kanopi/security-audit
skills/security-audit/SKILL.md
Comprehensive OWASP Top 10 security vulnerability scanning and compliance reporting for Drupal and WordPress. Spawns security-specialist for full analysis. Invoke when user runs /audit-security, requests a full security audit, needs OWASP compliance review, or asks for comprehensive vulnerability scanning. Supports --quick, --standard, --comprehensive depth modes and scope/format/severity flags.
$ install --global
skillsauthnpx skillsauth add kanopi/cms-cultivator security-auditInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 19, 2026, 5:01 AM6.6s2 files scanned
SKILL.md
- name:
- security-audit
- description:
- Comprehensive OWASP Top 10 security vulnerability scanning and compliance reporting for Drupal and WordPress. Spawns security-specialist for full analysis. Invoke when user runs /audit-security, requests a full security audit, needs OWASP compliance review, or asks for comprehensive vulnerability scanning. Supports --quick, --standard, --comprehensive depth modes and scope/format/severity flags.
- disable-model-invocation:
- true
Security Audit
Comprehensive OWASP Top 10 security vulnerability scanning using the security-specialist agent.
Usage
/audit-security— Full OWASP Top 10 audit (standard depth)/audit-security --quick --scope=current-pr— Pre-commit security check/audit-security --comprehensive --format=summary— Pre-release deep audit with executive summary/audit-security --standard --format=sarif— Security tools integration/audit-security xss— Legacy focus area (still supported)
Arguments
Depth Modes
--quick— OWASP Top 3 only (~5 min): SQL injection, XSS, auth issues--standard— OWASP Top 10 (default, ~15 min)--comprehensive— OWASP Top 10 + CVE scanning + config review (~30 min)
Scope Control
--scope=current-pr— Only files changed in current PR--scope=user-input— Forms, queries, file uploads, API endpoints--scope=auth— Authentication/authorization logic--scope=api— API endpoints and integrations--scope=module=<name>— Specific module/directory--scope=file=<path>— Single file--scope=entire— Full codebase (default)
Output Formats
--format=report— Detailed security report with remediation steps (default)--format=json— Structured JSON for CI/CD--format=summary— Executive summary with risk assessment--format=sarif— SARIF format for security tools integration
Severity Thresholds
--min-severity=high— Only high and critical issues--min-severity=medium— Medium, high, and critical (default)--min-severity=low— All findings including informational
Legacy Focus Areas (Still Supported)
injection, xss, csrf, auth, encryption, dependencies
Environment Detection
Tier 1 — Portable (Claude Desktop, Codex, any environment)
When Task() or bash tools are unavailable, perform security analysis directly:
- Parse arguments — Determine depth, scope, format, and minimum severity
- Identify files to analyze — Use Glob and Grep to find PHP, JS, and template files
- Analyze security directly:
- Use Read and Grep to scan for SQL injection patterns (raw queries, string concatenation)
- Check for XSS vulnerabilities (unescaped output, innerHTML, echo without sanitization)
- Review CSRF protection (nonce verification, token validation)
- Check authentication patterns and authorization logic
- Identify hardcoded credentials or secrets in code
- Review CMS-specific patterns (Drupal db_query without placeholders, WordPress $wpdb without prepare())
- Generate report — Format findings per requested output format, prioritized Critical → High → Medium → Low
- Save report — Write to
audit-security-YYYY-MM-DD-HHMM.mdand present path to user
Supported checks in Tier 1: code pattern analysis for OWASP Top 10, CMS-specific vulnerability patterns.
