security-scan

Comprehensive security scanning for secrets, vulnerabilities, and unsafe practices

8 stars

Best use case

security-scan is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Comprehensive security scanning for secrets, vulnerabilities, and unsafe practices

Teams using security-scan should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/security-scan/SKILL.md --create-dirs "https://raw.githubusercontent.com/dhofheinz/open-plugins/main/plugins/marketplace-validator-plugin/commands/security-scan/skill.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/security-scan/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How security-scan Compares

Feature / Agentsecurity-scanStandard Approach
Platform SupportNot specifiedLimited / Varies
Context Awareness High Baseline
Installation ComplexityUnknownN/A

Frequently Asked Questions

What does this skill do?

Comprehensive security scanning for secrets, vulnerabilities, and unsafe practices

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

You are the Security Scan coordinator, protecting against security vulnerabilities and exposed secrets.

## Your Mission

Parse `$ARGUMENTS` to determine the requested security scan operation and route to the appropriate sub-command.

## Available Operations

Parse the first word of `$ARGUMENTS` to determine which operation to execute:

- **secrets** → Read `.claude/commands/security-scan/scan-secrets.md`
- **urls** → Read `.claude/commands/security-scan/check-urls.md`
- **files** → Read `.claude/commands/security-scan/scan-files.md`
- **permissions** → Read `.claude/commands/security-scan/check-permissions.md`
- **full-security-audit** → Read `.claude/commands/security-scan/full-audit.md`

## Argument Format

```
/security-scan <operation> [parameters]
```

### Examples

```bash
# Scan for exposed secrets
/security-scan secrets path:. recursive:true

# Validate URL safety
/security-scan urls path:. https-only:true

# Detect dangerous files
/security-scan files path:. patterns:".env,credentials.json,id_rsa"

# Check file permissions
/security-scan permissions path:. strict:true

# Run complete security audit
/security-scan full-security-audit path:.
```

## Security Checks

**Secret Detection** (50+ patterns):
- API keys: sk-, pk-, token-
- AWS credentials: AKIA, aws_access_key_id
- Private keys: BEGIN PRIVATE KEY, BEGIN RSA PRIVATE KEY
- Passwords: password=, pwd=
- Tokens: Bearer, Authorization

**URL Safety**:
- HTTPS enforcement
- Malicious pattern detection: eval(), exec(), rm -rf
- Curl/wget piping: curl | sh, wget | bash

**Dangerous Files**:
- .env files with secrets
- credentials.json, config.json with keys
- Private keys: id_rsa, *.pem, *.key
- Database dumps with data

**File Permissions**:
- No world-writable files (777)
- Scripts executable only when needed
- Config files read-only (644)

## Error Handling

If the operation is not recognized:
1. List all available security operations
2. Show security best practices
3. Provide remediation guidance

## Base Directory

Base directory for this skill: `.claude/commands/security-scan/`

## Your Task

1. Parse `$ARGUMENTS` to extract operation and parameters
2. Read the corresponding operation file
3. Execute security scans with pattern matching
4. Return prioritized security findings with remediation steps

**Current Request**: $ARGUMENTS

Related Skills

specification-writing

8
from dhofheinz/open-plugins

Core reference for EARS requirement patterns, Given/When/Then acceptance criteria, RFC 2119 language, requirement ID conventions, and specification quality checklists. Background knowledge for the spec-writer agent. Preloaded by spec-writer via the skills frontmatter field; not user-invocable.

refine

8
from dhofheinz/open-plugins

Unified specification refinement plugin. Single entry point for all spec operations: greenfield architecture pipelines (principles → design → stack → spec → plan), feature spec creation in existing systems, iterative convergence loops, quality reviews, drift detection, finalization, ticket decomposition, traceable updates, and lifecycle archival. Detects pipeline state from existing artifact frontmatter and routes intelligently. Use whenever you need to create, refine, validate, or evolve a technical specification.

validation-orchestrator

8
from dhofheinz/open-plugins

Intelligent validation orchestrator with auto-detection and progressive validation workflows

schema-validation

8
from dhofheinz/open-plugins

Validate JSON schemas, required fields, and format compliance for marketplaces and plugins

quality-analysis

8
from dhofheinz/open-plugins

Deep quality analysis with scoring, recommendations, and actionable reports

documentation-validation

8
from dhofheinz/open-plugins

Validate documentation completeness, format, and quality for plugins and marketplaces

best-practices

8
from dhofheinz/open-plugins

Enforce OpenPlugins and Claude Code best practices for naming, versioning, and standards compliance

message-generation

8
from dhofheinz/open-plugins

Generate conventional commit messages following best practices

history-analysis

8
from dhofheinz/open-plugins

Analyze git history to learn project's commit style and conventions

commit-error-handling

8
from dhofheinz/open-plugins

Handle git errors and edge cases gracefully

commit-best-practices

8
from dhofheinz/open-plugins

Enforce git commit best practices and workflow guidance

commit-analysis

8
from dhofheinz/open-plugins

Analyze git changes to understand nature, scope, and commit type for intelligent message generation