timequity/security-check
skills/security-check/SKILL.md
Automatic OWASP security checks on generated code. Use when: any code is generated in the pipeline. Triggers: internal use only.
development
Updated Apr 17, 2026
$ install --global
skillsauthnpx skillsauth add timequity/vibe-coder security-checkInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 17, 2026, 8:22 AM4.6s2 files scanned
SKILL.md
- name:
- security-check
- description:
- |
- Use when:
- any code is generated in the pipeline.
- Triggers:
- internal use only.
Security Check
OWASP validation on every code generation. User doesn't see.
Checks
Input Validation
- [ ] All user inputs sanitized
- [ ] No raw SQL queries (use parameterized)
- [ ] No eval() or dynamic code execution
- [ ] File uploads validated (type, size)
Authentication
- [ ] Passwords hashed (bcrypt/argon2)
- [ ] Sessions properly managed
- [ ] CSRF protection enabled
- [ ] Rate limiting on auth endpoints
Authorization
- [ ] Protected routes check auth
- [ ] API endpoints verify permissions
- [ ] No direct object references exposed
Data Exposure
- [ ] No secrets in code
- [ ] Sensitive data not logged
- [ ] API responses don't leak internals
- [ ] Error messages don't expose stack
Headers
- [ ] HTTPS enforced
- [ ] Security headers set (CSP, HSTS)
- [ ] Cookies secure + httpOnly
Auto-Fix
For common issues:
| Issue | Auto-Fix | |-------|----------| | Raw SQL | Convert to parameterized | | Missing sanitization | Add input validation | | Exposed secrets | Move to env vars | | Missing auth check | Add middleware |
Automation Script
Run OWASP checks programmatically:
python scripts/security_scan.py --path /project/path
python scripts/security_scan.py --path /project/path --json # JSON output
python scripts/security_scan.py --fail-on high # Fail on high+ severity
Checks: SQL injection, hardcoded secrets, unsafe eval, command injection, insecure HTTP.
Reporting
| Result | Action | |--------|--------| | All pass | Continue silently | | Auto-fixed | Continue, log internally | | Can't fix | Block + ask user to clarify |
User sees nothing unless there's an unfixable security issue.
Related Skills
timequity/verification-gate
development
VerifiedTrustedCommunity
Hidden quality gate that runs before showing "Done!" to user - ensures all tests pass, build succeeds, and requirements met before claiming completion
SKILL.mdUpdated Apr 17, 2026
timequity/verification-before-completion
data-ai
VerifiedTrustedCommunity
Use when about to claim work is complete or fixed - requires running verification commands and confirming output before making any success claims
SKILL.mdUpdated Apr 17, 2026
timequity/ui-generator
tools
VerifiedTrustedCommunity
Generate UI components from natural language descriptions. Use when: user asks for a page, component, or UI element. Triggers: "create page", "add component", "show form", "make button", "страница", "компонент", "форма".
SKILL.mdUpdated Apr 17, 2026
timequity/theme-factory
content-media
VerifiedTrustedCommunity
10 ready-to-use themes with colors and fonts for consistent styling. Use when: applying visual themes to pages, components, or design systems. Triggers: "theme", "color palette", "color scheme", "fonts", "branding", "visual identity", "design system colors".
SKILL.mdUpdated Apr 17, 2026