Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

kanopi/security-scanner

Name: security-scanner
Author: kanopi

skills/security-scanner/SKILL.md

npx skillsauth add kanopi/cms-cultivator security-scanner

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

Security Scanner

Automatically scan code for security vulnerabilities.

Security Philosophy

Security is a continuous practice, not a one-time fix.

Core Beliefs

Defense in Depth: Multiple layers of security controls
Least Privilege: Grant minimum access necessary
Secure by Default: Safe configurations out of the box
Fail Securely: Errors should deny access, not grant it

Scope Balance

Quick checks (this skill): Fast feedback on specific code patterns (catches common vulnerabilities)
Comprehensive audits (/audit-security command): Full OWASP Top 10 scan with dependency checks
Penetration testing: Professional security testing (irreplaceable for production systems)

This skill provides rapid feedback during development. For production readiness, use comprehensive audits + professional pentesting.

When to Use This Skill

Activate this skill when the user:

Asks "is this secure?"
Shows code handling user input
Mentions "security vulnerability", "exploit", or "hack"
References XSS, SQL injection, CSRF, or authentication
Shows database queries or file operations
Asks "could this be exploited?"

Decision Framework

Before scanning for security issues, assess:

What's the Attack Surface?

User input → Check for injection vulnerabilities (SQL, XSS, command injection)
Authentication → Check for weak passwords, session handling, brute force protection
Authorization → Check for privilege escalation, IDOR, access control
File operations → Check for path traversal, unrestricted uploads
API endpoints → Check for rate limiting, authentication, CORS

What's the Risk Level?

Critical risks (prioritize first):

SQL injection in authentication
XSS on admin pages
Authentication bypass
Remote code execution
Data exposure (PII, passwords)

High risks:

CSRF on state-changing operations
Authorization flaws
Insecure file uploads
Weak session management

Medium/Low risks:

Information disclosure
Missing security headers
Weak error messages

What Type of Code Is This?

User-facing:

Forms → Check input validation, CSRF tokens
Search → Check SQL injection, XSS
File uploads → Check file type, size, path validation

Backend:

Database queries → Check parameterization
File system → Check path traversal
External API calls → Check credential handling

Authentication/Authorization:

Login → Check brute force protection, password requirements
Sessions → Check secure flags, timeout
Permissions → Check role-based access control

What Platform Standards Apply?

Drupal:

Use database API (no raw queries)
Use Form API (built-in CSRF)
Use Render API (auto-escaping)
Check permissions with hasPermission()

WordPress:

Use wpdb->prepare() for queries
Use wp_nonce_field() for CSRF
Use esc_html(), esc_attr() for output
Check permissions with current_user_can()

Decision Tree

User shows code or asks about security
    ↓
Identify attack surface (input/auth/files)
    ↓
Assess risk level (Critical/High/Medium)
    ↓
Check against OWASP Top 10
    ↓
Apply platform-specific patterns
    ↓
Report vulnerabilities with fixes
    ↓
Prioritize by exploitability and impact

Best Practices

DO:

✅ Always validate and sanitize user input
✅ Use parameterized queries or ORM for database operations
✅ Escape output based on context (HTML, JavaScript, URL, CSS)
✅ Implement CSRF protection on all state-changing operations
✅ Check permissions before sensitive operations
✅ Use strong, unique API keys and rotate them regularly
✅ Log security-relevant events (failed logins, permission denials)
✅ Keep dependencies updated and scan for CVEs
✅ Use HTTPS for all data transmission

DON'T:

❌ Trust user input without validation
❌ Build SQL queries with string concatenation
❌ Echo user input directly without escaping
❌ Store passwords in plain text or use weak hashing
❌ Hard-code secrets, API keys, or credentials in code
❌ Use eval(), unserialize(), or exec() with user input
❌ Disable security features (CSRF protection, XSS filters)
❌ Expose detailed error messages to end users
❌ Use outdated cryptographic algorithms (MD5, SHA1 for passwords)
❌ Assume data from database or API is safe (defense in depth)

Quick Security Checks

For detailed before/after code examples for SQL injection, XSS, CSRF, file uploads, and access control, see security-patterns.md.

Key categories: SQL injection, XSS (output escaping), CSRF (nonce/token validation), authentication bypass, insecure file uploads.

Response Format

## Security Scan Results

### 🔴 Critical Issues (Fix Immediately)

**1. SQL Injection Vulnerability**
- **Location**: `src/Controller/UserController.php:45`
- **Risk**: Critical - Allows database manipulation
- **Code**:
  ```php
  $query = "SELECT * FROM users WHERE id = " . $_GET['id'];

Fix:

$query = $connection->select('users', 'u')
  ->condition('id', $id, '=')
  ->execute();

OWASP: A03:2021 – Injection

🟠 High Priority

2. Missing CSRF Protection

Location: src/Form/DeleteForm.php:67
Risk: High - Allows unauthorized actions
Fix: Add CSRF token validation

🟡 Medium Priority

3. Weak Password Policy

Current: Minimum 6 characters
Recommended: Minimum 12 characters + complexity rules

✅ Secure Patterns Found

✅ Output properly escaped (XSS protection)
✅ Access checks on admin routes
✅ File upload validation present


## OWASP Top 10 Quick Check

1. **Injection** - SQL, command, LDAP injection
2. **Broken Authentication** - Weak passwords, session management
3. **Sensitive Data Exposure** - Unencrypted data, weak crypto
4. **XML External Entities (XXE)** - XML parsing vulnerabilities
5. **Broken Access Control** - Missing permission checks
6. **Security Misconfiguration** - Default configs, verbose errors
7. **XSS** - Unescaped user input
8. **Insecure Deserialization** - Unsafe object deserialization
9. **Known Vulnerabilities** - Outdated dependencies
10. **Insufficient Logging** - No audit trail

## Platform-Specific Security

### Drupal Security

**Use**:
- `\Drupal\Component\Utility\Html::escape()` for output
- `\Drupal::database()->select()` for queries
- `\Drupal::csrfToken()->validate()` for forms
- `$this->currentUser()->hasPermission()` for access checks

### WordPress Security

**Use**:
- `esc_html()`, `esc_attr()`, `esc_url()` for output
- `$wpdb->prepare()` for queries
- `wp_verify_nonce()` for forms
- `current_user_can()` for permissions

## Integration with /audit-security Command

- **This Skill**: Focused code-level security checks
  - "Is this query secure?"
  - "Check this form for vulnerabilities"
  - Single function/file analysis

- **`/audit-security` Command**: Comprehensive security audit
  - Full OWASP Top 10 scan
  - Dependency vulnerability check
  - File permission analysis
  - Secrets detection

## Common Vulnerabilities

For input validation, output escaping, and access control code patterns, see [security-patterns.md](security-patterns.md).

## Resources

- [OWASP Top 10](https://owasp.org/www-project-top-ten/)
- [Drupal Security Best Practices](https://www.drupal.org/docs/security-in-drupal)
- [WordPress Security](https://developer.wordpress.org/apis/security/)

kanopi/security-scanner

skills/security-scanner/SKILL.md

Automatically scan code for security vulnerabilities when user asks if code is secure or shows potentially unsafe code. Performs focused security checks on specific code, functions, or patterns. Invoke when user asks "is this secure?", "security issue?", mentions XSS, SQL injection, or shows security-sensitive code.

5 stars

development

Updated Apr 19, 2026

$ install --global

skillsauth

npx skillsauth add kanopi/cms-cultivator security-scanner

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: Apr 19, 2026, 5:01 AM5.8s2 files scanned

SKILL.md

name:: security-scanner
description:: Automatically scan code for security vulnerabilities when user asks if code is secure or shows potentially unsafe code. Performs focused security checks on specific code, functions, or patterns. Invoke when user asks "is this secure?", "security issue?", mentions XSS, SQL injection, or shows security-sensitive code.

Security Scanner

Automatically scan code for security vulnerabilities.

Security Philosophy

Security is a continuous practice, not a one-time fix.

Core Beliefs

Defense in Depth: Multiple layers of security controls
Least Privilege: Grant minimum access necessary
Secure by Default: Safe configurations out of the box
Fail Securely: Errors should deny access, not grant it

Scope Balance

Quick checks (this skill): Fast feedback on specific code patterns (catches common vulnerabilities)
Comprehensive audits (/audit-security command): Full OWASP Top 10 scan with dependency checks
Penetration testing: Professional security testing (irreplaceable for production systems)

This skill provides rapid feedback during development. For production readiness, use comprehensive audits + professional pentesting.

When to Use This Skill

Activate this skill when the user:

Asks "is this secure?"
Shows code handling user input
Mentions "security vulnerability", "exploit", or "hack"
References XSS, SQL injection, CSRF, or authentication
Shows database queries or file operations
Asks "could this be exploited?"

Decision Framework

Before scanning for security issues, assess:

What's the Attack Surface?

User input → Check for injection vulnerabilities (SQL, XSS, command injection)
Authentication → Check for weak passwords, session handling, brute force protection
Authorization → Check for privilege escalation, IDOR, access control
File operations → Check for path traversal, unrestricted uploads
API endpoints → Check for rate limiting, authentication, CORS

What's the Risk Level?

Critical risks (prioritize first):

SQL injection in authentication
XSS on admin pages
Authentication bypass
Remote code execution
Data exposure (PII, passwords)

High risks:

CSRF on state-changing operations
Authorization flaws
Insecure file uploads
Weak session management

Medium/Low risks:

Information disclosure
Missing security headers
Weak error messages

What Type of Code Is This?

User-facing:

Forms → Check input validation, CSRF tokens
Search → Check SQL injection, XSS
File uploads → Check file type, size, path validation

Backend:

Database queries → Check parameterization
File system → Check path traversal
External API calls → Check credential handling

Authentication/Authorization:

Login → Check brute force protection, password requirements
Sessions → Check secure flags, timeout
Permissions → Check role-based access control

What Platform Standards Apply?

Drupal:

Use database API (no raw queries)
Use Form API (built-in CSRF)
Use Render API (auto-escaping)
Check permissions with hasPermission()

WordPress:

Use wpdb->prepare() for queries
Use wp_nonce_field() for CSRF
Use esc_html(), esc_attr() for output
Check permissions with current_user_can()

Decision Tree

User shows code or asks about security
    ↓
Identify attack surface (input/auth/files)
    ↓
Assess risk level (Critical/High/Medium)
    ↓
Check against OWASP Top 10
    ↓
Apply platform-specific patterns
    ↓
Report vulnerabilities with fixes
    ↓
Prioritize by exploitability and impact

Best Practices

DO:

✅ Always validate and sanitize user input
✅ Use parameterized queries or ORM for database operations
✅ Escape output based on context (HTML, JavaScript, URL, CSS)
✅ Implement CSRF protection on all state-changing operations
✅ Check permissions before sensitive operations
✅ Use strong, unique API keys and rotate them regularly
✅ Log security-relevant events (failed logins, permission denials)
✅ Keep dependencies updated and scan for CVEs
✅ Use HTTPS for all data transmission

DON'T:

❌ Trust user input without validation
❌ Build SQL queries with string concatenation
❌ Echo user input directly without escaping
❌ Store passwords in plain text or use weak hashing
❌ Hard-code secrets, API keys, or credentials in code
❌ Use eval(), unserialize(), or exec() with user input
❌ Disable security features (CSRF protection, XSS filters)
❌ Expose detailed error messages to end users
❌ Use outdated cryptographic algorithms (MD5, SHA1 for passwords)
❌ Assume data from database or API is safe (defense in depth)

Quick Security Checks

For detailed before/after code examples for SQL injection, XSS, CSRF, file uploads, and access control, see security-patterns.md.

Key categories: SQL injection, XSS (output escaping), CSRF (nonce/token validation), authentication bypass, insecure file uploads.

Response Format

## Security Scan Results

### 🔴 Critical Issues (Fix Immediately)

**1. SQL Injection Vulnerability**
- **Location**: `src/Controller/UserController.php:45`
- **Risk**: Critical - Allows database manipulation
- **Code**:
  ```php
  $query = "SELECT * FROM users WHERE id = " . $_GET['id'];

Fix:

$query = $connection->select('users', 'u')
  ->condition('id', $id, '=')
  ->execute();

OWASP: A03:2021 – Injection

🟠 High Priority

2. Missing CSRF Protection

Location: src/Form/DeleteForm.php:67
Risk: High - Allows unauthorized actions
Fix: Add CSRF token validation

🟡 Medium Priority

3. Weak Password Policy

Current: Minimum 6 characters
Recommended: Minimum 12 characters + complexity rules

✅ Secure Patterns Found

✅ Output properly escaped (XSS protection)
✅ Access checks on admin routes
✅ File upload validation present


## OWASP Top 10 Quick Check

1. **Injection** - SQL, command, LDAP injection
2. **Broken Authentication** - Weak passwords, session management
3. **Sensitive Data Exposure** - Unencrypted data, weak crypto
4. **XML External Entities (XXE)** - XML parsing vulnerabilities
5. **Broken Access Control** - Missing permission checks
6. **Security Misconfiguration** - Default configs, verbose errors
7. **XSS** - Unescaped user input
8. **Insecure Deserialization** - Unsafe object deserialization
9. **Known Vulnerabilities** - Outdated dependencies
10. **Insufficient Logging** - No audit trail

## Platform-Specific Security

### Drupal Security

**Use**:
- `\Drupal\Component\Utility\Html::escape()` for output
- `\Drupal::database()->select()` for queries
- `\Drupal::csrfToken()->validate()` for forms
- `$this->currentUser()->hasPermission()` for access checks

### WordPress Security

**Use**:
- `esc_html()`, `esc_attr()`, `esc_url()` for output
- `$wpdb->prepare()` for queries
- `wp_verify_nonce()` for forms
- `current_user_can()` for permissions

## Integration with /audit-security Command

- **This Skill**: Focused code-level security checks
  - "Is this query secure?"
  - "Check this form for vulnerabilities"
  - Single function/file analysis

- **`/audit-security` Command**: Comprehensive security audit
  - Full OWASP Top 10 scan
  - Dependency vulnerability check
  - File permission analysis
  - Secrets detection

## Common Vulnerabilities

For input validation, output escaping, and access control code patterns, see [security-patterns.md](security-patterns.md).

## Resources

- [OWASP Top 10](https://owasp.org/www-project-top-ten/)
- [Drupal Security Best Practices](https://www.drupal.org/docs/security-in-drupal)
- [WordPress Security](https://developer.wordpress.org/apis/security/)

Related Skills

kanopi/strategist-site-audit

tools

VerifiedTrustedCommunity

Strategist-focused site audit for discovery and pre-discovery. Given a site URL and optional qualitative research data, navigates the site via CoWork, audits against all 21 UX Laws from lawsofux.com, reviews content hierarchy, synthesises qualitative data, runs Lighthouse, and produces two deliverables — a Project Knowledge Summary (Markdown for Claude Desktop Projects) and a polished, iterable HTML Artifact for client sharing. Use when a strategist, UX lead, or PM asks for a discovery audit, UX laws audit, content hierarchy review, pre-discovery site review, "audit this site for strategy", "strategist audit", "UX audit", or pastes a site URL with discovery context. Not for developer audits — use accessibility-audit, performance-audit, or live-site-audit for those.

11SKILL.mdUpdated May 15, 2026

kanopi/strategist-site-audit

kanopi/story-point-estimator

development

VerifiedTrustedCommunity

Provide story point estimation guidance with hour calculations for software development tasks. Uses Fibonacci sequence (1, 2, 3, 5, 8, 13, 21, 34+) and converts story points to hours. Includes platform-specific adjustments and velocity calculations.

11SKILL.mdUpdated May 15, 2026

kanopi/story-point-estimator

kanopi/qa-review

tools

VerifiedTrustedCommunity

Perform a full QA review of a Teamwork task by reading the task and all its comments for context, extracting the multi-dev URL, generating dynamic validation steps tailored to the task type, and using CoWork browser automation to execute those steps on the multi-dev environment. Produces a structured validation report with pass/fail per step, screenshots, internal notes, and a client-facing summary — all shown in chat. Use this skill whenever the user asks to QA, test, validate, or review a Teamwork task or multi-dev environment — even if they just say "can you QA this?" or paste a Teamwork link. Also triggers for phrases like "run QA on", "check the multi-dev", "validate this task", "test the dev link", or "review the ticket". Works across Drupal/CMS updates, WordPress/plugin updates, bug fixes, new feature development, and general web development tasks.

11SKILL.mdUpdated May 15, 2026

kanopi/project-heartbeat

tools

VerifiedTrustedCommunity

Generate a client-facing project heartbeat / status update message for a Kanopi project, ready to be posted as a Teamwork message. Use this skill whenever the user asks to write, draft, generate, or send a project update, heartbeat, status update, or progress report to a client. Also triggers when the user says things like "time for a project update", "draft the heartbeat", "write up the update for [project]", or "it's been two weeks, let's send an update". Always use this skill — even if the user doesn't say "heartbeat" — whenever the intent is to summarise recent project activity for a client audience.

11SKILL.mdUpdated May 15, 2026

kanopi/project-heartbeat

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/kanopi/cms-cultivator.git

# Copy into Claude Code skills folder (global)
cp -r cms-cultivator/skills/security-scanner ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

kanopi/cms-cultivator

5 stars

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT