Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

FrancoStino/security-audit

Name: security-audit
Author: FrancoStino

bundled-skills/security-audit/SKILL.md

npx skillsauth add FrancoStino/opencode-skills-antigravity security-audit

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

Security Auditing Workflow Bundle

Overview

Comprehensive security auditing workflow for web applications, APIs, and infrastructure. This bundle orchestrates skills for penetration testing, vulnerability assessment, security scanning, and remediation.

When to Use This Workflow

Use this workflow when:

Performing security audits on web applications
Testing API security
Conducting penetration tests
Scanning for vulnerabilities
Hardening application security
Compliance security assessments

Workflow Phases

Phase 1: Reconnaissance

Skills to Invoke

scanning-tools - Security scanning
shodan-reconnaissance - Shodan searches
top-web-vulnerabilities - OWASP Top 10

Actions

Identify target scope
Gather intelligence
Map attack surface
Identify technologies
Document findings

Copy-Paste Prompts

Use @scanning-tools to perform initial reconnaissance

Use @shodan-reconnaissance to find exposed services

Phase 2: Vulnerability Scanning

Skills to Invoke

vulnerability-scanner - Vulnerability analysis
security-scanning-security-sast - Static analysis
security-scanning-security-dependencies - Dependency scanning

Actions

Run automated scanners
Perform static analysis
Scan dependencies
Identify misconfigurations
Document vulnerabilities

Copy-Paste Prompts

Use @vulnerability-scanner to scan for OWASP Top 10 vulnerabilities

Use @security-scanning-security-dependencies to audit dependencies

Phase 3: Web Application Testing

Skills to Invoke

top-web-vulnerabilities - OWASP vulnerabilities
sql-injection-testing - SQL injection
xss-html-injection - XSS testing
broken-authentication - Authentication testing
idor-testing - IDOR testing
file-path-traversal - Path traversal
burp-suite-testing - Burp Suite testing

Actions

Test for injection flaws
Test authentication mechanisms
Test session management
Test access controls
Test input validation
Test security headers

Copy-Paste Prompts

Use @sql-injection-testing to test for SQL injection vulnerabilities

Use @xss-html-injection to test for cross-site scripting

Use @broken-authentication to test authentication security

Phase 4: API Security Testing

Skills to Invoke

api-fuzzing-bug-bounty - API fuzzing
api-security-best-practices - API security

Actions

Enumerate API endpoints
Test authentication/authorization
Test rate limiting
Test input validation
Test error handling
Document API vulnerabilities

Copy-Paste Prompts

Use @api-fuzzing-bug-bounty to fuzz API endpoints

Phase 5: Penetration Testing

Skills to Invoke

pentest-commands - Penetration testing commands
pentest-checklist - Pentest planning
ethical-hacking-methodology - Ethical hacking
metasploit-framework - Metasploit

Actions

Plan penetration test
Execute attack scenarios
Exploit vulnerabilities
Document proof of concept
Assess impact

Copy-Paste Prompts

Use @pentest-checklist to plan penetration test

Use @pentest-commands to execute penetration testing

Phase 6: Security Hardening

Skills to Invoke

security-scanning-security-hardening - Security hardening
auth-implementation-patterns - Authentication
api-security-best-practices - API security

Actions

Implement security controls
Configure security headers
Set up authentication
Implement authorization
Configure logging
Apply patches

Copy-Paste Prompts

Use @security-scanning-security-hardening to harden application security

Phase 7: Reporting

Skills to Invoke

reporting-standards - Security reporting

Actions

Document findings
Assess risk levels
Provide remediation steps
Create executive summary
Generate technical report

Security Testing Checklist

OWASP Top 10

[ ] Injection (SQL, NoSQL, OS, LDAP)
[ ] Broken Authentication
[ ] Sensitive Data Exposure
[ ] XML External Entities (XXE)
[ ] Broken Access Control
[ ] Security Misconfiguration
[ ] Cross-Site Scripting (XSS)
[ ] Insecure Deserialization
[ ] Using Components with Known Vulnerabilities
[ ] Insufficient Logging & Monitoring

