Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

bjesuiter/security-check

Name: security-check
Author: bjesuiter

skills/security-check/SKILL.md

npx skillsauth add bjesuiter/skills security-check

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

Security Check

Red-team style security review for code changes. Think like an attacker.

Modes

1. Pending Changes (default)

Review uncommitted changes in the current working directory:

git diff HEAD
git diff --cached  # staged changes

2. Branch vs Main

Review all commits on a branch against main:

git log main..<branch> --oneline  # list commits
git diff main...<branch>          # three dots = merge-base diff

3. Specific Commit Range

git diff <commit1>..<commit2>

Review Checklist

Input Validation

[ ] User input sanitized before use?
[ ] SQL injection vectors?
[ ] Command injection (shell escapes)?
[ ] Path traversal (../ in file paths)?
[ ] XSS in HTML/JS output?
[ ] Prototype pollution (JS objects)?

Authentication & Authorization

[ ] Auth checks on all sensitive endpoints?
[ ] Permission escalation paths?
[ ] Session handling flaws?
[ ] Token exposure in logs/URLs?
[ ] Missing rate limiting?

Secrets & Configuration

[ ] Hardcoded credentials/API keys?
[ ] Secrets in logs or error messages?
[ ] Insecure defaults?
[ ] Debug mode left enabled?
[ ] .env files committed?

Data Exposure

[ ] Sensitive data in responses?
[ ] PII leaked in logs?
[ ] Stack traces exposed to users?
[ ] Internal paths/IPs revealed?

Cryptography

[ ] Weak algorithms (MD5, SHA1 for security)?
[ ] Hardcoded IVs/salts?
[ ] Predictable random values?
[ ] Missing HTTPS enforcement?

Dependencies

[ ] Known vulnerable packages?
[ ] Unpinned versions?
[ ] Typosquatting risk?

File Operations

[ ] Arbitrary file read/write?
[ ] Unsafe deserialization?
[ ] Temp file races?
[ ] Symlink attacks?

Process & Network

[ ] SSRF vectors?
[ ] Open redirects?
[ ] Unsafe subprocess calls?
[ ] Missing timeouts?

Output Format

For each finding:

🔴 [CRITICAL|HIGH|MEDIUM|LOW] <Title>

📍 Location: <file:line>

💀 Attack Vector:
<How an attacker would exploit this>

📝 Code:
<relevant snippet>

✅ Fix:
<suggested remediation>

Workflow

Identify scope — Ask which mode (pending/branch/commit range)
Get the diff — Run appropriate git commands
Analyze systematically — Go through checklist
Prioritize findings — CRITICAL > HIGH > MEDIUM > LOW
Suggest fixes — Concrete code changes, not vague advice
Summary — Executive summary with risk assessment

Quick Commands

# Pending changes
git diff HEAD

# Branch review
git diff main...feature-branch

# Check for secrets (basic)
git diff HEAD | grep -iE "(password|secret|api.?key|token|credential)"

# Check for dangerous functions
git diff HEAD | grep -iE "(eval|exec|system|shell_exec|passthru|popen)"

Risk Levels

CRITICAL: Exploitable now, high impact (RCE, auth bypass, data breach)
HIGH: Likely exploitable, significant impact
MEDIUM: Exploitable under specific conditions
LOW: Defense-in-depth issues, minor exposure

bjesuiter/security-check

skills/security-check/SKILL.md

Use when reviewing pending changes, branch diffs, or new features for concrete security risks, injection, auth, permissions, or attack paths.

testing

Updated Jun 4, 2026

$ install --global

skillsauth

npx skillsauth add bjesuiter/skills security-check

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: Jun 4, 2026, 4:41 AM132.4s1 file scanned

SKILL.md

name:: security-check
description:: Use when reviewing pending changes, branch diffs, or new features for concrete security risks, injection, auth, permissions, or attack paths.
private:: true
emoji:: 🔴
bins:: ["git"]

Security Check

Red-team style security review for code changes. Think like an attacker.

Modes

1. Pending Changes (default)

Review uncommitted changes in the current working directory:

git diff HEAD
git diff --cached  # staged changes

2. Branch vs Main

Review all commits on a branch against main:

git log main..<branch> --oneline  # list commits
git diff main...<branch>          # three dots = merge-base diff

3. Specific Commit Range

git diff <commit1>..<commit2>

Review Checklist

Input Validation

[ ] User input sanitized before use?
[ ] SQL injection vectors?
[ ] Command injection (shell escapes)?
[ ] Path traversal (../ in file paths)?
[ ] XSS in HTML/JS output?
[ ] Prototype pollution (JS objects)?

Authentication & Authorization

[ ] Auth checks on all sensitive endpoints?
[ ] Permission escalation paths?
[ ] Session handling flaws?
[ ] Token exposure in logs/URLs?
[ ] Missing rate limiting?

Secrets & Configuration

[ ] Hardcoded credentials/API keys?
[ ] Secrets in logs or error messages?
[ ] Insecure defaults?
[ ] Debug mode left enabled?
[ ] .env files committed?

Data Exposure

[ ] Sensitive data in responses?
[ ] PII leaked in logs?
[ ] Stack traces exposed to users?
[ ] Internal paths/IPs revealed?

Cryptography

[ ] Weak algorithms (MD5, SHA1 for security)?
[ ] Hardcoded IVs/salts?
[ ] Predictable random values?
[ ] Missing HTTPS enforcement?

Dependencies

[ ] Known vulnerable packages?
[ ] Unpinned versions?
[ ] Typosquatting risk?

File Operations

[ ] Arbitrary file read/write?
[ ] Unsafe deserialization?
[ ] Temp file races?
[ ] Symlink attacks?

Process & Network

[ ] SSRF vectors?
[ ] Open redirects?
[ ] Unsafe subprocess calls?
[ ] Missing timeouts?

Output Format

For each finding:

🔴 [CRITICAL|HIGH|MEDIUM|LOW] <Title>

📍 Location: <file:line>

💀 Attack Vector:
<How an attacker would exploit this>

📝 Code:
<relevant snippet>

✅ Fix:
<suggested remediation>

Workflow

Identify scope — Ask which mode (pending/branch/commit range)
Get the diff — Run appropriate git commands
Analyze systematically — Go through checklist
Prioritize findings — CRITICAL > HIGH > MEDIUM > LOW
Suggest fixes — Concrete code changes, not vague advice
Summary — Executive summary with risk assessment

Quick Commands

# Pending changes
git diff HEAD

# Branch review
git diff main...feature-branch

# Check for secrets (basic)
git diff HEAD | grep -iE "(password|secret|api.?key|token|credential)"

# Check for dangerous functions
git diff HEAD | grep -iE "(eval|exec|system|shell_exec|passthru|popen)"

Risk Levels

CRITICAL: Exploitable now, high impact (RCE, auth bypass, data breach)
HIGH: Likely exploitable, significant impact
MEDIUM: Exploitable under specific conditions
LOW: Defense-in-depth issues, minor exposure

Related Skills

bjesuiter/jb-clawpatch-review

testing

VerifiedTrustedCommunity

Use when the user mentions Clawpatch/clawpatch.ai, semantic feature review, repo-wide AI audit, persistent findings, or clawpatch init/map/review/report/fix/revalidate.

SKILL.mdUpdated Jun 4, 2026

bjesuiter/jb-clawpatch-review

bjesuiter/jb-autoreview

development

VerifiedTrustedCommunity

Use when the user asks for autoreview, Codex/Claude second-model review, or final review of dirty changes, a branch, commit, or PR before ship.

SKILL.mdUpdated Jun 4, 2026

bjesuiter/jb-autoreview

bjesuiter/jb-release

testing

VerifiedTrustedCommunity

Use when the user asks to cut, prepare, publish, tag, or verify a release, especially npm/package releases.

SKILL.mdUpdated May 30, 2026

bjesuiter/jb-tuna-script

tools

VerifiedTrustedCommunity

Use when adding, writing, fixing, or exposing a script for the Tuna macOS launcher.

SKILL.mdUpdated May 17, 2026

bjesuiter/jb-tuna-script

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/bjesuiter/skills.git

# Copy into Claude Code skills folder (global)
cp -r skills/skills/security-check ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

bjesuiter/skills

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT