.agents/skills/security/SKILL.md

# Security Skill — AuditKit
This skill is auto-included in the generated ZIP when the Security pillar score is below 90.
## HTTP Security Headers

Add all of these to every response. Vercel users: add to `vercel.json`. Next.js users: add to `next.config.ts`. Two caveats before you paste: `preload` in HSTS commits the domain and every subdomain to HTTPS for the full `max-age` once it is submitted to the browser preload list, so only add it when every subdomain already serves HTTPS; and the `script-src` line below still allows inline and eval'd script, which removes most of the XSS protection a CSP gives you, so treat it as a starting point and tighten it after the report-only audit.

### next.config.ts

```typescript
const securityHeaders = [
  {
    key: 'Strict-Transport-Security',
    value: 'max-age=63072000; includeSubDomains; preload',
  },
  {
    key: 'Content-Security-Policy',
    value: [
      "default-src 'self'",
      "script-src 'self' 'unsafe-inline' 'unsafe-eval'", // tighten after audit
      "style-src 'self' 'unsafe-inline'",
      "img-src 'self' data: https:",
      "font-src 'self'",
      "connect-src 'self'",
      "frame-ancestors 'none'", // supersedes X-Frame-Options in CSP-aware browsers
    ].join('; '),
  },
  {
    key: 'X-Frame-Options', // kept for browsers that ignore frame-ancestors
    value: 'DENY',
  },
  {
    key: 'X-Content-Type-Options',
    value: 'nosniff',
  },
  {
    key: 'Referrer-Policy',
    value: 'strict-origin-when-cross-origin',
  },
  {
    key: 'Permissions-Policy',
    value: 'camera=(), microphone=(), geolocation=()',
  },
]

export default {
  async headers() {
    // '/(.*)' matches every route, including API routes and static assets
    return [{ source: '/(.*)', headers: securityHeaders }]
  },
}
```
### vercel.json

```json
{
  "headers": [
    {
      "source": "/(.*)",
      "headers": [
        { "key": "Strict-Transport-Security", "value": "max-age=63072000; includeSubDomains; preload" },
        { "key": "X-Frame-Options", "value": "DENY" },
        { "key": "X-Content-Type-Options", "value": "nosniff" },
        { "key": "Referrer-Policy", "value": "strict-origin-when-cross-origin" },
        { "key": "Permissions-Policy", "value": "camera=(), microphone=(), geolocation=()" }
      ]
    }
  ]
}
```
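Once the headers are deployed, verify them rather than trusting the config file: a CDN, a rewrite, or a second `export default` in `next.config.ts` can silently drop them. The checker below is an added example written for this skill, not part of AuditKit or of Next.js; `auditHeaders`, `parseCsp` and the `SAMPLE_HEADERS` fixture are names chosen here, and the fixture is constructed to match the `next.config.ts` block above with `X-Powered-By` still on.

```typescript
// Added example (not AuditKit's code). Checks a response-header map against the
// baseline in this skill and returns findings instead of printing them, so the
// same function can run in a test or a CI step.

export interface Finding { severity: 'error' | 'warn'; header: string; message: string }

const ONE_YEAR = 31536000; // seconds; the minimum HSTS max-age worth having

// HTTP header names are case-insensitive; lower-case keys once so lookups are too.
function normalise(h: Record<string, string>): Record<string, string> {
  const out: Record<string, string> = {};
  for (const [k, v] of Object.entries(h)) out[k.toLowerCase()] = v;
  return out;
}

// Parse a CSP string into directive -> source expressions.
export function parseCsp(policy: string): Map<string, string[]> {
  const m = new Map<string, string[]>();
  for (const part of policy.split(';')) {
    const [name, ...srcs] = part.trim().split(/\s+/);
    if (name) m.set(name.toLowerCase(), srcs);
  }
  return m;
}

export function auditHeaders(raw: Record<string, string>): Finding[] {
  const h = normalise(raw);
  const f: Finding[] = [];
  const err = (header: string, message: string) => { f.push({ severity: 'error', header, message }); };
  const warn = (header: string, message: string) => { f.push({ severity: 'warn', header, message }); };

  const hsts = h['strict-transport-security'];
  if (!hsts) err('Strict-Transport-Security', 'missing');
  else {
    const age = Number(/max-age=(\d+)/i.exec(hsts)?.[1] ?? 0);
    if (age < ONE_YEAR) warn('Strict-Transport-Security', `max-age ${age} is below one year`);
    if (!/includesubdomains/i.test(hsts)) warn('Strict-Transport-Security', 'includeSubDomains not set');
  }

  const csp = h['content-security-policy'];
  if (!csp) err('Content-Security-Policy', 'missing');
  else {
    const d = parseCsp(csp);
    if (!d.has('default-src')) err('Content-Security-Policy', 'no default-src fallback');
    if (!d.has('frame-ancestors') && !h['x-frame-options']) {
      err('Content-Security-Policy', 'no frame-ancestors and no X-Frame-Options: clickjacking possible');
    }
    // script-src falls back to default-src when absent, so audit whichever applies
    const script = d.get('script-src') ?? d.get('default-src') ?? [];
    for (const bad of ["'unsafe-inline'", "'unsafe-eval'", '*']) {
      if (script.includes(bad)) warn('Content-Security-Policy', `script-src allows ${bad}`);
    }
  }

  if ((h['x-content-type-options'] ?? '').toLowerCase() !== 'nosniff') err('X-Content-Type-Options', 'not nosniff');
  if (!h['referrer-policy']) warn('Referrer-Policy', 'missing');
  if (!h['permissions-policy']) warn('Permissions-Policy', 'missing');
  if (h['x-powered-by']) warn('X-Powered-By', `fingerprints the stack (${h['x-powered-by']})`);
  return f;
}

// Constructed fixture: the headers the next.config.ts above emits, plus the
// default X-Powered-By that Next.js adds until poweredByHeader is set to false.
export const SAMPLE_HEADERS: Record<string, string> = {
  'Strict-Transport-Security': 'max-age=63072000; includeSubDomains; preload',
  'Content-Security-Policy': "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; frame-ancestors 'none'",
  'X-Frame-Options': 'DENY',
  'X-Content-Type-Options': 'nosniff',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
  'Permissions-Policy': 'camera=(), microphone=(), geolocation=()',
  'X-Powered-By': 'Next.js',
};
```

Against a live deployment, feed it `Object.fromEntries(res.headers)` from a `fetch(url, { method: 'HEAD' })`; on the fixture above it reports no errors and three warnings (`'unsafe-inline'`, `'unsafe-eval'`, `X-Powered-By`), which is exactly the list this skill tells you to work through next.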
## Content Security Policy

Start permissive, then tighten. Ship the policy in report-only mode first so violations are reported but nothing is blocked, collect the reports for a release cycle, then move the same policy to the enforcing `Content-Security-Policy` header:

```http
# Start with report-only to find violations without breaking the site:
Content-Security-Policy-Report-Only: default-src 'self'; report-uri /csp-report
```

`report-uri` is deprecated in CSP Level 3 in favour of `report-to` (which needs a `Reporting-Endpoints` header), but it is still the most widely supported way to get reports, so send `report-uri` during the audit and add `report-to` alongside it rather than replacing it.
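The report-only phase is only useful if something reads the reports and turns them into the concrete sources to allow. Below is an added example for the `/csp-report` endpoint, written for this skill and not part of AuditKit: it accepts both report bodies a browser can send (the legacy `report-uri` shape with a `csp-report` object, and the Reporting API array used by `report-to`), aggregates them by directive and origin, and prints the allow-list additions a human should review. The function names and the `SAMPLE_REPORTS` fixture are constructed for the example.

```typescript
// Added example (not AuditKit's code). Parse and aggregate CSP violation reports.

interface Violation {
  directive: string;   // effective directive, e.g. "script-src"
  blocked: string;     // blocked URL, or "inline" / "eval" / "data"
  document: string;    // page that triggered the violation
  disposition: string; // "report" (report-only) or "enforce"
}

// Parse one POST body into zero or more violations. Anything unrecognised
// yields [] instead of throwing, so a malformed report cannot take down the endpoint.
export function parseCspReports(body: string): Violation[] {
  let data: unknown;
  try { data = JSON.parse(body); } catch { return []; }
  const out: Violation[] = [];
  const legacy = (data as any)?.['csp-report'];
  if (legacy && typeof legacy === 'object') {
    // Legacy report-uri body (application/csp-report). Older browsers only send
    // violated-directive, which may include the policy text, so keep the first token.
    out.push({
      directive: String(legacy['effective-directive'] ?? legacy['violated-directive'] ?? '').split(' ')[0],
      blocked: String(legacy['blocked-uri'] ?? ''),
      document: String(legacy['document-uri'] ?? ''),
      disposition: String(legacy['disposition'] ?? 'enforce'),
    });
  } else if (Array.isArray(data)) {
    // Reporting API body (application/reports+json): a list of reports of mixed types.
    for (const r of data) {
      if (r?.type !== 'csp-violation' || typeof r.body !== 'object' || r.body === null) continue;
      out.push({
        directive: String(r.body.effectiveDirective ?? ''),
        blocked: String(r.body.blockedURL ?? ''),
        document: String(r.body.documentURL ?? ''),
        disposition: String(r.body.disposition ?? 'enforce'),
      });
    }
  }
  return out.filter(v => v.directive !== '');
}

// Map a blocked URL to the source expression you would add to the directive.
// "inline" and "eval" mean the fix is a nonce/hash or a refactor, not an origin.
export function sourceFor(blocked: string): string {
  if (blocked === '') return 'unknown';
  if (blocked === 'inline' || blocked === 'eval') return blocked;
  if (blocked === 'data' || blocked === 'blob') return `${blocked}:`;
  try { return new URL(blocked).origin; } catch { return blocked; }
}

// directive -> source -> count, across many request bodies
export function aggregate(reports: string[]): Map<string, Map<string, number>> {
  const byDirective = new Map<string, Map<string, number>>();
  for (const body of reports) {
    for (const v of parseCspReports(body)) {
      const src = sourceFor(v.blocked);
      const m = byDirective.get(v.directive) ?? new Map<string, number>();
      m.set(src, (m.get(src) ?? 0) + 1);
      byDirective.set(v.directive, m);
    }
  }
  return byDirective;
}

// Render the aggregate as review items, most frequent first.
export function suggestions(agg: Map<string, Map<string, number>>): string[] {
  const lines: string[] = [];
  for (const [dir, srcs] of agg) {
    for (const [src, n] of [...srcs].sort((a, b) => b[1] - a[1])) {
      const hint = src === 'inline' ? "use a nonce or hash, not 'unsafe-inline'"
        : src === 'eval' ? "refactor, or accept 'unsafe-eval' knowingly"
        : `add ${src} to ${dir}`;
      lines.push(`${dir}: ${src} x${n} -> ${hint}`);
    }
  }
  return lines;
}

// Constructed sample bodies: two legacy reports, one Reporting API batch, one junk post.
export const SAMPLE_REPORTS: string[] = [
  JSON.stringify({ 'csp-report': { 'document-uri': 'https://example.com/', 'violated-directive': "script-src 'self'",
    'effective-directive': 'script-src', 'blocked-uri': 'https://cdn.example.net/analytics.js', disposition: 'report' } }),
  JSON.stringify({ 'csp-report': { 'document-uri': 'https://example.com/', 'effective-directive': 'script-src',
    'blocked-uri': 'inline', disposition: 'report' } }),
  JSON.stringify([
    { type: 'csp-violation', age: 10, url: 'https://example.com/app', body: { documentURL: 'https://example.com/app',
      effectiveDirective: 'script-src', blockedURL: 'https://cdn.example.net/analytics.js', disposition: 'report' } },
    { type: 'deprecation', body: {} },
  ]),
  'not json',
];
```

In a Next.js route handler (`app/csp-report/route.ts`) read the body with `await request.text()`, pass it to `parseCspReports`, persist the violations, and return 204; run `suggestions(aggregate(...))` over a day of reports to get the allow-list to add before switching the header from report-only to enforcing. Rate-limit the endpoint and cap the body size: it is unauthenticated by design and anyone can post to it.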
## Remove the X-Powered-By header

Next.js adds `X-Powered-By: Next.js` to every response by default, which tells an attacker which framework to target. Turn it off in the same config object that defines `headers()`:

```typescript
// next.config.ts — remove X-Powered-By header (merge into the export above; a file can only have one default export)
export default {
  poweredByHeader: false,
}
```
## Dependency Audit

```shell
# Check for known vulnerabilities
pnpm audit
# Auto-fix where possible
pnpm audit --fix
```

`pnpm audit --fix` works by writing `pnpm.overrides` entries into `package.json` that force non-vulnerable versions of the affected packages, including transitive ones. Review the overrides it adds and run the test suite afterwards: an override can pin a transitive dependency to a version its parent was never tested with.
Enable Dependabot in `.github/dependabot.yml`:

```yaml
version: 2
updates:
  - package-ecosystem: npm
    directory: /
    schedule:
      interval: weekly
  # add a second entry with package-ecosystem: github-actions if workflows pin action versions
```
## security.txt

Create `public/.well-known/security.txt` so researchers know how to report vulnerabilities. RFC 9116 requires `Contact` and exactly one `Expires`, and recommends that `Expires` be less than a year in the future, so put a renewal reminder in the calendar; an expired file reads as unmaintained. Replace `yourorg/yourrepo` with the GitHub owner and repository whose private advisory form should receive reports:

```text
Contact: https://github.com/yourorg/yourrepo/security/advisories/new
Expires: 2027-01-01T00:00:00.000Z
Preferred-Languages: en
```
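Because the file silently goes stale, it is worth a test that fails before `Expires` passes. The checker below is an added example written for this skill (not AuditKit's code) implementing the RFC 9116 rules that bite in practice: a required `Contact` that is a URI, exactly one parseable `Expires` that is in the future and not more than a year out, and a warning when `Canonical` is absent. `parseSecurityTxt`, `checkSecurityTxt` and the `SAMPLE_SECURITY_TXT` fixture are names chosen here; the fixture is the file above with a placeholder repository.

```typescript
// Added example (not AuditKit's code). Validate a security.txt against RFC 9116.

export interface SecurityTxtResult { errors: string[]; warnings: string[]; fields: Map<string, string[]> }

// RFC 9116 allows some fields to repeat (several Contact lines), so collect lists.
// Lines starting with '#' are comments.
export function parseSecurityTxt(text: string): Map<string, string[]> {
  const fields = new Map<string, string[]>();
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const idx = line.indexOf(':');
    if (idx < 0) continue;
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    fields.set(name, [...(fields.get(name) ?? []), value]);
  }
  return fields;
}

// `now` is injectable so CI can check "will this still be valid at release time".
export function checkSecurityTxt(text: string, now: Date = new Date()): SecurityTxtResult {
  const fields = parseSecurityTxt(text);
  const errors: string[] = [];
  const warnings: string[] = [];

  const contacts = fields.get('contact') ?? [];
  if (contacts.length === 0) errors.push('Contact is required');
  for (const c of contacts) {
    if (!/^[a-z][a-z0-9+.-]*:/i.test(c)) errors.push(`Contact must be a URI (https:, mailto:, tel:): ${c}`);
    else if (c.toLowerCase().startsWith('http://')) warnings.push(`Contact should use https, not http: ${c}`);
  }

  const expires = fields.get('expires') ?? [];
  if (expires.length !== 1) errors.push('exactly one Expires line is required');
  else {
    const t = Date.parse(expires[0]);
    if (Number.isNaN(t)) errors.push(`Expires is not an RFC 3339 timestamp: ${expires[0]}`);
    else {
      const days = (t - now.getTime()) / 86_400_000;
      if (days <= 0) errors.push('Expires is in the past; the file is stale');
      else if (days > 366) warnings.push('Expires is more than a year out; RFC 9116 recommends under a year');
    }
  }

  if (!fields.has('canonical')) warnings.push('no Canonical field; a copied file cannot be told from the real one');
  return { errors, warnings, fields };
}

// Constructed fixture: the file from this skill with a placeholder repository.
export const SAMPLE_SECURITY_TXT = [
  'Contact: https://github.com/yourorg/yourrepo/security/advisories/new',
  'Expires: 2027-01-01T00:00:00.000Z',
  'Preferred-Languages: en',
].join('\n');
```

Wire it into CI by reading `public/.well-known/security.txt` and failing the build on any entry in `errors`; checked as if today were 2026-06-01 the fixture passes with a single warning (no `Canonical`), and checked as of 2027-02-01 it fails as stale.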