Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

aurite-ai/verify-security

Name: verify-security
Author: aurite-ai

skills/verify-security/SKILL.md

npx skillsauth add aurite-ai/agent-verifier verify-security

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

Security Verification

Purpose

Verify code for security anti-patterns and vulnerabilities. All analysis happens locally—code never leaves your machine.

When to Use

Trigger this skill when the user asks to:

"verify agent security"
"verify security"
"check for secrets"
"scan for vulnerabilities"
"security audit"

Note: For full verification including patterns, quality, and language-specific checks, tell the user to say "verify agent".

Process

Step 1: Discover Files

Locate files to analyze:

Configuration files:

package.json, pyproject.toml, Cargo.toml - Dependencies
.env, .env.example, .env.local - Environment files
config.py, settings.py, config.ts - Configuration

Source files:

*.py, *.ts, *.js, *.go, *.rs - Source code
Prioritize files with: auth, api, client, secret, config in name

Exclude:

node_modules/, .venv/, venv/, __pycache__/
*.test.*, *.spec.*, *_test.go

Step 2: Run Security Checks

Check Tiers

[PATTERN] — Mechanical check. Apply exactly as written.
[HEURISTIC] — Judgment required. Mark findings clearly.

Tag every finding with [P] for pattern or [H] for heuristic.

2.1 `[PATTERN]` Hardcoded Secrets

Scan for assignments matching these patterns (case-insensitive):

| Variable pattern | Fail condition | |------------------|----------------| | API_KEY | Assigned to string literal | | SECRET | Assigned to string literal | | PASSWORD | Assigned to string literal | | TOKEN | Assigned to string literal | | PRIVATE_KEY | Assigned to string literal | | AWS_ACCESS_KEY_ID | Assigned to string literal | | AWS_SECRET_ACCESS_KEY | Assigned to string literal |

Examples of failures:

# ❌ Issue
API_KEY = "sk-abc123..."
password = "hunter2"
OPENAI_API_KEY = "sk-proj-..."

# ✅ Pass
API_KEY = os.environ["API_KEY"]
password = os.getenv("PASSWORD")
api_key = settings.API_KEY

Also flag:

String literals matching known API key patterns:
- sk-... (OpenAI)
- sk-ant-... (Anthropic)
- AKIA... (AWS)
- ghp_... (GitHub)
- xoxb-... (Slack)

Severity: ❌ Issue

2.2 `[PATTERN]` Dependency Version Pinning

Python (requirements.txt):

| Pattern | Severity | |---------|----------| | package>=1.0 | ❌ Issue | | package>1.0 | ❌ Issue | | package (no version) | ❌ Issue | | package==1.0.0 | ✅ Pass | | package~=1.0 | ✅ Pass |

Python (pyproject.toml):

Check [project.dependencies] and [tool.poetry.dependencies]:

Unpinned or >= versions → ❌ Issue
Pinned with == or ^ or ~ → ✅ Pass

JavaScript/TypeScript (package.json):

| Pattern | Severity | |---------|----------| | "package": "*" | ❌ Issue | | "package": "latest" | ❌ Issue | | "package": ">=1.0.0" | ⚠️ Warning | | "package": "^1.0.0" | ✅ Pass | | "package": "~1.0.0" | ✅ Pass | | "package": "1.0.0" | ✅ Pass |

2.3 `[HEURISTIC]` Input Validation

Check for external data handling:

Look for:

HTTP request handlers (@app.route, router.get, etc.)
User input processing (request.body, req.params, input())
File uploads
Database queries with user input

Flag if:

User input is passed directly to database queries without sanitization
File paths are constructed from user input without validation
JSON parsing without schema validation on external data

Severity: ⚠️ Warning

Example patterns to flag:

# ⚠️ Warning - SQL without parameterization
query = f"SELECT * FROM users WHERE id = {user_id}"

# ⚠️ Warning - Path traversal risk
file_path = os.path.join(base_dir, user_filename)

# ✅ Pass - Parameterized query
cursor.execute("SELECT * FROM users WHERE id = ?", (user_id,))

2.4 `[HEURISTIC]` Error Message Exposure

Check error handling for information leakage:

Flag if:

Stack traces returned in HTTP responses
Database error messages exposed to users
Internal paths or system info in error messages
Debug mode enabled in production code

Look for:

# ⚠️ Warning
except Exception as e:
    return {"error": str(e)}  # Exposes internal details

# ⚠️ Warning
app = Flask(__name__)
app.debug = True  # Debug in production

# ✅ Pass
except Exception as e:
    logger.error(f"Error: {e}")
    return {"error": "An error occurred"}

Severity: ⚠️ Warning

2.5 `[HEURISTIC]` Secure Defaults

Check configuration for insecure defaults:

| Setting | Insecure | Secure | |---------|----------|--------| | CORS | * (allow all) | Specific origins | | SSL verification | verify=False | verify=True or omitted | | Debug mode | debug=True | debug=False | | Cookie security | secure=False | secure=True | | CSRF | Disabled | Enabled |

Examples:

# ⚠️ Warning
requests.get(url, verify=False)
app.config["SESSION_COOKIE_SECURE"] = False
CORS(app, origins="*")

# ✅ Pass
requests.get(url)  # verify=True is default
app.config["SESSION_COOKIE_SECURE"] = True
CORS(app, origins=["https://example.com"])

Severity: ⚠️ Warning

2.6 `[HEURISTIC]` Sensitive Data Logging

Check logging statements for sensitive data:

Flag if logging includes:

Passwords or tokens
API keys
Personal identifiable information (PII)
Credit card numbers
Session tokens

Look for:

# ⚠️ Warning
logger.info(f"User login: {username} with password {password}")
print(f"API response: {response.json()}")  # May contain tokens

# ✅ Pass
logger.info(f"User login: {username}")
logger.debug(f"Request to {url}")  # No sensitive data

Severity: ⚠️ Warning

Step 3: Generate Report

# Security Verification Report

**Project:** [name or path]
**Date:** [current date]
**Files analyzed:** [count]

## Summary

✅ X checks passed | ⚠️ Y warnings | ❌ Z issues

## Secrets

- [x] No hardcoded secrets found
- [ ] ❌ Hardcoded secret at `[file:line]`

## Dependencies

- [x] All dependencies pinned
- [ ] ❌ Unpinned dependencies in `[file]`

## Input Validation

- [x] External input properly validated
- [ ] ⚠️ Potential injection at `[file:line]`

## Error Handling

- [x] Errors properly sanitized
- [ ] ⚠️ Information leakage at `[file:line]`

## Findings

> `[P]` = pattern-matched · `[H]` = heuristic

### ✅ Passing
- `[P]` No hardcoded API keys or secrets
- `[P]` Dependencies properly pinned

### ⚠️ Warnings
- `[H]` [Check]: [description]
  - **Location:** [file:line]
  - **Risk:** [what could go wrong]
  - **Suggestion:** [how to fix]

### ❌ Issues
- `[P]` [Check]: [description]
  - **Location:** [file:line]
  - **Rule:** [which rule violated]
  - **Fix:** [specific remediation]

## Recommendations

1. [Priority recommendation]
2. [Additional improvements]

For full verification including patterns, quality, and language-specific checks, say "verify agent".

aurite-ai/verify-security

skills/verify-security/SKILL.md

Verify code for security issues including hardcoded secrets, input validation, error exposure, and dependency vulnerabilities. Use when asked to "verify security", "check for secrets", or "scan for vulnerabilities".

21 stars

development

Updated May 2, 2026

$ install --global

skillsauth

npx skillsauth add aurite-ai/agent-verifier verify-security

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: May 2, 2026, 3:56 AM166.2s1 file scanned

SKILL.md

name:: verify-security
version:: 1.0.0
description:: Verify code for security issues including hardcoded secrets, input validation, error exposure, and dependency vulnerabilities. Use when asked to "verify security", "check for secrets", or "scan for vulnerabilities".

Security Verification

Purpose

Verify code for security anti-patterns and vulnerabilities. All analysis happens locally—code never leaves your machine.

When to Use

Trigger this skill when the user asks to:

"verify agent security"
"verify security"
"check for secrets"
"scan for vulnerabilities"
"security audit"

Note: For full verification including patterns, quality, and language-specific checks, tell the user to say "verify agent".

Process

Step 1: Discover Files

Locate files to analyze:

Configuration files:

package.json, pyproject.toml, Cargo.toml - Dependencies
.env, .env.example, .env.local - Environment files
config.py, settings.py, config.ts - Configuration

Source files:

*.py, *.ts, *.js, *.go, *.rs - Source code
Prioritize files with: auth, api, client, secret, config in name

Exclude:

node_modules/, .venv/, venv/, __pycache__/
*.test.*, *.spec.*, *_test.go

Step 2: Run Security Checks

Check Tiers

[PATTERN] — Mechanical check. Apply exactly as written.
[HEURISTIC] — Judgment required. Mark findings clearly.

Tag every finding with [P] for pattern or [H] for heuristic.

2.1 `[PATTERN]` Hardcoded Secrets

Scan for assignments matching these patterns (case-insensitive):

Examples of failures:

# ❌ Issue
API_KEY = "sk-abc123..."
password = "hunter2"
OPENAI_API_KEY = "sk-proj-..."

# ✅ Pass
API_KEY = os.environ["API_KEY"]
password = os.getenv("PASSWORD")
api_key = settings.API_KEY

Also flag:

String literals matching known API key patterns:
- sk-... (OpenAI)
- sk-ant-... (Anthropic)
- AKIA... (AWS)
- ghp_... (GitHub)
- xoxb-... (Slack)

Severity: ❌ Issue

2.2 `[PATTERN]` Dependency Version Pinning

Python (requirements.txt):

Python (pyproject.toml):

Check [project.dependencies] and [tool.poetry.dependencies]:

Unpinned or >= versions → ❌ Issue
Pinned with == or ^ or ~ → ✅ Pass

JavaScript/TypeScript (package.json):

2.3 `[HEURISTIC]` Input Validation

Check for external data handling:

Look for:

HTTP request handlers (@app.route, router.get, etc.)
User input processing (request.body, req.params, input())
File uploads
Database queries with user input

Flag if:

User input is passed directly to database queries without sanitization
File paths are constructed from user input without validation
JSON parsing without schema validation on external data

Severity: ⚠️ Warning

Example patterns to flag:

# ⚠️ Warning - SQL without parameterization
query = f"SELECT * FROM users WHERE id = {user_id}"

# ⚠️ Warning - Path traversal risk
file_path = os.path.join(base_dir, user_filename)

# ✅ Pass - Parameterized query
cursor.execute("SELECT * FROM users WHERE id = ?", (user_id,))

2.4 `[HEURISTIC]` Error Message Exposure

Check error handling for information leakage:

Flag if:

Stack traces returned in HTTP responses
Database error messages exposed to users
Internal paths or system info in error messages
Debug mode enabled in production code

Look for:

# ⚠️ Warning
except Exception as e:
    return {"error": str(e)}  # Exposes internal details

# ⚠️ Warning
app = Flask(__name__)
app.debug = True  # Debug in production

# ✅ Pass
except Exception as e:
    logger.error(f"Error: {e}")
    return {"error": "An error occurred"}

Severity: ⚠️ Warning

2.5 `[HEURISTIC]` Secure Defaults

Check configuration for insecure defaults:

Examples:

# ⚠️ Warning
requests.get(url, verify=False)
app.config["SESSION_COOKIE_SECURE"] = False
CORS(app, origins="*")

# ✅ Pass
requests.get(url)  # verify=True is default
app.config["SESSION_COOKIE_SECURE"] = True
CORS(app, origins=["https://example.com"])

Severity: ⚠️ Warning

2.6 `[HEURISTIC]` Sensitive Data Logging

Check logging statements for sensitive data:

Flag if logging includes:

Passwords or tokens
API keys
Personal identifiable information (PII)
Credit card numbers
Session tokens

Look for:

# ⚠️ Warning
logger.info(f"User login: {username} with password {password}")
print(f"API response: {response.json()}")  # May contain tokens

# ✅ Pass
logger.info(f"User login: {username}")
logger.debug(f"Request to {url}")  # No sensitive data

Severity: ⚠️ Warning

Step 3: Generate Report

# Security Verification Report

**Project:** [name or path]
**Date:** [current date]
**Files analyzed:** [count]

## Summary

✅ X checks passed | ⚠️ Y warnings | ❌ Z issues

## Secrets

- [x] No hardcoded secrets found
- [ ] ❌ Hardcoded secret at `[file:line]`

## Dependencies

- [x] All dependencies pinned
- [ ] ❌ Unpinned dependencies in `[file]`

## Input Validation

- [x] External input properly validated
- [ ] ⚠️ Potential injection at `[file:line]`

## Error Handling

- [x] Errors properly sanitized
- [ ] ⚠️ Information leakage at `[file:line]`

## Findings

> `[P]` = pattern-matched · `[H]` = heuristic

### ✅ Passing
- `[P]` No hardcoded API keys or secrets
- `[P]` Dependencies properly pinned

### ⚠️ Warnings
- `[H]` [Check]: [description]
  - **Location:** [file:line]
  - **Risk:** [what could go wrong]
  - **Suggestion:** [how to fix]

### ❌ Issues
- `[P]` [Check]: [description]
  - **Location:** [file:line]
  - **Rule:** [which rule violated]
  - **Fix:** [specific remediation]

## Recommendations

1. [Priority recommendation]
2. [Additional improvements]

For full verification including patterns, quality, and language-specific checks, say "verify agent".

Related Skills

aurite-ai/verify-quality

development

VerifiedTrustedCommunity

Verify code quality including naming conventions, organization, documentation, and general best practices. Use when asked to "verify quality", "check code quality", or "review code organization".

21SKILL.mdUpdated May 2, 2026

aurite-ai/verify-quality

aurite-ai/verify-patterns

tools

VerifiedTrustedCommunity

Verify AI agent patterns including loop safety, retry limits, tool consistency, context size, and graph cycle analysis. Use when asked to "verify agent patterns", "check loops", "verify tools", or "check retry limits".

11SKILL.mdUpdated Apr 29, 2026

aurite-ai/verify-patterns

aurite-ai/verify-language

development

VerifiedTrustedCommunity

Language-specific verification for Python, TypeScript/JavaScript, and Go. Checks type safety, language idioms, and best practices. Use when asked to "verify language", "check types", or for language-specific checks.

4SKILL.mdUpdated Apr 28, 2026

aurite-ai/verify-language

aurite-ai/verification

testing

VerifiedTrustedCommunity

Full agent verification suite. Runs security, patterns, quality, and language-specific checks. Use when asked to "verify agent", "verify my agent", "audit agent", or "full verification".

3SKILL.mdUpdated Apr 26, 2026

aurite-ai/verification

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/aurite-ai/agent-verifier.git

# Copy into Claude Code skills folder (global)
cp -r agent-verifier/skills/verify-security ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

aurite-ai/agent-verifier

21 stars

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT

Adoption

aurite-ai/verify-security

$ install --global

Security Scan Results

SKILL.md

Security Verification

Purpose

When to Use

Process

Step 1: Discover Files

Step 2: Run Security Checks

Check Tiers

2.1 [PATTERN] Hardcoded Secrets

2.2 [PATTERN] Dependency Version Pinning

2.3 [HEURISTIC] Input Validation

2.4 [HEURISTIC] Error Message Exposure

2.5 [HEURISTIC] Secure Defaults

2.6 [HEURISTIC] Sensitive Data Logging

Step 3: Generate Report

Related Skills

aurite-ai/verify-quality

aurite-ai/verify-patterns

aurite-ai/verify-language

aurite-ai/verification

aurite-ai/verify-security

$ install --global

Security Scan Results

SKILL.md

Security Verification

Purpose

When to Use

Process

Step 1: Discover Files

Step 2: Run Security Checks

Check Tiers

2.1 [PATTERN] Hardcoded Secrets

2.2 [PATTERN] Dependency Version Pinning

2.3 [HEURISTIC] Input Validation

2.4 [HEURISTIC] Error Message Exposure

2.5 [HEURISTIC] Secure Defaults

2.6 [HEURISTIC] Sensitive Data Logging

Step 3: Generate Report

Related Skills

aurite-ai/verify-quality

aurite-ai/verify-patterns

aurite-ai/verify-language

aurite-ai/verification

2.1 `[PATTERN]` Hardcoded Secrets

2.2 `[PATTERN]` Dependency Version Pinning

2.3 `[HEURISTIC]` Input Validation

2.4 `[HEURISTIC]` Error Message Exposure

2.5 `[HEURISTIC]` Secure Defaults

2.6 `[HEURISTIC]` Sensitive Data Logging

2.1 `[PATTERN]` Hardcoded Secrets

2.2 `[PATTERN]` Dependency Version Pinning

2.3 `[HEURISTIC]` Input Validation

2.4 `[HEURISTIC]` Error Message Exposure

2.5 `[HEURISTIC]` Secure Defaults

2.6 `[HEURISTIC]` Sensitive Data Logging