security-ops
Security audit orchestrator - parallel dependency scanning, SAST pattern detection, auth/config review. Dispatches 3 audit agents simultaneously, consolidates into OWASP-mapped severity report. Triggers on: security review, security audit, OWASP, XSS, SQL injection, CSRF, authentication, authorization, secrets management, input validation, secure coding, vulnerability scan, dependency audit.
Best use case
security-ops is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Security audit orchestrator - parallel dependency scanning, SAST pattern detection, auth/config review. Dispatches 3 audit agents simultaneously, consolidates into OWASP-mapped severity report. Triggers on: security review, security audit, OWASP, XSS, SQL injection, CSRF, authentication, authorization, secrets management, input validation, secure coding, vulnerability scan, dependency audit.
Teams using security-ops should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/security-ops/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How security-ops Compares
| Feature / Agent | security-ops | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Security audit orchestrator - parallel dependency scanning, SAST pattern detection, auth/config review. Dispatches 3 audit agents simultaneously, consolidates into OWASP-mapped severity report. Triggers on: security review, security audit, OWASP, XSS, SQL injection, CSRF, authentication, authorization, secrets management, input validation, secure coding, vulnerability scan, dependency audit.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Security Operations
Orchestrator for security auditing. Detects project stack inline, dispatches three parallel audit agents (dependency, SAST, auth/config review), consolidates into a severity-ranked OWASP-mapped report.
## Architecture
```
User requests security audit or mentions security concern
|
+---> T1: Detect (inline, fast)
| +---> Identify languages/frameworks in project
| +---> Check installed audit tools
| +---> Determine scope (changed files vs full codebase)
| +---> Present: detection summary + recommended audit
|
+---> T2: Audit (3 parallel agents, background)
| +---> Agent 1: Dependency Audit
| | +---> Run pip-audit, npm audit, govulncheck, cargo audit, trivy
| | +---> Report: CVE IDs, severity, affected + fix versions
| |
| +---> Agent 2: Code Pattern Scan (SAST)
| | +---> Hardcoded secrets, injection, XSS, eval, shell, weak crypto
| | +---> Report: file:line, pattern, severity, fix suggestion
| |
| +---> Agent 3: Auth & Config Review
| | +---> Session, CSRF, CORS, CSP, JWT, OAuth, rate limiting, env vars
| | +---> Report: finding, severity, OWASP category, remediation
| |
| +---> Consolidate: deduplicate, rank by severity, map to OWASP Top 10
|
+---> T3: Remediate (dispatch to language expert, foreground + confirm)
+---> Expert proposes specific fixes
+---> Preflight: what changes, security impact, risk of breaking
+---> User confirms
+---> Apply fixes
```
## Safety Tiers
| Operation | Tier | Execution |
|-----------|------|-----------|
| Detect languages/frameworks | T1 | Inline |
| Check installed audit tools | T1 | Inline |
| Determine scope (changed vs all) | T1 | Inline |
| Dependency vulnerability scan | T2 | Agent 1 (bg) |
| Code pattern scan (SAST) | T2 | Agent 2 (bg) |
| Auth & config review | T2 | Agent 3 (bg) |
| Consolidate findings | T2 | Inline (after agents return) |
| Fix vulnerability in code | T3 | Expert agent + confirm |
| Update vulnerable dependency | T3 | Expert agent + confirm |
| Add security headers | T3 | Expert agent + confirm |
## T1: Detect - Run Inline
| Check | Command / Method |
|-------|-----------------|
| Python project | Check for `requirements.txt`, `pyproject.toml`, `Pipfile` |
| Node.js project | Check for `package.json`, `package-lock.json` |
| Go project | Check for `go.mod` |
| Rust project | Check for `Cargo.toml` |
| Docker | Check for `Dockerfile`, `docker-compose.yml` |
| pip-audit available | `which pip-audit 2>/dev/null` |
| npm audit available | `which npm 2>/dev/null` |
| govulncheck available | `which govulncheck 2>/dev/null` |
| cargo-audit available | `which cargo-audit 2>/dev/null` |
| trivy available | `which trivy 2>/dev/null` |
| Scope: changed files | `git diff --name-only HEAD` |
| Scope: full codebase | `fd -e py -e js -e ts -e go -e rs` |
## T2: Audit - Dispatch 3 Parallel Agents
All audit agents use `model="sonnet"`, `run_in_background=True`. All are **read-only** - instruct them explicitly to never edit files.
### Agent 1: Dependency Audit
```
You are a security dependency auditor. Your job is to find vulnerable dependencies.
## Domain Knowledge
First, read this script for audit commands:
- Read: skills/security-ops/scripts/dependency-audit.sh
## Scope
- Languages detected: {languages from T1}
- Audit tools available: {tools from T1}
## Instructions
1. Run the appropriate audit tool for each detected language:
- Python: `pip-audit` or `safety check`
- Node.js: `npm audit --audit-level=moderate`
- Go: `govulncheck ./...`
- Rust: `cargo audit`
- Docker: `trivy config Dockerfile`
2. For each vulnerability found, report:
- Package name and version
- CVE ID (if available)
- Severity (Critical/High/Medium/Low)
- Fixed version (if available)
- Brief description
3. If an audit tool is not installed, note which tool is missing and what command installs it
IMPORTANT: Do NOT edit any files. This is a read-only audit.
## Output Format
Report findings as a severity-ranked table.
```
### Agent 2: Code Pattern Scan (SAST)
```
You are a security code scanner. Your job is to find vulnerability patterns in source code.
## Domain Knowledge
First, read these files for scan patterns and OWASP context:
- Read: skills/security-ops/scripts/security-scan.sh
- Read: skills/security-ops/references/owasp-detailed.md
## Scope
- Files to scan: {scope from T1 - changed files or full codebase}
- Languages: {languages from T1}
## Scan Categories
For each language detected, search for these patterns using ripgrep:
**Injection (OWASP A03):**
- SQL injection: f-strings/format in execute(), string concatenation in queries
- Command injection: os.system(), subprocess with shell=True, exec(), eval()
- XSS: innerHTML assignment, document.write(), dangerouslySetInnerHTML without sanitization
**Hardcoded Secrets (OWASP A02):**
- API keys, passwords, tokens assigned as string literals
- .env files tracked in git
- Private keys in source
**Insecure Crypto (OWASP A02):**
- MD5 or SHA1 for passwords (use bcrypt/argon2)
- ECB mode encryption
- Hardcoded encryption keys
**Insecure Deserialization (OWASP A08):**
- pickle.loads on untrusted data (Python)
- JSON.parse without validation
- yaml.load without SafeLoader
## Instructions
1. Use `rg` (ripgrep) for pattern matching across the codebase
2. Use `ast-grep` for structural patterns if available
3. For each finding, report: file:line, pattern matched, OWASP category, severity, fix suggestion
4. Distinguish between confirmed issues and potential false positives
IMPORTANT: Do NOT edit any files. This is a read-only scan.
## Output Format
Group findings by OWASP category, sorted by severity within each group.
```
### Agent 3: Auth & Config Review
```
You are a security reviewer specializing in authentication, authorization, and security configuration.
## Domain Knowledge
First, read these files for auth patterns and header requirements:
- Read: skills/security-ops/references/auth-patterns.md
- Read: skills/security-ops/references/secure-headers.md
## Scope
- Files to review: {scope from T1}
- Framework: {detected framework}
## Review Checklist
**Authentication (OWASP A07):**
- Password hashing: bcrypt/argon2 with cost factor 12+?
- Session tokens: cryptographically random, sufficient length?
- Cookie flags: HttpOnly, Secure, SameSite set?
- Rate limiting on login endpoints?
- Account lockout after failed attempts?
- MFA support for sensitive operations?
**Authorization (OWASP A01):**
- Server-side permission checks on all endpoints?
- Default deny policy?
- IDOR protection (verify ownership before access)?
- Role-based or attribute-based access control?
**Security Configuration (OWASP A05):**
- CSP header configured?
- HSTS enabled with appropriate max-age?
- X-Frame-Options or frame-ancestors in CSP?
- CORS policy restrictive (not wildcard)?
- Debug mode disabled in production config?
- Error messages don't leak internal details?
**Session Management:**
- Session timeout configured?
- Session invalidation on logout?
- Session regeneration on privilege change?
- Tokens not exposed in URLs?
## Instructions
1. Read auth-related files (login, session, middleware, config)
2. Check each item on the review checklist
3. For each finding: describe the issue, rate severity, cite OWASP category, suggest fix
4. Note items that pass as well as items that fail
IMPORTANT: Do NOT edit any files. This is a read-only review.
## Output Format
Checklist-style report with PASS/FAIL/N-A for each item, findings grouped by category.
