codewithbehnam/security-scan
skills/security-scan/SKILL.md
Scan the codebase for security vulnerabilities based on the OWASP Top 10. Use when the user asks to audit security, find vulnerabilities, check for security issues, or says "security scan", "audit this", "find security bugs".
development
Updated Apr 20, 2026
$ install --global
skillsauthnpx skillsauth add codewithbehnam/cc-docs security-scanInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 20, 2026, 3:21 AM56.8s1 file scanned
SKILL.md
- name:
- security-scan
- description:
- >
- context:
- fork
- agent:
- Explore
- allowed-tools:
- Read, Grep, Glob, Bash(find *), Bash(git *)
Context
- Repository: !
git rev-parse --show-toplevel 2>/dev/null || pwd - Languages detected: !
find . -type f \( -name "*.py" -o -name "*.ts" -o -name "*.js" -o -name "*.go" -o -name "*.rb" -o -name "*.java" \) | sed 's/.*\.//' | sort | uniq -c | sort -rn | head -10 - Target: $ARGUMENTS
Task
Perform a security audit of the codebase (or the path specified in $ARGUMENTS) covering the OWASP Top 10:
-
A01 - Broken Access Control: Look for missing authorization checks, IDOR patterns, direct object references, insecure direct database access without ownership checks.
-
A02 - Cryptographic Failures: Find hardcoded secrets, API keys, passwords in source code. Check for use of weak algorithms (MD5, SHA1 for passwords, ECB mode). Look for unencrypted sensitive data in logs or responses.
-
A03 - Injection: Search for SQL queries built with string concatenation, unsanitized shell commands, template injection, LDAP injection, and XSS sinks.
-
A04 - Insecure Design: Identify missing rate limiting on auth endpoints, no CSRF protection on state-changing forms, missing input length limits.
-
A05 - Security Misconfiguration: Check for debug mode enabled, verbose error messages exposing internals, permissive CORS headers, default credentials in config files.
-
A06 - Vulnerable Components: Note any obviously outdated dependency versions or known-vulnerable packages in
package.json,requirements.txt,go.mod, orGemfile. -
A07 - Authentication Failures: Look for weak session management, missing account lockout, insecure password reset flows, JWT with weak or no signature verification.
-
A08 - Software Integrity Failures: Check for use of untrusted CDN resources without integrity hashes, insecure deserialization of user-supplied data.
-
A09 - Logging Failures: Verify that authentication events are logged, that logs do not contain passwords or tokens, and that errors are logged without exposing stack traces to users.
-
A10 - SSRF: Find URL parameters or user-controlled values passed to HTTP clients, file readers, or DNS lookups without validation.
For each finding, read the surrounding code to confirm it is a real issue, not a false positive.
Output Format
Executive Summary
Total findings by severity. One-paragraph risk assessment.
Findings
For each vulnerability:
- ID: VULN-001, VULN-002, ...
- Category: OWASP category (e.g., A03 - Injection)
- Severity: Critical / High / Medium / Low / Informational
- File:
path/to/file.py:42 - Description: what the vulnerability is
- Evidence: the specific code snippet or pattern found
- Remediation: concrete steps to fix it
No Issues Found
List categories where no issues were detected (to show coverage).
Out of Scope
Note any areas not checked (e.g., third-party libraries, infrastructure config not present in the repo).
Related Skills
codewithbehnam/steer
tools
VerifiedTrustedCommunity
macOS GUI automation CLI. Use steer to see the screen, click elements, type text, send hotkeys, scroll, drag, manage windows and apps, run OCR on Electron apps, and wait for UI conditions.
1SKILL.mdUpdated Apr 18, 2026
codewithbehnam/ship
testing
VerifiedTrustedCommunity
Ship workflow: merge main, run tests, review diff, bump VERSION, update CHANGELOG, commit, push, create PR.
1SKILL.mdUpdated Apr 18, 2026
codewithbehnam/setup-browser-cookies
testing
VerifiedTrustedCommunity
Import cookies from your real browser (Comet, Chrome, Arc, Brave, Edge) into the headless browse session. Opens an interactive picker UI where you select which cookie domains to import. Use before QA testing authenticated pages.
1SKILL.mdUpdated Apr 18, 2026
codewithbehnam/retro
development
VerifiedTrustedCommunity
Weekly engineering retrospective. Analyzes commit history, work patterns, and code quality metrics with persistent history and trend tracking. Team-aware: breaks down per-person contributions with praise and growth areas.
1SKILL.mdUpdated Apr 18, 2026