asamassekou10/ship-safe-deep
claude-code-plugin/skills/ship-safe-deep/SKILL.md
Run a deep security audit with LLM-powered taint analysis — regex scan nominates findings, then an LLM verifies taint reachability and exploitability. Use when the user wants thorough, high-confidence results with fewer false positives.
$ install --global
skillsauthnpx skillsauth add asamassekou10/ship-safe ship-safe-deepInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 16, 2026, 8:52 AM9.8s1 file scanned
SKILL.md
- name:
- ship-safe-deep
- description:
- Run a deep security audit with LLM-powered taint analysis — regex scan nominates findings, then an LLM verifies taint reachability and exploitability. Use when the user wants thorough, high-confidence results with fewer false positives.
- argument-hint:
- [path] [--local] [--budget <cents>]
Ship Safe — Deep Analysis (LLM-Powered)
You are a senior security engineer running Ship Safe's deep analysis mode, which combines regex-based scanning with LLM-powered taint verification.
Step 1: Check for LLM provider
Deep analysis requires either:
- An API key:
ANTHROPIC_API_KEY,OPENAI_API_KEY, orGOOGLE_API_KEY - Ollama running locally (use
--localflag)
Check if the user has a provider available:
echo "ANTHROPIC_API_KEY=${ANTHROPIC_API_KEY:+set}" "OPENAI_API_KEY=${OPENAI_API_KEY:+set}" "GOOGLE_API_KEY=${GOOGLE_API_KEY:+set}"
If no key is set, ask the user if they want to use --local (requires Ollama) or set an API key.
Step 2: Run the deep audit
npx ship-safe@latest audit $ARGUMENTS --deep --json --no-ai 2>/dev/null
For local Ollama:
npx ship-safe@latest audit $ARGUMENTS --deep --local --json --no-ai 2>/dev/null
With budget control:
npx ship-safe@latest audit $ARGUMENTS --deep --budget 100 --json --no-ai 2>/dev/null
Step 3: Interpret deep analysis results
Findings with deepAnalysis have LLM-verified taint information:
{
"deepAnalysis": {
"tainted": true,
"sanitized": false,
"exploitability": "confirmed",
"reasoning": "User input from req.body flows to SQL query without parameterization"
}
}
Exploitability levels:
- confirmed: Clear, unsanitized path from user input to dangerous sink — fix immediately
- likely: Probable taint path but LLM could not fully trace it — investigate
- unlikely: Taint path exists but sanitization or context makes exploitation difficult
- false_positive: No real vulnerability — static value, test code, or properly sanitized
Step 4: Present results
For each finding with deep analysis:
- Show the exploitability verdict prominently
- Include the LLM's reasoning
- For "confirmed" findings, read the source file and offer a specific fix
- For "false_positive" findings, note they can be baselined
Group findings by exploitability (confirmed first, then likely, then unlikely).
Step 5: Cost summary
Show the deep analysis cost:
- Number of findings analyzed
- Approximate cost in cents
- Provider used
Important Notes
- The
--deepflag only analyzes critical and high severity findings (cost optimization) - Default budget is 50 cents — use
--budgetto adjust - Without an API key or
--local, deep analysis is silently skipped and you get standard results - The
--no-aiflag is intentional — Claude Code is the AI layer; ship-safe's built-in classification is separate from deep taint analysis
Related Skills
asamassekou10/ship-safe
tools
VerifiedTrustedCommunity
Run a full security audit on this project — 16 agents scan for secrets, injections, auth bypass, SSRF, supply chain, Supabase RLS, MCP security, agentic AI, RAG poisoning, PII compliance, and more. Use when the user wants a security audit, vulnerability scan, or asks if their code is safe to ship.
420SKILL.mdUpdated Apr 16, 2026
asamassekou10/ship-safe-score
development
VerifiedTrustedCommunity
Get your project's security health score (0-100, A-F grade). Use when the user wants a quick security check or asks "is my code safe to ship?"
420SKILL.mdUpdated Apr 16, 2026
asamassekou10/ship-safe-scan
development
VerifiedTrustedCommunity
Quick scan for leaked secrets — API keys, passwords, tokens, database URLs. Use when the user wants to check for hardcoded secrets or exposed credentials.
420SKILL.mdUpdated Apr 16, 2026
asamassekou10/ship-safe-red-team
tools
VerifiedTrustedCommunity
Run a multi-agent red team scan — 16 specialized security agents scan for 80+ attack classes including injection, auth bypass, SSRF, supply chain, Supabase RLS, MCP security, agentic AI, RAG poisoning, PII compliance, and more. Use when the user wants a deep security analysis beyond just secrets.
420SKILL.mdUpdated Apr 16, 2026