```
### Consolidation
After all 3 agents return, consolidate inline:
1. **Deduplicate** - Remove findings that appear in multiple agents (e.g., hardcoded secret found by both Agent 1 and Agent 2)
2. **Rank by severity:**
- **Critical:** Remote code execution, SQL injection, exposed secrets in production
- **High:** XSS, broken auth, missing access control, known CVE with exploit
- **Medium:** Weak crypto, missing security headers, insecure defaults
- **Low:** Informational, best practice suggestions, TODO items
3. **Map to OWASP Top 10** - Tag each finding with its OWASP category
4. **Generate report** (see Report Format below)
## T3: Remediate - Expert Dispatch with Confirmation
When user wants to fix findings, dispatch to the appropriate language expert.
**Language routing (same as perf-ops):**
| Finding Type | Expert Agent |
|-------------|-------------|
| Python vulnerability | python-expert |
| Node.js/JS vulnerability | javascript-expert |
| TypeScript vulnerability | typescript-expert |
| Go vulnerability | go-expert |
| Rust vulnerability | rust-expert |
| SQL injection / DB security | postgres-expert |
| General / config / headers | general-purpose |
**Dispatch template (T3 preflight):**
```
You are handling a security remediation dispatched by the security-ops orchestrator.
## Domain Knowledge
First, read for context:
- Read: skills/security-ops/references/owasp-detailed.md
## Finding to Fix
{specific finding from audit report}
IMPORTANT: Do NOT apply changes yet. Produce a Preflight Report:
1. Exactly what code/config changes you will make
2. Security impact of the fix
3. Risk of breaking existing functionality
4. How to verify the fix works
5. How to revert if the fix causes issues
```
After user confirms, re-dispatch with execute authority.
## Report Format
```markdown
# Security Audit Report
**Scope:** {X files changed | Full codebase}
**Languages:** {detected}
**Scan Time:** {duration}
## Summary
| Category | Findings | Critical | High | Medium | Low |
|----------|----------|----------|------|--------|-----|
| Dependencies | X | X | X | X | X |
| Code Patterns | X | X | X | X | X |
| Auth & Config | X | X | X | X | X |
## Critical Findings
{details with file:line, OWASP mapping, fix suggestion}
## High Findings
{details}
## Medium Findings
{details}
## Low Findings
{details}
## Passed Checks
{items that passed the auth/config review}
```
## Fallback: When Agents Are Unavailable
If agent dispatch fails, fall back to inline scanning:
1. Run `scripts/dependency-audit.sh` directly via Bash
2. Run `scripts/security-scan.sh` directly via Bash
3. Manually check auth patterns using ripgrep
4. Present combined results (less structured than agent-based audit)
## Quick Reference
| Task | Tier | Execution |
|------|------|-----------|
| Detect project stack | T1 | Inline |
| Check audit tools | T1 | Inline |
| Dependency scan | T2 | Agent 1 (bg) |
| Code pattern scan | T2 | Agent 2 (bg) |
| Auth & config review | T2 | Agent 3 (bg) |
| Consolidate report | T2 | Inline |
| Fix vulnerability | T3 | Expert + confirm |
| Update dependency | T3 | Expert + confirm |
## Reference Files
| File | Contents |
|------|----------|
| `references/audit-quickref.md` | OWASP table, input validation, output encoding, auth checklist, secrets rules |
| `references/owasp-detailed.md` | Full OWASP Top 10 with examples and prevention strategies |
| `references/auth-patterns.md` | JWT, OAuth2, session management, bcrypt, argon2, MFA |
| `references/crypto-patterns.md` | AES-GCM, RSA, key management, hashing, digital signatures |
| `references/secure-headers.md` | CSP, HSTS, X-Frame-Options, Referrer-Policy, Permissions-Policy |
## Scripts
| Script | Purpose |
|--------|---------|
| `scripts/dependency-audit.sh` | Multi-language dependency vulnerability scanner |
| `scripts/security-scan.sh` | ripgrep-based code pattern security scanner |
## See Also
| Skill | When to Combine |
|-------|----------------|
| `auth-ops` | Deep authentication/authorization implementation patterns |
| `testing-ops` | Security-focused test case generation |
| `monitoring-ops` | Security event logging and alerting |
| `debug-ops` | Investigating security incidents |Related Skills
windows-ops
Comprehensive Windows workstation operations - diagnose slow boot, identify failing drives, decode BSOD crashes, manage startup apps, audit event logs. Use for: Windows is slow, slow bootup, won't boot, blue screen, BSOD, kernel crash, drive failing, SMART errors, disk errors, Event 41, Event 129, storahci reset, BugCheck, CRITICAL_PROCESS_DIED, crash dump, MEMORY.DMP, minidump, msconfig, services.msc, registry Run keys, StartupApproved, scheduled tasks at logon, slow login, high CPU at boot, Adobe startup, Docker startup, disable startup app.
vue-ops
Vue 3 development patterns, Composition API, Pinia state management, Vue Router, and Nuxt 3. Use for: vue, vuejs, composition api, pinia, vue router, nuxt, nuxt3, script setup, composable, reactive, defineProps, defineEmits, defineModel, v-model, provide inject, vue3.
unfold-admin
Django Unfold admin theme - build, configure, and enhance modern Django admin interfaces with Unfold. Use when working with: (1) Django admin UI customisation or theming, (2) Unfold ModelAdmin, inlines, actions, filters, widgets, or decorators, (3) Admin dashboard components and KPI cards, (4) Sidebar navigation, tabs, or conditional fields, (5) Any mention of 'unfold', 'django-unfold', or 'unfold admin'. Covers the full Unfold feature set: site configuration, actions system, display decorators, filter types, widget overrides, inline variants, dashboard components, datasets, sections, theming, and third-party integrations.
typescript-ops
TypeScript type system, generics, utility types, strict mode, and ecosystem patterns. Use for: typescript, ts, type, generic, utility type, Partial, Pick, Omit, Record, Exclude, Extract, ReturnType, Parameters, keyof, typeof, infer, mapped type, conditional type, template literal type, discriminated union, type guard, type assertion, type narrowing, tsconfig, strict mode, declaration file, zod, valibot.
tool-discovery
Recommend the right agents and skills for any task. Covers both heavyweight agents (Task tool) and lightweight skills (Skill tool). Triggers on: which agent, which skill, what tool should I use, help me choose, recommend agent, find the right tool.
testing-ops
Cross-language testing strategies and patterns. Triggers on: test pyramid, unit test, integration test, e2e test, TDD, BDD, test coverage, mocking strategy, test doubles, test isolation.
testgen
Generate tests with expert routing, framework detection, and auto-TaskCreate. Triggers on: generate tests, write tests, testgen, create test file, add test coverage.
techdebt
Technical debt detection and remediation. Run at session end to find duplicated code, dead imports, security issues, and complexity hotspots. Triggers: 'find tech debt', 'scan for issues', 'check code quality', 'wrap up session', 'ready to commit', 'before merge', 'code review prep'. Always uses parallel subagents for fast analysis.
task-runner
Run project commands with just. Check for justfile in project root, list available tasks, execute common operations like test, build, lint. Triggers on: run tests, build project, list tasks, check available commands, run script, project commands.
tailwind-ops
Tailwind CSS utility patterns, responsive design, component patterns, v4 migration, and configuration. Use for: tailwind, tailwindcss, utility classes, responsive design, dark mode, tailwind v4, tailwind config, tw, container queries, @apply, prose, typography, animation.
supply-chain-defense
Behavioural-first software supply chain defense - catches poisoned npm/PyPI packages in the publish-to-advisory window that CVE tools miss. Socket.dev integration (free CLI + GitHub app + depscore MCP for Claude Code), stale-OIDC audit, dependency cooldown policy, publish-token rotation, VS Code extension audit, and a self-integrity scan that detects worm persistence hooks injected into Claude Code / VS Code settings. Triggers on: supply chain, supply chain attack, malicious package, poisoned dependency, npm worm, Shai-Hulud, behavioural scanning, Socket.dev, socket scan, dependency security, postinstall malware, OIDC token theft, compromised maintainer, typosquat, dependency confusion, package provenance, SLSA, persistence hook, malicious VS Code extension.
summon
Transfer Claude Desktop Code-tab sessions between Claude accounts — copy (default) or move (--move) the session metadata file so the session shows up in another account's left-hand sidebar (the session picker on the left side of Desktop's Code tab). Two natural framings: push (run while still on your current near-limit account, send sessions to the next one, then Logout/Login as the natural switch) or pull (after switching accounts, bring earlier sessions into the now-active one). Push is the recommended workflow because the Logout/Login becomes invisible — it IS the switch you were going to do anyway. Triggers on: summon, summon sessions, push sessions, pull sessions, before switching accounts, account approaching usage limit, account ran out of usage, prepare next account, mid-flight desktop sessions, claude desktop multi-account workflow, transfer claude desktop sessions across accounts, peek session, see desktop sessions across accounts. Default copy keeps the session visible in both accounts' sidebars; --move for lean cleanup. Transcript JSONLs are account-agnostic and stay where they are — both wrappers point at the same conversation. No API calls, no summarisation, full transcripts intact. The left-hand session picker is loaded at login, so a Logout/Login on the destination is required for new sessions to appear there.