security-health-inline
Inline orchestration workflow for security vulnerability detection and remediation with Beads integration. Provides step-by-step phases for security-scanner detection, priority-based fixing with vulnerability-fixer, and verification cycles.
Best use case
security-health-inline is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Teams using security-health-inline should expect more consistent output, faster repeated execution, and less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in `.claude/skills/security-health-inline/SKILL.md` inside your project
- Restart your AI agent; it will auto-discover the skill
How security-health-inline Compares
| Feature / Agent | security-health-inline | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Security Health Check (Inline Orchestration)
You ARE the orchestrator. Execute this workflow directly without spawning a separate orchestrator agent.
## Workflow Overview
```
Beads Init → Detection → Create Issues → Fix by Priority → Close Issues → Verify → Beads Complete
```
**Max iterations**: 3
**Priorities**: critical → high → medium → low
**Beads integration**: Automatic issue tracking
---
## Phase 1: Pre-flight & Beads Init
1. **Setup directories**:
```bash
mkdir -p .tmp/current/{plans,changes,backups}
```
2. **Validate environment**:
- Check `package.json` exists
- Check `type-check` and `build` scripts exist
3. **Create Beads wisp**:
```bash
bd mol wisp exploration --vars "question=Security vulnerability scan"
```
**IMPORTANT**: Save the wisp ID (e.g., `mc2-xxx`) for later use.
4. **Initialize TodoWrite**:
```json
[
{"content": "Security scan", "status": "in_progress", "activeForm": "Scanning for vulnerabilities"},
{"content": "Create Beads issues", "status": "pending", "activeForm": "Creating issues"},
{"content": "Fix critical vulnerabilities", "status": "pending", "activeForm": "Fixing critical vulnerabilities"},
{"content": "Fix high priority vulnerabilities", "status": "pending", "activeForm": "Fixing high vulnerabilities"},
{"content": "Fix medium priority vulnerabilities", "status": "pending", "activeForm": "Fixing medium vulnerabilities"},
{"content": "Fix low priority vulnerabilities", "status": "pending", "activeForm": "Fixing low vulnerabilities"},
{"content": "Verification scan", "status": "pending", "activeForm": "Verifying fixes"},
{"content": "Complete Beads wisp", "status": "pending", "activeForm": "Completing wisp"}
]
```
---
## Phase 2: Detection
**Invoke security-scanner** via Task tool:
```
subagent_type: "security-scanner"
description: "Detect all vulnerabilities"
prompt: |
Scan the entire codebase for security vulnerabilities:
- SQL injection
- XSS vulnerabilities
- Authentication/authorization issues
- RLS policy violations
- Hardcoded secrets
- Insecure dependencies
- Categorize by priority (critical/high/medium/low)
Generate: security-scan-report.md
Return summary with vulnerability counts per priority.
```
**After security-scanner returns**:
1. Read `security-scan-report.md`
2. Parse vulnerability counts by priority
3. If zero vulnerabilities → skip to Phase 7 (Final Summary)
4. Update TodoWrite: mark detection complete
---
## Phase 3: Create Beads Issues
**For each vulnerability found**, create a Beads issue:
```bash
# Critical (P0) - Security critical gets highest priority
bd create "SECURITY: {vuln_title}" -t bug -p 0 -d "{description}" \
--deps discovered-from:{wisp_id}
# High (P1)
bd create "SECURITY: {vuln_title}" -t bug -p 1 -d "{description}" \
--deps discovered-from:{wisp_id}
# Medium (P2)
bd create "SECURITY: {vuln_title}" -t bug -p 2 -d "{description}" \
--deps discovered-from:{wisp_id}
# Low (P3)
bd create "SECURITY: {vuln_title}" -t bug -p 3 -d "{description}" \
--deps discovered-from:{wisp_id}
```
**Add security label**:
```bash
bd update {issue_id} --add-label security
```
**Track issue IDs** in a mapping for later closure.
Update TodoWrite: mark "Create Beads issues" complete.
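One way to carry out Phase 3 from a script, as an added example that is not part of the skill: the findings are a constructed stand-in for a parsed `security-scan-report.md` (the skill does not fix that report's format), the `bd` commands are assembled as argv lists so scanner-supplied titles never pass through a shell, and the assumption that `bd create` prints the new issue id as its last token is labelled in the code.

```python
import subprocess
from typing import Callable, Dict, List

# The skill's priority names mapped to the Beads -p values it uses (P0..P3).
PRIORITY_TO_P = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed sample input standing in for a parsed security-scan-report.md
# (the skill does not fix that report's format, so this shape is assumed).
SAMPLE_VULNS = [
    {"id": "V-1", "priority": "critical", "title": "SQL injection in /api/search",
     "description": "User input concatenated into a query in search.ts"},
    {"id": "V-2", "priority": "high", "title": "Hardcoded API key",
     "description": "Secret committed in config/prod.ts"},
    {"id": "V-3", "priority": "low", "title": 'Title with "quotes" && echo injected',
     "description": "Scanner output is untrusted text; it must not reach a shell"},
]


def build_create_argv(vuln: dict, wisp_id: str) -> List[str]:
    """Phase 3 `bd create` for one finding, as an argv list (no shell parsing)."""
    prio = PRIORITY_TO_P[vuln["priority"].lower()]
    return ["bd", "create", f"SECURITY: {vuln['title']}", "-t", "bug",
            "-p", str(prio), "-d", vuln["description"],
            "--deps", f"discovered-from:{wisp_id}"]


def build_label_argv(issue_id: str) -> List[str]:
    """Phase 3 follow-up: tag the new issue with the security label."""
    return ["bd", "update", issue_id, "--add-label", "security"]


def run_bd(argv: List[str]) -> str:
    """Default runner: execute argv directly and return stdout (raises on non-zero exit)."""
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


def create_issues(vulns: List[dict], wisp_id: str,
                  runner: Callable[[List[str]], str] = run_bd) -> Dict[str, str]:
    """Create one Beads issue per finding, critical first; return {vuln_id: issue_id}.

    The new issue id is taken as the last whitespace-separated token that
    `bd create` prints; that output shape is an assumption, not from the skill.
    """
    mapping: Dict[str, str] = {}
    for v in sorted(vulns, key=lambda x: PRIORITY_TO_P[x["priority"].lower()]):
        issue_id = runner(build_create_argv(v, wisp_id)).strip().split()[-1]
        runner(build_label_argv(issue_id))
        mapping[v["id"]] = issue_id
    return mapping
```

The returned mapping is the "issue IDs for later closure" the phase asks for; passing a fake `runner` lets the flow be exercised without a `bd` binary.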
---
## Phase 4: Quality Gate (Pre-fix)
Run inline validation:
```bash
pnpm type-check
pnpm build
```
- If both pass → proceed to fixing
- If fail → report to user, exit
---
## Phase 5: Fixing Loop
**For each priority** (critical → high → medium → low):
1. **Check if vulnerabilities exist** for this priority
- If zero → skip to next priority
2. **Update TodoWrite**: mark current priority in_progress
3. **Claim issues in Beads**:
```bash
bd update {issue_id} --status in_progress
```
4. **Invoke vulnerability-fixer** via Task tool:
```
subagent_type: "vulnerability-fixer"
description: "Fix {priority} vulnerabilities"
prompt: |
Read security-scan-report.md and fix all {priority} priority vulnerabilities.
For each vulnerability:
1. Backup file before editing
2. Implement fix
3. Log change to .tmp/current/changes/security-changes.json
Generate/update: security-fixes-implemented.md
Return: count of fixed vulnerabilities, count of failed fixes, list of fixed vuln IDs.
```
5. **Quality Gate** (inline):
```bash
pnpm type-check
pnpm build
```
- If FAIL → report error, suggest rollback, exit
- If PASS → continue
6. **Close fixed issues in Beads**:
```bash
bd close {issue_id_1} {issue_id_2} ... --reason "Security fix applied"
```
7. **Update TodoWrite**: mark priority complete
8. **Repeat** for next priority
---
## Phase 6: Verification
After all priorities fixed:
1. **Update TodoWrite**: mark verification in_progress
2. **Invoke security-scanner** (verification mode):
```
subagent_type: "security-scanner"
description: "Verification scan"
prompt: |
Re-scan codebase after fixes.
Compare with previous security-scan-report.md.
Report:
- Vulnerabilities fixed (count)
- Vulnerabilities remaining (count)
- New vulnerabilities introduced (count)
```
3. **Decision**:
- If vulnerabilities_remaining == 0 → Phase 7
- If iteration < 3 AND vulnerabilities_remaining > 0 → Go to Phase 2
- If iteration >= 3 → Phase 7 with remaining vulnerabilities
---
## Phase 7: Final Summary & Beads Complete
1. **Complete Beads wisp**:
```bash
# If all fixed
bd mol squash {wisp_id}
# If nothing found
bd mol burn {wisp_id}
```
2. **Create issues for remaining vulnerabilities** (if any):
```bash
bd create "SECURITY REMAINING: {vuln_title}" -t bug -p {priority} \
-d "Not fixed in scan. REQUIRES MANUAL ATTENTION. See security-scan-report.md"
bd update {new_issue_id} --add-label security
```
3. **Generate summary for user**:
```markdown
## Security Health Check Complete
**Wisp ID**: {wisp_id}
**Iterations**: {count}/3
**Status**: {SUCCESS/PARTIAL}
### Results
- Found: {total} vulnerabilities
- Fixed: {fixed} ({percentage}%)
- Remaining: {remaining}
### By Priority
- Critical: {fixed}/{total}
- High: {fixed}/{total}
- Medium: {fixed}/{total}
- Low: {fixed}/{total}
### Beads Issues
- Created: {count}
- Closed: {count}
- Remaining: {count} (SECURITY LABEL - requires attention)
### Validation
- Type Check: {status}
- Build: {status}
### Artifacts
- Detection: `security-scan-report.md`
- Fixes: `security-fixes-implemented.md`
```
4. **Update TodoWrite**: mark wisp complete
5. **SESSION CLOSE PROTOCOL**:
```bash
git status
git add .
bd sync
git commit -m "security: {fixed} vulnerabilities fixed ({wisp_id})"
bd sync
git push
```
---
## Error Handling
**If quality gate fails**:
```
Rollback available: .tmp/current/changes/security-changes.json
To rollback:
1. Read changes log
2. Restore files from .tmp/current/backups/
3. Re-run workflow
```
**If worker fails**:
- Report error to user
- Keep Beads wisp open for manual completion
- Suggest manual intervention
- Exit workflow
**If Beads command fails**:
- Log error but continue workflow
- Beads tracking is an enhancement, not a blocker
---
## Quick Reference
| Phase | Beads Action |
|-------|--------------|
| 1. Pre-flight | `bd mol wisp exploration` |
| 3. After detection | `bd create` + `--add-label security` |
| 5. Before fix | `bd update --status in_progress` |
| 5. After fix | `bd close --reason "Fixed"` |
| 7. Complete | `bd mol squash/burn` |
| 7. Remaining | `bd create` with security label |