload
Unrestricted uploads, traversal in filenames, paths to remote code execution.
CRITICAL
Path traversal
../ in a file path that lets anyone read arbitrary files.
CRITICAL
Unsafe deserialization
pickle / unserialize / readObject on untrusted input.
Group 4 · Web hardening · 6 checks
The headers and gates the framework left off
CRITICAL
Over-permissive CORS
Settings that let any website read your logged-in users' API responses.
MEDIUM
Missing security headers
CSP / HSTS / nosniff, and cookies without Secure/HttpOnly/SameSite.
HIGH
Unverified webhooks & CSRF
Unsigned Stripe/GitHub webhooks and missing CSRF protection.
HIGH
No rate limiting
Brute-force, and AI-endpoint cost-bombing that drains your wallet.
MEDIUM
Open redirect
User-controlled redirects used for phishing and token theft.
CRITICAL
Exposed admin / debug surfaces
Debug mode, stack traces, open dashboards, GraphQL introspection in production.
Group 5 · API-specific · 4 checks
The OWASP API Top 10, where the money usually is
MEDIUM
Shadow / old API inventory
Undocumented, deprecated, debug or /v1 endpoints still live.
HIGH
Unrestricted resource use
Uncapped page size, request body, batch size, GraphQL depth.
MEDIUM
Unprotected business flows
No bot gate on signup / checkout / referral: free-tier farming, scalping, fraud.
MEDIUM
Unsafe 3rd-party consumption
Trusting an external API's response blindly, with no validation or timeout.
Group 6 · Supply chain & integrity · 2 checks
What you pulled in, and how it ships
HIGH
Vulnerable dependencies
Outdated, vulnerable, typosquatted or confusable packages; dependency confusion.
HIGH
CI/CD & update integrity
Unpinned GitHub Actions, curl | bash installs, unsigned auto-update.
Group 7 · AI / LLM · 10 checks · our niche
The whole OWASP Top 10 for LLM apps
CRITICAL
Prompt injection & tool abuse
Users overriding your rules to make the model do things you didn't allow.
CRITICAL
Indirect prompt injection
RAG docs, fetched pages, emails, DB rows carrying hidden instructions into the prompt.
HIGH
Secrets / rules in the system prompt
Keys or load-bearing authz rules baked into the prompt as if it were private.
HIGH
Unsanitized model-output sink
Model output flowing into HTML / eval / SQL: injection in reverse.
HIGH
Over-scoped LLM context
Feeding the model more data than the end user is allowed to see.
CRITICAL
Excessive agent tool permissions
An AI agent wired to shell, raw SQL or money-moving APIs with no guardrail.
CRITICAL
Vector-store tenant isolation
A RAG query with no per-tenant filter: one customer retrieves another's docs.
HIGH
RAG ingestion trust
A knowledge base anyone can poison with documents the model later trusts.
CRITICAL
Untrusted model artifacts
torch.load / trust_remote_code on third-party weights.
MEDIUM
Ungrounded output trust
Slopsquatting, and using a raw LLM answer as the sole decider for auth or pricing.
Group 8 · Mobile · 8 checks
iOS, Android, Flutter, React Native
CRITICAL
Mobile core leaks
Hardcoded keys in the bundle, cleartext traffic, insecure storage, exported components.
HIGH
Client-side-only auth
Biometric or role checks decided on the device, where anyone can flip them.
CRITICAL
Insecure data at rest
Unencrypted SQLite/Realm, world-readable files, secrets in device logs.
HIGH
Missing cert pinning
Trust-all overrides that let anyone MITM the app on a hostile network.
MEDIUM
Binary protections
No obfuscation, no root/jailbreak detection, no tamper checks.
HIGH
Input / output validation
Deep links, custom URL schemes, WebView bridges and exported IPC.
MEDIUM
Privacy controls
Over-broad permissions, undisclosed tracking, clipboard and screenshot leaks.
HIGH
Mobile supply chain
Unpinned SDK versions, abandoned ad/analytics libraries.
Methodology & quality
Verify before you flag. Observe, never attack.
Verify before flag
Each finding is confirmed against a "what NOT to flag" guard before it reaches you, then rewritten as a plain-English story with a 5-minute fix and the OWASP/CWE mapping.
Near-zero false positives
A scanner that cries wolf is worse than none. We document every false-positive class we filter, learned the hard way, from real disclosures and triager responses.
Observe-only boundaries
Lictor is read-only and local. It flags only what's confirmable by reading your code or observing what's already public. Anything that needs attacking a live system is out by design. That belongs to an authorized pentest.
The suite
One core, five surfaces
Sentinel
The detection engine: the 48 checks, the stack detection, the false-positive filters.
Shield
Runtime guardrails for AI apps: prompt-injection and output-sink defenses for what you ship.
Guardian
The shared core both Sentinel and Patrol build on: the rules, mappings and reporting.
Patrol
The external observe-only scanner: what's already public on the open internet.
The CLI
The slash command that ties it together and writes your SECURITY-AUDIT.md.
Standards & compliance
Standards, not a homemade list
OWASP Top 10 (Web, 2021)
Access control, crypto, injection, misconfiguration, vulnerable components, logging.
OWASP API Top 10 (2023)
BOLA, broken auth, property-level authz, resource consumption, business-flow abuse.
OWASP Mobile Top 10 (2024)
Credential use, supply chain, auth, input/output, comms, privacy, binary, storage.
OWASP Top 10 for LLM apps (2025)
Prompt injection, output handling, data leakage, supply chain, excessive agency, RAG.
CWE Top 25 (MITRE)
The most dangerous software weaknesses. Every check cites its CWE.
SOC 2 / GDPR / EU AI Act
Findings also map to compliance controls, surfaced only if you ask.