skills/code-security/SKILL.md
Security audit and vulnerability detection. Use when reviewing code for security issues, scanning dependencies, or addressing security concerns. Triggers on "security", "vulnerability", "audit", "CVE", "injection", "XSS", "SQL injection", "auth", or when the user asks to check for security issues.
```bash
npx skillsauth add martinffx/claude-code-atelier code-security
```

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security audit workflow and checklist.
Run automated security tools.
```bash
# Check dependencies
npm audit
pip-audit
cargo audit

# Run security scanner
trivy fs .
snyk test
```
Manual code review against checklist.
See references/owasp-top-10.md for common vulnerabilities.
Remediate vulnerabilities found.
Re-scan to confirm fixes.
| Check | Pattern |
|-------|---------|
| SQL | Parameterized queries |
| Command | No shell execution with user input |
| XSS | Escape/validate output |
| LDAP | Escape DN components |

| Check | Pattern |
|-------|---------|
| Passwords | Hash with bcrypt/argon2 |
| Sessions | Secure, httpOnly cookies |
| Tokens | Short-lived, proper validation |
| MFA | Consider for sensitive ops |

| Check | Pattern |
|-------|---------|
| Secrets | Never in code |
| PII | Encrypt at rest |
| Transport | HTTPS only |
| Logs | No sensitive data |

| Check | Pattern |
|-------|---------|
| Vulnerabilities | Scan regularly |
| Outdated | Update promptly |
| Sources | Trusted packages only |
See references/vulnerability-patterns.md for detailed patterns:
```python
# BAD
query = f"SELECT * FROM users WHERE id = {user_id}"

# GOOD
query = "SELECT * FROM users WHERE id = %s"
cursor.execute(query, (user_id,))
```
```javascript
// BAD
element.innerHTML = userInput;

// GOOD
element.textContent = userInput;
// or
element.setAttribute('title', sanitize(userInput));
```
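```python
import os
import subprocess

# BAD: the string is handed to a shell, which interprets metacharacters in host
os.system(f"ping {host}")

# GOOD: argv list, no shell involved
subprocess.run(['ping', host])
```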
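The list form above keeps the shell out of the picture, but `host` can still reach `ping` as an option if it starts with `-`. The following is an added example, not part of the skill's own code: it validates the value as an IP literal or DNS name before building the argument list. The names `validate_host`, `build_ping_argv` and `ping` are hypothetical, and the `-c` and `--` arguments assume a POSIX `ping` (Linux, macOS).

```python
import ipaddress
import re
import subprocess

# One DNS label: 1-63 chars, alphanumeric at both ends, hyphens allowed inside.
_LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")


def validate_host(host: str) -> str:
    """Return host unchanged if it is an IP literal or a plain DNS name, else raise ValueError."""
    if not isinstance(host, str) or not 0 < len(host) <= 253:
        raise ValueError("host must be a non-empty string of at most 253 characters")
    try:
        ipaddress.ip_address(host)  # accepts IPv4 and IPv6 literals
        return host
    except ValueError:
        pass  # not an IP literal, fall through to the DNS-name check
    labels = host.rstrip(".").split(".")
    # fullmatch (not match) so a trailing newline or extra text cannot slip through
    if not all(_LABEL.fullmatch(label) for label in labels):
        raise ValueError(f"not a valid host name or IP address: {host!r}")
    return host


def build_ping_argv(host: str, count: int = 1) -> list[str]:
    # "--" ends option parsing (getopt convention), so even a value that
    # slipped past validation could not be read as a ping option.
    return ["ping", "-c", str(int(count)), "--", validate_host(host)]


def ping(host: str) -> bool:
    # No shell=True: the argv list is passed to the program as-is, nothing re-parses it.
    result = subprocess.run(build_ping_argv(host), capture_output=True, timeout=10, check=False)
    return result.returncode == 0


if __name__ == "__main__":
    # Constructed sample inputs; only validation runs here, no packets are sent.
    for sample in ["example.com", "192.0.2.10", "-f", "example.com; id"]:
        try:
            print(sample, "->", build_ping_argv(sample))
        except ValueError as exc:
            print(sample, "-> rejected:", exc)
```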
```javascript
// BAD
const apiKey = "sk_live_12345";

// GOOD (environment variable)
const apiKey = process.env.API_KEY;
```
See references/security-tools.md for setup and usage:
| Tool | Ecosystem | Purpose |
|------|-----------|---------|
| npm audit | Node.js | Dependency vulnerabilities |
| pip-audit | Python | Dependency vulnerabilities |
| cargo-audit | Rust | Dependency vulnerabilities |
| Snyk | Multi | Vulnerability scanning |
| Trivy | Multi | Container/infra scanning |
| OWASP ZAP | Multi | Web app scanning |
| bandit | Python | Static analysis |
| ESLint security | JS/TS | Static analysis |
After security audit:
```markdown
## Security Audit

### Scan Results
- Dependencies: 0 vulnerabilities
- Static analysis: 1 issue found

### Issues Found
| Severity | Issue | Location | Fix |
|----------|-------|----------|-----|
| High | SQL injection | users.py:42 | Use parameterized query |
| Medium | Hardcoded secret | config.js:5 | Use env var |

### Recommendations
1. Enable 2FA for admin accounts
2. Rotate API keys quarterly
3. Set up automated dependency scanning
```