Tier 2 — Claude Code Enhanced
When running in Claude Code with Task() available:
- Parse arguments — Determine depth, scope, format, and minimum severity
- Determine files — For
--scope=current-pr:
Forgit diff --name-only origin/main...HEAD | grep -E '\.(php|tsx?|jsx?|sql)$'--scope=user-input: find*Form*.php,*Controller*.php,*API*.phpFor--scope=auth: find*Auth*.php,*Login*.php,*Permission*.php - Spawn security-specialist:
Task(cms-cultivator:security-specialist:security-specialist, prompt="Perform comprehensive OWASP security audit with: - Depth mode: {depth} - Scope: {scope} - Format: {format} - Minimum severity: {min_severity} - Focus area: {focus or 'complete audit'} - Files to analyze: {file_list} Scan for OWASP Top 10 vulnerabilities, check input validation and output encoding, analyze authentication/authorization, review CMS-specific security for Drupal and WordPress, and check dependencies for CVEs. Save report to audit-security-YYYY-MM-DD-HHMM.md and present the file path.") - Present results to user with file path
OWASP Top 10 Coverage
- A01 Broken Access Control — Permission checks, access control bypass
- A02 Cryptographic Failures — Encryption, sensitive data exposure
- A03 Injection — SQL, command, LDAP injection
- A04 Insecure Design — Architecture-level security issues
- A05 Security Misconfiguration — Default configs, unnecessary features
- A06 Vulnerable Components — Outdated dependencies with CVEs
- A07 Auth Failures — Authentication/session management
- A08 Integrity Failures — CI/CD pipeline security
- A09 Logging Failures — Insufficient security logging
- A10 SSRF — Server-side request forgery
CMS-Specific Checks
Drupal: Form API CSRF tokens, db_query() with placeholders, render API XSS prevention, node access system, permissions.yml review
WordPress: $wpdb->prepare(), nonce verification, capability checks, sanitize_/esc_ usage, wp_verify_nonce(), update_option() security
Related Skills
- security-scanner — Quick code-level security checks (auto-activates on "is this secure?")
- audit-export — Export findings to CSV for project management tools
- audit-report — Generate client-facing executive summary from audit file
Related Skills
kanopi/strategist-site-audit
tools
VerifiedTrustedCommunity
Strategist-focused site audit for discovery and pre-discovery. Given a site URL and optional qualitative research data, navigates the site via CoWork, audits against all 21 UX Laws from lawsofux.com, reviews content hierarchy, synthesises qualitative data, runs Lighthouse, and produces two deliverables — a Project Knowledge Summary (Markdown for Claude Desktop Projects) and a polished, iterable HTML Artifact for client sharing. Use when a strategist, UX lead, or PM asks for a discovery audit, UX laws audit, content hierarchy review, pre-discovery site review, "audit this site for strategy", "strategist audit", "UX audit", or pastes a site URL with discovery context. Not for developer audits — use accessibility-audit, performance-audit, or live-site-audit for those.
11SKILL.mdUpdated May 15, 2026
kanopi/story-point-estimator
development
VerifiedTrustedCommunity
Provide story point estimation guidance with hour calculations for software development tasks. Uses Fibonacci sequence (1, 2, 3, 5, 8, 13, 21, 34+) and converts story points to hours. Includes platform-specific adjustments and velocity calculations.
11SKILL.mdUpdated May 15, 2026
kanopi/qa-review
tools
VerifiedTrustedCommunity
Perform a full QA review of a Teamwork task by reading the task and all its comments for context, extracting the multi-dev URL, generating dynamic validation steps tailored to the task type, and using CoWork browser automation to execute those steps on the multi-dev environment. Produces a structured validation report with pass/fail per step, screenshots, internal notes, and a client-facing summary — all shown in chat. Use this skill whenever the user asks to QA, test, validate, or review a Teamwork task or multi-dev environment — even if they just say "can you QA this?" or paste a Teamwork link. Also triggers for phrases like "run QA on", "check the multi-dev", "validate this task", "test the dev link", or "review the ticket". Works across Drupal/CMS updates, WordPress/plugin updates, bug fixes, new feature development, and general web development tasks.
11SKILL.mdUpdated May 15, 2026
kanopi/project-heartbeat
tools
VerifiedTrustedCommunity
Generate a client-facing project heartbeat / status update message for a Kanopi project, ready to be posted as a Teamwork message. Use this skill whenever the user asks to write, draft, generate, or send a project update, heartbeat, status update, or progress report to a client. Also triggers when the user says things like "time for a project update", "draft the heartbeat", "write up the update for [project]", or "it's been two weeks, let's send an update". Always use this skill — even if the user doesn't say "heartbeat" — whenever the intent is to summarise recent project activity for a client audience.
11SKILL.mdUpdated May 15, 2026