the-own-lab/security-scan
skills/security-scan/SKILL.md
Scan code changes for security vulnerabilities. Use as part of code review or independently.
development
Updated Apr 21, 2026
$ install --global
skillsauthnpx skillsauth add the-own-lab/Claude-company-of-one security-scanInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 16, 2026, 10:05 PM17.9s1 file scanned
SKILL.md
- name:
- security-scan
- description:
- Scan code changes for security vulnerabilities. Use as part of code review or independently.
Security Scan
Analyze code changes for security vulnerabilities across multiple categories.
Checklist
Secrets Detection
- API keys, tokens, passwords hardcoded in source or config files
- Private keys or certificates committed to the repository
- Connection strings with embedded credentials
- Environment-specific secrets not using environment variables
Injection Risks
- SQL injection — unsanitized user input in queries
- XSS — unescaped output rendered in HTML contexts
- Command injection — user input passed to shell execution
- Path traversal — user-controlled file paths without validation
Authentication and Authorization
- Missing auth checks on protected endpoints
- Improper session handling (fixation, insufficient expiry)
- Broken access control (horizontal/vertical privilege escalation)
- Insecure token storage or transmission
Dependency Security
- Known CVEs in direct or transitive dependencies
- Untrusted or unvetted packages
- Outdated dependencies with known security patches
- Typosquatting or supply chain risks
Data Exposure
- PII logged to application logs or monitoring systems
- Sensitive data in error messages returned to users
- Overly verbose stack traces in production error responses
- Unencrypted sensitive data at rest or in transit
Severity Levels
| Severity | Definition | | -------- | --------------------------------------------- | | Critical | Actively exploitable with significant impact | | High | Likely exploitable under realistic conditions | | Medium | Potential risk requiring specific conditions | | Low | Best practice violation, minimal direct risk |
Input Validation
- Validate ALL external input at system boundaries
- Whitelist valid input rather than blacklisting invalid
- Sanitize before use in interpreted contexts (SQL, HTML, shell)
Cryptography
- Never implement custom crypto — use established libraries
- Hash passwords with bcrypt, scrypt, or argon2 (never MD5/SHA)
- Use HTTPS for all external communication
- Encrypt sensitive data at rest
File Operations
- Validate file paths against traversal attacks
- Check file sizes before processing (prevent DoS)
- Validate file types (don't trust extensions alone)
- Use temp directories for ephemeral files; clean up after use
Report Format
For each finding, provide:
- Severity — Critical / High / Medium / Low
- Category — Which checklist area (e.g., Injection Risks)
- Location — Specific
file:linereference - Description — What the vulnerability is and why it matters
- Evidence — The problematic code or configuration
- Remediation — Specific steps to fix the issue
- References — Relevant CWE, OWASP, or advisory links where applicable
Related Skills
the-own-lab/write-brief
documentation
VerifiedTrustedCommunity
Update BRIEF.md sections during a command run. Any skill that produces a brief-persisted artifact calls this to write it back.
SKILL.mdUpdated Apr 22, 2026
the-own-lab/verify
development
VerifiedTrustedCommunity
Post-code check: run tests + confirm TODO acceptance items map to passing tests; applies a security lens but is not a separate scan.
SKILL.mdUpdated Apr 22, 2026
the-own-lab/update-docs
documentation
VerifiedTrustedCommunity
Command post-step: write CHANGELOG + TODO once per command run. One call, not per-skill doc writes.
SKILL.mdUpdated Apr 22, 2026
the-own-lab/spec-writing
content-media
VerifiedTrustedCommunity
Author REQUIREMENTS.md + DESIGN.md + TODO.md for a feature. The three files are one contract; they ship together.
SKILL.mdUpdated Apr 22, 2026