Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

dyoshikawa/security-scan-diff

Name: security-scan-diff
Author: dyoshikawa

.rulesync/skills/security-scan-diff/SKILL.md

npx skillsauth add dyoshikawa/rulesync security-scan-diff

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

target_ref = $ARGUMENTS

If target_ref is not provided, ask the user which tag or commit to compare against HEAD.

Overview

Thoroughly check for malicious code in the diff between ${target_ref} and the latest commit (HEAD).

Steps

Verify the target ref exists and get the diff scope.
- Run git log ${target_ref}..HEAD --oneline to list commits.
- Run git diff ${target_ref}..HEAD --stat to get file change statistics.
- Categorize changed files into: CI/CD workflows, source code, and config/docs.
Execute the following security reviews in parallel using subagents:
- Call security-reviewer subagent to review CI/CD and workflow files (.github/, scripts/) for:
  - Secret exfiltration
  - Script injection (${{ github.event.* }} direct expansion in run:)
  - Suspicious external URLs/API connections
  - Privilege escalation or token misuse
  - Malicious command execution (curl | bash, eval, base64 decode execution)
  - Supply chain attack patterns (suspicious npm packages, unsigned action references)
  - Dangerous pull_request_target usage
- Call security-reviewer subagent to review source code files (src/) for:
  - Arbitrary code execution (eval, Function constructor, suspicious child_process usage)
  - Path traversal (../.. directory escape)
  - Command injection (user input passed directly to shell commands)
  - Suspicious external communication (fetch, http.request, axios to external URLs)
  - Unauthorized filesystem operations
  - Credential/token leakage (hardcoded tokens, logging sensitive values)
  - Dependency tampering (suspicious package.json changes)
  - Backdoor patterns (obfuscated code, suspicious conditionals, hidden functionality)
  - Prototype pollution and deserialization vulnerabilities
  - Supply chain attacks (suspicious new dependency packages)
- Call security-reviewer subagent to review config and documentation files for:
  - Suspicious dependencies or scripts in package.json
  - Suspicious registries or URLs in lockfiles
  - Security rule relaxation in config schemas or linter configs
  - Suspicious settings in devcontainer or editor configs
  - Phishing URLs in documentation
  - Malicious instructions in AI rule/subagent/skill definitions

Integrate the results from all subagents and produce a unified report in the following format:

## Security Review Report: ${target_ref} -> HEAD

### Conclusion
- Whether malicious code was detected or not

### Check Results Summary Table
| Check Item | Result |
|------------|--------|
| ... | ... |

### Findings (if any)
| Severity | Description | File | Risk |
|----------|-------------|------|------|
| ... | ... | ... | ... |

### Recommendations (if any)
- Actionable recommendations for each finding

### Positive Observations
- Good security practices found in the diff

dyoshikawa/security-scan-diff

.rulesync/skills/security-scan-diff/SKILL.md

Scan for malicious code in git diff between a tag/commit and HEAD

1,006 stars

development

Updated Apr 15, 2026

$ install --global

skillsauth

npx skillsauth add dyoshikawa/rulesync security-scan-diff

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: Apr 15, 2026, 5:23 PM64.5s1 file scanned

SKILL.md

name:: security-scan-diff
description:: Scan for malicious code in git diff between a tag/commit and HEAD

target_ref = $ARGUMENTS

If target_ref is not provided, ask the user which tag or commit to compare against HEAD.

Overview

Thoroughly check for malicious code in the diff between ${target_ref} and the latest commit (HEAD).

Steps

Verify the target ref exists and get the diff scope.
- Run git log ${target_ref}..HEAD --oneline to list commits.
- Run git diff ${target_ref}..HEAD --stat to get file change statistics.
- Categorize changed files into: CI/CD workflows, source code, and config/docs.
Execute the following security reviews in parallel using subagents:
- Call security-reviewer subagent to review CI/CD and workflow files (.github/, scripts/) for:
  - Secret exfiltration
  - Script injection (${{ github.event.* }} direct expansion in run:)
  - Suspicious external URLs/API connections
  - Privilege escalation or token misuse
  - Malicious command execution (curl | bash, eval, base64 decode execution)
  - Supply chain attack patterns (suspicious npm packages, unsigned action references)
  - Dangerous pull_request_target usage
- Call security-reviewer subagent to review source code files (src/) for:
  - Arbitrary code execution (eval, Function constructor, suspicious child_process usage)
  - Path traversal (../.. directory escape)
  - Command injection (user input passed directly to shell commands)
  - Suspicious external communication (fetch, http.request, axios to external URLs)
  - Unauthorized filesystem operations
  - Credential/token leakage (hardcoded tokens, logging sensitive values)
  - Dependency tampering (suspicious package.json changes)
  - Backdoor patterns (obfuscated code, suspicious conditionals, hidden functionality)
  - Prototype pollution and deserialization vulnerabilities
  - Supply chain attacks (suspicious new dependency packages)
- Call security-reviewer subagent to review config and documentation files for:
  - Suspicious dependencies or scripts in package.json
  - Suspicious registries or URLs in lockfiles
  - Security rule relaxation in config schemas or linter configs
  - Suspicious settings in devcontainer or editor configs
  - Phishing URLs in documentation
  - Malicious instructions in AI rule/subagent/skill definitions

Integrate the results from all subagents and produce a unified report in the following format:

## Security Review Report: ${target_ref} -> HEAD

### Conclusion
- Whether malicious code was detected or not

### Check Results Summary Table
| Check Item | Result |
|------------|--------|
| ... | ... |

### Findings (if any)
| Severity | Description | File | Risk |
|----------|-------------|------|------|
| ... | ... | ... | ... |

### Recommendations (if any)
- Actionable recommendations for each finding

### Positive Observations
- Good security practices found in the diff

Related Skills

dyoshikawa/rulesync

tools

VerifiedTrustedCommunity

Generates and syncs AI rule configuration files (.cursorrules, CLAUDE.md, copilot-instructions.md) across 20+ coding tools from a single source. Use when syncing AI rules, running rulesync commands, importing or generating rule files, or managing shared AI coding configurations.

1,142SKILL.mdUpdated Apr 15, 2026

dyoshikawa/skill-creator

tools

VerifiedTrustedCommunity

Guide for creating effective skills. This skill should be used when users want to create a new skill (or update an existing skill) that extends Claude's capabilities with specialized knowledge, workflows, or tool integrations.

1,006SKILL.mdUpdated Apr 15, 2026

dyoshikawa/skill-creator

dyoshikawa/release-dry-run

tools

VerifiedTrustedCommunity

Dry run for release: summarize changes since last release and suggest version bump.

1,006SKILL.mdUpdated Apr 15, 2026

dyoshikawa/release-dry-run

dyoshikawa/playwright-cli

tools

VerifiedTrustedCommunity

Automates browser interactions for web testing, form filling, screenshots, and data extraction. Use when the user needs to navigate websites, interact with web pages, fill forms, take screenshots, test web applications, or extract information from web pages.

1,006SKILL.mdUpdated Apr 15, 2026

dyoshikawa/playwright-cli

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/dyoshikawa/rulesync.git

# Copy into Claude Code skills folder (global)
cp -r rulesync/.rulesync/skills/security-scan-diff ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

dyoshikawa/rulesync

1,006 stars

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT