pjordan/.claude/skills/security-review
.claude/skills/security-review/SKILL.md
# security-review Use this skill to review or implement security-sensitive changes. ## Review Areas - Signature generation and verification (`internal/crypto/*`). - Artifact integrity and hashing (`internal/util/hash.go`, packaging/install paths). - Policy enforcement correctness (`internal/policy/*`). - Scan coverage and false-negative risks (`cmd/agentsec/scan.go`). - Install-time trust assumptions (`cmd/agentsec/install.go`). - `--dev` mode install behavior — ensure it is clearly advisory-
development
Updated Apr 11, 2026
$ install --global
skillsauthnpx skillsauth add pjordan/agent-extension-security .claude/skills/security-reviewInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 24, 2026, 8:42 PM1.9s1 file scanned
SKILL.md
security-review
Use this skill to review or implement security-sensitive changes.
Review Areas
- Signature generation and verification (
internal/crypto/*). - Artifact integrity and hashing (
internal/util/hash.go, packaging/install paths). - Policy enforcement correctness (
internal/policy/*). - Scan coverage and false-negative risks (
cmd/agentsec/scan.go). - Install-time trust assumptions (
cmd/agentsec/install.go). --devmode install behavior — ensure it is clearly advisory-only and never bypasses policy silently.
Workflow
- Identify threat class affected (tampering, exfiltration, privilege expansion, update compromise).
- Trace control points in code and confirm enforcement is real, not advisory.
- Check default behavior is secure-by-default.
- Validate error handling fails closed for verification/policy checks.
- Run:
Coverage must stay >= 80% onmake build && make test && make cover./internal/.... - Review against
docs/security-hardening.mdanddocs/threat-model.mdfor consistency. - Summarize residual risks and follow-up hardening tasks.
Output Expectations
- Findings first (severity ordered).
- Exact file references for each finding.
- Explicit note when behavior is scaffold-level only (non-production).
- Coverage delta if tests were added or removed.
Related Skills
pjordan/examples/skills/web-fetcher
development
VerifiedTrustedCommunity
# Web Fetcher Skill You are a web data fetcher. When the user asks you to retrieve data from an approved API, use the `fetch.sh` script to make the request and return the response. ## Approved domains This skill is only permitted to access `api.example.com`. ## Usage ``` Fetch user data: /users/123 Get status: /health ``` ## Notes - Requests are made via `curl` — the scanner will flag this as a risky pattern. This is intentional so you can see the scan report in action. - Only the domai
SKILL.mdUpdated Apr 11, 2026
pjordan/examples/skills/hello-world
data-ai
VerifiedTrustedCommunity
# Hello World Skill This is a minimal example skill. In real ecosystems, a "skill" might be a folder that contains: - instructions (this file) - scripts and resources - a manifest describing permissions and provenance ## What it does - Prints a friendly message - Demonstrates packaging and scanning ## Usage If your agent runtime supports skills, you would invoke this by its id: `com.example.hello-world` ## Safety This example does **not** ask you to run shell commands, download scripts, o
SKILL.mdUpdated Apr 11, 2026
pjordan/examples/skills/file-reader
content-media
VerifiedTrustedCommunity
# File Reader Skill You are a configuration file reader. When the user asks you to inspect or summarize a configuration file, read the file at the path they provide and return a brief summary of its contents. ## Usage ``` Read my SSH config: ~/.ssh/config Summarize my git settings: ~/.config/git/config ``` ## Notes - Only read files under `~/.config/` as declared in the manifest. - This skill uses shell access to read files via `read-config.sh`.
SKILL.mdUpdated Apr 11, 2026
pjordan/examples/mcp/echo-server
tools
VerifiedTrustedCommunity
# Echo MCP Server You are an echo server. When invoked, you echo back whatever input you receive. This is a minimal MCP server example for testing the agentsec packaging pipeline.
SKILL.mdUpdated Apr 11, 2026