nomad3/security-review
apps/api/app/skills/_bundled/security-review/SKILL.md
--- name: security-review engine: markdown version: 1 category: coding tags: [security, owasp, vulnerabilities, pentest, audit] auto_trigger: "Use when doing a security audit, reviewing auth code, or before merging sensitive changes" --- ## Description Deep security audit of changed code focused exclusively on vulnerabilities — more thorough than a regular code review. # Security Review ## Overview Deep security audit of changed code. Focuses exclusively on vulnerabilities — more thorough th
$ install --global
skillsauthnpx skillsauth add nomad3/servicetsunami-agents security-reviewInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Jun 12, 2026, 7:03 AM232.7s1 file scanned
SKILL.md
- name:
- security-review
- engine:
- markdown
- version:
- 1
- category:
- coding
- tags:
- [security, owasp, vulnerabilities, pentest, audit]
- auto_trigger:
- Use when doing a security audit, reviewing auth code, or before merging sensitive changes
Description
Deep security audit of changed code focused exclusively on vulnerabilities — more thorough than a regular code review.
Security Review
Overview
Deep security audit of changed code. Focuses exclusively on vulnerabilities — more thorough than a regular code review.
Announce at start: "Running security review."
Injection Vectors
- [ ] SQL: all queries use parameterized statements or ORM (never f-strings/concatenation)
- [ ] Shell: no
os.system,subprocess.shell=Truewith unsanitized input - [ ] Path traversal: file paths validated against allowed base directories
- [ ] Template injection: user content not rendered as Jinja/Mustache/etc templates
- [ ] LDAP/XPath/NoSQL injection: inputs sanitized for the respective query language
Authentication & Authorization
- [ ] Every new endpoint has auth middleware applied
- [ ] Role/permission checks happen server-side, not just frontend
- [ ] JWT/session tokens validated (signature, expiry, audience)
- [ ] Password reset tokens are hashed before storage, compared with constant-time function
- [ ] OAuth redirect URIs validated against allowlist
- [ ] Rate limiting on auth endpoints (login, register, reset)
Secrets & Sensitive Data
- [ ] No API keys, tokens, or passwords hardcoded in source
- [ ] Sensitive values not logged or included in error messages
- [ ] Encryption keys not in environment blocks that override .env (docker-compose footgun)
- [ ] Secrets not committed to Git
Input Validation
- [ ] All user-supplied data validated at API boundary
- [ ] File uploads: type checked, size limited, stored outside web root
- [ ] Deserialization of user-supplied data avoided (or sandboxed)
Dependency & Supply Chain
- [ ] New dependencies checked against known CVE databases
- [ ] Pinned versions (not floating
*orlatest) - [ ] Minimal permissions for new service accounts
Output Format
For each finding:
- Vulnerability class (OWASP category)
- File + line
- Severity: critical | high | medium | low
- Description: what the attack vector is
- Fix: concrete remediation with code example
End with a CVSS-style risk summary.
Related Skills
nomad3/writing-plans
development
VerifiedTrustedCommunity
--- name: writing-plans engine: markdown version: 1 category: coding tags: [planning, tdd, implementation, tasks] auto_trigger: "Use when creating an implementation plan for a multi-step feature or task" source_repo: https://github.com/obra/superpowers --- ## Description Create comprehensive, bite-sized implementation plans with full file structure mapping, TDD steps, and zero placeholders. # Writing Plans ## Overview Write comprehensive implementation plans assuming the engineer has zero co
1SKILL.mdUpdated Jun 12, 2026
nomad3/smart-commit
development
VerifiedTrustedCommunity
--- name: smart-commit engine: markdown version: 1 category: coding tags: [git, commit, quality, conventional-commits] auto_trigger: "Use when ready to commit changes with quality checks and a good commit message" source_repo: https://github.com/angakh/claude-skills-starter --- ## Description Run quality checks, then stage and commit with a well-formed conventional commit message. # Smart Commit ## Overview Run quality checks, then stage and commit with a well-formed conventional commit mess
1SKILL.mdUpdated Jun 12, 2026
nomad3/scaffold
tools
VerifiedTrustedCommunity
--- name: scaffold engine: markdown version: 1 category: coding tags: [scaffold, boilerplate, codegen, templates, components] auto_trigger: "Use when generating boilerplate for a new component, endpoint, model, or test file" source_repo: https://github.com/angakh/claude-skills-starter --- ## Description Generate boilerplate for common code structures: React components, API endpoints, test files, data models, CLI commands. # Scaffold ## Overview Generate boilerplate for common code structures
1SKILL.mdUpdated Jun 12, 2026
nomad3/run-tests
development
VerifiedTrustedCommunity
--- name: run-tests engine: markdown version: 1 category: coding tags: [testing, pytest, jest, coverage, quality] auto_trigger: "Use when running the test suite or checking test coverage" source_repo: https://github.com/angakh/claude-skills-starter --- ## Description Auto-detect the project's test framework and run the full test suite with coverage reporting. # Run Tests ## Overview Auto-detect the project's test framework and run the full test suite with coverage. **Announce at start:** "R
1SKILL.mdUpdated Jun 12, 2026