ab-aswini/.agent-os/skills/security
.agent-os/skills/security/SKILL.md
# Security Skill > Loaded by: RC-001, QA-006, and all agents during security tasks | Version: 1.0 ## OWASP Top 10 Checklist 1. **Injection** - Parameterized queries, input validation, output encoding 2. **Broken Auth** - Strong passwords, MFA, secure sessions 3. **Sensitive Data** - HTTPS, encryption at rest, PII handling 4. **XXE** - Disable XML external entities and DTD processing 5. **Broken Access Control** - RBAC, resource ownership, path traversal prevention 6. **Security Misconfigurati
$ install --global
skillsauthnpx skillsauth add ab-aswini/agent-kit-p1 .agent-os/skills/securityInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Error
VirusTotalMulti-engine malware detection
70%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Mar 26, 2026, 12:21 PM47.6s1 file scanned
SKILL.md
Security Skill
Loaded by: RC-001, QA-006, and all agents during security tasks | Version: 1.0
OWASP Top 10 Checklist
- Injection - Parameterized queries, input validation, output encoding
- Broken Auth - Strong passwords, MFA, secure sessions
- Sensitive Data - HTTPS, encryption at rest, PII handling
- XXE - Disable XML external entities and DTD processing
- Broken Access Control - RBAC, resource ownership, path traversal prevention
- Security Misconfiguration - No defaults, no info leaks, minimal surface
- XSS - Output encoding, CSP headers, sanitized DOM manipulation
- Insecure Deserialization - Input validation, type checking
- Vulnerable Components - Regular dependency audits, no known CVEs
- Insufficient Logging - Security events logged (without sensitive data), alerting
Security Headers
Content-Security-Policy: default-src 'self'
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000; includeSubDomains
Referrer-Policy: strict-origin-when-cross-origin
Absolute Rules
- NEVER hardcode secrets, API keys, or passwords
- NEVER trust client-side validation alone
- NEVER log sensitive data (passwords, tokens, PII)
- NEVER use eval() with user input
- NEVER disable HTTPS in production
Related Skills
ab-aswini/webapp-testing
development
VerifiedTrustedCommunity
Web application testing principles. E2E, Playwright, deep audit strategies.
2SKILL.mdUpdated Mar 26, 2026
ab-aswini/web-design-guidelines
development
VerifiedTrustedCommunity
Review UI code for Web Interface Guidelines compliance. Use when asked to "review my UI", "check accessibility", "audit design", "review UX", or "check my site against best practices".
2SKILL.mdUpdated Mar 26, 2026
ab-aswini/vulnerability-scanner
testing
VerifiedTrustedCommunity
Advanced vulnerability analysis principles. OWASP 2025, Supply Chain Security, attack surface mapping, risk prioritization.
2SKILL.mdUpdated Mar 26, 2026
ab-aswini/.agent-os/skills/testing
development
VerifiedTrustedCommunity
# Testing Skill > Loaded by: QA Division agents | Version: 1.0 ## Test Pyramid ``` / E2E \ <- Few, slow, expensive / Integr. \ <- Some, moderate / Unit \ <- Many, fast, cheap ``` ## Unit Test Pattern (Arrange, Act, Assert) ```python def test_user_creation(): # Arrange user_data = {"name": "Alice", "email": "[email protected]"} # Act user = UserService.create(user_data) # Assert assert user.name == "Alice" assert user.id is
2SKILL.mdUpdated Mar 26, 2026