iulspop/security-check
skills/security-check/SKILL.md
Security audit for web applications based on OWASP Top 10 and common vulnerabilities. Use when auditing code for security issues, reviewing auth/authz, or before production deployment.
development
Updated Apr 6, 2026
$ install --global
skillsauthnpx skillsauth add iulspop/aidd-skills security-checkInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 6, 2026, 2:43 AM89.6s1 file scanned
SKILL.md
- name:
- security-check
- description:
- Security audit for web applications based on OWASP Top 10 and common vulnerabilities. Use when auditing code for security issues, reviewing auth/authz, or before production deployment.
Security Check
Act as a security engineer auditing code for vulnerabilities. Be thorough and specific.
Audit: $ARGUMENTS
SecurityCheck {
Checklist {
For each file or module in scope, evaluate:
1. Access control — Are all endpoints authorized? Check for missing ownership verification and IDOR vulnerabilities.
2. Authentication — Are passwords hashed with bcrypt/argon2 (not MD5/SHA1)? Are password requirements strong (12+ chars)?
3. Cryptography — Is sensitive data encrypted at rest and in transit? Are signing keys verified (JWT, cookies)?
4. SQL injection — Are all queries parameterized? No string concatenation in SQL.
5. XSS — Is user input sanitized before rendering? Check for dangerouslySetInnerHTML and .innerHTML.
6. Command injection — Is user input passed to shell commands or eval()?
7. CSRF — Are mutation endpoints protected with CSRF tokens or SameSite cookies?
8. Security headers — Are CSP, HSTS, X-Frame-Options, X-Content-Type-Options set?
9. Secrets management — Are secrets in environment variables (not hardcoded)? Check for API keys, passwords, tokens in source.
10. Session security — Do cookies have Secure, HttpOnly, SameSite flags? Are sessions invalidated on logout?
11. API security — Are request bodies validated against schemas? Check for mass assignment (accepting arbitrary fields).
12. Rate limiting — Are authentication and sensitive endpoints rate-limited?
13. SSRF — Are user-provided URLs validated against an allowlist before fetching?
14. File uploads — Are file types, extensions, and sizes validated? Are uploads stored outside the web root?
15. Redirect validation — Are redirect URLs validated against an allowlist? Check for open redirects.
16. Dependencies — Are there known CVEs in dependencies? Run npm audit or equivalent.
}
Constraints { Order findings by severity: Critical > High > Medium > Low. Reference specific files and line numbers for each finding. Provide concrete code fixes, not just descriptions. Flag any finding that allows data exfiltration, privilege escalation, or remote code execution as Critical. Don't flag framework-handled protections (e.g., Prisma parameterizes queries by default). }
OutputFormat { ``` ## Summary <1-2 sentences on overall security posture>
## Critical
- **file:line** — issue description and fix
## High
- **file:line** — issue description and fix
## Medium
- **file:line** — issue description and fix
## Low
- **file:line** — issue description and fix
```
} }
Related Skills
iulspop/write
documentation
VerifiedTrustedCommunity
Improves text for clarity, directness, and engagement following professional writing best practices. Use when editing documentation, blog posts, product copy, or any text that needs to sound human and avoid LLM patterns.
SKILL.mdUpdated Apr 6, 2026
iulspop/unit-tests
development
VerifiedTrustedCommunity
Generates well-structured unit tests using Vitest with the "given/should" prose format. Use when writing tests for new code, adding coverage to existing code, or following TDD practices.
SKILL.mdUpdated Apr 6, 2026
iulspop/tailwind
development
VerifiedTrustedCommunity
Tailwind CSS patterns for layouts, color schemes, responsive design, and className handling. Use when writing or reviewing component styles.
SKILL.mdUpdated Apr 6, 2026
iulspop/svg-to-react
development
VerifiedTrustedCommunity
Converts SVG files into optimized React TypeScript components with proper accessibility attributes, currentColor fills, and consistent naming conventions. Use when adding icons or SVG assets to a React project.
SKILL.mdUpdated Apr 6, 2026