skills/code-audit/SKILL.md
Security audit and code scanning. Use when the user asks to scan code for bugs/vulnerabilities, audit security, run SAST, find code patterns, or review code for security issues. Supports two modes — fast pattern scanning (Semgrep) for quick results and CI gating, and deep AI-powered investigation (deepsec) for thorough reasoning-based analysis. Also use when the user mentions "semgrep", "deepsec", "static analysis", "security scan", "code scanning", "find vulnerabilities", "scan my code", or "security audit".
Install: `npx skillsauth add luochang212/skills code-audit` (works with Claude Code, Cursor, and Windsurf).
Catalog scan status: 3 of 9 scanners reported clean; the remaining scanners were skipped, did not run, or reported a non-clean status.
Two complementary security audit approaches, one skill. Pick the right mode for the task.
Fast scan (Semgrep) — pattern-matching scanner. Finds bugs, security vulnerabilities, and coding-standard violations across 30+ languages in seconds. Best for CI gating, quick baselines, and "find all places where X is used with Y."
Deep audit (deepsec) — AI-powered investigation. Regex matchers find candidate sites (~15s), then AI agents read the full surrounding context and reason about exploitability. Best when the question is "is this actually exploitable?" rather than "does this line match a pattern?"
The two modes can chain: run a fast scan to surface candidates, then deep-investigate the findings that matter.
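As an added example (not the skill's own code and not part of the original page), here is one way to wire that chain in Python: the script consumes `semgrep --json` output, collapses duplicate hits, applies a severity gate for CI, and turns the remaining candidates into per-file questions for the deep pass. The JSON sample is constructed to mimic Semgrep's report schema (`check_id`, `path`, `start.line`, `extra.severity`, `extra.message`, `extra.lines`, `extra.metadata`); its rule ids, file paths and code snippets are invented, and the `deep_audit_prompt` format is an assumption about what a deep-audit agent would accept, not deepsec's actual interface.

```python
"""Fast-scan -> deep-audit triage (added example; not the skill's own code)."""
import json

SEVERITY_RANK = {"ERROR": 3, "WARNING": 2, "INFO": 1}


def _hit(rule, path, line, severity, message, snippet, cwe=()):
    # Shape of one entry in the `results` array of `semgrep --json`.
    return {
        "check_id": rule,
        "path": path,
        "start": {"line": line, "col": 1},
        "end": {"line": line, "col": 1 + len(snippet)},
        "extra": {"severity": severity, "message": message,
                  "lines": snippet, "metadata": {"cwe": list(cwe)}},
    }


# Constructed sample report: rule ids, paths and snippets are invented.
# The first two entries are the same site reported twice, as happens when
# two rulesets overlap.
SAMPLE_SEMGREP_JSON = json.dumps({
    "results": [
        _hit("python.lang.security.audit.subprocess-shell-true", "app/runner.py", 42,
             "ERROR", "subprocess call with shell=True and a non-literal command",
             "subprocess.run(cmd, shell=True)", ["CWE-78"]),
        _hit("python.lang.security.audit.subprocess-shell-true", "app/runner.py", 42,
             "ERROR", "subprocess call with shell=True and a non-literal command",
             "subprocess.run(cmd, shell=True)", ["CWE-78"]),
        _hit("python.sqlalchemy.security.sqlalchemy-execute-raw-query", "app/db.py", 17,
             "WARNING", "raw SQL built by string formatting",
             "session.execute(f\"SELECT * FROM users WHERE name = '{name}'\")", ["CWE-89"]),
        _hit("python.lang.best-practice.unused-variable", "tests/test_db.py", 3,
             "INFO", "unused variable", "result = 1"),
    ],
    "errors": [],
})


def load_findings(raw_json):
    """Flatten a `semgrep --json` report into one flat dict per hit."""
    findings = []
    for r in json.loads(raw_json).get("results", []):
        extra = r.get("extra", {})
        findings.append({
            "rule": r["check_id"],
            "path": r["path"],
            "line": r["start"]["line"],
            "severity": extra.get("severity", "INFO"),
            "message": extra.get("message", ""),
            "snippet": extra.get("lines", "").strip(),
            "cwe": extra.get("metadata", {}).get("cwe", []),
        })
    return findings


def dedupe(findings):
    """Collapse repeated hits on the same rule/file/line."""
    seen, unique = set(), []
    for f in findings:
        key = (f["rule"], f["path"], f["line"])
        if key not in seen:
            seen.add(key)
            unique.append(f)
    return unique


def ci_gate(findings, fail_on="ERROR"):
    """CI exit status: 1 if any finding is at or above `fail_on`, else 0."""
    threshold = SEVERITY_RANK[fail_on]
    return 1 if any(SEVERITY_RANK.get(f["severity"], 0) >= threshold for f in findings) else 0


def deep_audit_queue(findings, min_severity="WARNING", skip_prefixes=("tests/",)):
    """Select hits worth an AI deep pass and group them by file.

    Returns path -> findings, highest severity first, so the deep pass reads
    each file once with all of its candidate sites in hand.
    """
    threshold = SEVERITY_RANK[min_severity]
    keep = [f for f in dedupe(findings)
            if SEVERITY_RANK.get(f["severity"], 0) >= threshold
            and not f["path"].startswith(skip_prefixes)]
    keep.sort(key=lambda f: (-SEVERITY_RANK[f["severity"]], f["path"], f["line"]))
    queue = {}
    for f in keep:
        queue.setdefault(f["path"], []).append(f)
    return queue


def deep_audit_prompt(path, hits):
    """Render one file's candidates as the question the deep pass must answer.

    Hypothetical format: a real deep-audit tool defines its own input."""
    lines = [f"File: {path}"]
    for h in hits:
        lines.append(f"  line {h['line']} [{h['severity']}] {h['rule']}: {h['message']}")
        lines.append(f"    {h['snippet']}")
    lines.append("  For each site: is it reachable with attacker-controlled input, "
                 "and is it actually exploitable?")
    return "\n".join(lines)


if __name__ == "__main__":
    hits = load_findings(SAMPLE_SEMGREP_JSON)
    for path, sites in deep_audit_queue(hits).items():
        print(deep_audit_prompt(path, sites), end="\n\n")
    raise SystemExit(ci_gate(hits))
```

In a real pipeline the constant would be replaced by the file written by `semgrep --json --config auto -o semgrep.json .`; the gate decides whether CI blocks the merge, while the queue is what gets handed to the deep pass, so INFO-level style hits never cost deep-audit time.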
| User says | Mode | Read |
|-----------|------|------|
| "scan it" / "find bugs" / "semgrep" / "CI scan" / "find patterns" / "SAST" | Fast scan | references/semgrep.md |
| "deep audit" / "deepsec" / "AI scan" / "PR security review" / "is this exploitable" | Deep audit | references/deepsec.md |
| "audit" / "security review" (ambiguous) | Ask: quick scan or deep AI investigation? | Both |
If the user provides no clear signal, briefly explain both modes and let them choose. Fast scan takes seconds and is free; deep audit takes minutes and costs money.
Dependency auditors such as npm audit, cargo audit and pip audit are separate tools, not modes of this skill. Once the mode is chosen, read the matching references/*.md file and follow its workflow.
Other skill entries listed on the page:

- md-to-pdf: Use when converting Markdown files (.md) to PDF on macOS, Windows, or Linux, especially files containing CJK (Chinese/Japanese/Korean) text. Triggers include "convert md to pdf", "markdown to pdf", "generate pdf from markdown", "export md as pdf", "md to pdf" (Chinese: md转pdf). Two cross-platform backends: Playwright/Chromium for best quality (default), reportlab as a pure-Python lightweight fallback.
- Create beautiful, self-contained single-file HTML reports, landing pages, and documents that are visual, interactive, and spatial. Use when the user wants to present information that would benefit from layout, color, diagrams, or interaction, such as project reports, product pages, architecture overviews, design documents, dashboards, slide decks, code review summaries, incident post-mortems, status reports, or any document where plain text would be too flat. Triggers include "create an HTML page", "make a report", "write a landing page", "build a dashboard", "present this information visually", or any request to communicate technical or business information in a polished, readable format.
- Use when the user asks to review code quality, find redundant code, audit duplication, or "clean up" a codebase. Also use when the user says "find issues" or "anything worth fixing" after a feature is built. This skill provides a systematic framework for identifying code quality issues, evaluating whether each fix is worth making, and safely applying changes without over-engineering.
- AI-powered vulnerability scanning with deepsec. Use when the user asks to audit security, scan for vulnerabilities, run a deep security audit, or review code for security issues. Also use when the user mentions "deepsec", "AI security scan", "agent-powered audit", "deep code audit", or wants to find hard-to-find vulnerabilities that grep/Semgrep would miss. Use for PR security review when the user mentions "review this PR for security" or "check these changes for vulnerabilities". Prefer this over semgrep when the user wants thorough, reasoning-based investigation rather than pattern matching.