API Security

[ ] Authentication mechanisms
[ ] Authorization checks
[ ] Rate limiting
[ ] Input validation
[ ] Error handling
[ ] Security headers

Quality Gates

[ ] All planned tests executed
[ ] Vulnerabilities documented
[ ] Proof of concepts captured
[ ] Risk assessments completed
[ ] Remediation steps provided
[ ] Report generated

Related Workflow Bundles

development - Secure development practices
wordpress - WordPress security
cloud-devops - Cloud security
testing-qa - Security testing

Limitations

Use this skill only when the task clearly matches the scope described above.
Do not treat the output as a substitute for environment-specific validation, testing, or expert review.
Stop and ask for clarification if required inputs, permissions, safety boundaries, or success criteria are missing.

FrancoStino/security-audit

bundled-skills/security-audit/SKILL.md

Comprehensive security auditing workflow covering web application testing, API security, penetration testing, vulnerability scanning, and security hardening.

25 stars

development

Updated May 26, 2026

$ install --global

skillsauth

npx skillsauth add FrancoStino/opencode-skills-antigravity security-audit

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: May 26, 2026, 3:04 AM56.5s1 file scanned

SKILL.md

name:: security-audit
description:: Comprehensive security auditing workflow covering web application testing, API security, penetration testing, vulnerability scanning, and security hardening.
category:: workflow-bundle
risk:: safe
source:: personal
date_added:: 2026-02-27

Security Auditing Workflow Bundle

Overview

When to Use This Workflow

Use this workflow when:

Performing security audits on web applications
Testing API security
Conducting penetration tests
Scanning for vulnerabilities
Hardening application security
Compliance security assessments

Workflow Phases

Phase 1: Reconnaissance

Skills to Invoke

scanning-tools - Security scanning
shodan-reconnaissance - Shodan searches
top-web-vulnerabilities - OWASP Top 10

Actions

Identify target scope
Gather intelligence
Map attack surface
Identify technologies
Document findings

Copy-Paste Prompts

Use @scanning-tools to perform initial reconnaissance

Use @shodan-reconnaissance to find exposed services

Phase 2: Vulnerability Scanning

Skills to Invoke

vulnerability-scanner - Vulnerability analysis
security-scanning-security-sast - Static analysis
security-scanning-security-dependencies - Dependency scanning

Actions

Run automated scanners
Perform static analysis
Scan dependencies
Identify misconfigurations
Document vulnerabilities

Copy-Paste Prompts

Use @vulnerability-scanner to scan for OWASP Top 10 vulnerabilities

Use @security-scanning-security-dependencies to audit dependencies

Phase 3: Web Application Testing

Skills to Invoke

top-web-vulnerabilities - OWASP vulnerabilities
sql-injection-testing - SQL injection
xss-html-injection - XSS testing
broken-authentication - Authentication testing
idor-testing - IDOR testing
file-path-traversal - Path traversal
burp-suite-testing - Burp Suite testing

Actions

Test for injection flaws
Test authentication mechanisms
Test session management
Test access controls
Test input validation
Test security headers

Copy-Paste Prompts

Use @sql-injection-testing to test for SQL injection vulnerabilities

Use @xss-html-injection to test for cross-site scripting

Use @broken-authentication to test authentication security

Phase 4: API Security Testing

Skills to Invoke

api-fuzzing-bug-bounty - API fuzzing
api-security-best-practices - API security

Actions

Enumerate API endpoints
Test authentication/authorization
Test rate limiting
Test input validation
Test error handling
Document API vulnerabilities

Copy-Paste Prompts

Use @api-fuzzing-bug-bounty to fuzz API endpoints

Phase 5: Penetration Testing

Skills to Invoke

pentest-commands - Penetration testing commands
pentest-checklist - Pentest planning
ethical-hacking-methodology - Ethical hacking
metasploit-framework - Metasploit

Actions

Plan penetration test
Execute attack scenarios
Exploit vulnerabilities
Document proof of concept
Assess impact

Copy-Paste Prompts

Use @pentest-checklist to plan penetration test

Use @pentest-commands to execute penetration testing

Phase 6: Security Hardening

Skills to Invoke

security-scanning-security-hardening - Security hardening
auth-implementation-patterns - Authentication
api-security-best-practices - API security

Actions

Implement security controls
Configure security headers
Set up authentication
Implement authorization
Configure logging
Apply patches

Copy-Paste Prompts

Use @security-scanning-security-hardening to harden application security

Phase 7: Reporting

Skills to Invoke

reporting-standards - Security reporting

Actions

Document findings
Assess risk levels
Provide remediation steps
Create executive summary
Generate technical report

Security Testing Checklist

OWASP Top 10

[ ] Injection (SQL, NoSQL, OS, LDAP)
[ ] Broken Authentication
[ ] Sensitive Data Exposure
[ ] XML External Entities (XXE)
[ ] Broken Access Control
[ ] Security Misconfiguration
[ ] Cross-Site Scripting (XSS)
[ ] Insecure Deserialization
[ ] Using Components with Known Vulnerabilities
[ ] Insufficient Logging & Monitoring

API Security

[ ] Authentication mechanisms
[ ] Authorization checks
[ ] Rate limiting
[ ] Input validation
[ ] Error handling
[ ] Security headers

Quality Gates

[ ] All planned tests executed
[ ] Vulnerabilities documented
[ ] Proof of concepts captured
[ ] Risk assessments completed
[ ] Remediation steps provided
[ ] Report generated

Related Workflow Bundles

development - Secure development practices
wordpress - WordPress security
cloud-devops - Cloud security
testing-qa - Security testing

Limitations

Use this skill only when the task clearly matches the scope described above.
Do not treat the output as a substitute for environment-specific validation, testing, or expert review.
Stop and ask for clarification if required inputs, permissions, safety boundaries, or success criteria are missing.

Related Skills

FrancoStino/papers-skill

research

VerifiedTrustedCommunity

Skill for academic research workflows: search Semantic Scholar (200M+ papers), inspect citations, download arXiv PDFs, and extract PDF text. Bundles a self-contained Python CLI.

36SKILL.mdUpdated Jun 13, 2026

FrancoStino/papers-skill

FrancoStino/not-a-vibe-coder

development

VerifiedTrustedCommunity

Turns vague prompts into 8 structured planning files for brand new projects. DO NOT use on existing codebases.

36SKILL.mdUpdated Jun 13, 2026

FrancoStino/not-a-vibe-coder

FrancoStino/fsi-compliance-checker

development

VerifiedTrustedCommunity

Maps code, architecture, and infrastructure changes to specific control IDs in PCI-DSS v4.0 and MAS TRM (Singapore financial regulator), producing an audit-traceable findings report with per-control remediation.

36SKILL.mdUpdated Jun 13, 2026

FrancoStino/fsi-compliance-checker

FrancoStino/atlas-ledger

testing

VerifiedTrustedCommunity

Companion to atlas-contract. Auto-invoked by its Final Audit on caught drift; also use after Post Reviews or user requests to record a mistake. Distills drift into WHEN/DON'T/INSTEAD clauses, writes to Atlas.md after confirmation.

36SKILL.mdUpdated Jun 13, 2026

FrancoStino/atlas-ledger

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/FrancoStino/opencode-skills-antigravity.git

# Copy into Claude Code skills folder (global)
cp -r opencode-skills-antigravity/bundled-skills/security-audit ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

FrancoStino/opencode-skills-antigravity

25 stars

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT