Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

proffesor-for-testing/security-watch

Name: security-watch
Author: proffesor-for-testing

.claude/skills/security-watch/SKILL.md

npx skillsauth add proffesor-for-testing/agentic-qe security-watch

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

Security Watch Mode

When activated, scans every file write for common security anti-patterns and blocks dangerous code from being committed.

What It Does

Flags or blocks writes containing:

Secrets: API keys, passwords, tokens, private keys in source code
Dangerous functions: eval(), Function(), innerHTML, dangerouslySetInnerHTML
Injection vectors: Unsanitized template literals in SQL/shell commands
Insecure config: http:// URLs, disabled TLS verification, * CORS origins

Activation

/security-watch

Hook Configuration

{
  "hooks": {
    "PreToolUse": [
      {
        "matcher": "Write|Edit",
        "hook": ".claude/skills/security-watch/scripts/scan-security.sh"
      }
    ]
  }
}

Detection Patterns

#!/bin/bash
# scan-security.sh
CONTENT="$1"
ISSUES=0

# Secrets detection
SECRET_PATTERNS=(
  'AKIA[0-9A-Z]{16}'                    # AWS Access Key
  'sk-[a-zA-Z0-9]{48}'                  # OpenAI API Key
  'ghp_[a-zA-Z0-9]{36}'                 # GitHub Personal Token
  'password\s*[:=]\s*["\x27][^"\x27]+'  # Hardcoded passwords
  'BEGIN (RSA |EC )?PRIVATE KEY'         # Private keys
  'sk_live_[a-zA-Z0-9]+'                # Stripe secret key
)

for pattern in "${SECRET_PATTERNS[@]}"; do
  if echo "$CONTENT" | grep -qP "$pattern"; then
    echo "BLOCKED: Potential secret detected matching pattern: $pattern"
    ISSUES=$((ISSUES + 1))
  fi
done

# Dangerous functions
DANGER_PATTERNS=(
  '\beval\s*\('
  '\bFunction\s*\('
  '\.innerHTML\s*='
  'dangerouslySetInnerHTML'
  'child_process.*exec\('
  '\$\{.*\}.*(?:SELECT|INSERT|UPDATE|DELETE)'
)

for pattern in "${DANGER_PATTERNS[@]}"; do
  if echo "$CONTENT" | grep -qP "$pattern"; then
    echo "WARNING: Dangerous pattern detected: $pattern"
    ISSUES=$((ISSUES + 1))
  fi
done

if [ $ISSUES -gt 0 ]; then
  echo "Found $ISSUES security issues. Review before proceeding."
  exit 1
fi

Gotchas

False positives on test fixtures that intentionally contain patterns like eval() — use // security-watch:ignore comment
Base64-encoded secrets won't be caught — this scans for plaintext patterns only
Template literal injection detection has false positives on safe string interpolation — review warnings carefully
This is a first line of defense, not a replacement for proper security review

proffesor-for-testing/security-watch

.claude/skills/security-watch/SKILL.md

Use when working on security-sensitive code to catch secrets, eval(), innerHTML, and other dangerous patterns before they're written. Activate with /security-watch for real-time security scanning.

304 stars

development

Updated Apr 11, 2026

$ install --global

skillsauth

npx skillsauth add proffesor-for-testing/agentic-qe security-watch

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: Apr 11, 2026, 8:24 PM33.6s2 files scanned

SKILL.md

name:: security-watch
description:: Use when working on security-sensitive code to catch secrets, eval(), innerHTML, and other dangerous patterns before they're written. Activate with /security-watch for real-time security scanning.
user-invocable:: true

Security Watch Mode

When activated, scans every file write for common security anti-patterns and blocks dangerous code from being committed.

What It Does

Flags or blocks writes containing:

Secrets: API keys, passwords, tokens, private keys in source code
Dangerous functions: eval(), Function(), innerHTML, dangerouslySetInnerHTML
Injection vectors: Unsanitized template literals in SQL/shell commands
Insecure config: http:// URLs, disabled TLS verification, * CORS origins

Activation

/security-watch

Hook Configuration

{
  "hooks": {
    "PreToolUse": [
      {
        "matcher": "Write|Edit",
        "hook": ".claude/skills/security-watch/scripts/scan-security.sh"
      }
    ]
  }
}

Detection Patterns

#!/bin/bash
# scan-security.sh
CONTENT="$1"
ISSUES=0

# Secrets detection
SECRET_PATTERNS=(
  'AKIA[0-9A-Z]{16}'                    # AWS Access Key
  'sk-[a-zA-Z0-9]{48}'                  # OpenAI API Key
  'ghp_[a-zA-Z0-9]{36}'                 # GitHub Personal Token
  'password\s*[:=]\s*["\x27][^"\x27]+'  # Hardcoded passwords
  'BEGIN (RSA |EC )?PRIVATE KEY'         # Private keys
  'sk_live_[a-zA-Z0-9]+'                # Stripe secret key
)

for pattern in "${SECRET_PATTERNS[@]}"; do
  if echo "$CONTENT" | grep -qP "$pattern"; then
    echo "BLOCKED: Potential secret detected matching pattern: $pattern"
    ISSUES=$((ISSUES + 1))
  fi
done

# Dangerous functions
DANGER_PATTERNS=(
  '\beval\s*\('
  '\bFunction\s*\('
  '\.innerHTML\s*='
  'dangerouslySetInnerHTML'
  'child_process.*exec\('
  '\$\{.*\}.*(?:SELECT|INSERT|UPDATE|DELETE)'
)

for pattern in "${DANGER_PATTERNS[@]}"; do
  if echo "$CONTENT" | grep -qP "$pattern"; then
    echo "WARNING: Dangerous pattern detected: $pattern"
    ISSUES=$((ISSUES + 1))
  fi
done

if [ $ISSUES -gt 0 ]; then
  echo "Found $ISSUES security issues. Review before proceeding."
  exit 1
fi

Gotchas

False positives on test fixtures that intentionally contain patterns like eval() — use // security-watch:ignore comment
Base64-encoded secrets won't be caught — this scans for plaintext patterns only
Template literal injection detection has false positives on safe string interpolation — review warnings carefully
This is a first line of defense, not a replacement for proper security review

Related Skills

proffesor-for-testing/qe-xp-practices

development

VerifiedTrustedCommunity

Apply XP practices including pair programming, ensemble programming, continuous integration, and sustainable pace. Use when implementing agile development practices, improving team collaboration, or adopting technical excellence practices.

304SKILL.mdUpdated Apr 11, 2026

proffesor-for-testing/qe-xp-practices

proffesor-for-testing/qe-wms-testing-patterns

development

VerifiedTrustedCommunity

Warehouse Management System testing patterns for inventory operations, pick/pack/ship workflows, wave management, EDI X12/EDIFACT compliance, RF/barcode scanning, and WMS-ERP integration. Use when testing WMS platforms (Blue Yonder, Manhattan, SAP EWM).

304SKILL.mdUpdated Apr 11, 2026

proffesor-for-testing/qe-wms-testing-patterns

proffesor-for-testing/qe-visual-testing-advanced

testing

VerifiedTrustedCommunity

Advanced visual regression testing with pixel-perfect comparison, AI-powered diff analysis, responsive design validation, and cross-browser visual consistency. Use when detecting UI regressions, validating designs, or ensuring visual consistency.

304SKILL.mdUpdated Apr 11, 2026

proffesor-for-testing/qe-visual-testing-advanced

proffesor-for-testing/qe-verification-quality

development

VerifiedTrustedCommunity

Comprehensive truth scoring, code quality verification, and automatic rollback system with 0.95 accuracy threshold for ensuring high-quality agent outputs and codebase reliability.

304SKILL.mdUpdated Apr 11, 2026

proffesor-for-testing/qe-verification-quality

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/proffesor-for-testing/agentic-qe.git

# Copy into Claude Code skills folder (global)
cp -r agentic-qe/.claude/skills/security-watch ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

proffesor-for-testing/agentic-qe

304 stars

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT