security/SKILL.md
---
name: security
description: Security quality system. 7 modes: score (10-category audit), fix (auto-fix from scorecard), loop (score->fix until target). OWASP Top 10 mapped.
license: Complete terms in LICENSE.txt
---

# Security Quality System
Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

```shell
npx skillsauth add clownnvd/claude-code-skills security
```
3 of 9 scanners reported clean
One skill, 7 modes. Score security posture, fix vulnerabilities, or run the full loop.
## Modes

| Mode | Use When | Workflow |
|------|----------|----------|
| **score** | Pre-launch audit, after adding routes/inputs, security review prep | Gather files -> score 10 categories -> weighted total -> grade + issues |
| **fix** | Scorecard has issues, score below target, CRITICAL/HIGH items found | Parse scorecard -> prioritize by severity*weight -> apply fixes -> verify |
| **loop** | Want hands-off score->fix cycle until target grade reached | Score -> fix -> re-score -> repeat (max 5 iterations, stop on plateau) |
| **generate** | Create new code | Load criteria -> Generate meeting all 10 -> Self-check |
| **review** | Quick 1-2 file check | Read files -> Score applicable categories -> Annotate + fix |
| **migrate** | Framework upgrade | Detect versions -> Map breaking changes -> Migrate -> Verify |
| **test** | Generate test cases | Map categories to assertions -> Generate test files |
## Mode: score

Audit security design against 10 weighted categories (0-100 scale, A+ to F grade).
| # | Category | Weight | Key Signals | OWASP |
|---|----------|--------|-------------|-------|
| 1 | Input Validation & Sanitization | 15% | Zod at boundaries, XSS prevention, injection defense | A03 |
| 2 | Secrets & Environment Management | 12% | No hardcoded secrets, env sync, .env.example | A02, A05 |
| 3 | Dependency Security | 10% | npm audit clean, no known CVEs, lockfile integrity | A06 |
| 4 | Error Handling & Info Disclosure | 12% | No stack leak to client, safe error messages | A09 |
| 5 | Content Security Policy | 10% | CSP header, script-src, no unsafe-eval | A05 |
| 6 | Data Protection & PII | 10% | HTTPS enforced, PII minimization, no internal IDs leaked | A02 |
| 7 | Open Redirect & URL Validation | 8% | Redirect validation, // and /\ blocked | A01 |
| 8 | Webhook & External API Security | 8% | Signature verification, idempotency, replay protection | A08 |
| 9 | Security Monitoring & Logging | 8% | Security events logged, request IDs, anomaly detection | A09 |
| 10 | Supply Chain & Build Security | 7% | Lockfile, CI/CD, poweredByHeader off, source maps | A06 |
| Grade | Score | Grade | Score | Grade | Score |
|-------|-------|-------|-------|-------|-------|
| A+ | 97-100 | B+ | 87-89 | C+ | 77-79 |
| A | 93-96 | B | 83-86 | C | 73-76 |
| A- | 90-92 | B- | 80-82 | D | 60-72 |
| | | | | F | <60 |
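The "Open Redirect & URL Validation" row above lists "redirect validation, // and /\ blocked" as its key signals. The following validator is an added illustration of what that signal looks like in code; it is not code from the skill or its reference files. `APP_ORIGIN`, `safeRedirectTarget` and `loginRedirectLocation` are assumed names, and the origin value is a constructed placeholder. It goes a little beyond the two listed patterns by also rejecting absolute URLs, control characters, and a leading `//` that dot-segment normalization can recreate.

```javascript
// Added example (not part of the security skill): a redirect validator for the
// "Open Redirect & URL Validation" category. It accepts only same-origin,
// path-relative targets and falls back to a safe default otherwise.
// APP_ORIGIN is a constructed placeholder; substitute the app's real origin.
const APP_ORIGIN = "https://app.example.test";

// Returns a safe redirect target derived from an untrusted `raw` value
// (e.g. a ?next= query parameter), or `fallback` if the value is unsafe.
function safeRedirectTarget(raw, fallback = "/") {
  if (typeof raw !== "string" || raw.length === 0 || raw.length > 2048) {
    return fallback;
  }
  // Control characters and whitespace can smuggle schemes past naive checks.
  if (/[\u0000-\u001F\u007F\s]/.test(raw)) return fallback;
  // Absolute URLs ("https://", "javascript:", "mailto:") are never accepted:
  // a safe target must be a path that starts with exactly one slash.
  if (!raw.startsWith("/")) return fallback;
  // Protocol-relative ("//evil.test") and backslash variants ("/\evil.test")
  // are treated as a new host by browsers, so they are blocked up front.
  if (/^\/[\/\\]/.test(raw)) return fallback;

  let resolved;
  try {
    resolved = new URL(raw, APP_ORIGIN); // WHATWG parsing, same as the browser
  } catch {
    return fallback;
  }
  // Belt and braces: the resolved URL must still be on our own origin.
  if (resolved.origin !== APP_ORIGIN) return fallback;

  const target = resolved.pathname + resolved.search + resolved.hash;
  // Dot-segment normalization can recreate a leading "//" (e.g. "/..//evil.test"
  // normalizes to "//evil.test"), so the check is repeated on the result.
  if (/^\/[\/\\]/.test(target)) return fallback;
  return target;
}

// Framework-agnostic handler shape (assumed name): compute the Location value
// once through the validator, never pass user input straight through.
function loginRedirectLocation(query) {
  return safeRedirectTarget(query.next, "/dashboard");
}
```

The validator deliberately returns a fallback instead of throwing, so a malformed `next` parameter degrades to the default page rather than an error page; an audit under this category would also look for the same function being used on every redirect site, not just the login flow.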
Criteria: references/scoring/criteria/ files.

## Mode: fix

Parse scorecard, prioritize by severity * weight, apply fixes, verify.
| Priority | Severity | Score Range | Action |
|----------|----------|-------------|--------|
| 1 | CRITICAL | 0-3 or data breach risk | Fix immediately -- blocks deploy |
| 2 | HIGH + high weight (>=12%) | 4-5 | Fix next -- moves score most |
| 3 | HIGH + low weight (<12%) | 4-5 | Fix after high-weight items |
| 4 | MEDIUM | 6-7 | Fix next sprint |
| 5 | LOW | 8 | Backlog or skip |
| Scorecard Category | Fix Pattern File |
|-------------------|------------------|
| Input Validation, Secrets Management | references/fix/fix-patterns/input-secrets.md |
| Dependencies, Error Handling | references/fix/fix-patterns/deps-errors.md |
| CSP, Data Protection | references/fix/fix-patterns/csp-data.md |
| Redirects, Webhooks | references/fix/fix-patterns/redirect-webhook.md |
| Monitoring, Supply Chain | references/fix/fix-patterns/monitoring-supply.md |
Load references/fix/implementation-workflow.md for the 6-step process: parse -> prioritize -> fix -> verify -> re-score.
## Mode: loop

Auto-iterate score -> fix until the target grade is reached (max 5 iterations, stop on plateau).
## Mode: generate

Generate code meeting all 10 categories at 9-10/10. Load references/generate/workflow.md.
Parse request → Load criteria → Generate with all patterns → Self-check → Output (assets/templates/generated-code.md.template)
## Mode: review

Quick 1-2 file review. Load references/review/workflow.md.
Read files → Score applicable categories → Annotate line numbers → Suggest fixes (assets/templates/review-report.md.template)
## Mode: migrate

Upgrade code for framework changes. Load references/migrate/workflow.md.
Detect versions → Map breaking changes → Apply migrations → Verify (assets/templates/migration-report.md.template)
## Mode: test

Generate tests from scoring criteria. Load references/test/workflow.md.
Map categories to assertions → Generate tests → Output suite (assets/templates/test-suite.md.template)
## Reference Files

- references/scoring/overview.md -- Scoring system, output format, quality gates, OWASP mapping
- references/scoring/best-practices.md -- Do/Don't tables for all categories
- references/scoring/scoring-workflow.md -- Step-by-step audit process
- references/scoring/criteria/input-secrets.md -- Input Validation (15%) + Secrets (12%)
- references/scoring/criteria/deps-errors.md -- Dependencies (10%) + Error Handling (12%)
- references/scoring/criteria/csp-data.md -- CSP (10%) + Data Protection (10%)
- references/scoring/criteria/redirect-webhook.md -- Redirects (8%) + Webhooks (8%)
- references/scoring/criteria/monitoring-supply.md -- Monitoring (8%) + Supply Chain (7%)
- references/fix/overview.md -- How fix works, priority order, score targets
- references/fix/best-practices.md -- Fix discipline, safe vs dangerous changes
- references/fix/implementation-workflow.md -- 6-step process, priority matrix
- references/fix/verification.md -- Post-fix checklist, re-scoring protocol, loop mode
- references/fix/fix-patterns/input-secrets.md -- Input validation, env sync
- references/fix/fix-patterns/deps-errors.md -- Dependency audit, error handling
- references/fix/fix-patterns/csp-data.md -- CSP headers, data protection
- references/fix/fix-patterns/redirect-webhook.md -- URL validation, webhook security
- references/fix/fix-patterns/monitoring-supply.md -- Logging, build security
- assets/templates/scorecard.md.template
- assets/templates/fix-report.md.template
- assets/templates/generated-code.md.template
- assets/templates/review-report.md.template
- assets/templates/migration-report.md.template
- assets/templates/test-suite.md.template

tools