plugins/essentials/skills/security-audit/SKILL.md
Dispatch the security-auditor agent on the current branch diff with pre-gathered context. User-invocable only — does not auto-trigger on ambiguous phrasing. Use when you explicitly want a deep vulnerability audit of branch changes.
Install this skill globally with one command (works with Claude Code, Cursor, and Windsurf): `npx skillsauth add nicknisi/claude-plugins security-audit`
Launches the security-auditor agent (from this plugin) with pre-loaded branch context, so the agent does not have to assemble scope itself.

```bash
git rev-parse --abbrev-ref HEAD
git diff main...HEAD --stat
git log main..HEAD --oneline
gh pr view --json title,body,comments 2>/dev/null || echo "no open PR for this branch"
```

Dispatch the security-auditor agent via the Task tool with the context above. Scope the audit to the branch diff shown.
Report back the agent's findings verbatim. Do not summarize or re-rank — the agent's Phase 6 output is already the final report format.
- tools: Generate a /goal command to execute an ideation project's specs autonomously. Reads the contract, builds a goal prompt with phase ordering and spec paths, copies it to clipboard, and prints it. The user pastes the /goal command to start autonomous execution. Use when the user says 'goal', 'run as goal', 'get goal prompt', 'goal prompt', or wants to execute specs via /goal instead of /ideation:autopilot.
- development: Go up a layer of abstraction and map the surrounding architecture. Use when the user is unfamiliar with an area of code, asks "how does this fit in", "what calls this", "give me the big picture", "where am I", "map this out", "I'm lost", "explain this area", or needs to understand how a file, module, or function connects to the rest of the system. Also use when the user says /zoom-out or "zoom out" mid-conversation — even without a specific file reference, orient them based on whatever code is currently in context.
- development: Build a throwaway prototype to answer a design question before committing to real implementation. Generates either a runnable terminal app (for state machines, data models, business logic) or several radically different UI variations on one route (for visual/layout decisions). Use when the user wants to prototype, spike, POC, sanity-check a data model, mock up a UI, explore design options, or says "prototype this", "spike this out", "let me play with it", "try a few designs", "sketch this in code", "I want to try something before building it for real", "quick and dirty version", or "validate this approach" — even if they don't use the word "prototype."
- development: Comprehensive, codebase-wide quality sweep that dispatches parallel subagents to find and fix structural issues. Covers deduplication, type consolidation, dead code removal, circular dependencies, weak types, defensive try/catch, deprecated paths, and AI slop. Primary support for JS/TS projects (knip, madge, TypeScript types); other languages get grep-based analysis. Use when the user asks to "deep clean the whole repo", "run a full codebase audit", "nuclear cleanup", "deslop everything", or "sweep the entire codebase for quality issues". Do NOT use for single-file fixes, branch-scoped diffs (use de-slopify instead), or targeted refactors.