Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

awfixers-stuff/rust-security

Name: rust-security
Author: awfixers-stuff

skills/rust-security/SKILL.md

npx skillsauth add awfixers-stuff/opencode-config rust-security

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

Rust Security

Purpose

Guide agents through Rust security practices: dependency auditing with cargo-audit, policy enforcement with cargo-deny, RUSTSEC advisory database, memory-safe patterns for FFI, and combining fuzzing with Miri for security review.

Triggers

"How do I check my Rust dependencies for CVEs?"
"How do I use cargo-audit?"
"How do I enforce dependency policies in CI?"
"What's the RUSTSEC advisory database?"
"How do I write memory-safe FFI in Rust?"
"How do I fuzz-test my Rust library for security bugs?"

Workflow

1. cargo-audit — vulnerability scanning

# Install
cargo install cargo-audit --locked

# Scan current project
cargo audit

# Full output including ignored
cargo audit --deny warnings

# Audit the lockfile (CI-friendly)
cargo audit --file Cargo.lock

# JSON output for CI integration
cargo audit --json | jq '.vulnerabilities.list[].advisory.id'

Output format:

error[RUSTSEC-2023-0052]: Vulnerability in `vm-superio`
    Severity: low
       Title: MMIO Register Misuse
    Solution: upgrade to `>= 0.7.0`

2. cargo-deny — policy enforcement

cargo-deny goes beyond audit: it enforces license policies, bans specific crates, checks source origins, and validates duplicate dependency versions.

cargo install cargo-deny --locked

# Initialize deny.toml
cargo deny init

# Run all checks
cargo deny check

# Run specific check
cargo deny check advisories
cargo deny check licenses
cargo deny check bans
cargo deny check sources

deny.toml configuration:

[advisories]
vulnerability = "deny"      # Deny known vulnerabilities
unmaintained = "warn"       # Warn on unmaintained crates
yanked = "deny"             # Deny yanked versions

# Ignore specific advisories
ignore = [
    "RUSTSEC-2021-0145",    # known false positive for our usage
]

[licenses]
unlicensed = "deny"
allow = [
    "MIT", "Apache-2.0", "Apache-2.0 WITH LLVM-exception",
    "BSD-2-Clause", "BSD-3-Clause", "ISC", "Unicode-DFS-2016",
]
# Deny GPL for proprietary projects
deny = ["GPL-2.0", "GPL-3.0"]

[bans]
multiple-versions = "warn"  # Warn if same crate appears twice
wildcards = "deny"          # Deny wildcard dependencies

[[bans.deny]]
name = "openssl"            # Force rustls instead
wrappers = ["reqwest"]      # Allow if only required by these

[sources]
unknown-registry = "deny"
unknown-git = "deny"
allow-git = [
    "https://github.com/my-org/private-crate",
]

GitHub Actions CI integration:

- name: Security audit
  run: |
    cargo install cargo-deny --locked
    cargo deny check

3. RUSTSEC advisory database

The RUSTSEC database at https://rustsec.org/ tracks vulnerabilities, unmaintained crates, and unsound code.

# Browse advisories from CLI
cargo audit --db ~/.cargo/advisory-db fetch
ls ~/.cargo/advisory-db/crates/

# Check a specific advisory
curl https://rustsec.org/advisories/RUSTSEC-2023-0001.json | jq .

# Common categories
# type: vulnerability — exploitable security bug
# type: unmaintained — no longer maintained (supply chain risk)
# type: unsound — documented unsoundness in safe API
# type: yanked — crate version yanked from crates.io

4. Memory-safe FFI patterns

Common sources of unsafety at the Rust/C boundary:

// UNSAFE pattern — raw pointer from C, no lifetime
extern "C" fn process_data(data: *const u8, len: usize) {
    // Don't do this — no bounds check, no lifetime guarantee
    let slice = unsafe { std::slice::from_raw_parts(data, len) };
}

// SAFE pattern — validate before using
extern "C" fn process_data(data: *const u8, len: usize) -> i32 {
    // Validate pointer and length
    if data.is_null() || len == 0 || len > 1024 * 1024 {
        return -1;
    }
    // Safety: non-null, len validated, called from C with valid buffer
    let slice = unsafe { std::slice::from_raw_parts(data, len) };
    do_work(slice);
    0
}

// Use safe wrapper crates for common patterns
use nix::unistd::read;   // safe POSIX wrappers
use windows::Win32::System::Memory::VirtualAlloc;  // safe Windows bindings

5. Fuzzing for security bugs

# cargo-fuzz — libFuzzer-based
cargo install cargo-fuzz

# Initialize
cargo fuzz init
cargo fuzz add my_target

# fuzz/fuzz_targets/my_target.rs
# #![no_main]
# use libfuzzer_sys::fuzz_target;
# fuzz_target!(|data: &[u8]| {
#     if let Ok(s) = std::str::from_utf8(data) {
#         let _ = my_lib::parse(s);
#     }
# });

# Run fuzzing (long-running)
cargo fuzz run my_target

# With sanitizers for security coverage
cargo fuzz run my_target -- -sanitizer=address

# Reproduce a crash
cargo fuzz run my_target artifacts/my_target/crash-xxxx

# Honggfuzz — good for security targets
cargo install honggfuzz
cargo hfuzz run my_target

6. Miri for soundness

# Install Miri
rustup +nightly component add miri

# Run tests under Miri
cargo +nightly miri test

# Check for UB in unsafe code
MIRIFLAGS="-Zmiri-disable-isolation -Zmiri-backtrace=full" \
  cargo +nightly miri test

# Miri detects:
# - Use-after-free
# - Dangling references
# - Invalid pointer arithmetic
# - Data races (with -Zmiri-tree-borrows)
# - Uninitialized memory reads

7. Supply chain hardening

# Pin Cargo.lock in applications (not libraries)
# Always commit Cargo.lock for binaries

# Verify checksums (cargo already does this)
cargo fetch --locked    # fails if Cargo.lock doesn't match

# Audit all dependencies including transitive
cargo tree              # view full dependency tree
cargo tree -d           # show duplicate versions

# Use cargo-vet for peer review of new deps
cargo install cargo-vet
cargo vet              # check all deps have been vetted

# Minimal dependency principle
cargo machete          # finds unused dependencies

Related skills

Use skills/rust/rust-sanitizers-miri for Miri and sanitizer details
Use skills/runtimes/fuzzing for fuzzing strategy and corpus management
Use skills/rust/rust-unsafe for unsafe code audit patterns
Use skills/rust/cargo-workflows for Cargo.lock and workspace management

awfixers-stuff/rust-security

skills/rust-security/SKILL.md

Rust security skill for supply chain safety and memory-safe development. Use when auditing dependencies with cargo-audit, enforcing policies with cargo-deny, reviewing RUSTSEC advisories, writing memory-safe FFI patterns, or integrating fuzzing and Miri into a security review pipeline. Activates on queries about cargo-audit, cargo-deny, RUSTSEC advisories, supply chain security, Rust CVEs, safe FFI, or fuzzing for security.

development

Updated Apr 27, 2026

$ install --global

skillsauth

npx skillsauth add awfixers-stuff/opencode-config rust-security

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: Apr 19, 2026, 4:12 AM6.0s1 file scanned

SKILL.md

name:: rust-security
description:: Rust security skill for supply chain safety and memory-safe development. Use when auditing dependencies with cargo-audit, enforcing policies with cargo-deny, reviewing RUSTSEC advisories, writing memory-safe FFI patterns, or integrating fuzzing and Miri into a security review pipeline. Activates on queries about cargo-audit, cargo-deny, RUSTSEC advisories, supply chain security, Rust CVEs, safe FFI, or fuzzing for security.

Rust Security

Purpose

Triggers

"How do I check my Rust dependencies for CVEs?"
"How do I use cargo-audit?"
"How do I enforce dependency policies in CI?"
"What's the RUSTSEC advisory database?"
"How do I write memory-safe FFI in Rust?"
"How do I fuzz-test my Rust library for security bugs?"

Workflow

1. cargo-audit — vulnerability scanning

# Install
cargo install cargo-audit --locked

# Scan current project
cargo audit

# Full output including ignored
cargo audit --deny warnings

# Audit the lockfile (CI-friendly)
cargo audit --file Cargo.lock

# JSON output for CI integration
cargo audit --json | jq '.vulnerabilities.list[].advisory.id'

Output format:

error[RUSTSEC-2023-0052]: Vulnerability in `vm-superio`
    Severity: low
       Title: MMIO Register Misuse
    Solution: upgrade to `>= 0.7.0`

2. cargo-deny — policy enforcement

cargo-deny goes beyond audit: it enforces license policies, bans specific crates, checks source origins, and validates duplicate dependency versions.

cargo install cargo-deny --locked

# Initialize deny.toml
cargo deny init

# Run all checks
cargo deny check

# Run specific check
cargo deny check advisories
cargo deny check licenses
cargo deny check bans
cargo deny check sources

deny.toml configuration:

[advisories]
vulnerability = "deny"      # Deny known vulnerabilities
unmaintained = "warn"       # Warn on unmaintained crates
yanked = "deny"             # Deny yanked versions

# Ignore specific advisories
ignore = [
    "RUSTSEC-2021-0145",    # known false positive for our usage
]

[licenses]
unlicensed = "deny"
allow = [
    "MIT", "Apache-2.0", "Apache-2.0 WITH LLVM-exception",
    "BSD-2-Clause", "BSD-3-Clause", "ISC", "Unicode-DFS-2016",
]
# Deny GPL for proprietary projects
deny = ["GPL-2.0", "GPL-3.0"]

[bans]
multiple-versions = "warn"  # Warn if same crate appears twice
wildcards = "deny"          # Deny wildcard dependencies

[[bans.deny]]
name = "openssl"            # Force rustls instead
wrappers = ["reqwest"]      # Allow if only required by these

[sources]
unknown-registry = "deny"
unknown-git = "deny"
allow-git = [
    "https://github.com/my-org/private-crate",
]

GitHub Actions CI integration:

- name: Security audit
  run: |
    cargo install cargo-deny --locked
    cargo deny check

3. RUSTSEC advisory database

The RUSTSEC database at https://rustsec.org/ tracks vulnerabilities, unmaintained crates, and unsound code.

# Browse advisories from CLI
cargo audit --db ~/.cargo/advisory-db fetch
ls ~/.cargo/advisory-db/crates/

# Check a specific advisory
curl https://rustsec.org/advisories/RUSTSEC-2023-0001.json | jq .

# Common categories
# type: vulnerability — exploitable security bug
# type: unmaintained — no longer maintained (supply chain risk)
# type: unsound — documented unsoundness in safe API
# type: yanked — crate version yanked from crates.io

4. Memory-safe FFI patterns

Common sources of unsafety at the Rust/C boundary:

// UNSAFE pattern — raw pointer from C, no lifetime
extern "C" fn process_data(data: *const u8, len: usize) {
    // Don't do this — no bounds check, no lifetime guarantee
    let slice = unsafe { std::slice::from_raw_parts(data, len) };
}

// SAFE pattern — validate before using
extern "C" fn process_data(data: *const u8, len: usize) -> i32 {
    // Validate pointer and length
    if data.is_null() || len == 0 || len > 1024 * 1024 {
        return -1;
    }
    // Safety: non-null, len validated, called from C with valid buffer
    let slice = unsafe { std::slice::from_raw_parts(data, len) };
    do_work(slice);
    0
}

// Use safe wrapper crates for common patterns
use nix::unistd::read;   // safe POSIX wrappers
use windows::Win32::System::Memory::VirtualAlloc;  // safe Windows bindings

5. Fuzzing for security bugs

# cargo-fuzz — libFuzzer-based
cargo install cargo-fuzz

# Initialize
cargo fuzz init
cargo fuzz add my_target

# fuzz/fuzz_targets/my_target.rs
# #![no_main]
# use libfuzzer_sys::fuzz_target;
# fuzz_target!(|data: &[u8]| {
#     if let Ok(s) = std::str::from_utf8(data) {
#         let _ = my_lib::parse(s);
#     }
# });

# Run fuzzing (long-running)
cargo fuzz run my_target

# With sanitizers for security coverage
cargo fuzz run my_target -- -sanitizer=address

# Reproduce a crash
cargo fuzz run my_target artifacts/my_target/crash-xxxx

# Honggfuzz — good for security targets
cargo install honggfuzz
cargo hfuzz run my_target

6. Miri for soundness

# Install Miri
rustup +nightly component add miri

# Run tests under Miri
cargo +nightly miri test

# Check for UB in unsafe code
MIRIFLAGS="-Zmiri-disable-isolation -Zmiri-backtrace=full" \
  cargo +nightly miri test

# Miri detects:
# - Use-after-free
# - Dangling references
# - Invalid pointer arithmetic
# - Data races (with -Zmiri-tree-borrows)
# - Uninitialized memory reads

7. Supply chain hardening

# Pin Cargo.lock in applications (not libraries)
# Always commit Cargo.lock for binaries

# Verify checksums (cargo already does this)
cargo fetch --locked    # fails if Cargo.lock doesn't match

# Audit all dependencies including transitive
cargo tree              # view full dependency tree
cargo tree -d           # show duplicate versions

# Use cargo-vet for peer review of new deps
cargo install cargo-vet
cargo vet              # check all deps have been vetted

# Minimal dependency principle
cargo machete          # finds unused dependencies

Related skills

Use skills/rust/rust-sanitizers-miri for Miri and sanitizer details
Use skills/runtimes/fuzzing for fuzzing strategy and corpus management
Use skills/rust/rust-unsafe for unsafe code audit patterns
Use skills/rust/cargo-workflows for Cargo.lock and workspace management

Related Skills

awfixers-stuff/zmx

development

VerifiedTrustedCommunity

Use when starting dev servers, watchers, tilt, or any process expected to outlive the conversation. Provides zmx session management patterns for long-lived processes.

SKILL.mdUpdated Apr 27, 2026

awfixers-stuff/zig-testing

development

VerifiedTrustedCommunity

Zig testing skill for writing and running tests. Use when using zig build test, writing comptime tests, using test filters, working with test allocators to detect leaks, or using Zig's built-in fuzz testing (0.14+). Activates on queries about Zig tests, zig test, zig build test, comptime testing, test allocators, Zig fuzz testing, or detecting memory leaks in Zig tests.

SKILL.mdUpdated Apr 27, 2026

awfixers-stuff/zig-testing

awfixers-stuff/zig-debugging

development

VerifiedTrustedCommunity

Zig debugging skill. Use when debugging Zig programs with GDB or LLDB, interpreting Zig runtime panics, using std.debug.print for tracing, configuring debug builds, or debugging Zig programs in VS Code. Activates on queries about debugging Zig, Zig panics, zig gdb, zig lldb, std.debug.print, Zig stack traces, or Zig error return traces.

SKILL.mdUpdated Apr 27, 2026

awfixers-stuff/zig-debugging

awfixers-stuff/zig-cross

tools

VerifiedTrustedCommunity

Zig cross-compilation skill. Use when cross-compiling Zig programs to different targets, using Zig's built-in cross-compilation for embedded, WASM, Windows, ARM, or using zig cc to cross-compile C code without a system cross-toolchain. Activates on queries about Zig cross-compilation, zig target triples, zig cc cross-compile, Zig embedded targets, or Zig WASM.

SKILL.mdUpdated Apr 27, 2026

awfixers-stuff/zig-cross

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/awfixers-stuff/opencode-config.git

# Copy into Claude Code skills folder (global)
cp -r opencode-config/skills/rust-security ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

awfixers-stuff/opencode-config

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT