asamassekou10/ship-safe-red-team
claude-code-plugin/skills/ship-safe-red-team/SKILL.md
Run a multi-agent red team scan — 16 specialized security agents scan for 80+ attack classes including injection, auth bypass, SSRF, supply chain, Supabase RLS, MCP security, agentic AI, RAG poisoning, PII compliance, and more. Use when the user wants a deep security analysis beyond just secrets.
$ install --global
skillsauthnpx skillsauth add asamassekou10/ship-safe ship-safe-red-teamInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 16, 2026, 8:52 AM8.7s1 file scanned
SKILL.md
- name:
- ship-safe-red-team
- description:
- Run a multi-agent red team scan — 16 specialized security agents scan for 80+ attack classes including injection, auth bypass, SSRF, supply chain, Supabase RLS, MCP security, agentic AI, RAG poisoning, PII compliance, and more. Use when the user wants a deep security analysis beyond just secrets.
- argument-hint:
- [path] [--agents <list>]
Ship Safe — Red Team Scan
You are running a multi-agent red team scan using Ship Safe's 13 security agents.
Step 1: Run the red team scan
npx ship-safe@latest red-team $ARGUMENTS --json --no-ai 2>/dev/null
If $ARGUMENTS is empty, default to .:
npx ship-safe@latest red-team . --json --no-ai 2>/dev/null
If the user wants specific agents only, use the --agents flag:
npx ship-safe@latest red-team . --agents injection,auth,ssrf --json --no-ai 2>/dev/null
Available agents: injection, auth, ssrf, supply-chain, config, llm, mobile, git-history, cicd, api, supabase-rls
Step 2: Parse and present results
The JSON output contains findings from each agent. Present results grouped by agent:
For each agent that found issues:
- Agent name and category (e.g., "InjectionTester — Code Vulnerabilities")
- Finding count by severity
- Top findings — list critical and high severity findings with:
- File and line number
- Rule name and description
- Code context (if available, show the flagged line with surrounding lines)
- Suggested fix
- Confidence level
Agent summary table
Show a table: Agent | Findings | Critical | High | Medium
Agents with zero findings
List them briefly as clean — this is useful context.
Step 3: Deep dive and remediation
For the most critical findings:
- Read the actual source file for full context
- Explain the vulnerability in plain language — what could an attacker do?
- Offer to fix it with a concrete code change
- After fixing, offer to re-run just that agent to verify:
npx ship-safe@latest red-team . --agents <agent>
Step 4: Recommendations
Based on the results, suggest:
- Which agents to focus on (highest finding count or most critical findings)
- Whether to create a baseline (
/ship-safe-baseline) for the current state - Framework-specific hardening tips based on detected stack (from recon agent)
Important Notes
- The 13 agents are: InjectionTester, AuthBypassAgent, SSRFProber, SupplyChainAudit, ConfigAuditor, SupabaseRLSAgent, LLMRedTeam, MobileScanner, GitHistoryScanner, CICDScanner, APIFuzzer, ReconAgent, ScoringEngine
- Agents run in parallel — the scan should complete in under 60 seconds for most projects
- Low-confidence findings in test files or documentation are likely false positives
- Never display actual secret values
Related Skills
asamassekou10/ship-safe
tools
VerifiedTrustedCommunity
Run a full security audit on this project — 16 agents scan for secrets, injections, auth bypass, SSRF, supply chain, Supabase RLS, MCP security, agentic AI, RAG poisoning, PII compliance, and more. Use when the user wants a security audit, vulnerability scan, or asks if their code is safe to ship.
420SKILL.mdUpdated Apr 16, 2026
asamassekou10/ship-safe-score
development
VerifiedTrustedCommunity
Get your project's security health score (0-100, A-F grade). Use when the user wants a quick security check or asks "is my code safe to ship?"
420SKILL.mdUpdated Apr 16, 2026
asamassekou10/ship-safe-scan
development
VerifiedTrustedCommunity
Quick scan for leaked secrets — API keys, passwords, tokens, database URLs. Use when the user wants to check for hardcoded secrets or exposed credentials.
420SKILL.mdUpdated Apr 16, 2026
asamassekou10/ship-safe-hooks
development
VerifiedTrustedCommunity
Install ship-safe as real-time Claude Code hooks — blocks secrets and dangerous commands before they land on disk. Use when the user wants automatic security scanning on every file write or bash command.
420SKILL.mdUpdated Apr 16, 2026