jmagly/security-audit
plugins/sdlc/skills/security-audit/SKILL.md
Perform comprehensive security assessment
$ install --global
skillsauthnpx skillsauth add jmagly/aiwg security-auditInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 4, 2026, 7:39 AM142.2s1 file scanned
SKILL.md
- namespace:
- aiwg
- name:
- security-audit
- platforms:
- [all]
- description:
- Perform comprehensive security assessment
- category:
- security-quality
Security Audit Command
Perform comprehensive security assessment
Instructions
Perform a systematic security audit following these steps:
-
Environment Setup
- Identify the technology stack and framework
- Check for existing security tools and configurations
- Review deployment and infrastructure setup
-
Dependency Security
- Scan all dependencies for known vulnerabilities
- Check for outdated packages with security issues
- Review dependency sources and integrity
- Use appropriate tools:
npm audit,pip check,cargo audit, etc.
-
Authentication & Authorization
- Review authentication mechanisms and implementation
- Check for proper session management
- Verify authorization controls and access restrictions
- Examine password policies and storage
-
Input Validation & Sanitization
- Check all user input validation and sanitization
- Look for SQL injection vulnerabilities
- Identify potential XSS (Cross-Site Scripting) issues
- Review file upload security and validation
-
Data Protection
- Identify sensitive data handling practices
- Check encryption implementation for data at rest and in transit
- Review data masking and anonymization practices
- Verify secure communication protocols (HTTPS, TLS)
-
Secrets Management
- Scan for hardcoded secrets, API keys, and passwords
- Check for proper secrets management practices
- Review environment variable security
- Identify exposed configuration files
-
Error Handling & Logging
- Review error messages for information disclosure
- Check logging practices for security events
- Verify sensitive data is not logged
- Assess error handling robustness
-
Infrastructure Security
- Review containerization security (Docker, etc.)
- Check CI/CD pipeline security
- Examine cloud configuration and permissions
- Assess network security configurations
-
Security Headers & CORS
- Check security headers implementation
- Review CORS configuration
- Verify CSP (Content Security Policy) settings
- Examine cookie security attributes
-
Reporting
- Document all findings with severity levels (Critical, High, Medium, Low)
- Provide specific remediation steps for each issue
- Include code examples and file references
- Create an executive summary with key recommendations
Use automated security scanning tools when available and provide manual review for complex security patterns.
References
- @$AIWG_ROOT/agentic/code/addons/aiwg-utils/rules/research-before-decision.md — Identify technology stack and existing security controls before scanning
- @$AIWG_ROOT/agentic/code/addons/aiwg-utils/rules/human-authorization.md — Report findings with severity levels; await owner authorization before attempting remediation
- @$AIWG_ROOT/agentic/code/frameworks/sdlc-complete/rules/token-security.md — Token security rules that this audit checks for violations
- @$AIWG_ROOT/agentic/code/frameworks/sdlc-complete/skills/security-gate/SKILL.md — Security gate that consumes this audit's findings to produce a pass/fail decision
- @$AIWG_ROOT/agentic/code/frameworks/sdlc-complete/rules/anti-laziness.md — Never reduce audit scope or skip vulnerability categories to complete faster
Related Skills
jmagly/radar-status
data-ai
VerifiedTrustedCommunity
Report which research-corpus radar sidecars are overdue for refresh. Computes staleness (days since last refresh vs the cadence window) for every radar, sorted most-overdue-first. Runs via `aiwg corpus radar-status`.
140SKILL.mdUpdated May 28, 2026
jmagly/radar-report
data-ai
VerifiedTrustedCommunity
Aggregate research-corpus radar sidecars into a corpus or per-cluster freshness report — totals, overdue count, per-cluster / per-GRADE / per-trajectory breakdowns, an overdue table, and per-radar rationale snippets. Runs via `aiwg corpus radar-report`.
140SKILL.mdUpdated May 28, 2026
jmagly/radar-init
testing
VerifiedTrustedCommunity
Scaffold radar/freshness sidecars for research-corpus REFs. Pulls title/authors from the citation sidecar and GRADE from the analysis doc, defaults the refresh cadence from GRADE and the cluster from a corpus-local map, and stamps documentation/radar/REF-XXX-radar.md. Runs via `aiwg corpus radar-init`.
140SKILL.mdUpdated May 28, 2026
jmagly/profile-temporal
data-ai
VerifiedTrustedCommunity
Compute an entity's publication trajectory — per-year paper counts, topic drift, hot-streak detection (≥3 consecutive A-grade years), and career phase. Runs via `aiwg corpus profile-temporal`.
140SKILL.mdUpdated May 28, 2026