security-watch

Use when working on security-sensitive code to catch secrets, eval(), innerHTML, and other dangerous patterns before they're written. Activate with /security-watch for real-time security scanning.

Best use case

security-watch is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Teams using security-watch should expect more consistent output, faster repeated execution, and less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$ curl -o ~/.claude/skills/security-watch/SKILL.md --create-dirs "https://raw.githubusercontent.com/proffesor-for-testing/agentic-qe/main/.claude/skills/security-watch/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/security-watch/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How security-watch Compares

| Feature / Agent | security-watch | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |

Frequently Asked Questions

What does this skill do?

Use when working on security-sensitive code to catch secrets, eval(), innerHTML, and other dangerous patterns before they're written. Activate with /security-watch for real-time security scanning.

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# Security Watch Mode

When activated, scans every file write for common security anti-patterns and blocks dangerous code from being committed.

## What It Does

Flags or blocks writes containing:
- **Secrets**: API keys, passwords, tokens, private keys in source code
- **Dangerous functions**: `eval()`, `Function()`, `innerHTML`, `dangerouslySetInnerHTML`
- **Injection vectors**: Unsanitized template literals in SQL/shell commands
- **Insecure config**: `http://` URLs, disabled TLS verification, `*` CORS origins

## Activation

```
/security-watch
```

## Hook Configuration

```json
{
  "hooks": {
    "PreToolUse": [
      {
        "matcher": "Write|Edit",
        "hook": ".claude/skills/security-watch/scripts/scan-security.sh"
      }
    ]
  }
}
```

## Detection Patterns

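```bash
#!/bin/bash
# scan-security.sh
# Scans the content passed as the first argument for secret and
# dangerous-code patterns. Requires GNU grep (-P enables PCRE).
CONTENT="$1"
ISSUES=0

# Secrets detection
SECRET_PATTERNS=(
  'AKIA[0-9A-Z]{16}'                    # AWS Access Key
  'sk-[a-zA-Z0-9]{48}'                  # OpenAI API Key
  'ghp_[a-zA-Z0-9]{36}'                 # GitHub Personal Token
  'password\s*[:=]\s*["\x27][^"\x27]+'  # Hardcoded passwords
  'BEGIN (RSA |EC )?PRIVATE KEY'         # Private keys
  'sk_live_[a-zA-Z0-9]+'                # Stripe secret key
)

for pattern in "${SECRET_PATTERNS[@]}"; do
  # printf, unlike echo, never interprets the content as options or escapes
  if printf '%s\n' "$CONTENT" | grep -qP -e "$pattern"; then
    echo "BLOCKED: Potential secret detected matching pattern: $pattern"
    ISSUES=$((ISSUES + 1))
  fi
done

# Dangerous functions
DANGER_PATTERNS=(
  '\beval\s*\('
  '\bFunction\s*\('
  '\.innerHTML\s*='
  'dangerouslySetInnerHTML'
  'child_process.*exec\('
  # Template literal interpolation on the same line as a SQL keyword.
  # Both orders are needed: the usual case (`SELECT ... ${id}`) has the
  # keyword first, which the first pattern alone does not match.
  '\$\{.*\}.*(?:SELECT|INSERT|UPDATE|DELETE)'
  '(?:SELECT|INSERT|UPDATE|DELETE)\b.*\$\{.*\}'
)

for pattern in "${DANGER_PATTERNS[@]}"; do
  if printf '%s\n' "$CONTENT" | grep -qP -e "$pattern"; then
    echo "WARNING: Dangerous pattern detected: $pattern"
    ISSUES=$((ISSUES + 1))
  fi
done

# Any finding, blocked or warned, fails the hook with a non-zero exit
if [ "$ISSUES" -gt 0 ]; then
  echo "Found $ISSUES security issues. Review before proceeding."
  exit 1
fi
```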

## Gotchas

- False positives on test fixtures that intentionally contain patterns like `eval()` — use `// security-watch:ignore` comment
- Base64-encoded secrets won't be caught — this scans for plaintext patterns only
- Template literal injection detection has false positives on safe string interpolation — review warnings carefully
- This is a first line of defense, not a replacement for proper security review
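The first two gotchas can be seen in a line-oriented variant of the scan. This is an added example, not the project's script: `scan_content`, the `RULES` list and the rule names are hypothetical, the sample input is constructed, and treating `security-watch:ignore` as a per-line suppression is an assumption, since the script above does not show how the marker is honoured.

```shell
#!/bin/sh
# Added example (not the project's script). scan_content, RULES and the rule
# names are hypothetical; SAMPLE is constructed test data, not real keys.

IGNORE_MARKER='security-watch:ignore'

# One "name ERE" pair per line. POSIX ERE has no \s or \b, so character
# classes stand in for them; this also avoids the GNU-only `grep -P`.
RULES='aws-access-key AKIA[0-9A-Z]{16}
github-token ghp_[a-zA-Z0-9]{36}
private-key BEGIN (RSA |EC )?PRIVATE KEY
eval-call (^|[^[:alnum:]_])eval[[:space:]]*\(
inner-html \.innerHTML[[:space:]]*='

# Print "LINE:RULE" for every hit in the text passed as $1.
scan_content() {
  # Number lines before dropping suppressed ones, so numbers stay accurate.
  numbered=$(printf '%s\n' "$1" | grep -n '' | grep -vF "$IGNORE_MARKER") || true
  printf '%s\n' "$RULES" | while read -r name pattern; do
    # grep exits 1 when nothing matches; that is not an error here.
    printf '%s\n' "$numbered" | { grep -E -e "$pattern" || true; } |
      cut -d: -f1 | while read -r lineno; do echo "$lineno:$name"; done
  done | LC_ALL=C sort -n
}

# Line 1: plaintext key shape -> flagged. Line 2: fixture with the marker ->
# skipped. Line 3: the same key base64-encoded -> missed. Line 4: flagged.
SAMPLE='const key = "AKIAABCDEFGHIJKLMNOP";
expect(() => eval("1+1")).toThrow(); // security-watch:ignore
const blob = atob("QUtJQUFCQ0RFRkdISUpLTE1OT1A=");
el.innerHTML = userInput;'

scan_content "$SAMPLE"
```

Because a single marker silences every rule on its line, a reviewer should check that suppressed lines really are fixtures.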

Related Skills

qe-security-visual-testing

298
from proffesor-for-testing/agentic-qe

Security-first visual testing combining URL validation, PII detection, and visual regression with parallel viewport support. Use when testing web applications that handle sensitive data, need visual regression coverage, or require WCAG accessibility compliance.

qe-security-testing

298
from proffesor-for-testing/agentic-qe

Test for security vulnerabilities using OWASP principles. Use when conducting security audits, testing auth, or implementing security practices.

qe-security-compliance

298
from proffesor-for-testing/agentic-qe

Security auditing, vulnerability scanning, and compliance validation for OWASP, SOC2, GDPR, and other standards.

qe-n8n-security-testing

298
from proffesor-for-testing/agentic-qe

Credential exposure detection, OAuth flow validation, API key management testing, and data sanitization verification for n8n workflows. Use when validating n8n workflow security.

V3 Security Overhaul

298
from proffesor-for-testing/agentic-qe

Complete security architecture overhaul for claude-flow v3. Addresses critical CVEs (CVE-1, CVE-2, CVE-3) and implements secure-by-default patterns. Use for security-first v3 implementation.

security-visual-testing

298
from proffesor-for-testing/agentic-qe

Security-first visual testing combining URL validation, PII detection, and visual regression with parallel viewport support. Use when testing web applications that handle sensitive data, need visual regression coverage, or require WCAG accessibility compliance.

security-testing

298
from proffesor-for-testing/agentic-qe

Scans for security vulnerabilities including XSS, SQL injection, CSRF, and auth flaws using OWASP Top 10 methodology. Use when conducting SAST/DAST scans, auditing authentication flows, testing authorization rules, or implementing security test automation.

n8n-security-testing

298
from proffesor-for-testing/agentic-qe

Credential exposure detection, OAuth flow validation, API key management testing, and data sanitization verification for n8n workflows. Use when validating n8n workflow security.

qe-visual-testing-advanced

298
from proffesor-for-testing/agentic-qe

Advanced visual regression testing with pixel-perfect comparison, AI-powered diff analysis, responsive design validation, and cross-browser visual consistency. Use when detecting UI regressions, validating designs, or ensuring visual consistency.

qe-verification-quality

298
from proffesor-for-testing/agentic-qe

Comprehensive truth scoring, code quality verification, and automatic rollback system with 0.95 accuracy threshold for ensuring high-quality agent outputs and codebase reliability.

qe-testability-scoring

298
from proffesor-for-testing/agentic-qe

AI-powered testability assessment using 10 principles of intrinsic testability with Playwright and optional Vibium integration. Evaluates web applications against Observability, Controllability, Algorithmic Simplicity, Transparency, Stability, Explainability, Unbugginess, Smallness, Decomposability, and Similarity. Use when assessing software testability, evaluating test readiness, identifying testability improvements, or generating testability reports.

qe-test-reporting-analytics

298
from proffesor-for-testing/agentic-qe

Advanced test reporting, quality dashboards, predictive analytics, trend analysis, and executive reporting for QE metrics. Use when communicating quality status, tracking trends, or making data-driven decisions.