.gemini/skills/security-scan/SKILL.md
Security vulnerability scanning. Detects OWASP Top 10 issues, hardcoded secrets, XSS, SQL injection, and insecure dependencies. Returns JSON with findings.
Install this skill globally with one command: `npx skillsauth add astro44/Autonom8-Agents security-scan`. Works with Claude Code, Cursor, and Windsurf.
Scans codebase for security vulnerabilities using pattern matching and static analysis. Detects OWASP Top 10 issues, hardcoded credentials, and insecure coding patterns.
```json
{
  "project_dir": "/path/to/project",
  "scope": "changed|all|ticket",
  "ticket_id": "TICKET-XXX",
  "checks": ["secrets", "owasp", "dependencies"]
}
```
Scan for hardcoded credentials and API keys:
```bash
# Common secret patterns
grep -rn "password\s*=" --include="*.js" --include="*.ts" --include="*.py"
grep -rn "api_key\s*=" --include="*.js" --include="*.ts"
grep -rn "AWS_SECRET" --include="*"
grep -rn "PRIVATE_KEY" --include="*"

# Base64-encoded JSON such as JWT tokens: "eyJ" is the Base64 prefix of a
# JSON object (a prefix match, not an entropy check)
grep -rn "eyJ" --include="*.js"

# .env files in version control
git ls-files | grep -E '\.env$|\.env\.'
```
| Vulnerability | Example pattern | Remediation |
|---------------|-----------------|-------------|
| SQL Injection | `query("SELECT * FROM " + var)` | Use parameterized queries |
| XSS | `innerHTML = userInput` | Use textContent or sanitize |
| Command Injection | `exec(userInput)` | Validate/escape input |
| Path Traversal | `readFile(userPath)` | Normalize and validate paths |
| Insecure Deserialization | `JSON.parse(untrusted)` | Validate schema first |
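```bash
# SQL Injection
# Literal "+" (string concatenation) or "${" (template interpolation) after "query".
# Single quotes and -E keep "\+" and "\$" literal instead of a repetition and an anchor.
grep -rnE 'query.*(\+|\$\{)' --include="*.js"
# Also matches driver placeholders such as execute("... %s", (x,)); review each hit
# and flag only those that build the string with % formatting.
grep -rn "execute.*%s" --include="*.py"

# XSS
grep -rn "innerHTML\s*=" --include="*.js" --include="*.jsx"
grep -rn "document\.write" --include="*.js"

# Command Injection
grep -rn "exec\s*(" --include="*.js"
grep -rn "subprocess\..*shell=True" --include="*.py"

# Path Traversal
grep -rn "\.\./" --include="*.js" --include="*.py"
```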
```bash
# Check for known vulnerable packages
npm audit --json 2>/dev/null
pip-audit --format json 2>/dev/null
```
| Severity | Examples | CVSS Range |
|----------|----------|------------|
| CRITICAL | RCE, SQL Injection, hardcoded AWS keys | 9.0-10.0 |
| HIGH | XSS, CSRF, auth bypass | 7.0-8.9 |
| MEDIUM | Info disclosure, weak crypto | 4.0-6.9 |
| LOW | Verbose errors, missing headers | 0.1-3.9 |
```json
{
  "skill": "security-scan",
  "status": "pass|fail|warning",
  "scan_id": "SEC-20260107-001",
  "timestamp": "2026-01-07T12:00:00Z",
  "files_scanned": 42,
  "summary": {
    "critical": 0,
    "high": 1,
    "medium": 2,
    "low": 3
  },
  "vulnerabilities": [
    {
      "id": "V-001",
      "severity": "HIGH",
      "category": "XSS",
      "cwe_id": "CWE-79",
      "title": "innerHTML with user input",
      "description": "User-controlled data assigned to innerHTML without sanitization",
      "location": {
        "file": "src/components/UserComment.js",
        "line": 42,
        "code_snippet": "element.innerHTML = comment.body"
      },
      "remediation": "Use textContent for plain text or sanitize with DOMPurify",
      "references": ["https://owasp.org/www-community/attacks/xss/"]
    }
  ],
  "secrets_found": [
    {
      "type": "api_key",
      "file": "src/config.js",
      "line": 15,
      "pattern": "API_KEY = 'sk-...'",
      "remediation": "Move to environment variable"
    }
  ],
  "dependency_vulnerabilities": [
    {
      "package": "lodash",
      "version": "4.17.19",
      "vulnerability": "Prototype Pollution",
      "severity": "HIGH",
      "fix_version": "4.17.21"
    }
  ],
  "errors": [],
  "warnings": [],
  "next_action": "proceed|fix|review"
}
```
```
Any CRITICAL vulnerabilities?
  YES → status: "fail", next_action: "fix"
Any HIGH vulnerabilities?
  YES → status: "fail", next_action: "fix"
Any MEDIUM vulnerabilities?
  YES → status: "warning", next_action: "review"
Only LOW or no issues?
  YES → status: "pass", next_action: "proceed"
```
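The scan-and-gate flow described above, as an added Python example that is not part of the skill's own code. It applies two of the page's patterns (SQL injection in its literal-`+` form, and `innerHTML` assignment) to constructed sample files, tags each hit with the severity and CWE from the page's tables, and derives `status` and `next_action` from the decision rules. The function names `scan` and `gate` and the sample files are assumptions.

```python
import json
import re

# Two rules built from the page's grep patterns, severity table and CWE table.
RULES = [
    ("SQL Injection", "CWE-89", "CRITICAL", re.compile(r"query.*\+")),
    ("XSS", "CWE-79", "HIGH", re.compile(r"innerHTML\s*=")),
]

# Constructed sample input (path -> source text); not from a real project.
SAMPLE = {
    "src/db.js": 'const rows = db.query("SELECT * FROM users WHERE id = " + id);\n',
    "src/view.js": "el.textContent = name;\nel.innerHTML = comment.body;\n",
}

def scan(files):
    """Return one finding per (line, rule) match, in the page's output shape."""
    findings = []
    for path, text in sorted(files.items()):
        for lineno, line in enumerate(text.splitlines(), 1):
            for category, cwe, severity, pattern in RULES:
                if pattern.search(line):
                    findings.append({
                        "id": f"V-{len(findings) + 1:03d}",
                        "severity": severity,
                        "category": category,
                        "cwe_id": cwe,
                        "location": {"file": path, "line": lineno,
                                     "code_snippet": line.strip()},
                    })
    return findings

def gate(findings):
    """Apply the decision rules: CRITICAL/HIGH fail, MEDIUM warns, else pass."""
    summary = {"critical": 0, "high": 0, "medium": 0, "low": 0}
    for finding in findings:
        summary[finding["severity"].lower()] += 1
    if summary["critical"] or summary["high"]:
        status, action = "fail", "fix"
    elif summary["medium"]:
        status, action = "warning", "review"
    else:
        status, action = "pass", "proceed"
    return {"skill": "security-scan", "status": status, "summary": summary,
            "vulnerabilities": findings, "next_action": action}

if __name__ == "__main__":
    print(json.dumps(gate(scan(SAMPLE)), indent=2))
```

The safe `textContent` line in the sample produces no finding, and a report with only LOW findings still passes the gate.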
Full security scan:
```json
{
  "project_dir": "/projects/oxygen_site",
  "scope": "all",
  "checks": ["secrets", "owasp", "dependencies"]
}
```
Scan changed files only:
```json
{
  "project_dir": "/projects/oxygen_site",
  "scope": "changed",
  "checks": ["secrets", "owasp"]
}
```
Quick secrets check:
```json
{
  "project_dir": "/projects/api-service",
  "scope": "all",
  "checks": ["secrets"]
}
```
Ticket-specific scan:
```json
{
  "project_dir": "/projects/api-service",
  "scope": "ticket",
  "ticket_id": "TICKET-API-001",
  "checks": ["owasp", "secrets"]
}
```
| Category | CWE | Description |
|----------|-----|-------------|
| SQL Injection | CWE-89 | Improper neutralization of SQL |
| XSS | CWE-79 | Improper neutralization of input |
| Command Injection | CWE-78 | OS command injection |
| Path Traversal | CWE-22 | Improper path limitation |
| Hardcoded Credentials | CWE-798 | Use of hardcoded credentials |
| Weak Crypto | CWE-327 | Use of broken crypto algorithm |