Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

praneethkukunuru/.agents/skills/hephaestus-security-audit

Name: .agents/skills/hephaestus-security-audit
Author: praneethkukunuru

.agents/skills/hephaestus-security-audit/SKILL.md

npx skillsauth add praneethkukunuru/synq-test-103 .agents/skills/hephaestus-security-audit

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

hephaestus-security-audit

Use this skill as the explicit OWASP Top 10:2025 security gate before ship.

Purpose

Perform a structured security audit aligned to OWASP Top 10:2025 and persist security findings/blockers to DB.

Master Directive

This skill MUST follow .hephaestus/prompts/master-agent-directive.md. This skill MUST follow .hephaestus/prompts/db-navigation-contract.md. This skill MUST follow .hephaestus/prompts/ci-automation-contract.md. This skill MUST follow .hephaestus/prompts/security-review-contract.md.

Primary Owner

reviewer

Supporting Roles

system_architect
devops_infra
qa_engineer

Use When

Verification and review artifacts exist.
A ship decision is pending.
The changed surface is security-relevant or uncertain.

Inputs

.hephaestus/specs/<slug>.md
.hephaestus/plans/<slug>.md
.hephaestus/reports/<slug>-verify.md
.hephaestus/reports/<slug>-review.md
.hephaestus/reports/<slug>-laziness-audit.md (if present)
Git diff and touched files.
DB context (security_findings, review_findings, verification_results, blockers, retrieval_chunks, artifact_index, raw_artifacts).
OWASP checklist: references/owasp-2025-audit-checklist.md.
Shared API module (.hephaestus/db/storage/retrieval_api.py).

Outputs

.hephaestus/reports/<slug>-security-audit.md
DB updates in security_findings, security_controls, security_gate_decisions, security_evidence_links, review_findings, blockers, retrieval_chunks, and artifact_index.

DB Reads

get_run_state, get_security_findings, get_security_blockers, get_review_blockers, get_verification_summary, get_relevant_chunks
get_ci_failure_summary, get_ci_workflow_states, get_recent_ci_failures_by_signature (for CI/security signal)

DB Writes

register_artifact
persist_security_finding
persist_security_control
persist_security_gate_decision
link_security_evidence
persist_retrieval_chunk (security chunk types)
persist_blocker (for explicit gate blockers)
persist_handoff

Procedure

Load DB-first context and unresolved blockers/findings.
Inspect spec, plan, diff, verify, review, and CI evidence for security implications.
Apply all OWASP Top 10:2025 categories from the checklist and record deterministic control status per category.
Persist control rows via persist_security_control(...) and evidence links for each material check.
Persist each material finding via persist_security_finding(...) with category, severity, confidence, and blocker decision.
Persist gate decision via persist_security_gate_decision(...) with explicit block/conditional/approve.
Ensure blocker defaults are honored (A01-A08 block by default; A09/A10 conditional unless escalated).
Produce concise report using assets/security-audit-report-template.md.
Handoff to ship or rework owner with explicit block/conditional/pass decision.

Guardrails

No security conclusions without traceable evidence.
No ship-ready recommendation with unresolved high/critical OWASP findings.
No raw-log-first workflow when DB chunk evidence already exists.
Security audit must stay concise and point to DB-backed findings/chunks.

Handoff

Include:

OWASP findings by severity
Blockers with owners
Required fixes before ship
Final decision: blocked / conditional / passes

praneethkukunuru/.agents/skills/hephaestus-security-audit

.agents/skills/hephaestus-security-audit/SKILL.md

# hephaestus-security-audit Use this skill as the explicit OWASP Top 10:2025 security gate before ship. ## Purpose Perform a structured security audit aligned to OWASP Top 10:2025 and persist security findings/blockers to DB. ## Master Directive This skill MUST follow `.hephaestus/prompts/master-agent-directive.md`. This skill MUST follow `.hephaestus/prompts/db-navigation-contract.md`. This skill MUST follow `.hephaestus/prompts/ci-automation-contract.md`. This skill MUST follow `.hephaest

tools

Updated Apr 16, 2026

$ install --global

skillsauth

npx skillsauth add praneethkukunuru/synq-test-103 .agents/skills/hephaestus-security-audit

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: Apr 24, 2026, 8:57 PM1.8s1 file scanned

SKILL.md

hephaestus-security-audit

Use this skill as the explicit OWASP Top 10:2025 security gate before ship.

Purpose

Perform a structured security audit aligned to OWASP Top 10:2025 and persist security findings/blockers to DB.

Master Directive

Primary Owner

reviewer

Supporting Roles

system_architect
devops_infra
qa_engineer

Use When

Verification and review artifacts exist.
A ship decision is pending.
The changed surface is security-relevant or uncertain.

Inputs

.hephaestus/specs/<slug>.md
.hephaestus/plans/<slug>.md
.hephaestus/reports/<slug>-verify.md
.hephaestus/reports/<slug>-review.md
.hephaestus/reports/<slug>-laziness-audit.md (if present)
Git diff and touched files.
DB context (security_findings, review_findings, verification_results, blockers, retrieval_chunks, artifact_index, raw_artifacts).
OWASP checklist: references/owasp-2025-audit-checklist.md.
Shared API module (.hephaestus/db/storage/retrieval_api.py).

Outputs

.hephaestus/reports/<slug>-security-audit.md
DB updates in security_findings, security_controls, security_gate_decisions, security_evidence_links, review_findings, blockers, retrieval_chunks, and artifact_index.

DB Reads

get_run_state, get_security_findings, get_security_blockers, get_review_blockers, get_verification_summary, get_relevant_chunks
get_ci_failure_summary, get_ci_workflow_states, get_recent_ci_failures_by_signature (for CI/security signal)

DB Writes

register_artifact
persist_security_finding
persist_security_control
persist_security_gate_decision
link_security_evidence
persist_retrieval_chunk (security chunk types)
persist_blocker (for explicit gate blockers)
persist_handoff

Procedure

Load DB-first context and unresolved blockers/findings.
Inspect spec, plan, diff, verify, review, and CI evidence for security implications.
Apply all OWASP Top 10:2025 categories from the checklist and record deterministic control status per category.
Persist control rows via persist_security_control(...) and evidence links for each material check.
Persist each material finding via persist_security_finding(...) with category, severity, confidence, and blocker decision.
Persist gate decision via persist_security_gate_decision(...) with explicit block/conditional/approve.
Ensure blocker defaults are honored (A01-A08 block by default; A09/A10 conditional unless escalated).
Produce concise report using assets/security-audit-report-template.md.
Handoff to ship or rework owner with explicit block/conditional/pass decision.

Guardrails

No security conclusions without traceable evidence.
No ship-ready recommendation with unresolved high/critical OWASP findings.
No raw-log-first workflow when DB chunk evidence already exists.
Security audit must stay concise and point to DB-backed findings/chunks.

Handoff

Include:

OWASP findings by severity
Blockers with owners
Required fixes before ship
Final decision: blocked / conditional / passes

Related Skills

praneethkukunuru/system_architect

content-media

VerifiedTrustedCommunity

Design correctness and implementation drift owner

SKILL.mdUpdated Apr 16, 2026

praneethkukunuru/system_architect

praneethkukunuru/scrum_master

tools

VerifiedTrustedCommunity

Stage readiness and artifact completeness owner

SKILL.mdUpdated Apr 16, 2026

praneethkukunuru/scrum_master

praneethkukunuru/roadmap_advisor

tools

VerifiedTrustedCommunity

Roadmap Advisor

SKILL.mdUpdated Apr 16, 2026

praneethkukunuru/roadmap_advisor

praneethkukunuru/reviewer

testing

VerifiedTrustedCommunity

Correctness, security, and maintainability owner

SKILL.mdUpdated Apr 16, 2026

praneethkukunuru/reviewer

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/praneethkukunuru/synq-test-103.git

# Copy into Claude Code skills folder (global)
cp -r synq-test-103/.agents/skills/hephaestus-security-audit ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

praneethkukunuru/synq-test-103

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT