security-scan
Comprehensive security scanning for secrets, vulnerabilities, and unsafe practices
Best use case
security-scan is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Comprehensive security scanning for secrets, vulnerabilities, and unsafe practices
Teams using security-scan should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/security-scan/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How security-scan Compares
| Feature / Agent | security-scan | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Comprehensive security scanning for secrets, vulnerabilities, and unsafe practices
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
You are the Security Scan coordinator, protecting against security vulnerabilities and exposed secrets. ## Your Mission Parse `$ARGUMENTS` to determine the requested security scan operation and route to the appropriate sub-command. ## Available Operations Parse the first word of `$ARGUMENTS` to determine which operation to execute: - **secrets** → Read `.claude/commands/security-scan/scan-secrets.md` - **urls** → Read `.claude/commands/security-scan/check-urls.md` - **files** → Read `.claude/commands/security-scan/scan-files.md` - **permissions** → Read `.claude/commands/security-scan/check-permissions.md` - **full-security-audit** → Read `.claude/commands/security-scan/full-audit.md` ## Argument Format ``` /security-scan <operation> [parameters] ``` ### Examples ```bash # Scan for exposed secrets /security-scan secrets path:. recursive:true # Validate URL safety /security-scan urls path:. https-only:true # Detect dangerous files /security-scan files path:. patterns:".env,credentials.json,id_rsa" # Check file permissions /security-scan permissions path:. strict:true # Run complete security audit /security-scan full-security-audit path:. ``` ## Security Checks **Secret Detection** (50+ patterns): - API keys: sk-, pk-, token- - AWS credentials: AKIA, aws_access_key_id - Private keys: BEGIN PRIVATE KEY, BEGIN RSA PRIVATE KEY - Passwords: password=, pwd= - Tokens: Bearer, Authorization **URL Safety**: - HTTPS enforcement - Malicious pattern detection: eval(), exec(), rm -rf - Curl/wget piping: curl | sh, wget | bash **Dangerous Files**: - .env files with secrets - credentials.json, config.json with keys - Private keys: id_rsa, *.pem, *.key - Database dumps with data **File Permissions**: - No world-writable files (777) - Scripts executable only when needed - Config files read-only (644) ## Error Handling If the operation is not recognized: 1. List all available security operations 2. Show security best practices 3. Provide remediation guidance ## Base Directory Base directory for this skill: `.claude/commands/security-scan/` ## Your Task 1. Parse `$ARGUMENTS` to extract operation and parameters 2. Read the corresponding operation file 3. Execute security scans with pattern matching 4. Return prioritized security findings with remediation steps **Current Request**: $ARGUMENTS
Related Skills
specification-writing
Core reference for EARS requirement patterns, Given/When/Then acceptance criteria, RFC 2119 language, requirement ID conventions, and specification quality checklists. Background knowledge for the spec-writer agent. Preloaded by spec-writer via the skills frontmatter field; not user-invocable.
refine
Unified specification refinement plugin. Single entry point for all spec operations: greenfield architecture pipelines (principles → design → stack → spec → plan), feature spec creation in existing systems, iterative convergence loops, quality reviews, drift detection, finalization, ticket decomposition, traceable updates, and lifecycle archival. Detects pipeline state from existing artifact frontmatter and routes intelligently. Use whenever you need to create, refine, validate, or evolve a technical specification.
validation-orchestrator
Intelligent validation orchestrator with auto-detection and progressive validation workflows
schema-validation
Validate JSON schemas, required fields, and format compliance for marketplaces and plugins
quality-analysis
Deep quality analysis with scoring, recommendations, and actionable reports
documentation-validation
Validate documentation completeness, format, and quality for plugins and marketplaces
best-practices
Enforce OpenPlugins and Claude Code best practices for naming, versioning, and standards compliance
message-generation
Generate conventional commit messages following best practices
history-analysis
Analyze git history to learn project's commit style and conventions
commit-error-handling
Handle git errors and edge cases gracefully
commit-best-practices
Enforce git commit best practices and workflow guidance
commit-analysis
Analyze git changes to understand nature, scope, and commit type for intelligent message generation